Cleanup of preceding fix

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -195,6 +195,10 @@ elif [ -n "${options[VARDIR]}" ]; then
     fi
 fi
 
+if [ -z "${options[SERVICEDIR]}" ]; then
+    options[SERVICEDIR]="${options[SYSTEMD]}"
+fi
+
 for on in \
     HOST \
     PREFIX \
@@ -209,7 +213,7 @@ for on in \
     INITFILE \
     AUXINITSOURCE \
     AUXINITFILE \
-    SYSTEMD \
+    SERVICEDIR \
     SERVICEFILE \
     SYSCONFFILE \
     SYSCONFDIR \

Shorewall-core/configure.pl

@@ -154,6 +154,8 @@ if ( $options{VARLIB} ) {
     $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }
 
+$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -167,8 +169,8 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SYSTEMD
+	  SERVICEDIR
-          SERVICEFILE
+	  SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE

Shorewall-core/install.sh

@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -329,9 +329,13 @@ if [ -n "${SYSCONFDIR}" ]; then
     chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
 
-if [ -n "${SYSTEMD}" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
-    chmod 755 ${DESTDIR}${SYSTEMD}
+fi
+
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi
 
 mkdir -p ${DESTDIR}${SBINDIR}

Shorewall-core/lib.cli

@@ -367,6 +367,17 @@ resolve_arptables() {
     esac
 }
 
+#
+# Try to run the 'savesets' command
+#
+savesets() {
+    local supported
+
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
+}
+
 #
 # Save currently running configuration
 #
@@ -428,45 +439,47 @@ do_save() {
 	    ;;
     esac
 
-    case ${SAVE_IPSETS:=No} in
+    if ! savesets;  then
-	[Yy]es)
+	case ${SAVE_IPSETS:=No} in
-	    case ${IPSET:=ipset} in
+	    [Yy]es)
-		*/*)
+		case ${IPSET:=ipset} in
-		    if [ ! -x "$IPSET" ]; then
+		    */*)
-			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			if [ ! -x "$IPSET" ]; then
-			IPSET=
+			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			    IPSET=
+			fi
+			;;
+		    *)
+			IPSET="$(mywhich $IPSET)"
+			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+			;;
+		esac
+
+		if [ -n "$IPSET" ]; then
+		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
+			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
+			hack='| grep -v /31'
+		    else
+			hack=
 		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-		    ;;
-	    esac
 
-	    if [ -n "$IPSET" ]; then
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
-                    #
+			# Don't save an 'empty' file
-                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
-                    #
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		    hack='| grep -v /31'
+		    fi
-		else
-		    hack=
 		fi
-
+		;;
-		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+	    [Nn]o)
-                    #
+		;;
-                    # Don't save an 'empty' file
+	    *)
-                    #
+		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		;;
-		fi
+	esac
-	    fi
+    fi
-	    ;;
-	[Nn]o)
-	    ;;
-	*)
-	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-	    ;;
-    esac
 
     return $status
 }
@@ -480,6 +493,8 @@ save_config() {
 
     [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
 
+    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"
+
     if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 
@@ -1470,10 +1485,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
     fi
 
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local count
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local max
 
-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
+	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
+	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
+	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    else
+	heading "Conntrack Table"
+    fi
 
     if [ $g_family -eq 4 ]; then
     	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -1599,6 +1626,15 @@ restore_command() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    g_purge=Yes
+			    option=${option%p}
+			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1923,7 +1959,7 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 
-	    ipset=$(echo $ipset | sed 's/./_/g');
+	    ipset=$(echo $ipset | sed 's/\./_/g');
 
 	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
@@ -3083,11 +3119,45 @@ reject_command() {
 }
 
 save_command() {
+    local finished
+    finished=0
+
+    shift
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
     case $# in
-	1)
+	0)
 	    ;;
-	2)
+	1)
-	    RESTOREFILE="$2"
+	    RESTOREFILE="$1"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
@@ -3382,7 +3452,11 @@ start_command() {
 	[ -n "$g_nolock" ] || mutex_on
 
 	if [ -x ${VARDIR}/firewall ]; then
-	    run_it ${VARDIR}/firewall $g_debugging start
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+	    else
+		run_it ${VARDIR}/firewall $g_debugging start
+	    fi
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
@@ -3418,6 +3492,14 @@ start_command() {
 			    finished=1
 			    option=
 			    ;;
+			f*)
+			    g_fast=Yes
+			    option=${option#f}
+			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@@ -3479,6 +3561,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3515,6 +3601,14 @@ restart_command() {
     return $rc
 }
 
+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -3544,9 +3638,10 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
-    echo "   save [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
+    echo "   save [ -C ] [ <file name> ]"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] arptables"
@@ -3571,7 +3666,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
     echo "   stop"
     echo "   status [ -i ]"
     echo "   version [ -a ]"
@@ -3623,6 +3718,7 @@ shorewall_cli() {
     g_directives=
     g_inline=
     g_tcrules=
+    g_counters=
 
     VERBOSE=
     VERBOSITY=1
@@ -3818,6 +3914,11 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
+	run)
+	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    get_config Yes
+	    run_command $@
+	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
     	    shift

Shorewall-core/lib.common

@@ -157,6 +157,7 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
+	[ -n "$g_counters" ]   && options=${options}c
 
 	options="${options}V $VERBOSITY"
 
@@ -172,6 +173,7 @@ run_it() {
 error_message() # $* = Error Message
 {
    echo "   $@" >&2
+   return 1
 }
 
 #

Shorewall-core/shorewallrc.apple

@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SYSTEMD=                               #Unused on OS X
+SERVICEDIR=                            #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.

Shorewall-core/shorewallrc.archlinux

@@ -8,14 +8,14 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
+SBINDIR=/usr/bin                       #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SYSTEMD=                              #Unused on Cygwin
+SERVICEDIR=                           #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.

Shorewall-core/shorewallrc.debian

@@ -17,7 +17,7 @@ ANNOTATED=                              #If non-zero, annotated configuration fi
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed

Shorewall-core/shorewallrc.redhat

@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed

Shorewall-core/shorewallrc.slackware

@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.

Shorewall-core/shorewallrc.suse

@@ -8,13 +8,13 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed

Shorewall-init/init.debian.sh

@@ -71,7 +71,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
     fi
 
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
@@ -123,6 +123,17 @@ shorewall_start () {
 
   echo "done."
 
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+
+      echo -n "Restoring ipsets: "
+
+      if ! ipset -R < "$SAVE_IPSETS"; then
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
   return 0
 }
 
@@ -142,6 +153,20 @@ shorewall_stop () {
 
   echo "done."
 
+  if [ -n "$SAVE_IPSETS" ]; then
+
+      echo "Saving ipsets: "
+
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      else
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
   return 0
 }
 

Shorewall-init/init.fedora.sh

@@ -42,7 +42,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
     fi
 
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
 	${SBINDIR}/$PRODUCT $OPTIONS compile -c

Shorewall-init/init.sh

@@ -67,7 +67,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
     fi
 
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then

Shorewall-init/init.suse.sh

@@ -77,7 +77,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
     fi
 
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit

Shorewall-init/install.sh

@@ -35,6 +35,7 @@ usage() # $1 = exit status
     echo "usage: $ME [ <configuration-file> ]"
     echo "       $ME -v"
     echo "       $ME -h"
+    echo "       $ME -n"
     exit $1
 }
 
@@ -105,9 +106,12 @@ PRODUCT=shorewall-init
 T='-T'
 
 finished=0
+configure=1
 
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
+
+    case "$option" in
 	-*)
 	    option=${option#-}
 
@@ -120,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -176,6 +184,8 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
+[ -n "$SANDBOX" ] && configure=0
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 if [ -z "$BUILD" ]; then
@@ -191,7 +201,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -306,6 +316,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
     install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
     [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
     
@@ -319,13 +330,17 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" ]; then
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
         chmod 755 ${DESTDIR}${SBINDIR}
     fi
@@ -366,14 +381,24 @@ if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+    elif [ $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
     fi
 
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi
 
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	if [ $configure -eq 1 ]; then
+	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	else
+	    mkdir -p ${DESTDIR}${CONFDIR}/default
+	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
+	fi
     fi
 
     IFUPDOWN=ifupdown.debian.sh
@@ -384,7 +409,7 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
@@ -415,17 +440,33 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ $configure -eq 1 ]; then
+	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    else
+	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi
 
 case $HOST in
     debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	else
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
+	fi
 	;;
     suse)
 	if [ -z "$RPM" ]; then
+	    if [ $configure -eq 0 ]; then
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+	    fi
+
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -453,7 +494,7 @@ case $HOST in
 esac
 
 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -476,7 +517,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
@@ -505,7 +546,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
     fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d

Shorewall-init/shorewall-init

@@ -30,7 +30,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
     fi
 
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
@@ -63,18 +63,19 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
       else
+          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
       fi
   done
@@ -95,8 +96,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-init/shorewall-init.service

@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
+Description=Shorewall IPv4 firewall (bootup security)
-After=syslog.target
 Before=network.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStop=/sbin/shorewall-init stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall-init/shorewall-init.service.214

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target

Shorewall-init/uninstall.sh

@@ -1,4 +1,4 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -69,6 +69,42 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -114,22 +150,29 @@ fi
 
 echo "Uninstalling Shorewall Init $VERSION"
 
+[ -n "$SANDBOX" ] && configure=0
+
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 
 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-init remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-init remove
-        insserv -r $INITSCRIPT
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $INITSCRIPT
-	chkconfig --del $(basename $INITSCRIPT)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $INITSCRIPT)
-	systemctl disable shorewall-init
+	fi
     fi
 
     remove_file $INITSCRIPT
 fi
 
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SYSTEMD/shorewall-init.service
+fi
+
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 
@@ -159,8 +202,9 @@ if [ -d ${CONFDIR}/ppp ]; then
     done
 fi
 
+rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
 
 echo "Shorewall Init Uninstalled"
 

Shorewall-lite/init.fedora.sh

@@ -39,7 +39,7 @@ fi
 
 start() {
     echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
     echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile

Shorewall-lite/install.sh

@@ -30,6 +30,7 @@ usage() # $1 = exit status
     echo "usage: $ME [ <configuration-file> ]"
     echo "       $ME -v"
     echo "       $ME -h"
+    echo "       $ME -n"
     exit $1
 }
 
@@ -113,9 +114,13 @@ fi
 # Parse the run line
 #
 finished=0
+configure=1
 
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
+    option=$1
+
+    case "$option" in
 	-*)
 	    option=${option#-}
 
@@ -128,6 +133,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -186,6 +195,8 @@ done
 
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 
+[ -n "$SANDBOX" ] && configure=0
+
 #
 # Determine where to install the firewall script
 #
@@ -206,7 +217,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -346,6 +357,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 
@@ -358,7 +370,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -369,7 +381,7 @@ fi
 
 if [ -n "$INITFILE" ]; then
     if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
 	install_file ${INITSOURCE} "$initfile" 0544
 
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -380,12 +392,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -466,18 +482,18 @@ done
 if [ -d manpages ]; then
     cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
 
     for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
     for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
     done
 
     cd ..
@@ -499,7 +515,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
     rm -f ${SHAREDIR}/$PRODUCT/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -526,8 +542,8 @@ if [ ${SHAREDIR} != /usr/share ]; then
     eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi

Shorewall-lite/manpages/shorewall-lite.xml

@@ -116,6 +116,8 @@
       <arg><option>-l</option></arg>
 
       <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -299,7 +301,7 @@
 
       <arg><option>-n</option></arg>
 
-      <arg><option>-p</option></arg>
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>
 
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
@@ -314,6 +316,8 @@
 
       <arg choice="plain"><option>restore</option></arg>
 
+      <arg><option>-C</option></arg>
+
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
@@ -325,7 +329,23 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>save</option></arg>
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">function</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
 
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
@@ -337,7 +357,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-b</option></arg>
 
@@ -359,7 +379,21 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-f</option></arg>
 
@@ -373,7 +407,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
       choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -386,7 +420,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>event</option><arg
       choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -399,11 +433,11 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg><option>-x</option></arg>
+      <arg><option>-c</option></arg>
 
-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="plain"><option>routing</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -413,7 +447,21 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
@@ -425,7 +473,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-m</option></arg>
 
@@ -445,6 +493,10 @@
       <arg><option>-n</option></arg>
 
       <arg><option>-p</option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-C</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -465,7 +517,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -496,8 +549,9 @@
 
     <para>The nolock <option>option</option> prevents the command from
     attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
+    need to include <command>shorewall</command> commands in the
-    <filename>/etc/shorewall/started</filename>.</para>
+    <filename>started</filename> <ulink
+    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
 
     <para>The <emphasis>options</emphasis> control the amount of output that
     the command produces. They consist of a sequence of the letters <emphasis
@@ -508,8 +562,8 @@
     role="bold">v</emphasis> adds one to the effective verbosity and each
     <emphasis role="bold">q</emphasis> subtracts one from the effective
     VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
-    be no white-space between <emphasis role="bold">v</emphasis> and the
+    white-space between <emphasis role="bold">v</emphasis> and the
     VERBOSITY.</para>
 
     <para>The <emphasis>options</emphasis> may also include the letter
@@ -628,6 +682,9 @@
 
           <para>The <emphasis role="bold">-l</emphasis> option causes the rule
           number for each Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
         </listitem>
       </varlistentry>
 
@@ -789,6 +846,12 @@
           <para>The <option>-p</option> option causes the connection tracking
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the specified (or implicit) firewall script is the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
         </listitem>
       </varlistentry>
 
@@ -804,6 +867,36 @@
           <emphasis>filename</emphasis> is given then Shorewall-lite will be
           restored from the file specified by the RESTOREFILE option in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during <emphasis
+          role="bold">shorewall save</emphasis>, then the counters saved by
+          that operation will be restored.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
         </listitem>
       </varlistentry>
 
@@ -818,6 +911,10 @@
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the iptables packet and byte counters to be saved along with
+          the chains and rules.</para>
         </listitem>
       </varlistentry>
 
@@ -829,6 +926,19 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -992,7 +1102,9 @@
               <term><emphasis role="bold">routing</emphasis></term>
 
               <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
               </listitem>
             </varlistentry>
 
@@ -1042,6 +1154,22 @@
           <para>The <option>-p</option> option causes the connection tracking
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
+
+          <para>The <option>-m</option> option prevents the firewall script
+          from modifying the current routing configuration.</para>
+
+          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
+          If the RESTOREFILE named in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
+          executable and is not older than the current filewall script, then
+          that saved configuration is restored.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the <emphasis
+          role="bold">save</emphasis> command, then the packet and byte
+          counters will be restored.</para>
         </listitem>
       </varlistentry>
 
@@ -1073,6 +1201,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall-lite/shorewall-lite.service

@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=syslog.target
 After=network.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall-lite/shorewall-lite.service.214

@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall-lite/uninstall.sh

@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
     exit $1
 }
 
@@ -69,6 +74,42 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,8 +153,12 @@ fi
 
 echo "Uninstalling Shorewall Lite $VERSION"
 
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+[ -n "$SANDBOX" ] && configure=0
-   shorewall-lite clear
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+	shorewall-lite clear
+    fi
 fi
 
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -123,28 +168,34 @@ elif [ -n "$INITFILE" ]; then
 fi
 
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-lite remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-lite remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif [ mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall-lite
+	fi
     fi
 
     remove_file $FIREWALL
 fi
 
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall-lite
 
-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+
+rm -f ${MANDIR}/man5/shorewall-lite*
+rm -f ${MANDIR}/man8/shorewall-lite*
 
 echo "Shorewall Lite Uninstalled"
 
-

Shorewall/Macros/macro.Goto-Meeting

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Citrix/Goto Meeting macro
+#
+# /usr/share/shorewall/macro.Goto-Meeting
+#          by Eric Teeter
+#       This macro handles Citrix/Goto Meeting
+#       Assumes that ports 80 and 443 are already open
+#       If needed, use the macros that open Http and Https to reduce redundancy
+####################################################################################
+#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                                       PORT(S) PORT(S) LIMIT   GROUP
+PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)

Shorewall/Perl/Shorewall/Accounting.pm

@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
     my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
 
-    $acctable = $config{ACCOUNTING_TABLE};
-
     $jumpchainref = 0;
 
     $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {
 
 	set_section_function( &process_section );
 
+	$acctable = $config{ACCOUNTING_TABLE};
+
 	first_entry "$doing $fn...";
 
 	my $nonEmpty = 0;

Shorewall/Perl/Shorewall/Chains.pm

@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
+                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,7 +105,6 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
-		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
@@ -262,6 +262,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
+				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -793,6 +794,13 @@ sub decr_cmd_level( $ ) {
     assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 
+#
+# Mark an action as terminating
+#
+sub make_terminating( $ ) {
+    $terminating{$_[0]} = 1;
+}
+
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1654,7 +1662,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
     my ( $chainref, $jump, $target, $number, @matches ) = @_;
 
-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
+    my $ruleref  = {};
 
