Remove debugging code from Shorewall-init installer

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Load xt_LOG in both helpers files
2014-10-19 08:16:02 -07:00 · 2014-10-19 07:44:01 -07:00 · 2014-10-18 08:01:51 -07:00 · 2014-10-17 08:05:47 -07:00 · 2014-10-16 07:45:20 -07:00 · 2014-10-16 07:44:09 -07:00
71 changed files with 2086 additions and 559 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -367,6 +367,17 @@ resolve_arptables() {
    esac
 }

+#
+# Try to run the 'savesets' command
+#
+savesets() {
+    local supported
+
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
+}
+
 #
 # Save currently running configuration
 #
@@ -428,45 +439,47 @@ do_save() {
 	    ;;
    esac

-    case ${SAVE_IPSETS:=No} in
-	[Yy]es)
-	    case ${IPSET:=ipset} in
-		*/*)
-		    if [ ! -x "$IPSET" ]; then
-			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-			IPSET=
+    if ! savesets;  then
+	case ${SAVE_IPSETS:=No} in
+	    [Yy]es)
+		case ${IPSET:=ipset} in
+		    */*)
+			if [ ! -x "$IPSET" ]; then
+			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			    IPSET=
+			fi
+			;;
+		    *)
+			IPSET="$(mywhich $IPSET)"
+			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+			;;
+		esac
+
+		if [ -n "$IPSET" ]; then
+		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
+			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
+			hack='| grep -v /31'
+		    else
+			hack=
 		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-		    ;;
-	    esac

-	    if [ -n "$IPSET" ]; then
-		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-                    #
-                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-                    #
-		    hack='| grep -v /31'
-		else
-		    hack=
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+			#
+			# Don't save an 'empty' file
+			#
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		    fi
 		fi
-
-		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-                    #
-                    # Don't save an 'empty' file
-                    #
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		fi
-	    fi
-	    ;;
-	[Nn]o)
-	    ;;
-	*)
-	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-	    ;;
-    esac
+		;;
+	    [Nn]o)
+		;;
+	    *)
+		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+		;;
+	esac
+    fi

    return $status
 }
@@ -1470,10 +1483,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
    fi

-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local count
+    local max

-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
+	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
+	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
+	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    else
+	heading "Conntrack Table"
+    fi

    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -3515,6 +3540,14 @@ restart_command() {
    return $rc
 }

+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -3546,6 +3579,7 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
@@ -3818,6 +3852,11 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
+	run)
+	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    get_config Yes
+	    run_command $@
+	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -172,6 +172,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
+   return 1
 }

 #
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -8,7 +8,7 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -123,6 +123,17 @@ shorewall_start () {

  echo "done."

+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+
+      echo -n "Restoring ipsets: "
+
+      if ! ipset -R < "$SAVE_IPSETS"; then
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
  return 0
 }

@@ -142,6 +153,20 @@ shorewall_stop () {

  echo "done."

+  if [ -n "$SAVE_IPSETS" ]; then
+
+      echo "Saving ipsets: "
+
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      else
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
  return 0
 }

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@@ -105,9 +106,12 @@ PRODUCT=shorewall-init
 T='-T'

 finished=0
+configure=1

 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
+
+    case "$option" in
 	-*)
 	    option=${option#-}

@@ -120,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -176,6 +184,8 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

+[ -n "$SANDBOX" ] && configure=0
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 if [ -z "$BUILD" ]; then
@@ -191,7 +201,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)

 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -306,6 +316,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -325,7 +336,7 @@ if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
-    if [ -n "$DESTDIR" ]; then
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
@@ -366,14 +377,24 @@ if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+    elif [ $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi

-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi

-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	if [ $configure -eq 1 ]; then
+	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	else
+	    mkdir -p ${DESTDIR}${CONFDIR}/default
+	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
+	fi
    fi

    IFUPDOWN=ifupdown.debian.sh
@@ -384,7 +405,7 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
@@ -415,17 +436,33 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ $configure -eq 1 ]; then
+	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    else
+	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi

 case $HOST in
    debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	else
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
+	fi
 	;;
    suse)
 	if [ -z "$RPM" ]; then
+	    if [ $configure -eq 0 ]; then
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+	    fi
+
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -453,7 +490,7 @@ case $HOST in
 esac

 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -505,7 +542,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -63,18 +63,19 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
      else
+          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
      fi
  done
@@ -95,8 +96,8 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done

--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
-After=syslog.target
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-init $OPTIONS start
 ExecStop=/sbin/shorewall-init $OPTIONS stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,4 +1,4 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -69,6 +69,42 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -114,22 +150,29 @@ fi

 echo "Uninstalling Shorewall Init $VERSION"

+[ -n "$SANDBOX" ] && configure=0
+
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init

 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-init remove
-    elif mywhich insserv ; then
-        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-init
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
+	elif mywhich insserv ; then
+            insserv -r $INITSCRIPT
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $INITSCRIPT)
+	fi
    fi

    remove_file $INITSCRIPT
 fi

+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SYSTEMD/shorewall-init.service
+fi
+
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local

@@ -159,8 +202,9 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

+rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init

 echo "Shorewall Init Uninstalled"

--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@@ -113,9 +114,13 @@ fi
 # Parse the run line
 #
 finished=0
+configure=1

 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
+    option=$1
+
+    case "$option" in
 	-*)
 	    option=${option#-}

@@ -128,6 +133,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -186,6 +195,8 @@ done

 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}

+[ -n "$SANDBOX" ] && configure=0
+
 #
 # Determine where to install the firewall script
 #
@@ -206,7 +217,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -346,6 +357,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}

 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

@@ -358,7 +370,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -466,18 +478,18 @@ done
 if [ -d manpages ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

    cd ..
@@ -499,7 +511,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -526,7 +538,7 @@ if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi

-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -317,6 +317,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">function</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -352,6 +367,20 @@
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -465,7 +494,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -807,6 +837,23 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>

@@ -829,6 +876,19 @@
          arguments:</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -1073,6 +1133,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=syslog.target
 After=network.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

@@ -69,6 +74,42 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,8 +153,12 @@ fi

 echo "Uninstalling Shorewall Lite $VERSION"

-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-   shorewall-lite clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+	shorewall-lite clear
+    fi
 fi

 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -123,28 +168,34 @@ elif [ -n "$INITFILE" ]; then
 fi

 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-lite remove
-    elif mywhich insserv ; then
-        insserv -r $FIREWALL
-    elif [ mywhich chkconfig ; then
-	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-lite
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
    fi

    remove_file $FIREWALL
 fi

+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall-lite

-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+
+rm -f ${MANDIR}/man5/shorewall-lite*
+rm -f ${MANDIR}/man8/shorewall-lite*

 echo "Shorewall Lite Uninstalled"

-
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Citrix/Goto Meeting macro
+#
+# /usr/share/shorewall/macro.Goto-Meeting
+#          by Eric Teeter
+#       This macro handles Citrix/Goto Meeting
+#       Assumes that ports 80 and 443 are already open
+#       If needed, use the macros that open Http and Https to reduce redundancy
+####################################################################################
+#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                                       PORT(S) PORT(S) LIMIT   GROUP
+PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;

-    $acctable = $config{ACCOUNTING_TABLE};
-
    $jumpchainref = 0;

    $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {

 	set_section_function( &process_section );

+	$acctable = $config{ACCOUNTING_TABLE};
+
 	first_entry "$doing $fn...";

 	my $nonEmpty = 0;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
+                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,7 +105,6 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
-		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
@@ -262,6 +262,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
+				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -793,6 +794,13 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }

+#
+# Mark an action as terminating
+#
+sub make_terminating( $ ) {
+    $terminating{$_[0]} = 1;
+}
+
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1654,7 +1662,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;

-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
+    my $ruleref  = {};

    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;

@@ -1673,7 +1682,15 @@ sub insert_irule( $$$$;@ ) {
    
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;

-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
+	#
+	# Avoid failure in spice if we insert beyond the end of the chain
+	#
+	$number = @$rulesref;
+	push @$rulesref, $ruleref;
+    } else {
+	splice( @$rulesref, $number, 0, $ruleref );
+    }

    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;

@@ -3503,7 +3520,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();

    while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -7570,7 +7587,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }

@@ -7979,11 +7996,99 @@ sub ensure_ipset( $ ) {
    }
 }

+#
+# Generate the save_ipsets() function
+#
+sub create_save_ipsets() {
+    my @ipsets = all_ipsets;
+
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+	  'save_ipsets() {' );
+
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit( '    local file' ,
+	      '',
+	      '    file=$1'
+	    );
+
+	if ( @ipsets ) {
+	    emit '';
+	    ensure_ipset( $_ ) for @ipsets;
+	}
+
+	if ( $config{SAVE_IPSETS} ) {
+	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+		emit( '' ,
+		      '    rm -f $file' ,
+		      '    touch $file' ,
+		      '    local set' ,
+		    );
+
+		if ( @ipsets ) {
+		    emit '';
+		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
+		}
+
+		emit( '',
+		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		      "        \$IPSET save \$set >> \$file" ,
+		      "    done" );
+	    } else {
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
+		       '    fi' );
+ 	    }
+
+	    emit("}\n" );
+	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
+	    emit( '' ,
+		  '    rm -f ${VARDIR}/ipsets.tmp' ,
+		  '    touch ${VARDIR}/ipsets.tmp' ,
+		);
+
+	    if ( @ipsets ) {
+		emit '';
+		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+	    }
+
+	    emit( '' ,
+		  "    if qt \$IPSET list $_; then" ,
+		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
+		  '    else' ,
+		  "        error_message 'ipset $_ not saved (not found)'" ,
+		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+
+	    emit( '' ,
+		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
+		  '' ,
+		  "}\n" );
+	}
+    } elsif ( $config{SAVE_IPSETS} ) {
+	emit( '    error_message "WARNING: No ipsets were saved"',
+	      "}\n" );
+    } else {
+	emit( '    true',
+	      "}\n" );
+    }
+}
+
 sub load_ipsets() {

    my @ipsets = all_ipsets;

-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -8010,9 +8115,25 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    if ( @{$globals{SAVED_IPSETS}} ) {
+		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+	    }
 	}

 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8036,6 +8157,12 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET flush' ,
+		   '        $IPSET destroy' ,
+		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}

 	if ( @ipsets ) {
@@ -8043,36 +8170,14 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}

-	emit( 'elif [ "$COMMAND" = stop ]; then' );
-
-	if ( @ipsets ) {
-	    ensure_ipset( $_ ) for @ipsets;
-	    emit( '' );
-	}
-
-	if ( $family == F_IPV4 ) {
-	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		   '        #',
-		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		   '        #',
-		   '        hack=\'| grep -v /31\'' ,
-		   '    else' ,
-		   '        hack=' ,
-		   '    fi' ,
-		   '',
-		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	} else {
-	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	}
+	emit( 'elif [ "$COMMAND" = stop ]; then' ,
+	      '   save_ipsets'
+	    );

