Clarify DEST column in DNAT rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure.pl

@@ -100,7 +100,7 @@ if ( defined $vendor ) {
     } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ /^Cygwin/i ) {
+    } elsif ( `uname` =~ '^Cygwin' ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
     } else {

Shorewall-core/install.sh

@@ -187,7 +187,7 @@ INSTALLD='-D'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)

Shorewall-core/lib.cli

@@ -271,19 +271,6 @@ show_classifiers() {
 
 }
 
-#
-# Display blacklist chains
-#
-show_bl() {
-    $g_tool -L $g_ipt_options | \
-	awk 'BEGIN           {prnt=0; };
-            /^$/             {if (prnt == 1) print ""; prnt=0; };
-            /Chain .*~ /     {prnt=1; };
-            /Chain dynamic / {prnt=1; };
-            {if (prnt == 1)  print; };
-            END {if (prnt == 1 ) print "" };'
-}
-
 #
 # Watch the Firewall Log
 #
@@ -1202,13 +1189,7 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    show_events
-	    ;;
-	bl|blacklists)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
-	    echo
-	    show_bl;
-	    ;;
+	    ;;	    
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -2971,74 +2952,9 @@ show_status() {
 
 }
 
-interface_status() {
-    case $(cat $1) in
-	0)
-	    echo Enabled
-	    ;;
-	1)
-	    echo Disabled
-	    ;;
-	*)
-	    echo Unknown
-	    ;;
-    esac
-}
-
-show_interfaces() {
-    local f
-    local interface
-    local printed
-
-    for f in ${VARDIR}/*.status; do
-	interface=$(basename $f)
-	echo "   Interface ${interface%.status} is $(interface_status $f)"
-	printed=Yes
-    done
-
-    [ -n "$printed" ] && echo
-}
-
 status_command() {
-     local finished
-    finished=0
-    local option
-    local interfaces
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			i*)
-			    interfaces=Yes
-			    option=${option#i}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -eq 0 ] || usage 1
-
     [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
-    [ -n "$interfaces" ] && show_interfaces
     exit $status
 }
 
@@ -3515,14 +3431,6 @@ restart_command() {
     return $rc
 }
 
-run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
-    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
-    fi
-}
-
 #
 # Give Usage Information
 #
@@ -3554,12 +3462,10 @@ usage() # $1 = exit status
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
-    echo "   run <command> [ <parameter> ... ]"
     echo "   save [ <file name> ]"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] arptables"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
@@ -3582,8 +3488,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
     echo "   stop"
-    echo "   status [ -i ]"
-    echo "   run <function> [ function ... ]"
+    echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -3828,21 +3733,16 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	run)
-	    [ $# -gt 1 ] || fatal_error "Missing function name"
-	    get_config Yes
-	    run_command $@
-	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
     	    shift
     	    show_command $@
 	    ;;
 	status)
+	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    shift
-	    status_command $@
+	    status_command
 	    ;;
 	dump)
 	    get_config Yes No Yes

Shorewall-core/lib.common

@@ -172,7 +172,6 @@ run_it() {
 error_message() # $* = Error Message
 {
    echo "   $@" >&2
-   return 1
 }
 
 #

Shorewall-init/init.debian.sh

@@ -105,35 +105,24 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
       else
-	  echo_notdone
+	  echo echo_notdone
       fi
   done
 
   echo "done."
 
-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-
-      echo -n "Restoring ipsets: "
-
-      if ! ipset -R < "$SAVE_IPSETS"; then
-	  echo_notdone
-      fi
-
-      echo "done."
-  fi
-
   return 0
 }
 
@@ -146,27 +135,13 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
       fi
   done
 
   echo "done."
 