     $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
 
@@ -1673,7 +1682,15 @@ sub insert_irule( $$$$;@ ) {
     
     $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
 
-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
+	#
+	# Avoid failure in spice if we insert beyond the end of the chain
+	#
+	$number = @$rulesref;
+	push @$rulesref, $ruleref;
+    } else {
+	splice( @$rulesref, $number, 0, $ruleref );
+    }
 
     trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
 
@@ -3503,7 +3520,7 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -4420,6 +4437,7 @@ sub do_proto( $$$;$ )
 
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
+			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
@@ -4459,7 +4477,8 @@ sub do_proto( $$$;$ )
 
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
-			    $output .= get_set_flags( $ports, 'dst' );
+			    $output .= '-m set ';
+			    $output .= get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -4624,30 +4643,35 @@ sub do_iproto( $$$ )
 
 		    if ( $ports ne '' ) {
 			$invert  = $ports =~ s/^!// ? '! ' : '';
-			$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
 
-			if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
+			if ( $ports =~ /^\+/ ) {
-			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
+			    push @output , set => ${invert} . get_set_flags( $ports, 'dst' );
+			} else {
+			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
 
-			    if ( port_count ( $ports ) > 15 ) {
+			    if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
-				if ( $restricted ) {
+				fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
-				    fatal_error "A port list in this file may only have up to 15 ports";
+
-				} elsif ( $invert ) {
+				if ( port_count ( $ports ) > 15 ) {
-				    fatal_error "An inverted port list may only have up to 15 ports";
+				    if ( $restricted ) {
+					fatal_error "A port list in this file may only have up to 15 ports";
+				    } elsif ( $invert ) {
+					fatal_error "An inverted port list may only have up to 15 ports";
+				    }
 				}
-			    }
 
-			    $ports = validate_port_list $pname , $ports;
+				$ports = validate_port_list $pname , $ports;
-			    push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
+				push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
-			    $multiport = 1;
+				$multiport = 1;
-			}  else {
+			    }  else {
-			    fatal_error "Missing DEST PORT" unless supplied $ports;
+				fatal_error "Missing DEST PORT" unless supplied $ports;
-			    $ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports;
 
-			    if ( $srcndst ) {
+				if ( $srcndst ) {
-				push @output, multiport => "${invert}--ports ${ports}";
+				    push @output, multiport => "${invert}--ports ${ports}";
-			    } else {
+				} else {
-				push @output, dport => "${invert}${ports}";
+				    push @output, dport => "${invert}${ports}";
+				}
 			    }
 			}
 		    } else {
@@ -4657,8 +4681,10 @@ sub do_iproto( $$$ )
 		    if ( $sports ne '' ) {
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
-			if ( $multiport ) {
 
+			if ( $ports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
 				    fatal_error "A port list in this file may only have up to 15 ports";
@@ -4859,62 +4885,79 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rate, $action ) = @_;
+    my ( $rates, $action ) = @_;
 
-    return '' unless $rate and $rate ne '-';
+    return '' unless $rates and $rates ne '-';
 
     fatal_error "Rate Limiting not available with $action" if $norate{$action};
-    #
-    # "-m hashlimit" match for the passed LIMIT/BURST
-    #
-    if ( $rate =~ /^[sd]:{1,2}/ ) {
-	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 
-	my $limit = "-m hashlimit ";
+    my @rates = split_list $rates, 'rate';
-	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-	my $units;
 
-	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+    if ( @rates == 2 ) {
-	    fatal_error "Invalid Rate ($3)" unless $4;
+	$rates[0] = 's:' . $rates[0];
-	    fatal_error "Invalid Burst ($7)" unless $7;
+	$rates[1] = 'd:' . $rates[1];
-	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
+    } elsif ( @rates > 2 ) {
-	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
+	fatal error "Only two rates may be specified";
-	    $limit .= ' --hashlimit-mode ';
+    }
-	    $units = $6;
-	} elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
-	    fatal_error "Invalid Rate ($3)" unless $4;
-	    $limit .= "--$match $3 --hashlimit-name ";
-	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
-	    $limit .= ' --hashlimit-mode ';
-	    $units = $6;
-	} else {
-	    fatal_error "Invalid rate ($rate)";
-	}
 
-	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+    my $limit = '';
 
-	if ( $units && $units ne 'sec' ) {
+    for my $rate ( @rates ) {
-	    my $expire = 60000; # 1 minute in milliseconds
+	#
+	# "-m hashlimit" match for the passed LIMIT/BURST
+	#
+	if ( $rate =~ /^([sd]):{1,2}/ ) {
+	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 
-	    if ( $units ne 'min' ) {
+	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-		$expire *= 60; #At least an hour
+	    my $units;
-		$expire *= 24 if $units eq 'day';
+
+	    $limit .= "-m hashlimit ";
+	    
+	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		fatal_error "Invalid Rate ($3)" unless $4;
+		fatal_error "Invalid Burst ($7)" unless $7;
+		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
+		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
+		$limit .= ' --hashlimit-mode ';
+		$units = $6;
+	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
+		fatal_error "Invalid Rate ($3)" unless $4;
+		$limit .= "--$match $3 --hashlimit-name ";
+		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
+		$limit .= ' --hashlimit-mode ';
+		$units = $6;
+	    } else {
+		fatal_error "Invalid rate ($rate)";
 	    }
 
-	    $limit .= "--hashlimit-htable-expire $expire ";
+	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
-	}
 
-	$limit;
+	    if ( $units && $units ne 'sec' ) {
-    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		my $expire = 60000; # 1 minute in milliseconds
-	fatal_error "Invalid Rate ($1)" unless $2;
+
-	fatal_error "Invalid Burst ($5)" unless $5;
+		if ( $units ne 'min' ) {
-	"-m limit --limit $1 --limit-burst $5 ";
+		    $expire *= 60; #At least an hour
-    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+		    $expire *= 24 if $units eq 'day';
-	fatal_error "Invalid Rate (${1}${2})" unless $1;
+		}
-	"-m limit --limit $rate ";
+
-    } else {
+		$limit .= "--hashlimit-htable-expire $expire ";
-	fatal_error "Invalid rate ($rate)";
+	    }
+	} else {
+	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		fatal_error "Invalid Rate ($1)" unless $2;
+		fatal_error "Invalid Burst ($5)" unless $5;
+		$limit = "-m limit --limit $1 --limit-burst $5 ";
+	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+		fatal_error "Invalid Rate (${1}${2})" unless $1;
+		$limit = "-m limit --limit $rate ";
+	    } else {
+		fatal_error "Invalid rate ($rate)";
+	    }
+	}
     }
+
+    $limit;
 }
 
 #
@@ -6487,7 +6530,6 @@ sub set_chain_variables() {
 
 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
-
 	emit( 'g_tool=$IPTABLES' );
     } else {
 	if ( $config{IP6TABLES} ) {
@@ -6502,7 +6544,6 @@ sub set_chain_variables() {
 
 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
-
 	emit( 'g_tool=$IP6TABLES' );
     }
 
@@ -7570,7 +7611,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }
 
@@ -7875,14 +7916,18 @@ sub emitr1( $$ ) {
 
 sub save_dynamic_chains() {
 
-    my $tool;
+    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
+    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
 
     emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
     push_indent;
 
-    if ( have_capability 'IPTABLES_S' ) {
+    emit( 'if [ -n "$g_counters" ]; then' ,
-	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
+	  "fi\n"
+	);
 
+    if ( have_capability 'IPTABLES_S' ) {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7902,6 +7947,7 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+
     } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
 
@@ -7979,11 +8025,99 @@ sub ensure_ipset( $ ) {
     }
 }
 
+#
+# Generate the save_ipsets() function
+#
+sub create_save_ipsets() {
+    my @ipsets = all_ipsets;
+
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+	  'save_ipsets() {' );
+
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit( '    local file' ,
+	      '',
+	      '    file=$1'
+	    );
+
+	if ( @ipsets ) {
+	    emit '';
+	    ensure_ipset( $_ ) for @ipsets;
+	}
+
+	if ( $config{SAVE_IPSETS} ) {
+	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+		emit( '' ,
+		      '    rm -f $file' ,
+		      '    touch $file' ,
+		      '    local set' ,
+		    );
+
+		if ( @ipsets ) {
+		    emit '';
+		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
+		}
+
+		emit( '',
+		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		      "        \$IPSET save \$set >> \$file" ,
+		      "    done" );
+	    } else {
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
+		       '    fi' );
+ 	    }
+
+	    emit("}\n" );
+	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
+	    emit( '' ,
+		  '    rm -f ${VARDIR}/ipsets.tmp' ,
+		  '    touch ${VARDIR}/ipsets.tmp' ,
+		);
+
+	    if ( @ipsets ) {
+		emit '';
+		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+	    }
+
+	    emit( '' ,
+		  "    if qt \$IPSET list $_; then" ,
+		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
+		  '    else' ,
+		  "        error_message 'ipset $_ not saved (not found)'" ,
+		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+
+	    emit( '' ,
+		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
+		  '' ,
+		  "}\n" );
+	}
+    } elsif ( $config{SAVE_IPSETS} ) {
+	emit( '    error_message "WARNING: No ipsets were saved"',
+	      "}\n" );
+    } else {
+	emit( '    true',
+	      "}\n" );
+    }
+}
+
 sub load_ipsets() {
 
     my @ipsets = all_ipsets;
 
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -8010,9 +8144,25 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    if ( @{$globals{SAVED_IPSETS}} ) {
+		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+	    }
 	}
 
 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8036,6 +8186,12 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET flush' ,
+		   '        $IPSET destroy' ,
+		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 
 	if ( @ipsets ) {
@@ -8043,36 +8199,14 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
 
-	emit( 'elif [ "$COMMAND" = stop ]; then' );
+	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-
+	      '   save_ipsets'
-	if ( @ipsets ) {
+	    );
-	    ensure_ipset( $_ ) for @ipsets;
-	    emit( '' );
-	}
-
-	if ( $family == F_IPV4 ) {
-	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		   '        #',
-		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		   '        #',
-		   '        hack=\'| grep -v /31\'' ,
-		   '    else' ,
-		   '        hack=' ,
-		   '    fi' ,
-		   '',
-		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	} else {
-	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	}
 
 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	}
+	};
 
 	emit ( 'fi' ,
 	       '' );
@@ -8118,17 +8252,29 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{'
+	   '{',
-	   );
+	   '    local option',
+	);
 
     push_indent;
 
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
 
-    save_progress_message "Preparing $utility input...";
+    emit( '',
+	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  '    option="--counters"',
+	  '',
+	  '    progress_message "Reusing existing ruleset..."',
+	  '',
+	  'else'
+	);
 
-    emit '';
+    push_indent;
+
+    emit 'option=';
+
+    save_progress_message "Preparing $utility input...";
 
     emit "exec 3>\${VARDIR}/.${utility}-input";
 
@@ -8168,6 +8314,14 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
+	#
+	# SHA1SUM chains for handling 'restart -s'
+	#
+	if ( $table eq 'filter' ) {
+	    emit_unindented ':$g_sha1sum1 - [0:0]';
+	    emit_unindented ':$g_sha1sum2 - [0:0]';
+	}
+
 	#
 	# Then emit the rules
 	#
@@ -8182,20 +8336,24 @@ sub create_netfilter_load( $ ) {
     }
 
     enter_cmd_mode;
+
+    pop_indent, emit "fi\n";
     #
     # Now generate the actual ip[6]tables-restore command
     #
     emit(  'exec 3>&-',
-	   '',
+	   '' );
-	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
+
-	   '',
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
-	   'progress_message2 "Running $command..."',
+
-	   '',
+    emit( '',
-	   "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
+	  'progress_message2 "Running $command..."',
-	   'if [ $? != 0 ]; then',
+	  '',
-	   qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
-	   "fi\n"
+	  'if [ $? != 0 ]; then',
-	   );
+	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  "fi\n"
+	);
 
     pop_indent;
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -280,42 +280,43 @@ sub generate_script_2() {
 
     if ( $global_variables ) {
 
-	emit( 'case $COMMAND in' );
-
-	push_indent;
-
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable)' );
-	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore)' );
-	}
 
-	push_indent;
+	    emit( 'case $COMMAND in' );
 
-	set_global_variables(1);
+	    push_indent;
-
-	handle_optional_interfaces(0);
-
-	emit ';;';
-
-	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    pop_indent;
 
 	    emit 'restore)';
 
 	    push_indent;
 
-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 
-	    handle_optional_interfaces(0);
+		set_global_variables(0);
+
+		handle_optional_interfaces(0);
+	    }
 
 	    emit ';;';
+
+	    pop_indent;
+
+	    emit '*)';
+
+	    push_indent;
 	}
 
-	pop_indent;
+	set_global_variables(1);
-	pop_indent;
 
-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(0);
+	    emit ';;';
+	    pop_indent;
+	    pop_indent;
+	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
+	}
     } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
     }
@@ -347,10 +348,12 @@ sub generate_script_3($) {
     create_netfilter_load( $test );
     create_arptables_load( $test ) if $have_arptables;
     create_chainlist_reload( $_[0] );
+    create_save_ipsets;
 
     emit "#\n# Start/Restart the Firewall\n#";
 
-    emit 'define_firewall() {';
+    emit( 'define_firewall() {',
+	  '    local options' );
 
     push_indent;
 
@@ -468,10 +471,12 @@ sub generate_script_3($) {
     emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then' );
+	  '    if [ -f $iptables_save_file ]; then',
+	  '        [ -n "$g_counters" ] && options=--counters'
+	);
 
     if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
 
 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -481,7 +486,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};
 
     } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
     }
 
     emit( '    else',
@@ -510,45 +515,41 @@ EOF
     #
     # Use a parameter list rather than 'here documents' to avoid an extra blank line
     #
-    emit(
+    emit( '    run_refreshed_exit',
-'    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
-'    do_iptables -N shorewall' );
 
     emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
 
     emit(
-"    set_state Started $config_dir",
+	"    set_state Started $config_dir",
-'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-'else',
+        'else',
-'    setup_netfilter'
+	'    setup_netfilter'
 	);
+
     push_indent;
     emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
     pop_indent;
 
-    emit<<'EOF';
+    emit( "    conditionally_flush_conntrack\n" );
-    conditionally_flush_conntrack
+
-EOF
     push_indent;
     initialize_switches;
     setup_forwarding( $family , 0 );
     pop_indent;
 
-    emit<<"EOF";
+    emit( '    run_start_exit', 
-    run_start_exit
+	  '    do_iptables -N shorewall',
-    do_iptables -N shorewall
+	  '' );
-EOF
 
-    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
 
-    emit<<"EOF";
+    emit( "    set_state Started $config_dir",
-    set_state Started $config_dir
+	  '    my_pathname=$(my_pathname)',
-    my_pathname=\$(my_pathname)
+	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
-    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
+	  '    run_started_exit',
-    run_started_exit
+	  "fi\n" );
-fi
-EOF
 
     emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -741,6 +742,8 @@ sub compiler {
     }
 
     setup_source_routing($family);
+
+    setup_log_backend($family);
     #
     # Proxy Arp/Ndp
     #
@@ -974,8 +977,7 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped;
+	    process_routestopped unless process_stoppedrules;
-	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities

Shorewall/Perl/Shorewall/Config.pm

@@ -40,6 +40,7 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
+use Digest::SHA qw(sha1_hex);
 
 our @ISA = qw(Exporter);
 #
@@ -88,6 +89,7 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
 
 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
+                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -741,6 +743,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
+	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -1105,7 +1108,8 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;
 
-    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SAVED_IPSETS} = [];
 
     if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -1758,6 +1762,13 @@ sub create_temp_script( $$ ) {
 
 }
 
+# Generate the SHA1 digest of the (incomplete script)
+#
+sub generate_sha1() {
+    my $data = `cat $tempfile`;
+    sha1_hex $data;
+}
+
 #
 # Finalize the script file
 #
@@ -1767,6 +1778,19 @@ sub finalize_script( $ ) {
     $script = 0;
 
     if ( $file ne '-' ) {
+	my $sha1sum  = generate_sha1;
+	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
+
+	@ARGV = ( $tempfile );
+	$^I = '';
+
+	while ( <> ) {
+	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+	    print;
+	}
+
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -3259,7 +3283,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
     }
 
-    if ( $actparms{0} ) {
+    if ( $chain ) {
+	#
+	# We're in an action body -- allow escaping at signs (@) for u32
+	#
+	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3296,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
+
+	$$lineref =~ s/\?\?/@/g;
     }
 }
 
@@ -3496,8 +3526,9 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$ ) {
+sub default_yes_no ( $$;$ ) {
-    my ( $var, $val ) = @_;
+    my ( $var, $val, $other ) = @_;
+    my $result = 1;
 
     my $curval = $config{$var};
 