 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	}
+	};

 	emit ( 'fi' ,
 	       '' );
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -280,42 +280,43 @@ sub generate_script_2() {

    if ( $global_variables ) {

-	emit( 'case $COMMAND in' );
-
-	push_indent;
-
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable)' );
-	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore)' );
-	}

-	push_indent;
+	    emit( 'case $COMMAND in' );

-	set_global_variables(1);
-
-	handle_optional_interfaces(0);
-
-	emit ';;';
-
-	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    pop_indent;
+	    push_indent;

 	    emit 'restore)';

 	    push_indent;

-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {

-	    handle_optional_interfaces(0);
+		set_global_variables(0);
+
+		handle_optional_interfaces(0);
+	    }

 	    emit ';;';
+
+	    pop_indent;
+
+	    emit '*)';
+
+	    push_indent;
 	}

-	pop_indent;
-	pop_indent;
+	set_global_variables(1);

-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(0);
+	    emit ';;';
+	    pop_indent;
+	    pop_indent;
+	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
+	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -347,6 +348,7 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
+    create_save_ipsets;

    emit "#\n# Start/Restart the Firewall\n#";

@@ -741,6 +743,8 @@ sub compiler {
    }

    setup_source_routing($family);
+
+    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -974,8 +978,7 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped;
-	    process_stoppedrules;
+	    process_routestopped unless process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -741,6 +741,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
+	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -1105,7 +1106,8 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;

-    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SAVED_IPSETS} = [];

    if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -3259,7 +3261,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }

-    if ( $actparms{0} ) {
+    if ( $chain ) {
+	#
+	# We're in an action body -- allow escaping at signs (@) for u32
+	#
+	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3274,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
+
+	$$lineref =~ s/\?\?/@/g;
    }
 }

@@ -3496,8 +3504,9 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$ ) {
-    my ( $var, $val ) = @_;
+sub default_yes_no ( $$;$ ) {
+    my ( $var, $val, $other ) = @_;
+    my $result = 1;

    my $curval = $config{$var};

@@ -3506,12 +3515,31 @@ sub default_yes_no ( $$ ) {

 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
+	} elsif ( defined( $other ) ) {
+	    if ( $other eq '*' ) {
+		if ( $curval eq 'yes' ) {
+		    $config{$var} = 'Yes';
+		} else {
+		    $result = 0;
+		}
+	    } elsif ( $curval eq $other ) {
+		#
+		# Downshift value for later comparison
+		#
+		$config{$var} = $curval;
+	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
+	    #
+	    # Make Case same as default
+	    #
+	    $config{$var} = 'Yes';
 	}
    } else {
 	$config{$var} = $val;
    }
+
+    $result;
 }

 sub default_yes_no_ipv4 ( $$ ) {
@@ -5543,7 +5571,16 @@ sub get_configuration( $$$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';

-    default_yes_no 'SAVE_IPSETS'                , '';
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
+	$val = $config{SAVE_IPSETS};
+	unless ( $val eq 'ipv4' ) {
+	    my @sets = split_list( $val , 'ipset' );
+	    $globals{SAVED_IPSETS} = \@sets;
+	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
+	    $config{SAVE_IPSETS} = '';
+	}
+    }
+
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5741,6 +5778,20 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';

+    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
+	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
+	    $val = 'ipt_ULOG';
+	} elsif ( $val eq 'netlink' ) {
+	    $val = 'nfnetlink_log';
+	} elsif ( $val eq 'LOG' ) {
+	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
+	} else {
+	    fatal_error "Invalid LOG Backend ($val)";
+	}
+
+	$config{LOG_BACKEND} = $val;
+    }
+
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

    default_log_level 'SMURF_LOG_LEVEL',     '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
    my $result;

    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
-	    progress_message2("$doing $fn...");
+	first_entry sub () {
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
-		$config{ADMINISABSENTMINDED} = 'Yes';
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 	    }
 	};

@@ -994,7 +993,7 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );

 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1117,8 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();

 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];

 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -2606,42 +2606,11 @@ EOF

    my @ipsets = all_ipsets;

-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit <<'EOF';
-
-    case $IPSET in
-        */*)
-            if [ ! -x "$IPSET" ]; then
-                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-                IPSET=
-            fi
-	    ;;
-	*)
-	    IPSET="$(mywhich $IPSET)"
-	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-	    ;;
-    esac
-
-    if [ -n "$IPSET" ]; then
-        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-            #
-            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-            #
-            hack='| grep -v /31'
-        else
-            hack=
-        fi
-
-        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-            #
-            # Don't save an 'empty' file
-            #
-            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-        fi
-    fi
-EOF
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit( '',
+	      '    save_ipsets ${VARDIR}/ipsets.save' );
    }
-
+	
    emit '

    set_state "Stopped"
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
+                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,23 @@ sub setup_interface_proc( $ ) {
    }
 }

+sub setup_log_backend($) {
+    if ( my $setting = $config{LOG_BACKEND} ) {
+	my $family   = shift;
+	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
+
+	emit( 'progress_message2 "Setting up log backend"',
+	      '',
+	      "if [ -f $file ]; then",
+	      "   if echo $setting > $file; then",
+	      "       progress_message 'Log Backend set to $setting'",
+	      '   else',
+	      "       error_message 'WARNING: Unable to set log backend to $setting'",
+	      '   fi',
+	      'else',
+	      "   error_message 'WARNING: $file does not exist - log backend not set'",
+	      "fi\n" );
+    }
+}

 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -454,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }

-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
+
+    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
+
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

-    my $physical    = get_physical $interface;
+    #
+    # Switch to the logical name if a physical name was passed
+    #
+    my $physical;
+
+    if ( $interface eq $interfaceref->{name} ) {
+	#
+	# The logical interface name was specified
+	#
+	$physical = $interfaceref->{physical};
+    } else {
+	#
+	# A Physical name was specified
+	#
+	$physical = $interface;
+	#
+	# Switch to the logical name unless it is a wildcard
+	#
+	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
+    } 
+
    my $gatewaycase = '';

    if ( $physical =~ /\+$/ ) {
@@ -1273,9 +1296,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}

-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';

-	emit "fi\n";
+	emit( 'else',
+	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
+	      "fi\n" );
    }

    emit  ( '#',
@@ -1872,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {

    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;

-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;

 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -818,9 +818,7 @@ sub apply_policy_rules() {
    progress_message2 'Applying Policies...';

    for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
-
-	unless ( $policy eq 'NONE' ) {
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1673,9 +1671,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
+			       undef,
+			       1 );
 	}

 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,14 +1748,15 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches

-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
-	    my $nolog    = ( $type == INLINE ) || 0;
-	    my $builtin  = 0;
-	    my $raw      = 0;
-	    my $mangle   = 0;
-	    my $filter   = 0;
-	    my $nat      = 0;
+	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $noinline    = 0;
+	    my $nolog       = ( $type == INLINE ) || 0;
+	    my $builtin     = 0;
+	    my $raw         = 0;
+	    my $mangle      = 0;
+	    my $filter      = 0;
+	    my $nat         = 0;
+	    my $terminating = 0;

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1774,6 +1775,8 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
+		    } elsif ( $_ eq 'terminating' ) {
+			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
@@ -1822,6 +1825,8 @@ sub process_actions() {
 		}

 		$targets{$action} = $actiontype;
+
+		make_terminating( $action ) if $terminating;
 	    } else {
 		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
@@ -2374,7 +2379,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,7 +2392,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
+#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
+						       wildcard   => $wildcard,
 						     };

    if ( $zone ) {
@@ -1497,7 +1499,7 @@ sub map_physical( $$ ) {

    $physical =~ s/\+$//;

-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }

 #
@@ -1531,6 +1533,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
+						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};

 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
@@ -2118,14 +2121,26 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
+    my %done;
+
+    for my $interface ( @interfaces ) {
+	my $value = $interfaces{$interface}{options}{$option};
+	if ( ! $interfaces{$interface}{zone} && $value ) {
+	    push @hosts, [ $interface, '', ALLIP , [], $value ];
+	    $done{$interface} = 1;
+	}
+    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
-			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+		    my $ipsec = $host->{ipsec};
+		    unless ( $done{$interface} ) { 
+			if ( my $value = $host->{options}{$option} ) {
+			    for my $net ( @{$host->{hosts}} ) {
+				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+			    }
 			}
 		    }
 		}
@@ -2133,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
 	}
    }

-    for my $interface ( @interfaces ) {
-	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
-	    push @hosts, [ $interface, 'none', ALLIP , [] ];
-	}
-    }
-
    \@hosts;
 }

--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -17,8 +17,10 @@ usage() {
    echo "   reset"
    echo "   refresh"
    echo "   restart"
+    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
+    echo "   savesets <file>"
    echo "   version"
    echo
    echo "Options are:"
@@ -371,6 +373,24 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
+    run)
+	if [ $# -gt 1 ]; then
+	    shift
+	    detect_configuration
+	    run_init_exit
+	    eval $@
+	    status=$?
+	else
+	    error_message "ERROR: Missing command"
+	fi
+	;;
+    savesets)
+	if [ $# -eq 2 ]; then
+	    save_ipsets $2
+	else
+	    usage 2
+	fi
+	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,optional
+net	all		dhcp,physical=+,routeback
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -33,6 +33,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -0,0 +1,34 @@
+#
+# Shorewall 4 - DNS Amplification Action
+#
+#    /usr/share/shorewall/action.DNSAmp
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   DNSAmp[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?format 2
+
+DEFAULTS DROP
+
+IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""

--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -57,3 +57,13 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
+#
+# While not actually helpers, these are handy to have. Not
+# all of these will be found on any given system, since
+# some are aliases on later kernels.
+#
+loadmodule ipt_LOG
+loadmodule xt_LOG
+loadmodule xt_NFLOG
+loadmodule ipt_ULOG
+loadmodule nfnetlink_log
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -a"
+    echo "       $ME -n"
    exit $1
 }

@@ -118,6 +119,7 @@ T="-T"
 INSTALLD='-D'

 finished=0
+configure=1

 while [ $finished -eq 0 ]; do
    option=$1
@@ -147,6 +149,10 @@ while [ $finished -eq 0 ]; do
 			ANNOTATED=
 			option=${option#p}
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -203,9 +209,11 @@ done

 [ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR

+[ -n "$SANDBOX" ] && configure=0
+
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*|CYGWIN)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -216,7 +224,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -1120,7 +1128,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -1167,7 +1175,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1615,6 +1615,15 @@ export_command() # $* = original arguments less the command.
    fi
 }