-  if [ -n "$SAVE_IPSETS" ]; then
-
-      echo "Saving ipsets: "
-
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      else
-	  echo_notdone
-      fi
-
-      echo "done."
-  fi
-
   return 0
 }
 

Shorewall-lite/install.sh

@@ -195,7 +195,7 @@ T='-T'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -242,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 
 case $BUILD in
-    cygwin*|CYGWIN*)
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;

Shorewall-lite/manpages/shorewall-lite.xml

@@ -317,21 +317,6 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>run</option></arg>
-
-      <arg choice="plain">function</arg>
-
-      <arg><replaceable>parameter ...</replaceable></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -367,20 +352,6 @@
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -494,8 +465,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -837,23 +807,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.3. Executes
-          <replaceable>command</replaceable> in the context of the generated
-          script passing the supplied <replaceable>parameter</replaceable>s.
-          Normally, the <replaceable>command</replaceable> will be a function
-          declared in <filename>lib.private</filename>.</para>
-
-          <para>Before executing the <replaceable>command</replaceable>, the
-          script will detect the configuration, setting all SW_* variables and
-          will run your <filename>init</filename> extension script with
-          $COMMAND = 'run'.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">save</emphasis></term>
 
@@ -876,19 +829,6 @@
           arguments:</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to iptables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1133,10 +1073,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall/Macros/macro.Amanda

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 { helper=amanda }
+ PARAM	-	-	udp	10080 ; helper=amanda
 ?else
  PARAM	-	-	udp	10080
 ?endif

Shorewall/Macros/macro.FTP

@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 { helper=ftp }
+ PARAM	-	-	tcp	21 ; helper=ftp
 ?else
  PARAM	-	-	tcp	21
 ?endif

Shorewall/Macros/macro.ILO

@@ -1,23 +0,0 @@
-#
-# Shorewall version 4 - ILO Macro
-#
-# /usr/share/shorewall/macro.ILO
-#
-#	This macro handles console redirection with HP ILO 2+,
-#	Use this macro to open access to your ILO interface from management
-#	workstations.
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	3002		# Raw serial data
-PARAM	-	-	tcp	9300		# Shared Remote Console
-PARAM	-	-	tcp	17988		# Virtual Media
-PARAM	-	-	tcp	17990		# Console Replay
-HTTP
-HTTPS
-RDP
-SSH
-Telnet						# Remote Console/Telnet

Shorewall/Macros/macro.IPMI

@@ -3,10 +3,7 @@
 #
 # /usr/share/shorewall/macro.IPMI
 #
-#	This macro handles IPMI console redirection with Asus (AMI),
-#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
-#	Use this macro to open access to your IPMI interface from management
-#	workstations.
+#	This macro handles IPMI used by Asus, Dell, MSI, and Supermicro.
 #
 ###############################################################################
 ?FORMAT 2
@@ -14,13 +11,9 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
-PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
-PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	tcp	5900,5901	# Remote Console
+PARAM	-	-	tcp	8889		# WS-MAN
 PARAM	-	-	udp	623		# RMCP
+SSH
 HTTP
 HTTPS
-SNMP
-SSH						# Serial over Lan
-Telnet

Shorewall/Macros/macro.IRC

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 { helper=irc }
+ PARAM	-	-	tcp	6667 ; helper=irc
 ?else
  PARAM	-	-	tcp	6667
 ?endif

Shorewall/Macros/macro.PPtP

@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 { helper=pptp }
+ PARAM	-	-	tcp	1723 ; helper=pptp
 ?else
  PARAM	-	-	tcp	1723
 ?endif

Shorewall/Macros/macro.SANE

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 { helper=sane }
+ PARAM	-	-	tcp	6566 ; helper=sane
 ?else
  PARAM	-	-	tcp	6566
 ?endif

Shorewall/Macros/macro.SIP

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 { helper=sip }
+ PARAM	-	-	udp	5060 ; helper=sip
 ?else
  PARAM	-	-	udp	5060
 ?endif

Shorewall/Macros/macro.SMB

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139

Shorewall/Macros/macro.SMBBI

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
  PARAM	DEST	SOURCE	udp	138:139
 ?else
  PARAM	DEST	SOURCE	udp	137:139

Shorewall/Macros/macro.SNMP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 { helper=snmp }
+ PARAM	-	-  	udp     161 ; helper=snmp
 ?else
  PARAM	-	-	udp	161
 ?endif