@@ -3506,12 +3537,31 @@ sub default_yes_no ( $$ ) {
 
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
+	} elsif ( defined( $other ) ) {
+	    if ( $other eq '*' ) {
+		if ( $curval eq 'yes' ) {
+		    $config{$var} = 'Yes';
+		} else {
+		    $result = 0;
+		}
+	    } elsif ( $curval eq $other ) {
+		#
+		# Downshift value for later comparison
+		#
+		$config{$var} = $curval;
+	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
+	    #
+	    # Make Case same as default
+	    #
+	    $config{$var} = 'Yes';
 	}
     } else {
 	$config{$var} = $val;
     }
+
+    $result;
 }
 
 sub default_yes_no_ipv4 ( $$ ) {
@@ -4118,7 +4168,7 @@ sub IPSet_Match() {
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4190,7 @@ sub IPSet_Match_Nomatch() {
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {
@@ -4615,6 +4665,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
+	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,6 +4681,7 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
+	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
@@ -5026,15 +5078,23 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params() {
+sub get_params( $ ) {
+    my $export = $_[0];
+
     my $fn = find_file 'params';
 
     my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
 
     if ( -f $fn ) {
+	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
+
+	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
+
+	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
+
 	progress_message2 "Processing $fn ...";
 
-	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5304,7 +5364,7 @@ sub get_configuration( $$$$$ ) {
 
     ensure_config_path;
 
-    get_params;
+    get_params( $export );
 
     process_shorewall_conf( $update, $annotate, $directives );
 
@@ -5541,7 +5601,16 @@ sub get_configuration( $$$$$ ) {
     unsupported_yes_no         'BRIDGING';
     unsupported_yes_no_warning 'RFC1918_STRICT';
 
-    default_yes_no 'SAVE_IPSETS'                , '';
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
+	$val = $config{SAVE_IPSETS};
+	unless ( $val eq 'ipv4' ) {
+	    my @sets = split_list( $val , 'ipset' );
+	    $globals{SAVED_IPSETS} = \@sets;
+	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
+	    $config{SAVE_IPSETS} = '';
+	}
+    }
+
     default_yes_no 'SAVE_ARPTABLES'             , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5739,6 +5808,20 @@ sub get_configuration( $$$$$ ) {
     default_log_level 'INVALID_LOG_LEVEL',    '';
     default_log_level 'UNTRACKED_LOG_LEVEL',  '';
 
+    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
+	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
+	    $val = 'ipt_ULOG';
+	} elsif ( $val eq 'netlink' ) {
+	    $val = 'nfnetlink_log';
+	} elsif ( $val eq 'LOG' ) {
+	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
+	} else {
+	    fatal_error "Invalid LOG Backend ($val)";
+	}
+
+	$config{LOG_BACKEND} = $val;
+    }
+
     warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
 
     default_log_level 'SMURF_LOG_LEVEL',     '';

Shorewall/Perl/Shorewall/Misc.pm

@@ -690,11 +690,10 @@ sub process_stoppedrules() {
     my $result;
 
     if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
+	first_entry sub () {
-	    progress_message2("$doing $fn...");
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
-		$config{ADMINISABSENTMINDED} = 'Yes';
 	    }
 	};
 
@@ -994,7 +993,7 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 
 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1117,8 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 
 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -2606,42 +2606,11 @@ EOF
 
     my @ipsets = all_ipsets;
 
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit <<'EOF';
+	emit( '',
-
+	      '    save_ipsets ${VARDIR}/ipsets.save' );
-    case $IPSET in
-        */*)
-            if [ ! -x "$IPSET" ]; then
-                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-                IPSET=
-            fi
-	    ;;
-	*)
-	    IPSET="$(mywhich $IPSET)"
-	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-	    ;;
-    esac
-
-    if [ -n "$IPSET" ]; then
-        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-            #
-            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-            #
-            hack='| grep -v /31'
-        else
-            hack=
-        fi
-
-        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-            #
-            # Don't save an 'empty' file
-            #
-            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-        fi
-    fi
-EOF
     }
-
+	
     emit '
 
     set_state "Stopped"

Shorewall/Perl/Shorewall/Proc.pm

@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
+                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,43 @@ sub setup_interface_proc( $ ) {
     }
 }
 
+sub setup_log_backend($) {
+    if ( my $setting = $config{LOG_BACKEND} ) {
+	my $family   = shift;
+	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
+
+	emit( 'progress_message2 "Setting up log backend"',
+	      '',
+	      "if [ -f $file ]; then"
+	    );
+
+	if ( $setting =~ /ip6?t_log/i ) {
+	    my $alternative = 'nf_log_ipv' . $family;
+
+	    emit( "    setting=$setting",
+		  '',
+		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
+		  '',
+		  "    if echo \$setting > $file; then",
+		  '       progress_message "Log Backend set to $setting"',
+		  '   else',
+		  '       error_message "WARNING: Unable to set log backend to $setting"',
+		  '   fi',
+		  'else',
+		  "    error_message 'WARNING: $file does not exist - log backend not set'",
+		  "fi\n"
+		);
+	} else {
+	    emit( "    if echo $setting > $file; then",
+		  "        progress_message 'Log Backend set to $setting'",
+		  '    else',
+		  "        error_message 'WARNING: Unable to set log backend to $setting'",
+		  '    fi',
+		  'else',
+		  "    error_message 'WARNING: $file does not exist - log backend not set'",
+		  "fi\n" );
+	}
+    }
+}
 
 1;

Shorewall/Perl/Shorewall/Providers.pm

@@ -454,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
+
+    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
+
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $physical    = get_physical $interface;
+    #
+    # Switch to the logical name if a physical name was passed
+    #
+    my $physical;
+
+    if ( $interface eq $interfaceref->{name} ) {
+	#
+	# The logical interface name was specified
+	#
+	$physical = $interfaceref->{physical};
+    } else {
+	#
+	# A Physical name was specified
+	#
+	$physical = $interface;
+	#
+	# Switch to the logical name unless it is a wildcard
+	#
+	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
+    } 
+
     my $gatewaycase = '';
 
     if ( $physical =~ /\+$/ ) {
@@ -1273,9 +1296,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
 
-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';
 
-	emit "fi\n";
+	emit( 'else',
+	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
+	      "fi\n" );
     }
 
     emit  ( '#',
@@ -1872,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {
 
     if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;
 
-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#

Shorewall/Perl/Shorewall/Rules.pm

@@ -818,9 +818,7 @@ sub apply_policy_rules() {
     progress_message2 'Applying Policies...';
 
     for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
-
-	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1673,9 +1671,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
+			       undef,
+			       1 );
 	}
 
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,14 +1748,15 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches
 
-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
+	    my $noinline    = 0;
-	    my $nolog    = ( $type == INLINE ) || 0;
+	    my $nolog       = ( $type == INLINE ) || 0;
-	    my $builtin  = 0;
+	    my $builtin     = 0;
-	    my $raw      = 0;
+	    my $raw         = 0;
-	    my $mangle   = 0;
+	    my $mangle      = 0;
-	    my $filter   = 0;
+	    my $filter      = 0;
-	    my $nat      = 0;
+	    my $nat         = 0;
+	    my $terminating = 0;
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1774,6 +1775,8 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
+		    } elsif ( $_ eq 'terminating' ) {
+			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
@@ -1822,6 +1825,8 @@ sub process_actions() {
 		}
 
 		$targets{$action} = $actiontype;
+
+		make_terminating( $action ) if $terminating;
 	    } else {
 		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
@@ -2374,7 +2379,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,7 +2392,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';

Shorewall/Perl/Shorewall/Tc.pm

@@ -229,9 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
     sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';
-
-	$and_or ||= '';
 
 	if ( $params =~ /-/ ) {
 	    #
@@ -262,6 +260,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    $chain ||= $designator;
 	    $chain ||= $default_chain;
 
+	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
+
 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
 
 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
@@ -765,7 +765,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	for ( @state ) {
 	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
-	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
     } else {
 	$state = 'ALL';

Shorewall/Perl/Shorewall/Zones.pm

@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
+#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
+						       wildcard   => $wildcard,
 						     };
 
     if ( $zone ) {
@@ -1497,7 +1499,7 @@ sub map_physical( $$ ) {
 
     $physical =~ s/\+$//;
 
-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }
 
 #
@@ -1531,6 +1533,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
+						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
     }
@@ -2118,14 +2121,26 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
     my $option = $_[0];
     my @hosts;
+    my %done;
+
+    for my $interface ( @interfaces ) {
+	my $value = $interfaces{$interface}{options}{$option};
+	if ( ! $interfaces{$interface}{zone} && $value ) {
+	    push @hosts, [ $interface, '', ALLIP , [], $value ];
+	    $done{$interface} = 1;
+	}
+    }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
+		    my $ipsec = $host->{ipsec};
-			for my $net ( @{$host->{hosts}} ) {
+		    unless ( $done{$interface} ) { 
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			if ( my $value = $host->{options}{$option} ) {
+			    for my $net ( @{$host->{hosts}} ) {
+				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+			    }
 			}
 		    }
 		}
@@ -2133,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
 	}
     }
 
-    for my $interface ( @interfaces ) {
-	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
-	    push @hosts, [ $interface, 'none', ALLIP , [] ];
-	}
-    }
-
     \@hosts;
 }
 

Shorewall/Perl/lib.core

@@ -17,7 +17,7 @@
 #
 #	Options are:
 #
-#	    -n				  Don't alter Routing
+#	    -n				  Do not alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
@@ -587,7 +587,7 @@ debug_restore_input() {
     done
 }
 
-interface_up() {
+interface_enabled() {
     return $(cat ${VARDIR}/$1.status)
 }
 
@@ -604,7 +604,7 @@ distribute_load() {
     totalload=0
 
     for interface in $@; do
-	if interface_up $interface; then
+	if interface_enabled $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
@@ -845,6 +845,7 @@ detect_dynamic_gateway() { # $1 = interface
     local GATEWAYS
     GATEWAYS=
     local gateway
+    local file
 
     gateway=$(run_findgw_exit $1);
 
@@ -852,14 +853,21 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
-	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f "${file}" ]; then
+	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+    for file in \
-	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+	"${VARLIB}/dhcp/dhclient-${1}.lease" \
-    fi
+	"${VARLIB}/dhcp/dhclient.${1}.leases"
+    do
+	[ -n "$gateway" ] && break
+	if [ -f "${file}" ]; then
+	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
+	fi
+    done
 
     [ -n "$gateway" ] && echo $gateway
 }

Shorewall/Perl/prog.footer

@@ -17,8 +17,10 @@ usage() {
     echo "   reset"
     echo "   refresh"
     echo "   restart"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   status"
     echo "   up <interface>"
+    echo "   savesets <file>"
     echo "   version"
     echo
     echo "Options are:"
@@ -27,6 +29,7 @@ usage() {
     echo "   -n               Don't update routing configuration"
     echo "   -p               Purge Conntrack Table"
     echo "   -t               Timestamp progress Messages"
+    echo "   -c               Save/restore iptables counters"
     echo "   -V <verbosity>   Set verbosity explicitly"
     echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
@@ -84,6 +87,17 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
+#
+# These two variables contain the high-order and low-order parts respectively of
+# an SHA1 digest of this file. The digest is generated before the two following
+# lines are updated to contain the value of that digest.
+#
+g_sha1sum1=
+g_sha1sum2=
+#
+# Other Globals
+#
+g_counters=
 
 initialize
 
@@ -135,6 +149,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
+		    c*)
+			g_counters=Yes
+			option=${option#c}
+			;;
 		    V*)
 			option=${option#V}
 
@@ -371,6 +389,24 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
+    run)
+	if [ $# -gt 1 ]; then
+	    shift
+	    detect_configuration
+	    run_init_exit
+	    eval $@
+	    status=$?
+	else
+	    error_message "ERROR: Missing command"
+	fi
+	;;
+    savesets)
+	if [ $# -eq 2 ]; then
+	    save_ipsets $2
+	else
+	    usage 2
+	fi
+	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/Samples/Universal/interfaces

@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,optional
+net	all		dhcp,physical=+,routeback

Shorewall/Samples/Universal/shorewall.conf

@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/Samples/one-interface/shorewall.conf

@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -33,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/action.DNSAmp

@@ -0,0 +1,34 @@
+#
+# Shorewall 4 - DNS Amplification Action
+#
+#    /usr/share/shorewall/action.DNSAmp
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   DNSAmp[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?format 2
+
+DEFAULTS DROP
+
+IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"

Shorewall/actions.std

@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets

Shorewall/configfiles/shorewall.conf

@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/default.debian

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""
 

Shorewall/helpers

@@ -57,3 +57,15 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
+#
+# While not actually helpers, these are included here so that
+# LOG_BACKEND can work correctly. Not all of them will be
+# loaded, since at least one of them will be an alias on any
+# given system.
+#
+loadmodule ipt_LOG
+loadmodule nf_log_ipv4
+loadmodule xt_LOG
+loadmodule xt_NFLOG
+loadmodule ipt_ULOG
+loadmodule nfnetlink_log

Shorewall/init.fedora.sh

@@ -39,7 +39,7 @@ fi
 
 start() {
     echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
     echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile

Shorewall/init.slackware.shorewall.sh

@@ -10,15 +10,16 @@
 
 OPTIONS=""
 
-# Use /etc/default shorewall to specify $OPTIONS to run at startup, however this
+# Use /etc/default shorewall to specify $OPTIONS and STARTOPTIONS to
-# this might prevent shorewall from starting. use at your own risk
+# run at startup, however this this might prevent shorewall from
+# starting. use at your own risk
 if [ -f /etc/default/shorewall ] ; then
     . /etc/default/shorewall
 fi
 
 start() {
 	echo "Starting IPv4 shorewall rules..."
-	exec /sbin/shorewall $OPTIONS start
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 }
 
 stop() {
@@ -28,7 +29,7 @@ stop() {
 
 restart() {
 	echo "Restarting IPv4 shorewall rules..."
-	exec /sbin/shorewall restart
+	exec /sbin/shorewall restart $RESTARTOPTIONS
 }
 
 status() {

Shorewall/install.sh

@@ -35,6 +35,7 @@ usage() # $1 = exit status
     echo "       $ME -h"
     echo "       $ME -s"
     echo "       $ME -a"
+    echo "       $ME -n"
     exit $1
 }
 
@@ -118,6 +119,7 @@ T="-T"
 INSTALLD='-D'
 
 finished=0
+configure=1
 
 while [ $finished -eq 0 ]; do
     option=$1
@@ -147,6 +149,10 @@ while [ $finished -eq 0 ]; do
 			ANNOTATED=
 			option=${option#p}
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -203,9 +209,11 @@ done
 
 [ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
 
+[ -n "$SANDBOX" ] && configure=0
+
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -216,7 +224,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -315,6 +323,7 @@ if [ $PRODUCT = shorewall ]; then
 	    fi
 
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
+	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
     elif [ "$BUILD" = "$HOST" ]; then
         #
@@ -324,6 +333,7 @@ if [ $PRODUCT = shorewall ]; then
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
+		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
@@ -387,7 +397,7 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 if [ -n "$INITFILE" ]; then
     if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
 	install_file $INITSOURCE "$initfile" 0544
 
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -417,12 +427,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 
 #
@@ -1120,7 +1134,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
     rm -f ${SHAREDIR}/$PRODUCT/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -1167,8 +1181,8 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi

Shorewall/lib.cli-std

@@ -534,6 +534,10 @@ start_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -570,14 +574,14 @@ start_command() {
     esac
 
     if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
+	if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
 	    #
-	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
+	    # Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
 	    #
 	    object=firewall
 	else
 	    #
-	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
+	    # 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
 	    #
 	    object=$RESTOREFILE
 	fi
@@ -943,6 +947,10 @@ restart_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1615,6 +1623,15 @@ export_command() # $* = original arguments less the command.
     fi
 }
 
+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -1664,11 +1681,12 @@ usage() # $1 = exit status
     echo "   reject <address> ..."
     echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
     echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ <file name> ]"
+    echo "   save [ -C ] [ <file name> ]"
     echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] actions"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -1695,11 +1713,11 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
     echo "   status [ -i ]"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1

Shorewall/manpages/shorewall-actions.xml

@@ -71,10 +71,17 @@
                 role="bold">raw</emphasis>. If no table name(s) are given,
                 then <emphasis role="bold">filter</emphasis> is assumed. The
                 table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
+                and are separated by commas; for example, "FOOBAR
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                 target that can be used in the filter and mangle
                 tables.</para>
+
+                <para>Beginning with Shorewall 4.6.4, you may specify the
+                <emphasis role="bold">terminating</emphasis> option with
+                <emphasis role="bold">builtin</emphasis> to indicate to the
+                Shorewall optimizer that the action is terminating (the
+                current packet will not be passed to the next rule in the
+                chain).</para>
               </listitem>
             </varlistentry>
 
@@ -133,6 +140,17 @@
                 a subset of the rules.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>terminating</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.4. When used with
+                <replaceable>builtin</replaceable>, indicates that the
+                built-in action is termiating (i.e., if the action is jumped
+                to, the next rule in the chain is not evaluated).</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

Shorewall/manpages/shorewall-mangle.xml

@@ -27,7 +27,7 @@
 
     <para>This file was introduced in Shorewall 4.6.0 and is intended to
     replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
     file is only processed by the compiler if:</para>
 