+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -1666,6 +1675,7 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ <file name> ]"
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,10 +71,17 @@
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                and are separated by commas; for example, "FOOBAR
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
+
+                <para>Beginning with Shorewall 4.6.4, you may specify the
+                <emphasis role="bold">terminating</emphasis> option with
+                <emphasis role="bold">builtin</emphasis> to indicate to the
+                Shorewall optimizer that the action is terminating (the
+                current packet will not be passed to the next rule in the
+                chain).</para>
              </listitem>
            </varlistentry>

@@ -133,6 +140,17 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>terminating</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.4. When used with
+                <replaceable>builtin</replaceable>, indicates that the
+                built-in action is termiating (i.e., if the action is jumped
+                to, the next rule in the chain is not evaluated).</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -27,7 +27,7 @@

    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>

    <orderedlist numeration="loweralpha">
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -476,24 +476,32 @@
            </varlistentry>

            <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the target is not one recognized by Shorewall, the following
-                error message will be issued:</para>
+                the <replaceable>iptables-target</replaceable> is not one
+                recognized by Shorewall, the following error message will be
+                issued:</para>

-                <simplelist>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>

                <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
-                <ulink
+                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
+                as a builtin action in <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>iptables-target</replaceable>, the target of
+                  the rule will be the iptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
              </listitem>
            </varlistentry>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -309,17 +309,22 @@
              <term>stoppedrules</term>

              <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
-                and the setting is ignored.</para>
-
-                <para>In addition to connections matching entries in
-                <filename>stoppedrules</filename>, existing connections
-                continue to work and all new connections from the firewall
-                system itself are allowed. To sever all existing connections
-                when the firewall is stopped, install the conntrack utility
-                and place the command <command>conntrack -F</command> in the
-                stopped user exit
+                <para>All existing connections continue to work. To sever all
+                existing connections when the firewall is stopped, install the
+                conntrack utility and place the command <command>conntrack
+                -F</command> in the stopped user exit
                (<filename>/etc/shorewall/stopped</filename>).</para>
+
+                <para>If ADMINISABSENTMINDED=No, only new connections matching
+                entries in <filename>stoppedrules</filename> are accepted when
+                Shorewall is stopped. Response packets and related connections
+                are automatically accepted.</para>
+
+                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
+                matching entries in <filename>stoppedrules</filename>, all new
+                connections from the firewall system itself are allowed when
+                the firewall is stopped. Response packets and related
+                connections are automatically accepted.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1306,6 +1311,45 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
+          backend to be used for the <command>iptrace</command> command (see
+          <ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
+
+          <para><replaceable>backend</replaceable> is one of:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>LOG</term>
+
+              <listitem>
+                <para>Use standard kernel logging.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>ULOG</term>
+
+              <listitem>
+                <para>Use ULOG logging to ulogd.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>netlink</term>
+
+              <listitem>
+                <para>Use netlink logging to ulogd version 2 or later.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -2425,7 +2469,8 @@ INLINE          -       -       -       ; -j REJECT

      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>

        <listitem>
          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@@ -2434,6 +2479,11 @@ INLINE          -       -       -       ; -j REJECT
          role="bold">shorewall save</emphasis> commands and restored by the
          <emphasis role="bold">shorewall start</emphasis> and <emphasis
          role="bold">shorewall restore</emphasis> commands.</para>
+
+          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
+          ipsets saved by specifying a setlist (a comma-separated list of ipv4
+          ipset names). You may also restrict the saved sets to just the ipv4
+          ones by specifying <emphasis role="bold">ipv4</emphasis>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -457,6 +457,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable></arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall</command>

@@ -1114,11 +1129,10 @@
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>

-          <para>The trace records are written to the kernel's log buffer with
-          facility = kernel and priority = warning, and they are routed from
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
-          Shorewall has no control over where the messages go; consult your
-          logging daemon's documentation.</para>
+          <para>The log message destination is determined by the
+          currently-selected IPv4 <ulink
+          url="/shorewall_logging.html#Backends">logging
+          backend</ulink>.</para>
        </listitem>
      </varlistentry>

@@ -1409,6 +1423,32 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+
+          <para>If there are files in the CONFIG_PATH that were modified after
+          the current firewall script was generated, the following warning
+          message is issued:</para>
+
+          <simplelist>
+            <member>WARNING: /var/lib/shorewall/firewall is not up to
+            date</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">safe-restart</emphasis></term>

--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-After=syslog.target
 After=network.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall $OPTIONS start
 ExecStop=/sbin/shorewall $OPTIONS stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx #The Build script inserts the actual version
+PRODUCT=shorewall

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

@@ -69,6 +74,43 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
@@ -110,24 +152,39 @@ fi

 echo "Uninstalling shorewall $VERSION"

-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
-   shorewall clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+	shorewall clear
+    fi
 fi

 rm -f ${SBINDIR}/shorewall

-if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d ${PRODUCT} remove
-    elif mywhich insserv ; then
-        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
-	systemctl disable ${PRODUCT}
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
+fi
+
+if [ -f "$FIREWALL" ]; then
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d ${PRODUCT} remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
    fi

-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
+fi
+
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall.service
 fi

 rm -rf ${SHAREDIR}/shorewall/version
@@ -139,8 +196,8 @@ if [ -n "$SYSCONFDIR" ]; then
 fi

 rm -rf ${VARDIR}/shorewall
-rm -rf ${PERLLIB}/Shorewall/*
-rm -rf ${LIBEXEC}/shorewall
+rm -rf ${PERLLIBDIR}/Shorewall/*
+rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -317,6 +317,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">command</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -366,6 +381,20 @@
      <arg choice="plain"><option>capabilities</option></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -465,7 +494,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -805,6 +835,23 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the command, the script will detect the
+          configuration, setting all SW_* variables and will run your
+          <filename>init</filename> extension script with $COMMAND =
+          'run'.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>

@@ -827,6 +874,19 @@
          arguments:</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to ip6tables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -1071,6 +1131,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
-After=syslog.target
 After=network.target
+Conflicts=ip6tables.service firewalld.service

 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -27,6 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall6-lite

 usage() # $1 = exit status
 {
@@ -69,6 +70,42 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,38 +149,50 @@ fi

 echo "Uninstalling Shorewall Lite $VERSION"

-if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR)/shorewall6 ]; then
-   ${SBINDIR}/shorewall6-lite clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/shorewall6-lite clear
+    fi
 fi

-if [ -l ${SHAREDIR}/shorewall6-lite/init ]; then
+if [ -f ${SHAREDIR}/shorewall6-lite/init ]; then
    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi

 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall6-lite remove
-    elif mywhich insserv ; then
-        insserv -r $FIREWALL
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall6-lite
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall6-lite remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	elif mywhich systemctl ; then
+	    systemctl disable shorewall6-lite
+	fi
    fi

    remove_file $FIREWALL
 fi

+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall6-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
 rm -rf ${VARDIR}/shorewall6-lite
 rm -rf ${SHAREDIR}/shorewall6-lite
-rm -rf ${LIBEXEC}/shorewall6-lite
+rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 [ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service

+rm -f ${MANDIR}/man5/shorewall6-lite*
+rm -f ${MANDIR}/man8/shorewall6-lite*
+
 echo "Shorewall6 Lite Uninstalled"
-
-
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=Yes

 RESTORE_ROUTEMARKS=Yes

+SAVE_IPSETS=No
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No

 RESTORE_ROUTEMARKS=Yes

+SAVE_IPSETS=No
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No

 RESTORE_ROUTEMARKS=Yes

+SAVE_IPSETS=No
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No

 RESTORE_ROUTEMARKS=Yes

+SAVE_IPSETS=No
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/configfiles/nat
+++ b/Shorewall6/configfiles/nat
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Nat File
+#
+# For information about entries in this file, type "man shorewall6-nat"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-nat.html
+#
+###############################################################################
+#EXTERNAL		INTERFACE		INTERNAL	ALL	LOCAL
+#						INTERFACES
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No

 RESTORE_ROUTEMARKS=Yes

+SAVE_IPSETS=No
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/helpers
+++ b/Shorewall6/helpers
@@ -34,3 +34,12 @@ loadmodule nf_conntrack_proto_sctp
 loadmodule nf_conntrack_sip
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
+#
+# While not actually helpers, these are handy to have. Not
+# all of these will be found on any given system, since
+# some are aliases on later kernels.
+#
+loadmodule ip6t_LOG
+loadmodule xt_LOG
+loadmodule xt_NFLOG
+loadmodule nfnetlink_log
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -71,10 +71,18 @@
                role="bold">mangle</emphasis> and <emphasis
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
-                table names follow builtin and are separated by commas; for
-                example, "FOOBAR,filter,mangle" would specify FOOBAR as a
-                builtin target that can be used in the filter and mangle
+                table names follow <emphasis role="bold">builtin</emphasis>
+                and are separated by commas; for example, "FOOBAR
+                builtin,filter,mangle" would specify FOOBAR as a builtin
+                target that can be used in the filter and mangle
                tables.</para>
+
+                <para>Beginning with Shorewall 4.6.4, you may specify the
+                <emphasis role="bold">terminating</emphasis> option with
+                <emphasis role="bold">builtin</emphasis> to indicate to the
+                Shorewall optimizer that the action is terminating (the
+                current packet will not be passed to the next rule in the
+                chain).</para>
              </listitem>
            </varlistentry>

@@ -133,6 +141,17 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>terminating</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.4. When used with
+                <replaceable>builtin</replaceable>, indicates that the
+                built-in action is termiating (i.e., if the action is jumped
+                to, the next rule in the chain is not evaluated).</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-nat.xml
+++ b/Shorewall6/manpages/shorewall6-nat.xml
@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-nat</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nat</refname>
+
+    <refpurpose>Shorewall6 one-to-one NAT file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/nat</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define one-to-one Network Address Translation
+    (NAT).</para>
+
+    <warning>
+      <para>If all you want to do is simple port forwarding, do NOT use this
+      file. See <ulink
+      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
+      </para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">EXTERNAL</emphasis> -
+        {<emphasis>address</emphasis>|[?]COMMENT}</term>
+
+        <listitem>
+          <para>External IP Address - this should NOT be the primary IP
+          address of the interface named in the next column and must not be a
+          DNS Name.</para>
+
+          <para>If you put COMMENT in this column, the rest of the line will
+          be attached as a comment to the Netfilter rule(s) generated by the
+          following entries in the file. The comment will appear delimited by
+          "/* ... */" in the output of "shorewall show nat"</para>
+
+          <para>To stop the comment from being attached to further rules,
+          simply include COMMENT on a line by itself.</para>
+
+          <note>
+            <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+            COMMENT and is preferred.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interfacelist</emphasis>[<emphasis
+        role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
+
+        <listitem>
+          <para>Interfaces that have the <emphasis
+          role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
+          <ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5),
+          Shorewall will automatically add the EXTERNAL address to this
+          interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
+          name with ":" and a <emphasis>digit</emphasis> to indicate that you
+          want Shorewall to add the alias with this name (e.g., "eth0:0").
+          That allows you to see the alias with ifconfig. <emphasis
+          role="bold">That is the only thing that this name is good for -- you
+          cannot use it anywhere else in your Shorewall configuration.
+          </emphasis></para>
+
+          <para>Each interface must match an entry in <ulink
+          url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>If you want to override ADD_IP_ALIASES=Yes for a particular
+          entry, follow the interface name with ":" and no digit (e.g.,
+          "eth0:").</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERNAL</emphasis> -
+        <emphasis>address</emphasis></term>
+
+        <listitem>
+          <para>Internal Address (must not be a DNS Name).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
+        [<emphasis role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If Yes or yes, NAT will be effective from all hosts. If No or
+          no (or left empty) then NAT will be effective only through the
+          interface named in the <emphasis role="bold">INTERFACE</emphasis>
+          column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">LOCAL</emphasis> - [<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If <emphasis role="bold">Yes</emphasis> or <emphasis
+          role="bold">yes</emphasis>, NAT will be effective from the firewall
+          system</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/nat</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -450,24 +450,33 @@
            </varlistentry>