Shorewall/Macros/macro.TFTP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 { helper=tftp }
+ PARAM	-	-	udp	69 ; helper=tftp
 ?else
  PARAM	-	-	udp	69
 ?endif

Shorewall/Perl/Shorewall/Chains.pm

@@ -3503,7 +3503,7 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -6723,25 +6723,20 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$$ ) {
-    my ( $ipaddr, $logical , $table, $mac ) = @_;
+sub get_interface_mac( $$$ ) {
+    my ( $ipaddr, $logical , $table ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_mac( $interface , $table );
 
     $global_variables |= NOT_RESTORE;
-    
-    if ( $mac ) {
-	$interfacemacs{$table} = qq($variable=$mac);
+
+    if ( interface_is_optional $logical ) {
+	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
     } else {
-	if ( interface_is_optional $logical ) {
-	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
-	} else {
-	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
-
-       }
     }
 
     "\$$variable";

Shorewall/Perl/Shorewall/Compiler.pm

@@ -280,42 +280,42 @@ sub generate_script_2() {
 
     if ( $global_variables ) {
 
+	emit( 'case $COMMAND in' );
+
+	push_indent;
+
 	if ( $global_variables & NOT_RESTORE ) {
-
-	    emit( 'case $COMMAND in' );
-
-	    push_indent;
-
-	    emit 'restore)';
-
-	    push_indent;
-
-	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-
-		set_global_variables(0);
-
-		handle_optional_interfaces(0);
-	    }
-
-	    emit ';;';
-
-	    pop_indent;
-
-	    emit '*)';
-
-	    push_indent;
+	    emit( 'start|restart|refresh|disable|enable)' );
+	} else {
+	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}
 
+	push_indent;
+
 	set_global_variables(1);
 
 	handle_optional_interfaces(0);
 
-	if ( $global_variables & NOT_RESTORE ) {
+	emit ';;';
+
+	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
+	    pop_indent;
+
+	    emit 'restore)';
+
+	    push_indent;
+
+	    set_global_variables(0);
+
+	    handle_optional_interfaces(0);
+
 	    emit ';;';
-	    pop_indent;
-	    pop_indent;
-	    emit ( 'esac' );
 	}
+
+	pop_indent;
+	pop_indent;
+
+	emit ( 'esac' ) ,
     } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
     }

Shorewall/Perl/Shorewall/Config.pm

@@ -3259,11 +3259,7 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
     }
 
-    if ( $chain ) {
-	#
-	# We're in an action body -- allow escaping at signs (@) for u32
-	#
-	$$lineref =~ s/\\@/??/g;
+    if ( $actparms{0} ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3272,8 +3268,6 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
-
-	$$lineref =~ s/\?\?/@/g;
     }
 }
 
@@ -4124,7 +4118,7 @@ sub IPSet_Match() {
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 
-	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
+	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4146,7 +4140,7 @@ sub IPSet_Match_Nomatch() {
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
 }
 
 sub IPSET_V5() {
@@ -4621,7 +4615,6 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4637,7 +4630,6 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );

Shorewall/Perl/Shorewall/Nat.pm

@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 
 #
-# Called from process_rule to add a rule to the NAT table
+# Called from process_rule1 to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
@@ -687,11 +687,6 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
     }
-
-    #
-    # Check for list in $server
-    #
-    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
     #
     # Generate the target
     #

Shorewall/Perl/Shorewall/Providers.pm

@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
     emit '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
     } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -442,11 +442,10 @@ sub process_a_provider( $ ) {
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
 