     <orderedlist numeration="loweralpha">
@@ -124,7 +124,7 @@
 
           <variablelist>
             <varlistentry>
-              <term>CHECKSUM</term>
+              <term><emphasis role="bold">CHECKSUM</emphasis></term>
 
               <listitem>
                 <para>Compute and fill in the checksum in a packet that lacks
@@ -139,7 +139,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>CLASSIFY(<replaceable>classid</replaceable>)</term>
+              <term><emphasis
+              role="bold">CLASSIFY(<replaceable>classid</replaceable>)</emphasis></term>
 
               <listitem>
                 <para>A classification Id (classid) is of the form
@@ -189,7 +190,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>CONMARK({mark|range})</term>
+              <term><emphasis
+              role="bold">CONMARK({mark|range})</emphasis></term>
 
               <listitem>
                 <para>Identical to MARK with the exception that the mark is
@@ -322,7 +324,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term>IPMARK</term>
+              <term><emphasis role="bold">IPMARK</emphasis></term>
 
               <listitem>
                 <para>Assigns a mark to each matching packet based on the
@@ -430,8 +432,9 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term><emphasis
-              [<replaceable>option</replaceable> ...])</term>
+              role="bold">IPTABLES({<replaceable>target</replaceable>
+              [<replaceable>option</replaceable> ...])</emphasis></term>
 
               <listitem>
                 <para>This action allows you to specify an iptables target
@@ -452,7 +455,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term>MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</term>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</emphasis></term>
 
               <listitem>
                 <para>where <replaceable>mark</replaceable> is a packet mark

Shorewall/manpages/shorewall-policy.xml

@@ -242,13 +242,34 @@
 
       <varlistentry>
         <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [{<emphasis>s</emphasis>|<emphasis
+        [-|<replaceable>limit</replaceable>]</term>
-        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-        role="bold">/</emphasis>{<emphasis
-        role="bold">second</emphasis>|<emphasis
-        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>
 
         <listitem>
+          <para>where limit is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>
+
           <para>If passed, specifies the maximum TCP connection
           <emphasis>rate</emphasis> and the size of an acceptable
           <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -261,9 +282,19 @@
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
           role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the
+          POLICY or rule specifies the same name, the connections counts for
-          policies are aggregated and the individual rates apply to the
+          the policies are aggregated and the individual rates apply to the
           aggregated count.</para>
+
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-rules.xml

@@ -476,24 +476,32 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
                 <para>This action allows you to specify an iptables target
                 with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the target is not one recognized by Shorewall, the following
+                the <replaceable>iptables-target</replaceable> is not one
-                error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
+                issued:</para>
 
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
 
                 <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
+                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
-                <ulink
+                as a builtin action in <ulink
                 url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>iptables-target</replaceable>, the target of
+                  the rule will be the iptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
               </listitem>
             </varlistentry>
 
@@ -993,7 +1001,7 @@
           role="bold">DNAT-</emphasis>, the connections will be assigned to
           addresses in the range in a round-robin fashion.</para>
 
-          <para>If you kernel and iptables have ipset match support then you
+          <para>If your kernel and iptables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be
           optionally followed by a number from 1 to 6 enclosed in square
           brackets ([]) to indicate the number of levels of destination
@@ -1218,22 +1226,41 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
-        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+        <replaceable>limit</replaceable></term>
-        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-        role="bold">/</emphasis>{<emphasis
-        role="bold">sec</emphasis>|<emphasis
-        role="bold">min</emphasis>|<emphasis
-        role="bold">hour</emphasis>|<emphasis
-        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
 
         <listitem>
+          <para>where <replaceable>limit</replaceable> is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>
+
           <para>You may optionally rate-limit the rule by placing a value in
           this column:</para>
 
-          <para><emphasis>rate</emphasis> is the number of connections per
+          <para><emphasis>rate*</emphasis> is the number of connections per
           interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
           largest burst permitted. If no <emphasis>burst</emphasis> is given,
           a value of 5 is assumed. There may be no no white-space embedded in
           the specification.</para>
@@ -1242,15 +1269,28 @@
 
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable> may be chosen by
+          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifies a hash table to be used to count matching
+          the user and specifiy a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one rule specifies the same name, the
+          assumed. Where more than one rule or POLICY specifies the same name,
-          connections counts for the rules are aggregated and the individual
+          the connections counts for the rules are aggregated and the
-          rates apply to the aggregated count.</para>
+          individual rates apply to the aggregated count.</para>
 
-          <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
+
+          <para>In this example, the 'client' hash table will be used to
+          enforce the per-source limit and the compiler will pick a unique
+          name for the hash table that tracks the per-destination
+          limit.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-tcfilters.xml

@@ -88,9 +88,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -105,9 +107,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
 

Shorewall/manpages/shorewall-tcrules.xml

@@ -6,6 +6,8 @@
     <refentrytitle>shorewall-mangle</refentrytitle>
 
     <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -28,10 +30,10 @@
 
     <important>
       <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final mark for
+      evaluation of rules in this file will continue after a match. So the
-      each packet will be the one assigned by the LAST tcrule that
+      final mark for each packet will be the one assigned by the LAST tcrule
-      matches.</para>
+      that matches.</para>
 
       <para>If you use multiple internet providers with the 'track' option, in
       /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -311,8 +313,8 @@
               <para>When using Shorewall's built-in traffic shaping tool, the
               <emphasis>major</emphasis> class is the device number (the first
               device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-              major class 1, the second device is major class 2, and so on)
+              is major class 1, the second device is major class 2, and so on)
               and the <emphasis>minor</emphasis> class is the class's MARK
               value in <ulink
               url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -487,7 +489,8 @@
               [<replaceable>option</replaceable>] ...") after any matches
               specified at the end of the rule. If the target is not one known
               to Shorewall, then it must be defined as a builtin action in
-              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink
+              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
               (5).</para>
 
               <para>The following rules are equivalent:</para>
@@ -500,8 +503,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
 
               <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
-              third rule above can be specified as follows:</para>
+              then the third rule above can be specified as follows:</para>
 
               <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
             </listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -309,17 +309,22 @@
               <term>stoppedrules</term>
 
               <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
+                <para>All existing connections continue to work. To sever all
-                and the setting is ignored.</para>
+                existing connections when the firewall is stopped, install the
-
+                conntrack utility and place the command <command>conntrack
-                <para>In addition to connections matching entries in
+                -F</command> in the stopped user exit
-                <filename>stoppedrules</filename>, existing connections
-                continue to work and all new connections from the firewall
-                system itself are allowed. To sever all existing connections
-                when the firewall is stopped, install the conntrack utility
-                and place the command <command>conntrack -F</command> in the
-                stopped user exit
                 (<filename>/etc/shorewall/stopped</filename>).</para>
+
+                <para>If ADMINISABSENTMINDED=No, only new connections matching
+                entries in <filename>stoppedrules</filename> are accepted when
+                Shorewall is stopped. Response packets and related connections
+                are automatically accepted.</para>
+
+                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
+                matching entries in <filename>stoppedrules</filename>, all new
+                connections from the firewall system itself are allowed when
+                the firewall is stopped. Response packets and related
+                connections are automatically accepted.</para>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -1306,6 +1311,45 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
+          backend to be used for the <command>iptrace</command> command (see
+          <ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
+
+          <para><replaceable>backend</replaceable> is one of:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>LOG</term>
+
+              <listitem>
+                <para>Use standard kernel logging.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>ULOG</term>
+
+              <listitem>
+                <para>Use ULOG logging to ulogd.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>netlink</term>
+
+              <listitem>
+                <para>Use netlink logging to ulogd version 2 or later.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -2425,7 +2469,8 @@ INLINE          -       -       -       ; -j REJECT
 
       <varlistentry>
         <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>
 
         <listitem>
           <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@@ -2434,6 +2479,11 @@ INLINE          -       -       -       ; -j REJECT
           role="bold">shorewall save</emphasis> commands and restored by the
           <emphasis role="bold">shorewall start</emphasis> and <emphasis
           role="bold">shorewall restore</emphasis> commands.</para>
+
+          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
+          ipsets saved by specifying a setlist (a comma-separated list of ipv4
+          ipset names). You may also restrict the saved sets to just the ipv4
+          ones by specifying <emphasis role="bold">ipv4</emphasis>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -170,6 +170,8 @@
       <arg><option>-l</option></arg>
 
       <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -441,6 +443,8 @@
 
       <arg><option>-i</option></arg>
 
+      <arg><option>-C</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -452,11 +456,27 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>restore</option></arg>
+      <arg
+      choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg><arg><option>-C</option></arg></arg>
 
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable></arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -502,7 +522,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>save</option></arg>
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
 
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
@@ -514,7 +535,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-x</option></arg>
 
@@ -528,7 +549,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-b</option></arg>
 
@@ -550,7 +571,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-f</option></arg>
 
@@ -564,7 +585,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
       choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
@@ -577,7 +598,9 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg>-c</arg>
 
       <arg choice="plain"><option>event</option><arg
       choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -590,7 +613,21 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg choice="plain"><option>routing</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>macro</option><arg
       choice="plain"><replaceable>macro</replaceable></arg></arg>
@@ -603,11 +640,11 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-x</option></arg>
 
-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -617,7 +654,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
@@ -629,7 +666,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-m</option></arg>
 
@@ -656,6 +693,8 @@
 
       <arg><option>-T</option><arg><option>-i</option></arg></arg>
 
+      <arg><option>-C</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -753,7 +792,7 @@
     used for debugging. See <ulink
     url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
 
-    <para>The nolock <option>option</option> prevents the command from
+    <para>The <option>nolock</option> option prevents the command from
     attempting to acquire the Shorewall lockfile. It is useful if you need to
     include <command>shorewall</command> commands in
     <filename>/etc/shorewall/started</filename>.</para>
@@ -856,11 +895,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -899,21 +938,21 @@
           compile -- -</command>) to suppress the 'Compiling...' message
           normally generated by <filename>/sbin/shorewall</filename>.</para>
 
-          <para>When -e is specified, the compilation is being performed on a
+          <para>When <option>-e</option> is specified, the compilation is
-          system other than where the compiled script will run. This option
+          being performed on a system other than where the compiled script
-          disables certain configuration options that require the script to be
+          will run. This option disables certain configuration options that
-          compiled where it is to be run. The use of -e requires the presence
+          require the script to be compiled where it is to be run. The use of
-          of a configuration file named <filename>capabilities</filename>
+          <option>-e</option> requires the presence of a configuration file
-          which may be produced using the command <emphasis
+          named <filename>capabilities</filename> which may be produced using
-          role="bold">shorewall-lite show -f capabilities &gt;
+          the command <command>shorewall-lite show -f capabilities &gt;
-          capabilities</emphasis> on a system with Shorewall Lite
+          capabilities</command> on a system with Shorewall Lite
           installed</para>
 
-          <para>The <emphasis role="bold">-c</emphasis> option was added in
+          <para>The <option>-c</option> option was added in Shorewall 4.5.17
-          Shorewall 4.5.17 and causes conditional compilation of a script. The
+          and causes conditional compilation of a script. The script specified
-          script specified by <replaceable>pathname</replaceable> (or implied
+          by <replaceable>pathname</replaceable> (or implied if <emphasis
-          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
+          role="bold">pathname</emphasis> is omitted) is compiled if it
-          if it doesn't exist or if there is any file in the
+          doesn't exist or if there is any file in the
           <replaceable>directory</replaceable> or in a directory on the
           CONFIG_PATH that has a modification time later than the file to be
           compiled. When no compilation is needed, a message is issued and an
@@ -930,11 +969,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -1000,12 +1039,16 @@
 
           <para>The <emphasis role="bold">-x</emphasis> option causes actual
           packet and byte counts to be displayed. Without that option, these
-          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
+          counts are abbreviated.</para>
-          option causes any MAC addresses included in Shorewall log messages
+
-          to be displayed.</para>
+          <para>The <emphasis role="bold">-m</emphasis> option causes any MAC
+          addresses included in Shorewall log messages to be displayed.</para>
 
           <para>The <emphasis role="bold">-l</emphasis> option causes the rule
           number for each Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
         </listitem>
       </varlistentry>
 
@@ -1114,11 +1157,10 @@
           be one or more matches that may appear in both the raw table OUTPUT
           and raw table PREROUTING chains.</para>
 
-          <para>The trace records are written to the kernel's log buffer with
+          <para>The log message destination is determined by the
-          facility = kernel and priority = warning, and they are routed from
+          currently-selected IPv4 <ulink
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          url="/shorewall_logging.html#Backends">logging
-          Shorewall has no control over where the messages go; consult your
+          backend</ulink>.</para>
-          logging daemon's documentation.</para>
         </listitem>
       </varlistentry>
 
@@ -1168,11 +1210,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -1254,21 +1296,21 @@
           <para>The <option>-n</option> option was added in Shorewall 4.5.3
           causes Shorewall to avoid updating the routing table(s).</para>
 
-          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
           causes the compiler to run under the Perl debugger.</para>
 
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
 
-          <para>The -<option>D</option> option was added in Shorewall 4.5.3
+          <para>The <option>-D</option> option was added in Shorewall 4.5.3
           and causes Shorewall to look in the given
           <emphasis>directory</emphasis> first for configuration files.</para>
 
@@ -1330,11 +1372,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -1366,7 +1408,7 @@
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
 
-          <para>The <option>-d </option>option causes the compiler to run
+          <para>The <option>-d</option> option causes the compiler to run
           under the Perl debugger.</para>
 
           <para>The <option>-f</option> option suppresses the compilation step
@@ -1378,19 +1420,27 @@
           and performs the compilation step unconditionally, overriding the
           AUTOMAKE setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          both <option>-f</option> and <option>-c</option>are present, the
+          both <option>-f</option> and <option>-c</option> are present, the
           result is determined by the option that appears last.</para>
 
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when AUTOMAKE=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
+          existing firewall script is used and if that script was the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
         </listitem>
       </varlistentry>
 
@@ -1406,6 +1456,53 @@
           <emphasis>filename</emphasis> is given then Shorewall will be
           restored from the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
+          causes the connection tracking table to be flushed; the
+          <command>conntrack</command> utility must be installed to use this
+          option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during <emphasis
+          role="bold">shorewall save</emphasis>, then the counters saved by
+          that operation will be restored.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+
+          <para>If there are files in the CONFIG_PATH that were modified after
+          the current firewall script was generated, the following warning
+          message is issued:</para>
+
+          <simplelist>
+            <member>WARNING: /var/lib/shorewall/firewall is not up to
+            date</member>
+          </simplelist>
         </listitem>
       </varlistentry>
 
@@ -1468,6 +1565,10 @@
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the iptables packet and byte counters to be saved along with
+          the chains and rules.</para>
         </listitem>
       </varlistentry>
 
@@ -1494,7 +1595,7 @@
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                 along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                shorewall-blrules(5). The <emphasis role="bold">-x</emphasis>
                 option is passed directly through to iptables and causes
                 actual packet and byte counts to be displayed. Without this
                 option, those counts are abbreviated.</para>
@@ -1660,7 +1761,7 @@
 
               <listitem>
                 <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
+                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The
                 <emphasis role="bold">-x</emphasis> option is passed directly
                 through to iptables and causes actual packet and byte counts
                 to be displayed. Without this option, those counts are
@@ -1684,7 +1785,9 @@
               <term><emphasis role="bold">routing</emphasis></term>
 
               <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration.
+                The<option> -c</option> option causes the route cache to be
+                displayed along with the other routing information.</para>
               </listitem>
             </varlistentry>
 
@@ -1693,7 +1796,7 @@
 
               <listitem>
                 <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The
                 <emphasis role="bold">-x</emphasis> option is passed directly
                 through to iptables and causes actual packet and byte counts
                 to be displayed. Without this option, those counts are
@@ -1772,6 +1875,13 @@
           lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
           <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the <emphasis
+          role="bold">save</emphasis> command, then the packet and byte
+          counters will be restored.</para>
         </listitem>
       </varlistentry>
 

Shorewall/modules.essential

@@ -28,4 +28,3 @@ loadmodule iptable_nat
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
-loadmodule ipt_LOG

Shorewall/modules.extensions

@@ -32,7 +32,6 @@ loadmodule ipt_ipp2p
 loadmodule ipt_iprange
 loadmodule ipt_length
 loadmodule ipt_limit
-loadmodule ipt_LOG
 loadmodule ipt_mac
 loadmodule ipt_mark
 loadmodule ipt_MARK
@@ -58,4 +57,3 @@ loadmodule ipt_tos
 loadmodule ipt_TOS
 loadmodule ipt_ttl
 loadmodule ipt_TTL
-loadmodule ipt_ULOG

Shorewall/modules.xtables

@@ -31,7 +31,6 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
-loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev

Shorewall/shorewall.service

@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-After=syslog.target
 After=network.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall/shorewall.service.214

@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall/uninstall.sh

@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx #The Build script inserts the actual version
+PRODUCT=shorewall
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
     exit $1
 }
 
@@ -69,6 +74,43 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
@@ -110,24 +152,39 @@ fi
 
 echo "Uninstalling shorewall $VERSION"
 