            <varlistentry>
-              <term>IP6TABLES({<replaceable>target</replaceable>
+              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
-                <para>This action allows you to specify an iptables target
-                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
-                If the target is not one recognized by Shorewall, the
-                following error message will be issued:</para>
+                <para>This action allows you to specify an ip6tables target
+                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
+                the <replaceable>ip6tables-target</replaceable> is not one
+                recognized by Shorewall, the following error message will be
+                issued:</para>

-                <simplelist>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>

-                <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
-                <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
+                <para>This error message may be eliminated by adding
+                the<replaceable>
+                ip6tables-</replaceable><replaceable>target</replaceable> as a
+                builtin action in <ulink
+                url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>ip6tables-target</replaceable>, the target of
+                  the rule will be the i6ptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -220,9 +220,9 @@
        <listitem>
          <para>The value of this variable affects Shorewall's stopped state.
          The behavior differs depending on whether <ulink
-          url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or <ulink
-          url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
+          url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
          is used:</para>

          <variablelist>
@@ -245,17 +245,22 @@
              <term>stoppedrules</term>

              <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
-                and the setting is ignored.</para>
-
-                <para>In addition to connections matching entries in
-                <filename>stoppedrules</filename>, existing connections
-                continue to work and all new connections from the firewall
-                system itself are allowed. To sever all existing connections
-                when the firewall is stopped, install the conntrack utility
-                and place the command <command>conntrack -F</command> in the
-                stopped user exit
+                <para>All existing connections continue to work. To sever all
+                existing connections when the firewall is stopped, install the
+                conntrack utility and place the command <command>conntrack
+                -F</command> in the stopped user exit
                (<filename>/etc/shorewall6/stopped</filename>).</para>
+
+                <para>If ADMINISABSENTMINDED=No, only new connections matching
+                entries in <filename>stoppedrules</filename> are accepted when
+                Shorewall is stopped. Response packets and related connections
+                are automatically accepted.</para>
+
+                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
+                matching entries in <filename>stoppedrules</filename>, all new
+                connections from the firewall system itself are allowed when
+                the firewall is stopped. Response packets and related
+                connections are automatically accepted.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1157,6 +1162,38 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
+          backend to be used for the <command>iptrace</command> command (see
+          <ulink
+          url="manpages6/shorewall6.html">shorewall6(8)</ulink>).</para>
+
+          <para><replaceable>backend</replaceable> is one of:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>LOG</term>
+
+              <listitem>
+                <para>Use standard kernel logging.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>netlink</term>
+
+              <listitem>
+                <para>Use netlink logging to ulogd version 2 or later.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -2085,6 +2122,25 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
+
+        <listitem>
+          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
+          current contents of your ipsets will be saved by the <emphasis
+          role="bold">shorewall stop</emphasis> and <emphasis
+          role="bold">shorewall save</emphasis> commands and restored by the
+          <emphasis role="bold">shorewall start</emphasis> and <emphasis
+          role="bold">shorewall restore</emphasis> commands.</para>
+
+          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
+          ipsets saved by specifying a setlist (a comma-separated list of ipv6
+          ipset names).</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -406,6 +406,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable></arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -997,11 +1012,10 @@
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>

-          <para>The trace records are written to the kernel's log buffer with
-          facility = kernel and priority = warning, and they are routed from
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
-          Shorewall has no control over where the messages go; consult your
-          logging daemon's documentation.</para>
+          <para>The log message destination is determined by the
+          currently-selected IPv6 <ulink
+          url="/shorewall_logging.html#Backends">logging
+          backend</ulink>.</para>
        </listitem>
      </varlistentry>

@@ -1290,6 +1304,33 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+
+          <para>If there are files in the CONFIG_PATH that were modified after
+          the current firewall script was generated, the following warning
+          message is issued before the script's run command is
+          executed:</para>
+
+          <simplelist>
+            <member>WARNING: /var/lib/shorewall6/firewall is not up to
+            date</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">safe-restart</emphasis></term>

--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall
-After=syslog.target
 After=network.target
+Conflicts=ip6tables.service firewalld.service

 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall6 $OPTIONS start
 ExecStop=/sbin/shorewall6 $OPTIONS stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -27,6 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx #The Build script inserts the actual version
+PRODUCT=shorewall6

 usage() # $1 = exit status
 {
@@ -69,6 +70,43 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 #
 # Read the RC file
 #
@@ -112,8 +150,12 @@ fi

 echo "Uninstalling shorewall6 $VERSION"

-if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
-   ${SBINDIR}/shorewall6 clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
+	${SBINDIR}/shorewall6 clear
+    fi
 fi

 if [ -L ${SHAREDIR}/shorewall6/init ]; then
@@ -123,23 +165,28 @@ elif [ -n "$INITFILE" ]; then
 fi

 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall6 remove
-    elif mywhich insserv ; then
-        insserv -r $FIREWALL
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall6
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall6 remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
    fi

    remove_file $FIREWALL
 fi

+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall6.service
+fi
+
 rm -f ${SBINDIR}/shorewall6
 rm -rf ${CONFDIR}/shorewall6
 rm -rf ${VARDIR}/shorewall6
-rm -rf ${LIBEXEC}/shorewall6
+rm -rf ${LIBEXECDIR}/shorewall6
 rm -rf ${SHAREDIR}/shorewall6

 for f in ${MANDIR}/man5/shorewall6* ${SHAREDIR}/man/man8/shorewall6*; do
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -164,7 +164,7 @@
    <section>
      <title>build</title>

-      <para>This is the script that builds Shorewall 4.4 packages from
+      <para>This is the script that builds Shorewall 4.6 packages from
      Git.</para>

      <para>The script copies content from Git using the <command>git
@@ -220,7 +220,7 @@
      <para>You should ensure that you have the latest scripts. The scripts
      change periodically as we move through the release cycles.</para>

-      <para>The build44 script may need to be modified to fit your particular
+      <para>The build46 script may need to be modified to fit your particular
      environment. There are a number of variables that are set near the top
      of the file:</para>

@@ -270,10 +270,12 @@
      </variablelist>

      <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
-      the appropriate directory and run the build script.</para>
+      directory</firstterm> per major release.</para>

-      <para>The general form of the build command is:</para>
+      <para>To build a release, you cd to the appropriate directory and run
+      the build46 script.</para>
+
+      <para>The general form of the build46 command is:</para>

      <blockquote>
        <para><command>build</command> [ -<replaceable>options</replaceable> ]
@@ -401,13 +403,13 @@
    </section>

    <section>
-      <title>build45</title>
+      <title>build45 and build46</title>

-      <para>This is the script that builds Shorewall 4.5 packages from
-      Git.</para>
+      <para>These are the scripts that respectively build Shorewall 4.5 and
+      Shorewall 4.6 packages from Git.</para>

-      <para>The script copies content from Git using the <command>git
-      archive</command> command. It then uses that content to build the
+      <para>The scripts copy content from Git using the <command>git
+      archive</command> command. They then use that content to build the
      packages. In addition to the usual Gnu utilities, the following software
      is required:</para>

@@ -451,7 +453,7 @@

          <listitem>
            <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            that you have a recent version; I use 0.0.25.</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -459,7 +461,7 @@
      <para>You should ensure that you have the latest scripts. The scripts
      change periodically as we move through the release cycles.</para>

-      <para>The build44 script may need to be modified to fit your particular
+      <para>The scripts may need to be modified to fit your particular
      environment. There are a number of variables that are set near the top
      of the file:</para>

@@ -509,14 +511,17 @@
      </variablelist>

      <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
-      the appropriate directory and run the build script.</para>
+      directory</firstterm> per major release. Each build directory should
+      contain the empty file <filename>shorewall-pkg.config</filename>; that
+      file is no longer used but has been retained just as a guard against
+      initiating a build in an unintended directory. To build a release, you
+      cd to the appropriate directory and run the build script.</para>

      <para>The general form of the build command is:</para>

      <blockquote>
-        <para><command>build</command> [ -<replaceable>options</replaceable> ]
-        <replaceable>release</replaceable> [ <replaceable>prior
+        <para><command>build</command>4x [ -<replaceable>options</replaceable>
+        ] <replaceable>release</replaceable> [ <replaceable>prior
        release</replaceable> ]</para>
      </blockquote>

@@ -632,8 +637,8 @@
        </varlistentry>
      </variablelist>

-      <para>Example 1 - Build Shorewall 4.3.7 and generate patches against
-      4.3.6:</para>
+      <para>Example 1 - Build Shorewall 4.5.7 and generate patches against
+      4.5.6:</para>

      <blockquote>
        <para><command>build45 4.5.7 4.5.6</command></para>
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -705,8 +705,9 @@ Knock                 net            $FW       tcp        22,1599-1601
    <section id="Stateful">
      <title>Stateful Port Knocking (knock with a sequence of ports)</title>

-      <para>Gerhard Wiesinger has contributed a Perl module that allows you to
-      define portknocking sequences. Download <ulink
+      <para><ulink url="http://www.wiesinger.com/">Gerhard Wiesinger</ulink>
+      has contributed a Perl module that allows you to define portknocking
+      sequences. Download <ulink
      url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
      module</ulink> and copy it into your site_perl directory.</para>

--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2309,10 +2309,26 @@ gateway:~# </programlisting>
      <title>(FAQ 103) Shorewall fails to start at boot but will start
      immediately after</title>

-      <para>Answer: This is usually associated with SELinux. <ulink
+      <para><emphasis role="bold">Answer:</emphasis> This is usually
+      associated with SELinux. <ulink
      url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
      is an example.</para>
    </section>
+
+    <section id="faq104">
+      <title>(FAQ 104) I see <emphasis>kernel</emphasis> messages in my log
+      when I start or restart Shorewall or Shorewall6</title>
+
+      <para>Example: </para>
+
+      <programlisting>&gt; Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not support BROADCAST matching
+</programlisting>
+
+      <para><emphasis role="bold">Answer:</emphasis> These are harmless.
+      Shorewall attempts to execute various commands to determine the
+      capabiities of your system. If you system doesn't support a command, it
+      will generally issue a kernel log message.</para>
+    </section>
  </section>

  <section id="MultiISP">
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -294,9 +294,164 @@ xt_tcpudp               3328  0
    /etc/shorewall/shorewall.conf to point to that directory.</para>
  </section>

+  <section>
+    <title>FTP with Kernel 3.5 and Later</title>
+
+    <para>Because of the potential for attackers to subvert Netfilter helpers
+    like the one for FTP, the Netfilter team are in the process of eliminating
+    the automatic association of helpers to connections. In the 3.5 kernel, it
+    is possible to disable this automatic association, and the team have
+    announced that automatic association will eventually be eliminated. While
+    it is certainly more secure to add explicit rules that create these
+    associations, for Shorewall to require users to add those rules would
+    present a gross inconvenience during a Shorewall upgrade. To make
+    Shorewall and kernel upgrades as smooth as possible, several new features
+    were added to the Shorewall 4.5.7:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Shorewall automatically disables the kernel's automatic
+        association of helpers to connections on kernel 3.5 and later.</para>
+      </listitem>
+
+      <listitem>
+        <para>An automatic association of helpers with connections that
+        performs the same function as in the pre-3.5 kernels has been added.
+        This automatic association is controlled by the AUTOHELPERS
+        shorewall.conf option which is set to 'Yes' by default.</para>
+      </listitem>
+
+      <listitem>
+        <para>A HELPERS column has been added to the /etc/shorewall/rules In
+        the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the
+        specified helper is automatically associated with the
+        connection.</para>
+      </listitem>
+
+      <listitem>
+        <para>HELPERS may be specified in action files, macros and in the
+        rules file itself. In the RELATED section: The rule will only match
+        related connections that have the named helper attached. - The
+        standard Macros for applications requiring a helper (FTP, IRC, etc)
+        have been modified to automatically specify the correct helper in the
+        HELPER column.</para>
+      </listitem>
+
+      <listitem>
+        <para>HELPER is now a valid action in /etc/shorewall/rules. This
+        action requires that a helper be present in the HELPER column and
+        causes the specified helper to be associated with connections matching
+        the rule. No destination zone should be specified in HELPER rules.
+        HELPER rules allow specification of a helper for connections that are
+        ACCEPTed by the applicable policy.</para>
+
+        <para> Example (loc-&gt;net policy is ACCEPT) - In
+        /etc/shorewall/rules:</para>
+
+        <programlisting>#ACTION     SOURCE       DEST
+FTP(HELPER) loc          - </programlisting>
+
+        <para>or equivalently </para>
+
+        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
+#                                       PORT(S)
+HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
+      </listitem>
+
+      <listitem>
+        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
+        HELPERS column) can be taylored using the new HELPERS option in
+        shorewall.conf. </para>
+      </listitem>
+    </itemizedlist>
+
+    <para>By making AUTOHELPERS=Yes the default, users can upgrade their
+    systems to a 3.5+ kernel without disrupting the operation of their
+    firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and
+    follow one of two strategies:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Use the HELPERS column in the rules file to enable helpers as
+        needed (preferred); or</para>
+      </listitem>
+
+      <listitem>
+        <para>Taylor the conntrack file to enable helpers on only those
+        connections that are required.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>With either of these approaches, the list if available helpers can
+    be trimmed using the HELPERS option and rules can be added to the RELATED
+    section of the rules file to further restrict the effect of helpers. The
+    implementation of these new function places conditional rules in the
+    /etc/shorewall[6]/conntrack file. These rules are included conditionally
+    based in the setting of AUTOHELPERS.</para>
+
+    <para> Example:</para>
+
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+?if $AUTOHELPERS &amp;&amp; __CT_TARGET
+?if __FTP_HELPER
+CT:helper:ftp           all             -               tcp     21
+?endif
+...
+?endif</programlisting>
+
+    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
+    and 'ftp' is not listed in that setting. For example, if you only need FTP
+    access from your 'loc' zone, then add this rule outside of the outer-most
+    ?if....?endif shown above.</para>
+
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+...
+CT:helper:ftp           loc             -               tcp     21</programlisting>
+
+    <para> For an overview of Netfilter Helpers and Shorewall's support for
+    dealing with them, see <ulink
+    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
+
+    <para>See <ulink
+    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
+    for additional information. </para>
+  </section>
+
  <section id="Ports">
    <title>FTP on Non-standard Ports</title>

+    <para>If you are running kernel 3.5 or later and Shorewall 4.5.7 or later,
+    then please read the preceding section. You can add appropriate entries
+    into <ulink url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>
+    or <ulink
+    url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink> to
+    associate the FTP helpers with a nonstandard port.</para>
+
+    <para>Examples using port 12345:</para>
+
+    <para><filename>/etc/shorewall/rules:</filename></para>
+
+    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
+#                                                             PORT(S)
+DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
+
+    <para>That entry will accept ftp connections on port 12345 from the net
+    and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
+
+    <para><filename>/etc/shorewall/conntrack:</filename></para>
+
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+...
+CT:helper:ftp           loc             -               tcp     12345</programlisting>
+
+    <para>That rule automatically associates the ftp helper with TCP port
+    12345 from the 'loc' zone.</para>
+
+    <para>Otherwise, read on.</para>
+
    <note>
      <para>If you are running <emphasis role="bold">kernel 2.6.19 or
      earlier</emphasis>, replace <emphasis
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -683,6 +683,56 @@

        <programlisting><command>./configure --vendor=redhat --systemd=</command></programlisting>
      </section>
+
+      <section>
+        <title>Install for Packaging.</title>
+
+        <para>If you build your own packages, then you will want to install
+        the Shorewall products into it's own directory tree. This is done by
+        adding DESTDIR to the installer's environment. For example, to install
+        a product for Debian into the /tmp/package directory:</para>
+
+        <programlisting>DESTDIR=/tmp/package ./install.sh shorewallrc.debian</programlisting>
+      </section>
+
+      <section>
+        <title>Install into a Sandbox</title>
+
+        <para>When DESTDIR is used, the resulting configuration is not
+        runnable, because all configuration pathnames are relative to
+        $DESTDIR. Beginning with Shorewall 4.6.4, you can create runnable
+        configurations separate from your main configuration. Here is a sample
+        shorewallrc file:</para>
+
+        <programlisting>                INSTALL_DIR=/usr/local/shorewall-custom
+                HOST=suse
+                PREFIX=${INSTALL_DIR}
+                SHAREDIR=${INSTALL_DIR}/share
+                LIBEXECDIR=${INSTALL_DIR}/lib
+                PERLLIBDIR=${INSTALL_DIR}/lib/perl5
+                CONFDIR=${INSTALL_DIR}/etc
+                SBINDIR=${INSTALL_DIR}/usr/sbin
+                MANDIR=${SHAREDIR}/man/
+                INITDIR=${INSTALL_DIR}/etc/init.d
+                INITSOURCE=init.suse.sh
+                INITFILE=${PRODUCT}
+                AUXINITSOURCE=
+                AUXINITFILE=
+                SYSTEMD=${INSTALL_DIR}/etc/systemd
+                SERVICEFILE=${PRODUCT}.service
+                SYSCONFFILE=sysconfig
+                SYSCONFDIR=${INSTALL_DIR}/etc/sysconfig
+                SPARSE=
+                ANNOTATED=
+                VARLIB=${INSTALL_DIR}/var/lib
+                VARDIR=${VARLIB}/${PRODUCT}
+                <emphasis role="bold">SANDBOX=Yes</emphasis></programlisting>
+
+        <para>The above shorewallrc creates a runnable configuration in
+        /usr/local/shorewall-custom. It is triggered by adding SANDBOX to the
+        shorewallrc file -- any non-empty value for that variable will prevent
+        the installer from replacing the current main configuraiton. </para>
+      </section>
    </section>

    <section>
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -87,6 +87,9 @@
        <member><ulink url="manpages6/shorewall6-modules.html">modules</ulink>
        - Specify which kernel modules to load.</member>

+        <member><ulink url="manpages6/shorewall6-nat.html">nat</ulink> -
+        (added in Shorewall 4.6.4) Specify 1:1 NAT</member>
+
        <member><ulink url="manpages6/shorewall6-nesting.html">nesting</ulink>
        - How to define nested zones.</member>

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -710,7 +710,7 @@
      up.</para>
    </section>

-    <section>
+    <section id="masq">
      <title>./etc/shorewall/masq and Multi-ISP</title>

      <para>If you masquerade a local network, you will need to add masquerade
@@ -976,51 +976,6 @@ eth1             0.0.0.0/0         130.252.99.27
 eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
    </section>

-    <section id="Local">
-      <title>Applications running on the Firewall -making them use a
-      particular provider</title>
-
-      <para>As <link linkend="Applications">noted above</link>, separate
-      entries in <filename>/etc/shorewall/mangle</filename> are required for
-      traffic originating from the firewall.</para>
-
-      <para>Experience has shown that in some cases, problems occur with
-      applications running on the firewall itself. This is especially true
-      when you have specified <emphasis role="bold">routefilter</emphasis> on
-      your external interfaces in /etc/shorewall/interfaces (see <link
-      linkend="Martians">above</link>). When this happens, it is suggested
-      that you have the application use specific local IP addresses rather
-      than 0.</para>
-
-      <para>Examples:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Squid: In <filename>squid.conf</filename>, set <emphasis
-          role="bold">tcp_outgoing_address</emphasis> to the IP address of the
-          interface that you want Squid to use.</para>
-        </listitem>
-
-        <listitem>
-          <para>In OpenVPN, set <emphasis role="bold">local
-          </emphasis>(<emphasis role="bold">--local</emphasis> on the command
-          line) to the IP address that you want the server to receive
-          connections on.</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Note that some traffic originating on the firewall doesn't have a
-      SOURCE IP address before routing. At least one Shorewall user reports
-      that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
-      in the SOURCE column seems to be the most reliable way to direct such
-      traffic to a particular ISP.</para>
-
-      <para>Example:</para>
-
-      <programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
-lo          -         shorewall       1000</programlisting>
-    </section>
-
    <section id="rtrules">
      <title>/etc/shorewall/rtrules (formerly
      /etc/shorewall/route_rules)</title>
@@ -1186,6 +1141,51 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
      </section>
    </section>