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+[ -n "$SANDBOX" ] && configure=0
-   shorewall clear
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+	shorewall clear
+    fi
 fi
 
 rm -f ${SBINDIR}/shorewall
 
-if [ -f "$INITSCRIPT" ]; then
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
-    if mywhich updaterc.d ; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
-	updaterc.d ${PRODUCT} remove
+elif [ -n "$INITFILE" ]; then
-    elif mywhich insserv ; then
+    FIREWALL=${INITDIR}/${INITFILE}
-        insserv -r $INITSCRIPT
+fi
-    elif mywhich chkconfig ; then
+
-	chkconfig --del $(basename $INITSCRIPT)
+if [ -f "$FIREWALL" ]; then
-    elif mywhich systemctl ; then
+    if [ $configure -eq 1 ]; then
-	systemctl disable ${PRODUCT}
+	if mywhich updaterc.d ; then
+	    updaterc.d ${PRODUCT} remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
     fi
 
-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
+fi
+
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall.service
 fi
 
 rm -rf ${SHAREDIR}/shorewall/version
@@ -139,8 +196,8 @@ if [ -n "$SYSCONFDIR" ]; then
 fi
 
 rm -rf ${VARDIR}/shorewall
-rm -rf ${PERLLIB}/Shorewall/*
+rm -rf ${PERLLIBDIR}/Shorewall/*
-rm -rf ${LIBEXEC}/shorewall
+rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/

Shorewall6-lite/init.fedora.sh

@@ -39,7 +39,7 @@ fi
 
 start() {
     echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
     echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -116,6 +116,8 @@
       <arg><option>-l</option></arg>
 
       <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -301,6 +303,8 @@
 
       <arg><option>-p</option></arg>
 
+      <arg><option>-C</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -314,9 +318,26 @@
 
       <arg choice="plain"><option>restore</option></arg>
 
+      <arg><option>-C</option></arg>
+
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">command</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -327,6 +348,8 @@
 
       <arg choice="plain"><option>save</option></arg>
 
+      <arg><option>-C</option></arg>
+
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
@@ -337,7 +360,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-b</option></arg>
 
@@ -359,7 +382,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-f</option></arg>
 
@@ -373,7 +396,21 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
       choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -386,7 +423,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>event</option><arg
       choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -399,11 +436,11 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg><option>-x</option></arg>
+      <arg><option>-c</option></arg>
 
-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="plain"><option>routing</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -413,7 +450,21 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
@@ -425,7 +476,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-m</option></arg>
 
@@ -445,6 +496,10 @@
       <arg><option>-n</option></arg>
 
       <arg><option>-p</option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-C</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -465,7 +520,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -494,10 +550,11 @@
     used for debugging. See <ulink
     url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
 
-    <para>The nolock <option>option</option> prevents the command from
+    <para>The <option>nolock</option> option prevents the command from
     attempting to acquire the shorewall6-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
+    need to include <command>shorewall</command> commands in the
-    <filename>/etc/shorewall/started</filename>.</para>
+    <filename>started</filename> <ulink
+    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
 
     <para>The <emphasis>options</emphasis> control the amount of output that
     the command produces. They consist of a sequence of the letters <emphasis
@@ -508,8 +565,8 @@
     role="bold">v</emphasis> adds one to the effective verbosity and each
     <emphasis role="bold">q</emphasis> subtracts one from the effective
     VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
-    be no white-space between <emphasis role="bold">v</emphasis> and the
+    white-space between <emphasis role="bold">v</emphasis> and the
     VERBOSITY.</para>
 
     <para>The <emphasis>options</emphasis> may also include the letter
@@ -530,19 +587,21 @@
           <para>Adds a list of hosts or subnets to a dynamic zone usually used
           with VPN's.</para>
 
-          <para>The <emphasis>interface</emphasis> argument names an interface
+          <para>The <replaceable>interface</replaceable> argument names an
-          defined in the <ulink
+          interface defined in the <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <emphasis>host-list</emphasis> is comma-separated list whose
+          file. A <replaceable>host-list</replaceable> is comma-separated list
-          elements are host or network addresses.<caution>
+          whose elements are host or network addresses.</para>
-              <para>The <command>add</command> command is not very robust. If
+
-              there are errors in the <replaceable>host-list</replaceable>,
+          <caution>
-              you may see a large number of error messages yet a subsequent
+            <para>The <command>add</command> command is not very robust. If
-              <command>shorewall6-lite show zones</command> command will
+            there are errors in the <replaceable>host-list</replaceable>, you
-              indicate that all hosts were added. If this happens, replace
+            may see a large number of error messages yet a subsequent
-              <command>add</command> by <command>delete</command> and run the
+            <command>shorewall6-lite show zones</command> command will
-              same command again. Then enter the correct command.</para>
+            indicate that all hosts were added. If this happens, replace
-            </caution></para>
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
         </listitem>
       </varlistentry>
 
@@ -551,10 +610,9 @@
 
         <listitem>
           <para>Re-enables receipt of packets from hosts previously
-          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
+          blacklisted by a <command>drop</command>,
-          role="bold">logdrop</emphasis>, <emphasis
+          <command>logdrop</command>, <command>reject</command>, or
-          role="bold">reject</emphasis>, or <emphasis
+          <command>logreject</command> command.</para>
-          role="bold">logreject</emphasis> command.</para>
         </listitem>
       </varlistentry>
 
@@ -568,10 +626,9 @@
           the firewall is causing connection problems.</para>
 
           <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
+          by the compiled script that executed the last successful
-          role="bold">start</emphasis>, <emphasis
+          <command>start</command>, <command>restart</command> or
-          role="bold">restart</emphasis> or <emphasis
+          <command>refresh</command> command if that script exists.</para>
-          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -579,14 +636,14 @@
         <term><emphasis role="bold">delete</emphasis></term>
 
         <listitem>
-          <para>The delete command reverses the effect of an earlier <emphasis
+          <para>The delete command reverses the effect of an earlier
-          role="bold">add</emphasis> command.</para>
+          <command>add</command> command.</para>
 
-          <para>The <emphasis>interface</emphasis> argument names an interface
+          <para>The <replaceable>interface</replaceable> argument names an
-          defined in the <ulink
+          interface defined in the <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <emphasis>host-list</emphasis> is comma-separated list whose
+          file. A <replaceable>host-list</replaceable> is comma-separated list
-          elements are a host or network address.</para>
+          whose elements are a host or network address.</para>
         </listitem>
       </varlistentry>
 
@@ -606,8 +663,8 @@
         <term><emphasis role="bold">drop</emphasis></term>
 
         <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          <para>Causes traffic from the listed
-          to be silently dropped.</para>
+          <replaceable>address</replaceable>es to be silently dropped.</para>
         </listitem>
       </varlistentry>
 
@@ -618,14 +675,18 @@
           <para>Produces a verbose report about the firewall configuration for
           the purpose of problem analysis.</para>
 
-          <para>The <emphasis role="bold">-x</emphasis> option causes actual
+          <para>The <option>-x</option> option causes actual packet and byte
-          packet and byte counts to be displayed. Without that option, these
+          counts to be displayed. Without that option, these counts are
-          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
+          abbreviated.</para>
-          option causes any MAC addresses included in shorewall6-lite log
-          messages to be displayed.</para>
 
-          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          <para>The <option>-m</option> option causes any MAC addresses
-          number for each Netfilter rule to be displayed.</para>
+          included in shorewall6-lite log messages to be displayed.</para>
+
+          <para>The <option>-l</option> option causes the rule number for each
+          Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
         </listitem>
       </varlistentry>
 
@@ -645,10 +706,11 @@
         <term><emphasis role="bold">forget</emphasis></term>
 
         <listitem>
-          <para>Deletes /var/lib/shorewall6-lite/<emphasis>filename</emphasis>
+          <para>Deletes
-          and /var/lib/shorewall6-lite/save. If no
+          <filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
-          <emphasis>filename</emphasis> is given then the file specified by
+          and <filename>/var/lib/shorewall6-lite/save</filename>. If no
-          RESTOREFILE in <ulink
+          <replaceable>filename</replaceable> is given then the file specified
+          by RESTOREFILE in <ulink
           url="shorewall.conf.html">shorewall6.conf</ulink>(5) is
           assumed.</para>
         </listitem>
@@ -714,10 +776,11 @@
         <term><emphasis role="bold">logdrop</emphasis></term>
 
         <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          <para>Causes traffic from the listed
-          to be logged then discarded. Logging occurs at the log level
+          <replaceable>address</replaceable>es to be logged then discarded.
-          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
-          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
+          setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
+          (5).</para>
         </listitem>
       </varlistentry>
 
@@ -728,15 +791,18 @@
           <para>Monitors the log file specified by the LOGFILE option in
           <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5) and
           produces an audible alarm when new shorewall6-lite messages are
-          logged. The <emphasis role="bold">-m</emphasis> option causes the
+          logged.</para>
-          MAC address of each packet source to be displayed if that
+
-          information is available. The
+          <para>The <option>-m</option> option causes the MAC address of each
-          <replaceable>refresh-interval</replaceable> specifies the time in
+          packet source to be displayed if that information is
-          seconds between screen refreshes. You can enter a negative number by
+          available.</para>
-          preceding the number with "--" (e.g., <command>shorewall6-lite
+
-          logwatch -- -30</command>). In this case, when a packet count
+          <para>The <replaceable>refresh-interval</replaceable> specifies the
-          changes, you will be prompted to hit any key to resume screen
+          time in seconds between screen refreshes. You can enter a negative
-          refreshes.</para>
+          number by preceding the number with "--" (e.g.,
+          <command>shorewall6-lite logwatch -- -30</command>). In this case,
+          when a packet count changes, you will be prompted to hit any key to
+          resume screen refreshes.</para>
         </listitem>
       </varlistentry>
 
@@ -744,10 +810,11 @@
         <term><emphasis role="bold">logreject</emphasis></term>
 
         <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          <para>Causes traffic from the listed
-          to be logged then rejected. Logging occurs at the log level
+          <replaceable>address</replaceable>es to be logged then rejected.
-          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
-          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
+          setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
+          (5).</para>
         </listitem>
       </varlistentry>
 
@@ -777,9 +844,17 @@
         <term><emphasis role="bold">restart</emphasis></term>
 
         <listitem>
-          <para>Restart is similar to <emphasis role="bold">shorewall6-lite
+          <para>Restart is similar to <command>shorewall6-lite start</command>
-          start</emphasis> except that it assumes that the firewall is already
+          except that it assumes that the firewall is already started.
-          started. Existing connections are maintained.</para>
+          Existing connections are maintained.</para>
+
+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
 
           <para>The <option>-n</option> option causes shorewall6-lite to avoid
           updating the routing table(s).</para>
@@ -787,6 +862,12 @@
           <para>The <option>-p</option> option causes the connection tracking
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the specified (or implicit) firewall script is the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
         </listitem>
       </varlistentry>
 
@@ -794,14 +875,38 @@
         <term><emphasis role="bold">restore</emphasis></term>
 
         <listitem>
-          <para>Restore shorewall6-lite to a state saved using the <emphasis
+          <para>Restore shorewall6-lite to a state saved using the
-          role="bold">shorewall6-lite save</emphasis> command. Existing
+          <command>shorewall6-lite save</command> command. Existing
-          connections are maintained. The <emphasis>filename</emphasis> names
+          connections are maintained. The <replaceable>filename</replaceable>
-          a restore file in /var/lib/shorewall6-lite created using <emphasis
+          names a restore file in <filename
-          role="bold">shorewall6-lite save</emphasis>; if no
+          class="directory">/var/lib/shorewall6-lite</filename> created using
-          <emphasis>filename</emphasis> is given then shorewall6-lite will be
+          <command>shorewall6-lite save</command>; if no
-          restored from the file specified by the RESTOREFILE option in <ulink
+          <replaceable>filename</replaceable> is given then shorewall6-lite
+          will be restored from the file specified by the RESTOREFILE option
+          in <ulink
           url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during
+          <command>shorewall7-lite save</command>, then the counters saved by
+          that operation will be restored.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the command, the script will detect the
+          configuration, setting all SW_* variables and will run your
+          <filename>init</filename> extension script with $COMMAND =
+          'run'.</para>
         </listitem>
       </varlistentry>
 
@@ -810,12 +915,17 @@
 
         <listitem>
           <para>The dynamic blacklist is stored in
-          /var/lib/shorewall6-lite/save. The state of the firewall is stored
+          <filename>/var/lib/shorewall6-lite/save</filename>. The state of the
-          in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
+          firewall is stored in
-          the <emphasis role="bold">shorewall6-lite restore</emphasis>. If
+          <filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
-          <emphasis>filename</emphasis> is not given then the state is saved
+          for use by the <command>shorewall6-lite restore</command> command.
-          in the file specified by the RESTOREFILE option in <ulink
+          If <replaceable>filename</replaceable> is not given then the state
+          is saved in the file specified by the RESTOREFILE option in <ulink
           url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the ip6tables packet and byte counters to be saved along with
+          the chains and rules.</para>
         </listitem>
       </varlistentry>
 
@@ -827,14 +937,27 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall6-blrules(5).The <option>-x</option> option is passed
+                directly through to ip6tables and causes actual packet and
+                byte counts to be displayed. Without this option, those counts
+                are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
               <listitem>
                 <para>Displays your kernel/iptables capabilities. The
-                <emphasis role="bold">-f</emphasis> option causes the display
+                <option>-f</option> option causes the display to be formatted
-                to be formatted as a capabilities file for use with <emphasis
+                as a capabilities file for use with <command>compile
-                role="bold">compile -e</emphasis>.</para>
+                -e</command>.</para>
               </listitem>
             </varlistentry>
 
@@ -848,25 +971,26 @@
                 -L</emphasis> <emphasis>chain</emphasis> <emphasis
                 role="bold">-n -v</emphasis> command. If no
                 <emphasis>chain</emphasis> is given, all of the chains in the
-                filter table are displayed. The <emphasis
+                filter table are displayed.</para>
-                role="bold">-x</emphasis> option is passed directly through to
+
-                iptables and causes actual packet and byte counts to be
+                <para>The <option>-x</option> option is passed directly
-                displayed. Without this option, those counts are abbreviated.
+                through to iptables and causes actual packet and byte counts
-                The <emphasis role="bold">-t</emphasis> option specifies the
+                to be displayed. Without this option, those counts are
-                Netfilter table to display. The default is <emphasis
+                abbreviated.</para>
+
+                <para>The <option>-t</option> option specifies the Netfilter
+                table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
-                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                <para>The <option>-b</option> ('brief') option causes rules
-                causes rules which have not been used (i.e. which have zero
+                which have not been used (i.e. which have zero packet and byte
-                packet and byte counts) to be omitted from the output. Chains
+                counts) to be omitted from the output. Chains with no rules
-                with no rules displayed are also omitted from the
+                displayed are also omitted from the output.</para>
-                output.</para>
 
-                <para>The <emphasis role="bold">-l</emphasis> option causes
+                <para>The <option>-l</option> option causes the rule number
-                the rule number for each Netfilter rule to be
+                for each Netfilter rule to be displayed.</para>
-                displayed.</para>
 
-                <para>If the <emphasis role="bold">t</emphasis> option and the
+                <para>If the <option>-t</option> option and the
                 <option>chain</option> keyword are both omitted and any of the
                 listed <replaceable>chain</replaceable>s do not exist, a usage
                 message is displayed.</para>
@@ -944,10 +1068,11 @@
               <listitem>
                 <para>Displays the last 20 shorewall6-lite messages from the
                 log file specified by the LOGFILE option in <ulink
-                url="shorewall.conf.html">shorewall6.conf</ulink>(5). The
+                url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
-                <emphasis role="bold">-m</emphasis> option causes the MAC
+
-                address of each packet source to be displayed if that
+                <para>The <option>-m</option> option causes the MAC address of
-                information is available.</para>
+                each packet source to be displayed if that information is
+                available.</para>
               </listitem>
             </varlistentry>
 
@@ -966,10 +1091,10 @@
 
               <listitem>
                 <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
+                <command>iptables -t nat -L -n -v</command>.The
-                <emphasis role="bold">-x</emphasis> option is passed directly
+                <option>-x</option> option is passed directly through to
-                through to iptables and causes actual packet and byte counts
+                iptables and causes actual packet and byte counts to be
-                to be displayed. Without this option, those counts are
+                displayed. Without this option, those counts are
                 abbreviated.</para>
               </listitem>
             </varlistentry>
@@ -990,7 +1115,9 @@
               <term><emphasis role="bold">routing</emphasis></term>
 
               <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
               </listitem>
             </varlistentry>
 
@@ -999,10 +1126,10 @@
 
               <listitem>
                 <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <command>iptables -t raw -L -n -v</command>.The
-                <emphasis role="bold">-x</emphasis> option is passed directly
+                <option>-x</option> option is passed directly through to
-                through to iptables and causes actual packet and byte counts
+                iptables and causes actual packet and byte counts to be
-                to be displayed. Without this option, those counts are
+                displayed. Without this option, those counts are
                 abbreviated.</para>
               </listitem>
             </varlistentry>
@@ -1032,7 +1159,7 @@
         <term><emphasis role="bold">start</emphasis></term>
 