+    <section id="Local">
+      <title>Applications running on the Firewall - making them use a
+      particular provider</title>
+
+      <para>As <link linkend="Applications">noted above</link>, separate
+      entries in <filename>/etc/shorewall/mangle</filename> are required for
+      traffic originating from the firewall.</para>
+
+      <para>Experience has shown that in some cases, problems occur with
+      applications running on the firewall itself. This is especially true
+      when you have specified <emphasis role="bold">routefilter</emphasis> on
+      your external interfaces in /etc/shorewall/interfaces (see <link
+      linkend="Martians">above</link>). When this happens, it is suggested
+      that you have the application use specific local IP addresses rather
+      than 0.</para>
+
+      <para>Examples:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Squid: In <filename>squid.conf</filename>, set <emphasis
+          role="bold">tcp_outgoing_address</emphasis> to the IP address of the
+          interface that you want Squid to use.</para>
+        </listitem>
+
+        <listitem>
+          <para>In OpenVPN, set <emphasis role="bold">local
+          </emphasis>(<emphasis role="bold">--local</emphasis> on the command
+          line) to the IP address that you want the server to receive
+          connections on.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Note that some traffic originating on the firewall doesn't have a
+      SOURCE IP address before routing. At least one Shorewall user reports
+      that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
+      in the SOURCE column seems to be the most reliable way to direct such
+      traffic to a particular ISP.</para>
+
+      <para>Example:</para>
+
+      <programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
+lo          -         shorewall       1000</programlisting>
+    </section>
+
    <section id="routes">
      <title>/etc/shorewall/routes File</title>

@@ -2123,6 +2123,11 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
          later.</para>
        </warning>

+        <para><filename>/etc/shorewall/params:</filename></para>
+
+        <programlisting>EXT_IF=eth0
+COM_IF=eth1</programlisting>
+
        <para><filename>/etc/shorewall/isusable</filename>:</para>

        <programlisting>local status=0
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -388,122 +388,31 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
    details.</para>
  </section>

-  <section id="COMMENT">
-    <title>Attach Comment to Netfilter Rules</title>
+  <section id="capabilities">
+    <title>Capabilities</title>

-    <para>If you kernel and iptables contain comment match support (see the
-    output of <command>shorewall show capabilities</command>), then you can
-    attach comments to Netfilter rules. This feature is available in the
-    following files:</para>
+    <para>Shorewall probes your system to determine the features that it
+    supports. The result of this probing is a set of
+    <firstterm>capabilities</firstterm>. This probing is normally done each
+    time that the compiler is run but can also be done by executing the
+    <command>shorewall show capabilities</command> command. Regardless of
+    whether the compiler or the command does the probing, this probing may
+    produce error messages in your system log. These log messages are to be
+    expected and do not represent a problem; they merely indicate that
+    capabilities that are being probed are not supported on your
+    system.</para>

-    <itemizedlist>
-      <listitem>
-        <para><filename>/etc/shorewall/conntrack</filename> (formerly
-        <filename>/etc/shorewall/notrack</filename>)</para>
-      </listitem>
+    <para>Probing may be suppressed by using a <firstterm>capabilities
+    file</firstterm>. A capabilities file may be generated using this
+    command:</para>

-      <listitem>
-        <para><filename>/etc/shorewall/accounting</filename></para>
-      </listitem>
+    <programlisting><command>shorewall show -f capabilities &gt; /etc/shorewall/capabilities</command></programlisting>

-      <listitem>
-        <para><filename>/etc/shorewall/masq</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/nat</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/rules</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/secmarks</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/tcrules</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/tunnels</filename></para>
-      </listitem>
-
-      <listitem>
-        <para>Action definition files
-        (<filename>/etc/shorewall/action.*</filename>)</para>
-      </listitem>
-
-      <listitem>
-        <para>Macro definition files (/etc/shorewall/macro.*)</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>To attach a comment to one or more rules, insert a record above the
-    rules that begins with the word ?COMMENT (must be in all caps). The
-    remainder of the line is treated as a comment -- that comment will appear
-    delimited by "/* ... */" in the output of the <command>shorewall[-lite]
-    show</command> and <command>shorewall[-lite] dump</command> commands. The
-    comment will be attached to each generated rule until another ?COMMENT
-    line appears. To stop attaching comments to rules, simply insert a line
-    that contains the single word ?COMMENT.</para>
-
-    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
-
-    <programlisting>?COMMENT Stop NETBIOS noise
-
-REJECT          loc                             net                     tcp     137,445
-REJECT          loc                             net                     udp     137:139
-
-?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
-
-DROP            loc:!192.168.0.0/22             net
-
-?COMMENT</programlisting>
-
-    <para>Here's the corresponding output from
-    <filename>/sbin/shorewall-lite</filename>:</para>
-
-    <programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
-Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
-
-Counters reset Mon Oct 16 14:52:17 PDT 2006
-
-Chain loc-net (1 references)
- pkts bytes target     prot opt in     out     source               destination
-    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
-    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
-    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
-    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031
-    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,445 <emphasis
-        role="bold">/* Stop NETBIOS noise */</emphasis>
-    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 <emphasis
-        role="bold">/* Stop NETBIOS noise */</emphasis>
-    0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0           <emphasis
-        role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
-    5   316 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
-gateway:~ #
-
-</programlisting>
-
-    <para>?COMMENT lines in macro files work somewhat differently from other
-    files. ?COMMENT lines in macros are ignored if COMMENT support is not
-    available or if there was a COMMENT in use when the top-level macro was
-    invoked. This allows the following:</para>
-
-    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
-
-    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
-#                          PORT(S) PORT(S) LIMIT GROUP
-?COMMENT SSH
-PARAM   -      -     tcp   22 </programlisting>
-    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
-SSH(ACCEPT)    net:$MYIP      $FW
-?COMMENT</programlisting>The comment line in macro.SSH will not override the
-    ?COMMENT line in the rules file and the generated rule will show <emphasis
-    role="bold">/* Allow SSH from home */</emphasis> when displayed through
-    the Shorewall show and dump commands.</para>
+    <important>
+      <para>If you use a capabilities file, be sure to regenerate it after you
+      have performed a Shorewall upgrade to ensure that all current
+      capabilities have been recorded in your file.</para>
+    </important>
  </section>

  <section id="BlankColumn">
@@ -626,9 +535,11 @@ ACCEPT      net:\
          port:1024</emphasis></member>
        </simplelist>

-        <para>That usage is deprecated beginning with Shorewall 4.6.0. See the
-        INLINE_MATCHES option in <ulink
-        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        <important>
+          <para>That usage is deprecated beginning with Shorewall 4.6.0. See
+          the INLINE_MATCHES option in <ulink
+          url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </important>
      </listitem>
    </itemizedlist>

@@ -979,7 +890,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
      <listitem>
        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
        role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc::[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
+        role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
      </listitem>

      <listitem>
@@ -1180,7 +1091,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
  <section>
    <title>?FORMAT Directive</title>

-    <para>A number of different files support multiple formats. Prior to
+    <para>A number of configuration files support multiple formats. Prior to
    Shorewall 4.5.11, the format was specified by a line having 'FORMAT' as
    the first token. This requires each of the file processors to handle
    FORMAT separately.</para>
@@ -1284,11 +1195,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    centralize processing of COMMENT directives. The old entries, while still
    supported, are now deprecated.</para>

+    <para>Use of this directive requires Comment support in your kernel and
+    iptables - see the output of <command><link
+    linkend="capabilities">shorewall show
+    capabilities</link></command>.</para>
+
    <para>The ?COMMENT directive is as follows:</para>

    <variablelist>
      <varlistentry>
-        <term>COMMENT [ <replaceable>comment</replaceable> ]</term>
+        <term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>

        <listitem>
          <para>If <replaceable>comment</replaceable> is present, it will
@@ -1299,13 +1215,69 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
        </listitem>
      </varlistentry>
    </variablelist>
+
+    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
+
+    <programlisting>?COMMENT Stop NETBIOS noise
+
+REJECT          loc                             net                     tcp     137,445
+REJECT          loc                             net                     udp     137:139
+
+?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
+
+DROP            loc:!192.168.0.0/22             net
+
+?COMMENT</programlisting>
+
+    <para>Here's the corresponding output from
+    <filename>/sbin/shorewall-lite</filename>:</para>
+
+    <programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
+Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
+
+Counters reset Mon Oct 16 14:52:17 PDT 2006
+
+Chain loc-net (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
+    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
+    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
+    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031
+    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,445 <emphasis
+        role="bold">/* Stop NETBIOS noise */</emphasis>
+    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 <emphasis
+        role="bold">/* Stop NETBIOS noise */</emphasis>
+    0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0           <emphasis
+        role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
+    5   316 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+gateway:~ #
+
+</programlisting>
+
+    <para>?COMMENT lines in macro files work somewhat differently from other
+    files. ?COMMENT lines in macros are ignored if COMMENT support is not
+    available or if there was a COMMENT in use when the top-level macro was
+    invoked. This allows the following:</para>
+
+    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
+
+    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
+#                          PORT(S) PORT(S) LIMIT GROUP
+?COMMENT SSH
+PARAM   -      -     tcp   22 </programlisting>
+    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
+SSH(ACCEPT)    net:$MYIP      $FW
+?COMMENT</programlisting>The comment line in macro.SSH will not override the
+    ?COMMENT line in the rules file and the generated rule will show <emphasis
+    role="bold">/* Allow SSH from home */</emphasis> when displayed through
+    the Shorewall show and dump commands.</para>
  </section>

  <section id="CONFIG_PATH">
    <title>CONFIG_PATH</title>

    <para>The CONFIG_PATH option in shorewall.conf determines where the
-    compiler searches for files. The default setting is
+    compiler searches for configuration files. The default setting is
    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
    compiler first looks in /etc/shorewall and if it doesn't find the file, it
    then looks in /usr/share/shorewall.</para>
@@ -2150,8 +2122,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 ACCEPT loc fw tcp 22
 ACCEPT dmz fw tcp 22</programlisting></para>

-    <para>Perl scripts run in the context of the compiler process using
-    Perl's eval() function. Perl scripts are implicitly prefixed by the
+    <para>Perl scripts run in the context of the compiler process using Perl's
+    eval() function. Perl scripts are implicitly prefixed by the
    following:</para>

    <programlisting>package Shorewall::User;
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -154,6 +154,22 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
        firewall is first stopped.</para>
      </listitem>
    </orderedlist>
+
+    <para>Beginning with Shorewall 4.6.4, you can save selective ipsets by
+    setting SAVE_IPSETS to a comma-separated list of ipset names. You can also
+    restrict the group of sets saved to ipv4 sets by setting
+    SAVE_IPSETS=ipv4.</para>
+
+    <para>With Shorewall 4.6.4, the SAVE_IPSETS option may specify a list of
+    ipsets to be saved. When such a list is specified, only those ipsets
+    together with the ipsets supporting dynamic zones are saved. Shorewall6
+    support for the SAVE_IPSETS option was also added in 4.6.4. When
+    SAVE_IPSETS=Yes in <ulink
+    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, only ipv6
+    ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
+    ipv4 ipsets are saved. Both features require ipset version 5 or
+    later.</para>
  </section>

  <section>
@@ -161,17 +177,28 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>

    <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>

-    <para>Unlike iptables, which has separate configurations for IPv4 and
-    IPv6, ipset has a single configuration that handles both. This means the
-    SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf won't work correctly
-    because . To work around this issue, Shorewall-init is now capable
-    restoring ipset contents during 'start' and saving them during 'stop'. To
-    direct Shorewall-init to save/restore ipset contents, set the SAVE_IPSETS
-    option in /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on
-    Debian and derivatives). The value of the option is a file name where the
-    contents of the ipsets will be save to and restored from. Shorewall-init
-    will create any necessary directories during the first 'save' operation.
-    If you configure Shorewall-init to save/restore ipsets, be sure to set
-    SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
+    <para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink
+    url="manpages6/shorewall6.conf.html">shorewall6-conf(5)</ulink>. When set
+    to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets
+    by setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
+
+    <para>Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work
+    correctly because it saves both IPv4 and IPv6 ipsets. To work around this
+    issue, Shorewall-init is capable restoring ipset contents during 'start'
+    and saving them during 'stop'. To direct Shorewall-init to save/restore
+    ipset contents, set the SAVE_IPSETS option in
+    /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and
+    derivatives). The value of the option is a file name where the contents of
+    the ipsets will be save to and restored from. Shorewall-init will create
+    any necessary directories during the first 'save' operation.</para>
+
+    <para>If you configure Shorewall-init to save/restore ipsets, be sure to
+    set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
+
+    <para>If you configure SAVE_IPSETS in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink
+    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> then do
+    not set SAVE_IPSETS in shorewall-init.</para>
  </section>
 </article>
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -466,6 +466,12 @@ cat -</programlisting>
          </listitem>
        </itemizedlist>
      </listitem>
+
+      <listitem>
+        <para>Shell variables used in extension scripts must follow the same
+        rules as those in<filename> /etc/shorewall/params</filename>. See
+        <ulink url="???">this article</ulink>.</para>
+      </listitem>
    </itemizedlist>

    <para></para>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -320,6 +320,76 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis
    </section>
  </section>