         <listitem>
-          <para>Start Shorewall Lite. Existing connections through
+          <para>Start Shorewall6 Lite. Existing connections through
           shorewall6-lite managed interfaces are untouched. New connections
           will be allowed only if they are allowed by the firewall rules or
           policies.</para>
@@ -1040,6 +1167,22 @@
           <para>The <option>-p</option> option causes the connection tracking
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
+
+          <para>The <option>-m</option> option prevents the firewall script
+          from modifying the current routing configuration.</para>
+
+          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
+          If the RESTOREFILE named in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
+          executable and is not older than the current filewall script, then
+          that saved configuration is restored.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the
+          <command>save</command> command, then the packet and byte counters
+          will be restored.</para>
         </listitem>
       </varlistentry>
 
@@ -1058,10 +1201,9 @@
           or by ADMINISABSENTMINDED.</para>
 
           <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
+          by the compiled script that executed the last successful
-          role="bold">start</emphasis>, <emphasis
+          <command>start</command>, <command>restart</command> or
-          role="bold">restart</emphasis> or <emphasis
+          <command>refresh</command> command if that script exists.</para>
-          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -1071,6 +1213,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/shorewall6-lite.service

@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
-After=syslog.target
 After=network.target
+Conflicts=ip6tables.service firewalld.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall6-lite/shorewall6-lite.service.214

@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall6-lite/uninstall.sh

@@ -27,6 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall6-lite
 
 usage() # $1 = exit status
 {
@@ -69,6 +70,42 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,38 +149,50 @@ fi
 
 echo "Uninstalling Shorewall Lite $VERSION"
 
-if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR)/shorewall6 ]; then
+[ -n "$SANDBOX" ] && configure=0
-   ${SBINDIR}/shorewall6-lite clear
+
+if [ $configure -eq 1 ]; then
+    if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/shorewall6-lite clear
+    fi
 fi
 
-if [ -l ${SHAREDIR}/shorewall6-lite/init ]; then
+if [ -f ${SHAREDIR}/shorewall6-lite/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
 
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall6-lite remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall6-lite remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall6-lite
+	elif mywhich systemctl ; then
+	    systemctl disable shorewall6-lite
+	fi
     fi
 
     remove_file $FIREWALL
 fi
 
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall6-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
 rm -rf ${VARDIR}/shorewall6-lite
 rm -rf ${SHAREDIR}/shorewall6-lite
-rm -rf ${LIBEXEC}/shorewall6-lite
+rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 [ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
 
+rm -f ${MANDIR}/man5/shorewall6-lite*
+rm -f ${MANDIR}/man8/shorewall6-lite*
+
 echo "Shorewall6 Lite Uninstalled"
-
-

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_ROUTEMARKS=Yes
 
+SAVE_IPSETS=No
+
 TC_ENABLED=No
 
 TC_EXPERT=No

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_ROUTEMARKS=Yes
 
+SAVE_IPSETS=No
+
 TC_ENABLED=No
 
 TC_EXPERT=No

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_ROUTEMARKS=Yes
 
+SAVE_IPSETS=No
+
 TC_ENABLED=No
 
 TC_EXPERT=No

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_ROUTEMARKS=Yes
 
+SAVE_IPSETS=No
+
 TC_ENABLED=No
 
 TC_EXPERT=No

Shorewall6/configfiles/nat

@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Nat File
+#
+# For information about entries in this file, type "man shorewall6-nat"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-nat.html
+#
+###############################################################################
+#EXTERNAL		INTERFACE		INTERNAL	ALL	LOCAL
+#						INTERFACES

Shorewall6/configfiles/shorewall6.conf

@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_ROUTEMARKS=Yes
 
+SAVE_IPSETS=No
+
 TC_ENABLED=No
 
 TC_EXPERT=No

Shorewall6/helpers

@@ -34,3 +34,14 @@ loadmodule nf_conntrack_proto_sctp
 loadmodule nf_conntrack_sip
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
+#
+# While not actually helpers, these are included here so that
+# LOG_BACKEND can work correctly. Not all of them will be
+# loaded, since at least one of them will be an alias on any
+# given system.
+#
+loadmodule ip6t_LOG
+loadmodule nf_log_ipv6
+loadmodule xt_LOG
+loadmodule xt_NFLOG
+loadmodule nfnetlink_log

Shorewall6/init.fedora.sh

@@ -39,7 +39,7 @@ fi
 
 start() {
     echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
     echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
 	touch $lockfile

Shorewall6/init.slackware.shorewall6.sh

@@ -10,8 +10,9 @@
 
 OPTIONS=""
 
-# Use /etc/default shorewall6 to specify $OPTIONS to run at startup, however this
+# Use /etc/default shorewall6 to specify $OPTIONS and STARTOPTIONS to
-# this might prevent shorewall6 from starting. use at your own risk
+# run at startup, however this this might prevent shorewall6 from
+# starting. use at your own risk
 if [ -f /etc/default/shorewall6 ] ; then
     . /etc/default/shorewall6
 fi
@@ -19,7 +20,7 @@ fi
 
 start() {
 	echo "Starting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 $OPTIONS start
+	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 }
 
 stop() {
@@ -29,7 +30,7 @@ stop() {
 
 restart() {
 	echo "Restarting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 restart
+	exec /sbin/shorewall6 restart $RESTARTOPTIONS
 }
 
 status() {

Shorewall6/manpages/shorewall6-actions.xml

@@ -71,10 +71,18 @@
                 role="bold">mangle</emphasis> and <emphasis
                 role="bold">raw</emphasis>. If no table name(s) are given,
                 then <emphasis role="bold">filter</emphasis> is assumed. The
-                table names follow builtin and are separated by commas; for
+                table names follow <emphasis role="bold">builtin</emphasis>
-                example, "FOOBAR,filter,mangle" would specify FOOBAR as a
+                and are separated by commas; for example, "FOOBAR
-                builtin target that can be used in the filter and mangle
+                builtin,filter,mangle" would specify FOOBAR as a builtin
+                target that can be used in the filter and mangle
                 tables.</para>
+
+                <para>Beginning with Shorewall 4.6.4, you may specify the
+                <emphasis role="bold">terminating</emphasis> option with
+                <emphasis role="bold">builtin</emphasis> to indicate to the
+                Shorewall optimizer that the action is terminating (the
+                current packet will not be passed to the next rule in the
+                chain).</para>
               </listitem>
             </varlistentry>
 
@@ -133,6 +141,17 @@
                 a subset of the rules.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>terminating</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.4. When used with
+                <replaceable>builtin</replaceable>, indicates that the
+                built-in action is termiating (i.e., if the action is jumped
+                to, the next rule in the chain is not evaluated).</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

Shorewall6/manpages/shorewall6-mangle.xml

@@ -125,7 +125,7 @@
 
           <variablelist>
             <varlistentry>
-              <term>CHECKSUM</term>
+              <term><emphasis role="bold">CHECKSUM</emphasis></term>
 
               <listitem>
                 <para>Compute and fill in the checksum in a packet that lacks
@@ -140,7 +140,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>CLASSIFY(<replaceable>classid</replaceable>)</term>
+              <term><emphasis
+              role="bold">CLASSIFY(<replaceable>classid</replaceable>)</emphasis></term>
 
               <listitem>
                 <para>A classification Id (classid) is of the form
@@ -190,7 +191,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>CONMARK({mark|range})</term>
+              <term><emphasis
+              role="bold">CONMARK({mark|range})</emphasis></term>
 
               <listitem>
                 <para>Identical to MARK with the exception that the mark is
@@ -323,7 +325,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term>IPMARK</term>
+              <term><emphasis role="bold">IPMARK</emphasis></term>
 
               <listitem>
                 <para>Assigns a mark to each matching packet based on the
@@ -431,8 +433,9 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term>IP6TABLES({<replaceable>target</replaceable>
+              <term><emphasis
-              [<replaceable>option</replaceable> ...])</term>
+              role="bold">IP6TABLES({<replaceable>target</replaceable>
+              [<replaceable>option</replaceable> ...])</emphasis></term>
 
               <listitem>
                 <para>This action allows you to specify an iptables target
@@ -453,7 +456,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term>MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</term>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</emphasis></term>
 
               <listitem>
                 <para>where <replaceable>mark</replaceable> is a packet mark

Shorewall6/manpages/shorewall6-nat.xml

@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-nat</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nat</refname>
+
+    <refpurpose>Shorewall6 one-to-one NAT file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/nat</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define one-to-one Network Address Translation
+    (NAT).</para>
+
+    <warning>
+      <para>If all you want to do is simple port forwarding, do NOT use this
+      file. See <ulink
+      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
+      </para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">EXTERNAL</emphasis> -
+        {<emphasis>address</emphasis>|[?]COMMENT}</term>
+
+        <listitem>
+          <para>External IP Address - this should NOT be the primary IP
+          address of the interface named in the next column and must not be a
+          DNS Name.</para>
+
+          <para>If you put COMMENT in this column, the rest of the line will
+          be attached as a comment to the Netfilter rule(s) generated by the
+          following entries in the file. The comment will appear delimited by
+          "/* ... */" in the output of "shorewall show nat"</para>
+
+          <para>To stop the comment from being attached to further rules,
+          simply include COMMENT on a line by itself.</para>
+
+          <note>
+            <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+            COMMENT and is preferred.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interfacelist</emphasis>[<emphasis
+        role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
+
+        <listitem>
+          <para>Interfaces that have the <emphasis
+          role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
+          <ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5),
+          Shorewall will automatically add the EXTERNAL address to this
+          interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
+          name with ":" and a <emphasis>digit</emphasis> to indicate that you
+          want Shorewall to add the alias with this name (e.g., "eth0:0").
+          That allows you to see the alias with ifconfig. <emphasis
+          role="bold">That is the only thing that this name is good for -- you
+          cannot use it anywhere else in your Shorewall configuration.
+          </emphasis></para>
+
+          <para>Each interface must match an entry in <ulink
+          url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>If you want to override ADD_IP_ALIASES=Yes for a particular
+          entry, follow the interface name with ":" and no digit (e.g.,
+          "eth0:").</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERNAL</emphasis> -
+        <emphasis>address</emphasis></term>
+
+        <listitem>
+          <para>Internal Address (must not be a DNS Name).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
+        [<emphasis role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If Yes or yes, NAT will be effective from all hosts. If No or
+          no (or left empty) then NAT will be effective only through the
+          interface named in the <emphasis role="bold">INTERFACE</emphasis>
+          column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">LOCAL</emphasis> - [<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If <emphasis role="bold">Yes</emphasis> or <emphasis
+          role="bold">yes</emphasis>, NAT will be effective from the firewall
+          system</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/nat</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+  </refsect1>
+</refentry>

Shorewall6/manpages/shorewall6-policy.xml

@@ -242,13 +242,34 @@
 
       <varlistentry>
         <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [{<emphasis>s</emphasis>|<emphasis
+        [-|<replaceable>limit</replaceable>]</term>
-        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-        role="bold">/</emphasis>{<emphasis
-        role="bold">second</emphasis>|<emphasis
-        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>
 
         <listitem>
+          <para>where limit is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>
+
           <para>If passed, specifies the maximum TCP connection
           <emphasis>rate</emphasis> and the size of an acceptable
           <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -261,9 +282,19 @@
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
           role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the
+          POLICY or rule specifies the same name, the connections counts for
-          policies are aggregated and the individual rates apply to the
+          the policies are aggregated and the individual rates apply to the
           aggregated count.</para>
+
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-rules.xml

@@ -450,24 +450,33 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IP6TABLES({<replaceable>target</replaceable>
+              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
-                <para>This action allows you to specify an iptables target
+                <para>This action allows you to specify an ip6tables target
-                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
+                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                If the target is not one recognized by Shorewall, the
+                the <replaceable>ip6tables-target</replaceable> is not one
-                following error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
+                issued:</para>
 
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
 
-                <para>This error message may be eliminated by adding the
+                <para>This error message may be eliminated by adding
-                <replaceable>target</replaceable> as a builtin action in
+                the<replaceable>
-                <ulink
+                ip6tables-</replaceable><replaceable>target</replaceable> as a
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
+                builtin action in <ulink
+                url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>ip6tables-target</replaceable>, the target of
+                  the rule will be the i6ptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
               </listitem>
             </varlistentry>
 
@@ -934,7 +943,7 @@
           <para>Restriction: MAC addresses are not allowed (this is a
           Netfilter restriction).</para>
 
-          <para>If you kernel and ip6tables have ipset match support then you
+          <para>If your kernel and ip6tables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be
           optionally followed by a number from 1 to 6 enclosed in square
           brackets ([]) to indicate the number of levels of destination
@@ -1118,22 +1127,41 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
-        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+        <replaceable>limit</replaceable></term>
-        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-        role="bold">/</emphasis>{<emphasis
-        role="bold">sec</emphasis>|<emphasis
-        role="bold">min</emphasis>|<emphasis
-        role="bold">hour</emphasis>|<emphasis
-        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
 
         <listitem>
+          <para>where <replaceable>limit</replaceable> is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>
+
           <para>You may optionally rate-limit the rule by placing a value in
           this column:</para>
 
-          <para><emphasis>rate</emphasis> is the number of connections per
+          <para><emphasis>rate*</emphasis> is the number of connections per
           interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
           largest burst permitted. If no <emphasis>burst</emphasis> is given,
           a value of 5 is assumed. There may be no no white-space embedded in
           the specification.</para>
@@ -1142,13 +1170,28 @@
 
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable> may be chosen by
+          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifies a hash table to be used to count matching
+          the user and specifiy a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one POLICY specifies the same name, the
+          assumed. Where more than one rule or POLICY specifies the same name,
-          connections counts for the rules are aggregated and the individual
+          the connections counts for the rules are aggregated and the
-          rates apply to the aggregated count.</para>
+          individual rates apply to the aggregated count.</para>
+
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
+
+          <para>In this example, the 'client' hash table will be used to
+          enforce the per-source limit and the compiler will pick a unique
+          name for the hash table that tracks the per-destination
+          limit.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-tcfilters.xml

@@ -88,9 +88,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch </firstterm>capability. The ipset name may optionally be
+          Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -105,9 +107,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>

Shorewall6/manpages/shorewall6.conf.xml

@@ -220,9 +220,9 @@
         <listitem>
           <para>The value of this variable affects Shorewall's stopped state.
           The behavior differs depending on whether <ulink
-          url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
           or <ulink
-          url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
+          url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           is used:</para>
 
           <variablelist>
@@ -245,17 +245,22 @@
               <term>stoppedrules</term>
 
               <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
+                <para>All existing connections continue to work. To sever all
-                and the setting is ignored.</para>
+                existing connections when the firewall is stopped, install the
-
+                conntrack utility and place the command <command>conntrack
-                <para>In addition to connections matching entries in
+                -F</command> in the stopped user exit
-                <filename>stoppedrules</filename>, existing connections
-                continue to work and all new connections from the firewall
-                system itself are allowed. To sever all existing connections
-                when the firewall is stopped, install the conntrack utility
-                and place the command <command>conntrack -F</command> in the
-                stopped user exit
                 (<filename>/etc/shorewall6/stopped</filename>).</para>
+
+                <para>If ADMINISABSENTMINDED=No, only new connections matching
+                entries in <filename>stoppedrules</filename> are accepted when
+                Shorewall is stopped. Response packets and related connections
+                are automatically accepted.</para>
+
+                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
+                matching entries in <filename>stoppedrules</filename>, all new
+                connections from the firewall system itself are allowed when
+                the firewall is stopped. Response packets and related
+                connections are automatically accepted.</para>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -1157,6 +1162,38 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
+          backend to be used for the <command>iptrace</command> command (see
+          <ulink
+          url="manpages6/shorewall6.html">shorewall6(8)</ulink>).</para>
+
+          <para><replaceable>backend</replaceable> is one of:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>LOG</term>
+
+              <listitem>
+                <para>Use standard kernel logging.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>netlink</term>
+
+              <listitem>
+                <para>Use netlink logging to ulogd version 2 or later.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -2085,6 +2122,25 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
+
+        <listitem>
+          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
+          current contents of your ipsets will be saved by the <emphasis
+          role="bold">shorewall stop</emphasis> and <emphasis
+          role="bold">shorewall save</emphasis> commands and restored by the
+          <emphasis role="bold">shorewall start</emphasis> and <emphasis
+          role="bold">shorewall restore</emphasis> commands.</para>
+
+          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
+          ipsets saved by specifying a setlist (a comma-separated list of ipv6
+          ipset names).</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>

Shorewall6/manpages/shorewall6.xml

@@ -163,6 +163,8 @@
       <arg><option>-l</option></arg>
 
       <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -308,6 +310,18 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg
+      choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -388,7 +402,7 @@
 
       <arg><option>-T</option></arg>
 
-      <arg><option>-i</option></arg>
+      <arg><option>-i</option><arg><option>-C</option></arg></arg>
 