+  <section>
+    <title id="Backends">Log Backends</title>
+
+    <para>Netfilter logging allows configuration of multiple backends. Logging
+    backends provide the The low-level forward of log messages. There are
+    currently three backends:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>LOG (ipt_LOG and ip6t_LOG).</term>
+
+        <listitem>
+          <para>Normal kernel-based logging to a syslog daemon.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ULOG (ipt_ULOG)</term>
+
+        <listitem>
+          <para>ULOG logging as described ablve. Only available for
+          IPv4.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>netlink (nfnetlink_log)</term>
+
+        <listitem>
+          <para>The logging backend behind NFLOG, defined above.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The currently-available and currently-selected IPv4 and IPv6
+    backends are shown in /proc/sys/net/netfilter/nf_log:</para>
+
+    <programlisting>cat /proc/net/netfilter/nf_log
+ 0 NONE (nfnetlink_log)
+ 1 NONE (nfnetlink_log)
+ 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
+ 3 NONE (nfnetlink_log)
+ 4 NONE (nfnetlink_log)
+ 5 NONE (nfnetlink_log)
+ 6 NONE (nfnetlink_log)
+ 7 NONE (nfnetlink_log)
+ 8 NONE (nfnetlink_log)
+ 9 NONE (nfnetlink_log)
+10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
+11 NONE (nfnetlink_log)
+12 NONE (nfnetlink_log)</programlisting>
+
+    <para>The magic numbers (0-12) are Linux address family numbers (AF_INET
+    is 2 and AF_INET6 is 10).</para>
+
+    <para>The name immediately following the number is the currently-selected
+    backend, and the ones in parantheses are the ones that are available. You
+    can change the currently selected backend by echoing it's name into
+    /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
+
+    <para>Example - change the IPv4 backend to LOG:</para>
+
+    <programlisting>sysctl net.netfilter.nf_log.2=ipt_LOG</programlisting>
+
+    <para>Beginning with Shorewall 4.6.4, you can configure the backend using
+    the LOG_BACKEND option in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
+    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+  </section>
+
  <section id="Syslog-ng">
    <title>Syslog-ng</title>
Author	SHA1	Message	Date
Tom Eastep	8e761c2111	Remove debugging code from Shorewall-init installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-19 08:16:02 -07:00
Tom Eastep	cc44880467	Load xt_LOG in both helpers files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-19 07:44:01 -07:00
Tom Eastep	b5b0785440	Correct IPv4 Helpers file - Change xt_ULOG to ipt_ULOG Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-18 08:01:51 -07:00
Tom Eastep	299fd15984	Correct Shorewall6 helpers file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-17 08:05:47 -07:00
Tom Eastep	a67debafb3	Revert "Correct last patch" This reverts commit `b528625329`.	2014-10-16 07:45:20 -07:00
Tom Eastep	b528625329	Correct last patch Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-16 07:44:09 -07:00
Tom Eastep	49d1c64c00	ipt_LOG in helpers file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-15 18:06:15 -07:00
Tom Eastep	f4e36a9ecf	Remove 'optional' from the Universal interfaces file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-11 07:34:44 -07:00
Tom Eastep	74c4980c91	Merge branch '4.6.4' of ssh://git.code.sf.net/p/shorewall/code into 4.6.4	2014-10-10 16:00:34 -07:00
Tom Eastep	56afdb6419	Avoid confusing output when 4.6.4 CLI executes a 'save' - If a down-rev firewall is running, the savesets command produces confusing usage output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-10 15:57:48 -07:00
Tom Eastep	478e72451a	Reinstate IPv6 DropSmurfs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-10 09:42:23 -07:00
Tom Eastep	54da615be0	Allow the Shorewall-init installer to create SBINDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-09 12:43:40 -07:00
Tom Eastep	2d948246c3	Revert "Adjust the .service files" This reverts commit `77015ebb4d`. Conflicts: Shorewall-init/shorewall-init.service Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-09 07:17:54 -07:00
Tom Eastep	8e9d769723	Add iptables.service to Shorewall-init conflicts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-08 18:24:53 -07:00
Tom Eastep	77015ebb4d	Adjust the .service files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-08 17:33:33 -07:00
Tom Eastep	7771e5d48f	More ipset article tweaks Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-07 13:37:56 -07:00
Tom Eastep	0cd694370e	Add nat link from Shorewall6 manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-07 12:21:44 -07:00
Tom Eastep	5fd7c573fc	Clarify Shorewall-init SAVE_IPSETS setting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-07 11:41:57 -07:00
Tom Eastep	80c024c4aa	Amplify the 4.6.4 SAVE_IPSETS changes in the ipset article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-07 09:52:15 -07:00
Tom Eastep	3bae6e61cf	Eliminate syntax errors in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-07 07:53:26 -07:00
Tom Eastep	5204cbc95f	Suppress 'No ipsets were saved' warning when SAVE_IPSETS=No Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-07 07:50:12 -07:00
Tom Eastep	ea1b8ac63a	Correct handling of empty LOG_BACKEND Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-07 07:34:55 -07:00
Tuomo Soini	a31fd20f22	Shorewall6/nat: clearly make it ipv6 specific	2014-10-07 12:42:57 +03:00
Tom Eastep	2c7ffb525d	Updagte Shorewall6-nat manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-05 20:09:18 -07:00
Tom Eastep	316866482b	Add ipv6 nat file and manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-05 19:54:19 -07:00
Tom Eastep	6c6a1d82d9	Make Debian installation work with SANDBOX Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-05 16:52:59 -07:00
Tom Eastep	a72a1ef7a6	Update the install document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-05 13:30:28 -07:00
Tom Eastep	4398fb23d1	Create INITDIR in the Shorewall init installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 18:49:55 -07:00
Tom Eastep	e3a7a4fc98	Fix typo in the -lite installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 17:48:20 -07:00
Tom Eastep	e36b34ce15	Fix -lite installer for MANDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 14:26:12 -07:00
Tom Eastep	178d1fbc26	Correct typo Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 14:19:48 -07:00
Tom Eastep	c9fd390782	Final cleanup of the uninstallers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 14:07:33 -07:00
Tom Eastep	3206021278	Another round of uninstall fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 13:50:39 -07:00
Tom Eastep	8571e0dca0	Another round of uninstall fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 13:29:51 -07:00
Tom Eastep	9dc2bba025	More uninstall corrections. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 09:39:03 -07:00
Tom Eastep	2fce05b3ab	Correct a couple of errors Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 09:11:29 -07:00
Tom Eastep	70bb9147cd	Correct Shorewall-init installer handling of SANDBOX Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 09:00:12 -07:00
Tom Eastep	00b0489047	Implement SANDBOX variable in the installers/uninstallers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-04 07:50:30 -07:00
Tom Eastep	f9a21bd90e	Add -n option to the uninstallers. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-03 17:10:36 -07:00
Tom Eastep	5e81bdfe19	Another install script fix Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-03 17:07:03 -07:00
Tom Eastep	f2cc68b93b	Correct -lite installer and uninstaller Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-03 16:41:27 -07:00
Tom Eastep	8a5e71a56f	Implement the -n option in the installers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-03 07:59:41 -07:00
Tom Eastep	483ea3e437	Create INITDIR in -lite installs. - Also don't link the init script if it isn't installed. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-02 17:42:08 -07:00
Tom Eastep	2ec3adcc44	Don't link the init script if SYSTEMD is set. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-02 16:23:26 -07:00
Tom Eastep	205dd6e250	Add FAQ 104 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-01 19:47:56 -07:00
Tom Eastep	770a505cd2	Delete DropSmurfs from IPv6 actions.std Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-30 16:16:53 -07:00
Tom Eastep	4071b9d337	Update SuSE shorewallrc for SBINDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-30 16:16:33 -07:00
Tom Eastep	820c769499	Correct silly bug in last change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-29 07:08:39 -07:00
Tom Eastep	e6b0666ac9	Save ipsets during normal stop (duh) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 18:43:11 -07:00
Tom Eastep	2a463e06aa	More documentation changes regarding SAVE_IPSETS. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 17:10:45 -07:00
Tom Eastep	3174454300	Correct SAVE_IPSETS logic in Config.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 14:38:01 -07:00
Tom Eastep	ce1c367d1d	Re-commit the fix that saves only the appropriate family Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 14:09:20 -07:00
Tom Eastep	3e2c903a41	Revert "Only save ipsets of the proper family" This reverts commit `b053cab630`.	2014-09-28 13:32:32 -07:00
Tom Eastep	b053cab630	Only save ipsets of the proper family Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 12:58:52 -07:00
Tom Eastep	6f7d063921	Remove the target file before saving ipsets in the savesets command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 11:53:52 -07:00
Tom Eastep	cbcb1ff7e1	Add SAVE_IPSETS to shorewall6.conf. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 11:37:24 -07:00
Tom Eastep	3858683e94	Allow saving a specified list of ipsets Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-28 11:19:41 -07:00
Tom Eastep	38a18ac9ac	Allow indefinite alternative to 'yes' and 'no' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-27 15:06:18 -07:00
Tom Eastep	a09484356c	Support 'yes', 'no, <other> values for simple config options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-27 07:57:46 -07:00
Tom Eastep	bc8588a68e	Fix rule numbers in trace output - Don't increment $number needlessly when not tracing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-27 07:57:09 -07:00
Tom Eastep	10df9d31c4	Correct typo in the actions manpages (4.6.5 s/b 4.6.4). Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-25 14:47:27 -07:00
Tom Eastep	4989f694cd	Correct trace output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-25 14:47:00 -07:00
Tom Eastep	b84a9e16e6	Correct typo in the config basics document - SOURCE/DEST example had extra colon Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-25 10:59:18 -07:00
Tom Eastep	053df2a5fb	Go back to original insert_irule() fix. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-25 09:21:20 -07:00
Tom Eastep	976a1f3deb	Merge branch '4.6.3' Conflicts: Shorewall/Perl/Shorewall/Misc.pm	2014-09-25 08:06:16 -07:00
Tom Eastep	ea40068c10	Fix ADMINISABSENTMINDED=No used with stoppedrules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-25 08:03:35 -07:00
Tom Eastep	56649e2183	Don't compile routestopped during check if there is stoppedrules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-24 19:24:13 -07:00
Tom Eastep	520d21c056	Another tweak to LOG_BACKEND Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-24 17:12:05 -07:00
Tom Eastep	540eff24aa	Correctons to LOG_BACKEND implementation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-24 16:35:41 -07:00
Tom Eastep	580e00dabd	Implement LOG_BACKEND option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-24 15:26:13 -07:00
Tom Eastep	4815f7eba3	Correct warning message in stoppedrules processing. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-24 11:05:15 -07:00
Tom Eastep	a7b57ad32c	Clarify iptrace logging. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-24 09:14:38 -07:00
Tom Eastep	ba7f88c912	Re-apply 'terminating' changes to the actions manpages. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-23 09:33:57 -07:00
Tom Eastep	7481514a97	Implement the 'terminating' action option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-23 09:29:13 -07:00
Tom Eastep	20c68dddf2	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2014-09-23 09:24:44 -07:00
Tom Eastep	35e60aa10c	Fix actions manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-23 09:24:32 -07:00
Tom Eastep	1f5439257a	Revert "Implement the 'terminating' action option" This reverts commit `6851744cb7`.	2014-09-23 07:39:25 -07:00
Tom Eastep	4495ed687b	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2014-09-23 07:10:46 -07:00
Tom Eastep	d97d45f4ad	Merge branch '4.6.3'	2014-09-23 07:10:17 -07:00
Tom Eastep	a69cec5228	Add link to Events article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-23 07:09:56 -07:00
Tuomo Soini	a03f00bf0f	systemd services: multi-user is not same as old runlevel 3 so use basic add conflicts to obviously conflicting services remove old version number from init files remove legacy syslog.target which is not needed on modern systems fix formatting of email address onold Copyright text Signed-off-by: Tuomo Soini <tis@foobar.fi>	2014-09-23 16:44:03 +03:00
Tuomo Soini	8f05d0f16d	install.sh: support install on centos7 and foobar7 Signed-off-by: Tuomo Soini <tis@foobar.fi>	2014-09-23 13:19:09 +03:00
Tom Eastep	f9d98b74a2	Merge branch '4.6.2' into 4.6.3 Conflicts: Shorewall/Perl/Shorewall/Providers.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-16 08:09:20 -07:00
Tom Eastep	0d23b9c542	Don't verify required interfaces during 'stop' or 'clear'. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-14 09:29:04 -07:00
Tom Eastep	a7bdfcc47b	Refine the rule reduction fix Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-11 20:58:01 -07:00
Tom Eastep	988ee64621	Eliminate Redundant Rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-11 10:17:01 -07:00
Tom Eastep	9947f4d968	Re-enable SECTION PREROUTING in the accounting file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-10 12:53:08 -07:00
Tom Eastep	feb747260d	Add /etc/shorewall/params to the multi-ISP LSM example Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-03 06:59:37 -07:00
Tom Eastep	fc58dab66d	Remove redundant 'run' command from help output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-02 12:57:04 -07:00
Tom Eastep	9e039e30e5	Issue warning message when /etc/iproute2/rt_tables is not writeable Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-02 08:11:33 -07:00
Tom Eastep	771e487b02	Merge branch '4.6.3'	2014-09-01 09:10:55 -07:00
Tom Eastep	0b66c475a7	Make <command> replacable in the run synopsis Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-01 09:10:03 -07:00
Tom Eastep	8727a6f1d8	Correct 'run' command synopsis in the shorewall[6] manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-01 08:52:09 -07:00
Tom Eastep	f9a62e1650	Correct builtin example in the actions manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-01 08:29:29 -07:00
Tom Eastep	6851744cb7	Implement the 'terminating' action option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-09-01 08:16:42 -07:00
Tom Eastep	f963adccf5	Correct silly typo in Chains.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-31 16:57:24 -07:00
Tom Eastep	48549b35ac	Correct inaccuracy in default.debian Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-30 08:25:58 -07:00
Tom Eastep	9001643996	Merge branch 'master' into 4.6.3	2014-08-30 07:18:55 -07:00
Tom Eastep	4bacfced82	Another attempt to fix formatting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-24 11:59:51 -07:00
Tom Eastep	7c1bbd4dc7	Fix formatting in shorewall[6]-rules(5) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-24 11:29:44 -07:00
Tom Eastep	4347190f82	Clarify REJECT handling in IP[6]TABLE rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-24 09:10:10 -07:00
Tom Eastep	fa8c3b3b6c	Correct typo in error messages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-24 08:34:33 -07:00
Tom Eastep	045d5ac048	Correct typo in error messages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-24 08:34:04 -07:00
Tom Eastep	e4a8cb31ba	Clean up the Goto Meeting macro a bit Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-24 08:16:11 -07:00
Tom Eastep	9e6fffc231	Goto-Meeting Macro from Eric Teeter Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-23 16:05:38 -07:00
Tom Eastep	aaa561c831	Mention shell variable rules in the extension script article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-21 16:00:58 -07:00
Tom Eastep	3030219740	Tighten the check for DNSAmp Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-21 10:36:44 -07:00
Tom Eastep	602ecad712	Cleaner code in expand_variables() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-20 11:25:49 -07:00
Tom Eastep	96102623ee	Apply Thomas D's patch for SAVE_IPSET in the debian shorewall-init script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-14 09:49:18 -07:00
Tom Eastep	aa6bd2819c	Update the Build document - Add build46 - Mention shorewall-pkg.config Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-14 08:03:31 -07:00
Tom Eastep	8236ce572e	Apply Louis Lagendijk's patch for Shorewall-init Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-12 16:39:52 -07:00
Tom Eastep	bf5be7198b	Make dump work correctly on RHEL5 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-12 16:18:42 -07:00
Tom Eastep	6f777098d7	Add 'wildcard' member to the interface table Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-12 06:51:17 -07:00
Tom Eastep	e545329eb9	Modify the preceding fix to work with wildcard interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-12 06:50:59 -07:00
Tom Eastep	aedd9b5a76	Add 'wildcard' member to the interface table Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-11 08:30:44 -07:00
Tom Eastep	cf33bac318	Revert most of last change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-10 12:15:08 -07:00
Tom Eastep	0005bb697b	Describe a way to improve provider selection from the firewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-10 09:50:21 -07:00
Tom Eastep	c5549ff21e	Update the Configuration File Basics document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-10 08:09:31 -07:00
Tom Eastep	427f38109e	Some cosmetic cleanup Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-10 07:20:23 -07:00
Tom Eastep	0e1a1a3f44	Modify the preceding fix to work with wildcard interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-08 10:34:29 -07:00
Tom Eastep	b6161b8be7	Merge branch '4.6.2'	2014-08-08 08:30:04 -07:00
Tom Eastep	d3209ca624	Correct handling of a physical name in the provider INTERFACE column Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-08 08:15:26 -07:00
Tom Eastep	34ecbb9074	Correct Cygwin64 detection in the Shorewall installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-07 07:17:34 -07:00
Tom Eastep	beb70854ef	Correct Cygwin64 detection in the Shorewall installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-07 06:40:34 -07:00
Tom Eastep	7030fad572	Revert "Install the core components along with Shorewall" This reverts commit `c653a04a43`.	2014-08-07 06:36:23 -07:00
Tom Eastep	c653a04a43	Install the core components along with Shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-06 12:59:12 -07:00
Tom Eastep	5ef5aa8cdb	Allow inline matches in an action file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-05 07:34:24 -07:00
Tom Eastep	0ca12bd86f	Correct syntax error caused by replacing '%%' with '??' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-03 15:29:58 -07:00
Tom Eastep	a2f1c57246	Add DNSAmp action - Allow escaping '@' allowing u32 in action body - Allow inline matches in actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-03 15:11:25 -07:00
Tom Eastep	fd42fa9f74	Make 'detect_configuration' work in the 'run' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-08-01 07:34:40 -07:00
Tom Eastep	e49832f4b5	Run the 'init' script in the 'run' command. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-30 10:25:00 -07:00
Tom Eastep	0bf80c15d8	Detect missing <commmand> in the generated scrip Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-29 11:35:32 -07:00
Tom Eastep	4e9a0b989d	Update 'run' help text Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-29 10:46:28 -07:00
Tom Eastep	31e5aeeaea	Refine the 'run' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-29 10:30:07 -07:00
Tom Eastep	eb5026d3b7	Merge branch '4.6.2'	2014-07-28 14:47:23 -07:00
Tom Eastep	a799d74901	Correct typo and link in the shorewall-mangle manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-28 08:39:07 -07:00
Tom Eastep	7a41981487	Bring the -lite manpages up to date Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-28 08:31:43 -07:00
Tom Eastep	aae23d7a9e	Bring the -lite manpages up to date Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-28 08:31:20 -07:00
Tom Eastep	a7b18ca875	Implement 'run' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-28 07:04:56 -07:00
Tom Eastep	ad6c91bcbd	Allow optimize level 8 to work with Perl 5.20.0. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-25 21:03:48 -07:00
Tom Eastep	8c0fe063a7	Another tweak to the FTP module documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-25 09:03:23 -07:00
Tom Eastep	dbf78d7dd0	Merge branch '4.6.2'	2014-07-25 09:02:48 -07:00
Tom Eastep	bea2b49eb0	More FTP module documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-25 08:38:46 -07:00
Tom Eastep	3b4012b60a	Document FTP helpers on kernel 3.5 and later in the FTP document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-07-25 08:15:58 -07:00