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
@@ -401,11 +415,27 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>restore</option></arg>
+      <arg
+      choice="plain"><option>restore</option><arg><option>-C</option></arg></arg>
 
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable></arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -447,7 +477,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>save</option></arg>
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
 
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
@@ -459,7 +490,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-x</option></arg>
 
@@ -473,7 +504,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-b</option></arg>
 
@@ -495,7 +526,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-f</option></arg>
 
@@ -509,7 +540,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
       choice="req"><option>actions|classifiers|connections|config|events|filters|ip|macros|zones|policies|tc|marks</option></arg>
@@ -522,7 +553,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>event</option><arg
       choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -535,7 +566,35 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg choice="plain"><option>routing</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
@@ -547,7 +606,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg><option>-m</option></arg>
 
@@ -572,7 +631,7 @@
 
       <arg><option>-T</option></arg>
 
-      <arg><option>-i</option></arg>
+      <arg><option>-i</option><arg><option>-C</option></arg></arg>
 
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
@@ -670,7 +729,7 @@
     used for debugging. See <ulink
     url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
 
-    <para>The nolock <option>option</option> prevents the command from
+    <para>The <option>nolock</option> option prevents the command from
     attempting to acquire the Shorewall6 lockfile. It is useful if you need to
     include <command>shorewall6</command> commands in
     <filename>/etc/shorewall6/started</filename>.</para>
@@ -750,13 +809,14 @@
           <para>Compiles the configuration in the specified
           <emphasis>directory</emphasis> and discards the compiled output
           script. If no <emphasis>directory</emphasis> is given, then
-          /etc/shorewall6 is assumed.</para>
+          <filename class="directory">/etc/shorewall6</filename> is
+          assumed.</para>
 
-          <para>The <emphasis role="bold">-e</emphasis> option causes the
+          <para>The <option>-e</option> option causes the compiler to look for
-          compiler to look for a file named capabilities. This file is
+          a file named capabilities. This file is produced using the command
-          produced using the command <emphasis role="bold">shorewall6-lite
+          <command>shorewall6-lite show -f capabilities &gt;
-          show -f capabilities &gt; capabilities</emphasis> on a system with
+          capabilities</command> on a system with Shorewall6 Lite
-          Shorewall6 Lite installed.</para>
+          installed.</para>
 
           <para>The <option>-d</option> option causes the compiler to be run
           under control of the Perl debugger.</para>
@@ -773,11 +833,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
         </listitem>
       </varlistentry>
@@ -809,21 +869,21 @@
           compile -- -</command>) to suppress the 'Compiling...' message
           normally generated by <filename>/sbin/shorewall6</filename>.</para>
 
-          <para>When -e is specified, the compilation is being performed on a
+          <para>When <option>-e</option> is specified, the compilation is
-          system other than where the compiled script will run. This option
+          being performed on a system other than where the compiled script
-          disables certain configuration options that require the script to be
+          will run. This option disables certain configuration options that
-          compiled where it is to be run. The use of -e requires the presence
+          require the script to be compiled where it is to be run. The use of
-          of a configuration file named <filename>capabilities</filename>
+          <option>-e</option> requires the presence of a configuration file
-          which may be produced using the command <emphasis
+          named <filename>capabilities</filename> which may be produced using
-          role="bold">shorewall6-lite show -f capabilities &gt;
+          the command <command>shorewall6-lite show -f capabilities &gt;
-          capabilities</emphasis> on a system with Shorewall6 Lite
+          capabilities</command> on a system with Shorewall6 Lite
           installed.</para>
 
-          <para>The <emphasis role="bold">-c</emphasis> option was added in
+          <para>The <option>-c</option> option was added in Shorewall 4.5.17
-          Shorewall 4.5.17 and causes conditional compilation of a script. The
+          and causes conditional compilation of a script. The script specified
-          script specified by <replaceable>pathname</replaceable> (or implied
+          by <replaceable>pathname</replaceable> (or implied if <emphasis
-          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
+          role="bold">pathname</emphasis> is omitted) is compiled if it
-          if it doesn't exist or if there is any file in the
+          doesn't exist or if there is any file in the
           <replaceable>directory</replaceable> or in a directory on the
           CONFIG_PATH that has a modification time later than the file to be
           compiled. When no compilation is needed, a message is issued and an
@@ -840,11 +900,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
         </listitem>
       </varlistentry>
@@ -909,14 +969,18 @@
           <para>Produces a verbose report about the firewall configuration for
           the purpose of problem analysis.</para>
 
-          <para>The <emphasis role="bold">-x</emphasis> option causes actual
+          <para>The <option>-x</option> option causes actual packet and byte
-          packet and byte counts to be displayed. Without that option, these
+          counts to be displayed. Without that option, these counts are
-          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
+          abbreviated.</para>
-          option causes any MAC addresses included in Shorewall6 log messages
-          to be displayed.</para>
 
-          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          <para>The <option>-m</option> option causes any MAC addresses
-          number for each Netfilter rule to be displayed.</para>
+          included in Shorewall6 log messages to be displayed.</para>
+
+          <para>The <option>-l</option> option causes the rule number for each
+          Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
         </listitem>
       </varlistentry>
 
@@ -969,9 +1033,10 @@
         <term><emphasis role="bold">forget</emphasis></term>
 
         <listitem>
-          <para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
+          <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
-          /var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
+          </replaceable></filename> and <filename>/var/lib/shorewall6/save
-          given then the file specified by RESTOREFILE in <ulink
+          </filename>. If no <emphasis>filename</emphasis> is given then the
+          file specified by RESTOREFILE in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
           assumed.</para>
         </listitem>
@@ -997,11 +1062,10 @@
           be one or more matches that may appear in both the raw table OUTPUT
           and raw table PREROUTING chains.</para>
 
-          <para>The trace records are written to the kernel's log buffer with
+          <para>The log message destination is determined by the
-          facility = kernel and priority = warning, and they are routed from
+          currently-selected IPv6 <ulink
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          url="/shorewall_logging.html#Backends">logging
-          Shorewall has no control over where the messages go; consult your
+          backend</ulink>.</para>
-          logging daemon's documentation.</para>
         </listitem>
       </varlistentry>
 
@@ -1031,15 +1095,15 @@
           Shorewall6 Lite on <replaceable>system</replaceable> is started via
           ssh.</para>
 
-          <para>If <emphasis role="bold">-s</emphasis> is specified and the
+          <para>If <option>-s</option> is specified and the <emphasis
-          <emphasis role="bold">start</emphasis> command succeeds, then the
+          role="bold">start</emphasis> command succeeds, then the remote
-          remote Shorewall6-lite configuration is saved by executing <emphasis
+          Shorewall6-lite configuration is saved by executing
-          role="bold">shorewall6-lite save</emphasis> via ssh.</para>
+          <command>shorewall6-lite save</command> via ssh.</para>
 
-          <para>if <emphasis role="bold">-c</emphasis> is included, the
+          <para>if <option>-c</option> is included, the command
-          command <emphasis role="bold">shorewall6-lite show capabilities -f
+          <command>shorewall6-lite show capabilities -f &gt;
-          &gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
+          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh
-          via ssh then the generated file is copied to
+          then the generated file is copied to
           <replaceable>directory</replaceable> using scp. This step is
           performed before the configuration is compiled.</para>
 
@@ -1051,11 +1115,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -1080,14 +1144,13 @@
           <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
           produces an audible alarm when new Shorewall6 messages are logged.
-          The <emphasis role="bold">-m</emphasis> option causes the MAC
+          The <option>-m</option> option causes the MAC address of each packet
-          address of each packet source to be displayed if that information is
+          source to be displayed if that information is available. The
-          available. The <replaceable>refresh-interval</replaceable> specifies
+          <replaceable>refresh-interval</replaceable> specifies the time in
-          the time in seconds between screen refreshes. You can enter a
+          seconds between screen refreshes. You can enter a negative number by
-          negative number by preceding the number with "--" (e.g.,
+          preceding the number with "--" (e.g., <command>shorewall6 logwatch
-          <command>shorewall6 logwatch -- -30</command>). In this case, when a
+          -- -30</command>). In this case, when a packet count changes, you
-          packet count changes, you will be prompted to hit any key to resume
+          will be prompted to hit any key to resume screen refreshes.</para>
-          screen refreshes.</para>
         </listitem>
       </varlistentry>
 
@@ -1124,11 +1187,11 @@
           performed by <command>refresh</command> with the exception that
           <command>refresh</command> only recreates the chains specified in
           the command while <command>restart</command> recreates the entire
-          Netfilter ruleset.When no chain name is given to the <emphasis
+          Netfilter ruleset.When no chain name is given to the
-          role="bold">refresh</emphasis> command, the mangle table is
+          <command>refresh</command> command, the mangle table is refreshed
-          refreshed along with the blacklist chain (if any). This allows you
+          along with the blacklist chain (if any). This allows you to modify
-          to modify <filename>/etc/shorewall6/tcrules</filename>and install
+          <filename>/etc/shorewall6/tcrules</filename>and install the changes
-          the changes using <emphasis role="bold">refresh</emphasis>.</para>
+          using <command>refresh</command>.</para>
 
           <para>The listed chains are assumed to be in the filter table. You
           can refresh chains in other tables by prefixing the chain name with
@@ -1140,25 +1203,31 @@
           <para>The <option>-n</option> option was added in Shorewall 4.5.3
           causes Shorewall to avoid updating the routing table(s).</para>
 
-          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
           causes the compiler to run under the Perl debugger.</para>
 
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
 
           <para>The -<option>D</option> option was added in Shorewall 4.5.3
           and causes Shorewall to look in the given
           <emphasis>directory</emphasis> first for configuration files.</para>
 
-          <para>Example:<programlisting><command>shorewall6 refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
+          <example>
+            <title>Refresh the 'net-fw' chain in the filter table and the
+            'net_dnat' chain in the nat table</title>
+
+            <programlisting><command>shorewall6 refresh net-fw nat:net_dnat
+            </command></programlisting>
+          </example>
         </listitem>
       </varlistentry>
 
@@ -1188,17 +1257,17 @@
           Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
           ssh.</para>
 
-          <para>If <emphasis role="bold">-s</emphasis> is specified and the
+          <para>If <option>-s</option> is specified and the
-          <emphasis role="bold">restart</emphasis> command succeeds, then the
+          <command>restart</command> command succeeds, then the remote
-          remote Shorewall6-lite configuration is saved by executing <emphasis
+          Shorewall6-lite configuration is saved by executing
-          role="bold">shorewall6-lite save</emphasis> via ssh.</para>
+          <command>shorewall6-lite save</command> via ssh.</para>
 
-          <para>if <emphasis role="bold">-c</emphasis> is included, the
+          <para>if <option>-c</option> is included, the command
-          command <emphasis role="bold">shorewall6-lite show capabilities -f
+          <command>shorewall6-lite show capabilities -f &gt;
-          &gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
+          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh
-          via ssh then the generated file is copied to
+          then the generated file is copied to <emphasis>directory</emphasis>
-          <emphasis>directory</emphasis> using scp. This step is performed
+          using scp. This step is performed before the configuration is
-          before the configuration is compiled.</para>
+          compiled.</para>
 
           <para>If <option>-r</option> is included, it specifies that the root
           user on <replaceable>system</replaceable> is named
@@ -1208,11 +1277,11 @@
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -1233,9 +1302,9 @@
         <term><emphasis role="bold">restart</emphasis></term>
 
         <listitem>
-          <para>Restart is similar to <emphasis role="bold">shorewall6
+          <para>Restart is similar to <command>shorewall6 start</command>
-          start</emphasis> except that it assumes that the firewall is already
+          except that it assumes that the firewall is already started.
-          started. Existing connections are maintained. If a
+          Existing connections are maintained. If a
           <emphasis>directory</emphasis> is included in the command,
           Shorewall6 will look in that <emphasis>directory</emphasis> first
           for configuration files.</para>
@@ -1247,31 +1316,40 @@
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
 
-          <para>The <option>-d </option>option causes the compiler to run
+          <para>The <option>-d</option> option causes the compiler to run
           under the Perl debugger.</para>
 
           <para>The <option>-f</option> option suppresses the compilation step
           and simply reused the compiled script which last started/restarted
-          Shorewall, provided that /etc/shorewall6 and its contents have not
+          Shorewall, provided that <filename class="directory">/etc/shorewall6
-          been modified since the last start/restart.</para>
+          </filename> and its contents have not been modified since the last
+          start/restart.</para>
 
           <para>The <option>-c</option> option was added in Shorewall 4.4.20
           and performs the compilation step unconditionally, overriding the
           AUTOMAKE setting in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          When both <option>-f</option> and <option>-c </option>are present,
+          When both <option>-f</option> and <option>-c</option> are present,
           the result is determined by the option that appears last.</para>
 
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when AUTOMAKE=Yes in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
+          an existing firewall script is used and if that script was the one
+          that generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
         </listitem>
       </varlistentry>
 
@@ -1279,14 +1357,50 @@
         <term><emphasis role="bold">restore</emphasis></term>
 
         <listitem>
-          <para>Restore Shorewall6 to a state saved using the <emphasis
+          <para>Restore Shorewall6 to a state saved using the
-          role="bold">shorewall6 save</emphasis> command. Existing connections
+          <command>shorewall6 save</command> command. Existing connections are
-          are maintained. The <emphasis>filename</emphasis> names a restore
+          maintained. The <emphasis>filename</emphasis> names a restore file
-          file in /var/lib/shorewall6 created using <emphasis
+          in <filename class="directory">/var/lib/shorewall6</filename>
-          role="bold">shorewall6 save</emphasis>; if no
+          created using <command>shorewall6 save</command>; if no
           <emphasis>filename</emphasis> is given then Shorewall6 will be
           restored from the file specified by the RESTOREFILE option in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during
+          <command>shorewall6 save</command>, then the counters saved by that
+          operation will be restored.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+
+          <para>If there are files in the CONFIG_PATH that were modified after
+          the current firewall script was generated, the following warning
+          message is issued before the script's run command is executed:
+          <screen>WARNING: /var/lib/shorewall6/firewall is not up to
+          date</screen></para>
         </listitem>
       </varlistentry>
 
@@ -1295,15 +1409,16 @@
 
         <listitem>
           <para>Only allowed if Shorewall6 is running. The current
-          configuration is saved in /var/lib/shorewall6/safe-restart (see the
+          configuration is saved in <filename>/var/lib/shorewall6/safe-restart
-          save command below) then a <emphasis role="bold">shorewall6
+          </filename> (see the <emphasis role="bold">save</emphasis> command
-          restart</emphasis> is done. You will then be prompted asking if you
+          below) then a <command>shorewall6 restart</command> is done. You
-          want to accept the new configuration or not. If you answer "n" or if
+          will then be prompted asking if you want to accept the new
-          you fail to answer within 60 seconds (such as when your new
+          configuration or not. If you answer "n" or if you fail to answer
-          configuration has disabled communication with your terminal), the
+          within 60 seconds (such as when your new configuration has disabled
-          configuration is restored from the saved configuration. If a
+          communication with your terminal), the configuration is restored
-          directory is given, then Shorewall6 will look in that directory
+          from the saved configuration. If a directory is given, then
-          first when opening configuration files.</para>
+          Shorewall6 will look in that directory first when opening
+          configuration files.</para>
 
           <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
@@ -1341,14 +1456,19 @@
         <term><emphasis role="bold">save</emphasis></term>
 
         <listitem>
-          <para>The dynamic blacklist is stored in /var/lib/shorewall6/save.
+          <para>The dynamic blacklist is stored in <filename>
-          The state of the firewall is stored in
+          /var/lib/shorewall6/save</filename>. The state of the firewall is
-          /var/lib/shorewall6/<emphasis>filename</emphasis> for use by the
+          stored in <filename>
-          <emphasis role="bold">shorewall6 restore</emphasis> and <emphasis
+          /var/lib/shorewall6/<replaceable>filename</replaceable></filename>
-          role="bold">shorewall6 -f start</emphasis> commands. If
+          for use by the <command>shorewall6 restore</command> and <command>
-          <emphasis>filename</emphasis> is not given then the state is saved
+          shorewall6 -f start</command> commands. If <emphasis>filename
-          in the file specified by the RESTOREFILE option in <ulink
+          </emphasis> is not given then the state is saved in the file
+          specified by the RESTOREFILE option in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the ip6tables packet and byte counters to be saved along with
+          the chains and rules.</para>
         </listitem>
       </varlistentry>
 
@@ -1375,10 +1495,10 @@
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                 along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                shorewall-blrules(5).The <option>-x</option> option is passed
-                option is passed directly through to ip6tables and causes
+                directly through to ip6tables and causes actual packet and
-                actual packet and byte counts to be displayed. Without this
+                byte counts to be displayed. Without this option, those counts
-                option, those counts are abbreviated.</para>
+                are abbreviated.</para>
               </listitem>
             </varlistentry>
 
@@ -1387,9 +1507,9 @@
 
               <listitem>
                 <para>Displays your kernel/ip6tables capabilities. The
-                <emphasis role="bold">-f</emphasis> option causes the display
+                <option>-f</option> option causes the display to be formatted
-                to be formatted as a capabilities file for use with <emphasis
+                as a capabilities file for use with <command>shorewall6
-                role="bold">compile -e</emphasis>.</para>
+                compile -e</command>.</para>
               </listitem>
             </varlistentry>
 
@@ -1399,32 +1519,29 @@
 
               <listitem>
                 <para>The rules in each <emphasis>chain</emphasis> are
-                displayed using the <emphasis role="bold">ip6tables
+                displayed using the <command>ip6tables -L</command>
-                -L</emphasis> <emphasis>chain</emphasis> <emphasis
+                <emphasis>chain</emphasis> <emphasis role="bold">-n
-                role="bold">-n -v</emphasis> command. If no
+                -v</emphasis> command. If no <emphasis>chain</emphasis> is
-                <emphasis>chain</emphasis> is given, all of the chains in the
+                given, all of the chains in the filter table are displayed.
-                filter table are displayed. The <emphasis
+                The <option>-x</option> option is passed directly through to
-                role="bold">-x</emphasis> option is passed directly through to
                 ip6tables and causes actual packet and byte counts to be
                 displayed. Without this option, those counts are abbreviated.
-                The <emphasis role="bold">-t</emphasis> option specifies the
+                The <option>-t</option> option specifies the Netfilter table
-                Netfilter table to display. The default is <emphasis
+                to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
-                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                <para>The <option>-b</option> ('brief') option causes rules
-                causes rules which have not been used (i.e. which have zero
+                which have not been used (i.e. which have zero packet and byte
-                packet and byte counts) to be omitted from the output. Chains
+                counts) to be omitted from the output. Chains with no rules
-                with no rules displayed are also omitted from the
+                displayed are also omitted from the output.</para>
-                output.</para>
 
-                <para>The <emphasis role="bold">-l</emphasis> option causes
+                <para>The <option>-l</option> option causes the rule number
-                the rule number for each Netfilter rule to be
+                for each Netfilter rule to be displayed.</para>
-                displayed.</para>
 
-                <para>If the <emphasis role="bold">-t</emphasis> option and
+                <para>If the <option>-t</option> option and the
-                the <option>chain</option> keyword are both omitted and any of
+                <option>chain</option> keyword are both omitted and any of the
-                the listed <replaceable>chain</replaceable>s do not exist, a
+                listed <replaceable>chain</replaceable>s do not exist, a usage
-                usage message is displayed.</para>
+                message is displayed.</para>
               </listitem>
             </varlistentry>
 
@@ -1489,9 +1606,9 @@
                 <para>Displays the last 20 Shorewall6 messages from the log
                 file specified by the LOGFILE option in <ulink
                 url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-                The <emphasis role="bold">-m</emphasis> option causes the MAC
+                The <option>-m</option> option causes the MAC address of each
-                address of each packet source to be displayed if that
+                packet source to be displayed if that information is
-                information is available.</para>
+                available.</para>
               </listitem>
             </varlistentry>
 
@@ -1509,11 +1626,11 @@
 
               <listitem>
                 <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">ip6tables -t mangle -L -n
+                <command>ip6tables -t mangle -L -n -v</command>.The
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
+                <option>-x</option> option is passed directly through to
-                is passed directly through to ip6tables and causes actual
+                ip6tables and causes actual packet and byte counts to be
-                packet and byte counts to be displayed. Without this option,
+                displayed. Without this option, those counts are
-                those counts are abbreviated.</para>
+                abbreviated.</para>
               </listitem>
             </varlistentry>
 
@@ -1540,10 +1657,12 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">Routing</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>
 
               <listitem>
-                <para>Displays the system's IPv6 routing configuration.</para>
+                <para>Displays the system's IPv6 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
               </listitem>
             </varlistentry>
 
@@ -1577,22 +1696,22 @@
           only if they are allowed by the firewall rules or policies. If a
           <replaceable>directory</replaceable> is included in the command,
           Shorewall6 will look in that <emphasis>directory</emphasis> first
-          for configuration files. If <emphasis role="bold">-f</emphasis> is
+          for configuration files. If <option>-f</option> is specified, the
-          specified, the saved configuration specified by the RESTOREFILE
+          saved configuration specified by the RESTOREFILE option in <ulink
-          option in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
           will be restored if that saved configuration exists and has been
-          modified more recently than the files in /etc/shorewall6. When
+          modified more recently than the files in <filename
-          <emphasis role="bold">-f</emphasis> is given, a
+          class="directory">/etc/shorewall6</filename>. When <option>-f
-          <replaceable>directory</replaceable> may not be specified.</para>
+          </option> is given, a <replaceable>directory</replaceable> may not
+          be specified.</para>
 
           <para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
           was added to <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
           When LEGACY_FASTSTART=No, the modification times of files in
-          /etc/shorewall6 are compared with that of
+          <filename class="directory">/etc/shorewall6</filename> are compared
-          /var/lib/shorewall6/firewall (the compiled script that last
+          with that of <filename>/var/lib/shorewall6/firewall </filename> (the
-          started/restarted the firewall).</para>
+          compiled script that last started/restarted the firewall).</para>
 
           <para>The <option>-n</option> option causes Shorewall6 to avoid
           updating the routing table(s).</para>
@@ -1601,19 +1720,26 @@
           and performs the compilation step unconditionally, overriding the
           AUTOMAKE setting in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          When both <option>-f</option> and <option>-c </option>are present,
+          When both <option>-f</option> and <option>-c</option> are present,
           the result is determined by the option that appears last.</para>
 
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the
+          <command>save</command> command, then the packet and byte counters
+          will be restored along with the chains and rules.</para>
         </listitem>
       </varlistentry>
 
@@ -1640,7 +1766,7 @@
           <para>Produces a short report about the state of the
           Shorewall6-configured firewall.</para>
 
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          <para>The <option>-i</option> option was added in Shorewall 4.6.2
           and causes the status of each optional or provider interface to be
           displayed.</para>
         </listitem>
@@ -1659,19 +1785,18 @@
           role="bold">start</emphasis> command is performed using the
           specified configuration <replaceable>directory</replaceable>. if an
           error occurs during the compilation phase of the <emphasis
-          role="bold">restart</emphasis> or <emphasis
+          role="bold">restart</emphasis> or <emphasis role="bold">start
-          role="bold">start</emphasis>, the command terminates without
+          </emphasis>, the command terminates without changing the Shorewall6
-          changing the Shorewall6 state. If an error occurs during the
+          state. If an error occurs during the <emphasis role="bold">restart
-          <emphasis role="bold">restart</emphasis> phase, then a <emphasis
+          </emphasis> phase, then a <command>shorewall6 restore</command> is
-          role="bold">shorewall6 restore</emphasis> is performed using the
+          performed using the saved configuration. If an error occurs during
-          saved configuration. If an error occurs during the <emphasis
+          the <emphasis role="bold">start</emphasis> phase, then Shorewall6 is
-          role="bold">start</emphasis> phase, then Shorewall6 is cleared. If
+          cleared. If the <emphasis role="bold">start</emphasis>/ <emphasis
-          the <emphasis role="bold">start</emphasis>/<emphasis
           role="bold">restart</emphasis> succeeds and a
           <replaceable>timeout</replaceable> is specified then a <emphasis
-          role="bold">clear</emphasis> or <emphasis
+          role="bold">clear</emphasis> or <emphasis role="bold">restore
-          role="bold">restore</emphasis> is performed after
+          </emphasis> is performed after <replaceable>timeout</replaceable>
-          <replaceable>timeout</replaceable> seconds.</para>
+          seconds.</para>
 
           <para>Beginning with Shorewall 4.5.0, the numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1692,7 +1817,7 @@
           options with non-defaults to a deprecated options section at the
           bottom of the file. Your existing
           <filename>shorewall6.conf</filename> file is renamed
-          <filename>shorewall6.conf.bak.</filename></para>
+          <filename>shorewall6.conf.bak</filename>.</para>
 
           <para>The <option>-a</option> option causes the updated
           <filename>shorewall6.conf</filename> file to be annotated with
@@ -1718,11 +1843,11 @@
           updated, the original is saved in a .bak file in the same
           directory.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
           url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
 
           <para>The <option>-t</option> option was added in Shorewall 4.6.0.

Shorewall6/modules.essential

@@ -24,4 +24,3 @@ loadmodule nf_conntrack_ipv6
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ip6t_REJECT
-loadmodule ip6t_LOG

Shorewall6/modules.xtables

@@ -30,7 +30,6 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
-loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev

Shorewall6/shorewall6.service

@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall
-After=syslog.target
 After=network.target
+Conflicts=ip6tables.service firewalld.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall6 $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall6/shorewall6.service.214

@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall6/uninstall.sh

@@ -27,6 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx #The Build script inserts the actual version
+PRODUCT=shorewall6
 
 usage() # $1 = exit status
 {
@@ -69,6 +70,43 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 #
 # Read the RC file
 #
@@ -112,8 +150,12 @@ fi
 
 echo "Uninstalling shorewall6 $VERSION"
 
-if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
+[ -n "$SANDBOX" ] && configure=0
-   ${SBINDIR}/shorewall6 clear
+
+if [ $configure -eq 1 ]; then
+    if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
+	${SBINDIR}/shorewall6 clear
+    fi
 fi
 
 if [ -L ${SHAREDIR}/shorewall6/init ]; then
@@ -123,23 +165,28 @@ elif [ -n "$INITFILE" ]; then
 fi
 
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall6 remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall6 remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall6
+	fi
     fi
 
     remove_file $FIREWALL
 fi
 
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall6.service
+fi
+
 rm -f ${SBINDIR}/shorewall6
 rm -rf ${CONFDIR}/shorewall6
 rm -rf ${VARDIR}/shorewall6
-rm -rf ${LIBEXEC}/shorewall6
+rm -rf ${LIBEXECDIR}/shorewall6
 rm -rf ${SHAREDIR}/shorewall6
 
 for f in ${MANDIR}/man5/shorewall6* ${SHAREDIR}/man/man8/shorewall6*; do

docs/Accounting.xml

@@ -612,4 +612,102 @@ gateway:~#
     <para>The <command>shorewall show nfacct</command> command is a thin
     wrapper around the <command>nfacct list</command> command.</para>
   </section>
+
+  <section>
+    <title>Preserving Counters over Restart and Reboot</title>
+
+    <para>Beginning with Shorewall 4.6.5, it is possible to preserve
+    <emphasis>all</emphasis> ip[6]tables packet and byte counters over
+    restarts and reboots through use of the <option>-C</option> option. This
+    option is available in several commands.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>save</term>
+
+        <listitem>
+          <para> Causes the packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>restore</term>
+
+        <listitem>
+          <para>Causes the packet and byte counters (if saved) to be restored
+          along with the chains and rules. </para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were detected when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>start</term>
+
+        <listitem>
+          <para>With Shorewall and Shorewall6, the -C option only has an
+          effect if the <option>-f </option>option is also specified. If a
+          previously-saved configuration is restored, then the packet and byte
+          counters (if saved) will be restored along with the chains and
+          rules. </para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <option>-C</option> will use the values
+            that were detected when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>restart</term>
+
+        <listitem>
+          <para>If an existing compiled script is used (no recompilation
+          required) and if that script generated the current running
+          configuration, then the current netfilter configuration is reloaded
+          as is so as to preserve the current packet and byte counters.</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <option>-C</option> will use the values
+            that were detected when the ruleset was previously started, which
+            may be different from the current values.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para> If you wish to (approximately) preserve the counters over a
+    possibly unexpected reboot, then: </para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Create a cron job that periodically executes 'shorewall save
+        <option>-C</option>'.</para>
+      </listitem>
+
+      <listitem>
+        <para>Specify the<option> -C</option> and <option>-f</option> options
+        in the STARTOPTIONS variable in either
+        <filename>/etc/default/shorewall</filename> (
+        <filename>/etc/default/shorewall6</filename>, etc.) or
+        <filename>/etc/sysconfig/shorewall</filename>
+        (<filename>/etc/sysconfig/shorewall</filename>6, etc.), whichever is
+        supported by your distribution. Note that not all distributions
+        include these files so you may have to create the one(s) you
+        need.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
 </article>

docs/Build.xml

@@ -164,7 +164,7 @@
     <section>
       <title>build</title>
 
-      <para>This is the script that builds Shorewall 4.4 packages from
+      <para>This is the script that builds Shorewall 4.6 packages from
       Git.</para>
 
       <para>The script copies content from Git using the <command>git
@@ -220,7 +220,7 @@
       <para>You should ensure that you have the latest scripts. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build44 script may need to be modified to fit your particular
+      <para>The build46 script may need to be modified to fit your particular
       environment. There are a number of variables that are set near the top
       of the file:</para>
 
@@ -270,10 +270,12 @@
       </variablelist>
 
       <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
+      directory</firstterm> per major release.</para>
-      the appropriate directory and run the build script.</para>
 
-      <para>The general form of the build command is:</para>
+      <para>To build a release, you cd to the appropriate directory and run
+      the build46 script.</para>
+
+      <para>The general form of the build46 command is:</para>
 
       <blockquote>
         <para><command>build</command> [ -<replaceable>options</replaceable> ]
@@ -401,13 +403,13 @@
     </section>
 
     <section>
-      <title>build45</title>
+      <title>build45 and build46</title>
 
-      <para>This is the script that builds Shorewall 4.5 packages from
+      <para>These are the scripts that respectively build Shorewall 4.5 and
-      Git.</para>
+      Shorewall 4.6 packages from Git.</para>
 
-      <para>The script copies content from Git using the <command>git
+      <para>The scripts copy content from Git using the <command>git
-      archive</command> command. It then uses that content to build the
+      archive</command> command. They then use that content to build the
       packages. In addition to the usual Gnu utilities, the following software
       is required:</para>
 
@@ -451,7 +453,7 @@
 
           <listitem>
             <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            that you have a recent version; I use 0.0.25.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -459,7 +461,7 @@
       <para>You should ensure that you have the latest scripts. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build44 script may need to be modified to fit your particular
+      <para>The scripts may need to be modified to fit your particular
       environment. There are a number of variables that are set near the top
       of the file:</para>
 
@@ -509,14 +511,17 @@
       </variablelist>
 
       <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
+      directory</firstterm> per major release. Each build directory should
-      the appropriate directory and run the build script.</para>
+      contain the empty file <filename>shorewall-pkg.config</filename>; that
+      file is no longer used but has been retained just as a guard against
+      initiating a build in an unintended directory. To build a release, you
+      cd to the appropriate directory and run the build script.</para>
 
       <para>The general form of the build command is:</para>
 
       <blockquote>
-        <para><command>build</command> [ -<replaceable>options</replaceable> ]
+        <para><command>build</command>4x [ -<replaceable>options</replaceable>
-        <replaceable>release</replaceable> [ <replaceable>prior
+        ] <replaceable>release</replaceable> [ <replaceable>prior
         release</replaceable> ]</para>
       </blockquote>
 
@@ -632,8 +637,8 @@
         </varlistentry>
       </variablelist>
 
-      <para>Example 1 - Build Shorewall 4.3.7 and generate patches against
+      <para>Example 1 - Build Shorewall 4.5.7 and generate patches against
-      4.3.6:</para>
+      4.5.6:</para>
 
       <blockquote>
         <para><command>build45 4.5.7 4.5.6</command></para>

docs/Events.xml

@@ -705,8 +705,9 @@ Knock                 net            $FW       tcp        22,1599-1601
     <section id="Stateful">
       <title>Stateful Port Knocking (knock with a sequence of ports)</title>
 
-      <para>Gerhard Wiesinger has contributed a Perl module that allows you to
+      <para><ulink url="http://www.wiesinger.com/">Gerhard Wiesinger</ulink>
-      define portknocking sequences. Download <ulink
+      has contributed a Perl module that allows you to define portknocking
+      sequences. Download <ulink
       url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
       module</ulink> and copy it into your site_perl directory.</para>
 

docs/FAQ.xml

@@ -2309,10 +2309,26 @@ gateway:~# </programlisting>
       <title>(FAQ 103) Shorewall fails to start at boot but will start
       immediately after</title>
 
-      <para>Answer: This is usually associated with SELinux. <ulink
+      <para><emphasis role="bold">Answer:</emphasis> This is usually
+      associated with SELinux. <ulink
       url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
       is an example.</para>
     </section>
+
+    <section id="faq104">
+      <title>(FAQ 104) I see <emphasis>kernel</emphasis> messages in my log
+      when I start or restart Shorewall or Shorewall6</title>
+
+      <para>Example: </para>
+
+      <programlisting>&gt; Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not support BROADCAST matching
+</programlisting>
+
+      <para><emphasis role="bold">Answer:</emphasis> These are harmless.
+      Shorewall attempts to execute various commands to determine the
+      capabiities of your system. If you system doesn't support a command, it
+      will generally issue a kernel log message.</para>
+    </section>
   </section>
 
   <section id="MultiISP">