-    ( $interface, my $address ) = split /:/, $interface, 2;
+    ( $interface, my $address ) = split /:/, $interface;
 
     my $shared = 0;
     my $noautosrc = 0;
-    my $mac = '';
 
     if ( defined $address ) {
 	validate_address $address, 0;
@@ -454,30 +453,10 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    my $interfaceref = known_interface( $interface );
-
-    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
-
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $physical;
-
-    if ( $interface eq $interfaceref->{name} ) {
-	#
-	# The logical interface name was specified
-	#
-	$physical = $interfaceref->{physical};
-    } else {
-	#
-	# A Physical name was specified
-	#
-	$physical = $interface;
-	#
-	# Switch to the logical name unless it is a wildcard
-	#
-	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
-    } 
-
+    my $physical    = get_physical $interface;
     my $gatewaycase = '';
 
     if ( $physical =~ /\+$/ ) {
@@ -490,17 +469,7 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
     } elsif ( $gateway && $gateway ne '-' ) {
-	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
-
-	if ( defined $mac ) {
-	    $mac =~ tr/-/:/;
-	    $mac =~ s/^~//;
-	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-	} else {
-	    $mac = '';
-	}
-
 	$gatewaycase = 'specified';
     } else {
 	$gatewaycase = 'none';
@@ -675,7 +644,6 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
-			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -752,7 +720,6 @@ sub add_a_provider( $$ ) {
     my $loose       = $providerref->{loose};
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
-    my $mac         = $providerref->{mac};
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
@@ -766,7 +733,7 @@ sub add_a_provider( $$ ) {
     my $realm = '';
 
     if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } elsif ( $pseudo ) {

Shorewall/Perl/Shorewall/Rules.pm

@@ -818,7 +818,9 @@ sub apply_policy_rules() {
     progress_message2 'Applying Policies...';
 
     for my $chainref ( @policy_chains ) {
-	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
+	my $policy      = $chainref->{policy};
+
+	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1671,11 +1673,9 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line2( 'action file',
+		= split_line1( 'action file',
 			       \%rulecolumns,
-			       $action_commands,
-			       undef,
-			       1 );
+			       $action_commands );
 	}
 
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -2374,7 +2374,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,7 +2387,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2950,7 +2950,7 @@ sub perl_action_helper($$;$) {
 
     $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
 
-    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
+    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
 
     if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3023,8 +3023,6 @@ sub perl_action_tcp_helper($$) {
 
     $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
 
-    set_inline_matches( '' ) if $config{INLINE_MATCHES};
-
     if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued

Shorewall/Perl/Shorewall/Tc.pm

@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
 
     use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -229,7 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
     sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $params =~ s/^([|&])// ? $1 : '';
+	my $and_or = $1 if $params =~ s/^([|&])//;
 
 	if ( $params =~ /-/ ) {
 	    #
@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$params} unless defined $dscp;
+		$dscp = $dscpmap{$1} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +556,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('', , HIGHMARK );
+		handle_mark_param('--set-mark', , HIGHMARK );
 	    },
 	},
 
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -798,7 +798,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
-					 do_time( $time ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -927,22 +926,21 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
     }
 
+    my ( $cmd, $rest );
+
+    if ( $mark =~ /^TOS/ ) {
+	$cmd = $mark;
+	$rest = '';
+    } else {
+	($cmd, $rest) = split( '/', $mark, 2 );
+    }
+
     unless ( $command ) {
 	{
-	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
-
-	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
+	    if ( $cmd =~ /^([A-Z]+)/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $1;
-		    if ( supplied $rest ) {
-			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
-			$mark = $rest;
-		    } elsif ( supplied $2 ) {
-			$mark = $2;
-		    } else {
-			$mark = '';
-		    }
+		    $command = $tccmd->{command} if $tccmd->{command};
 		}
 	    } else {
 		$command = 'MARK';
@@ -988,9 +986,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state,
-			      '-',
-	    );
+			      $state );
     }
 }
 
@@ -1050,9 +1046,9 @@ sub process_tc_rule( ) {
 }    
 
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1069,15 +1065,13 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14,
-			   time => 15,
-			 },
+			   state => 14 },
 			 {},
-			 16,
+			 15,
 	                 1 );
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1095,16 +1089,14 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15,
-			   time => 16,
-			 },
+			   state => 15 },
 			 {},
-			 17,
+			 16,
 	                 1 );
     }
 
     for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     }
 }
  

Shorewall/Perl/Shorewall/Zones.pm

@@ -193,7 +193,6 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
-#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1376,7 +1375,6 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
-						       wildcard   => $wildcard,
 						     };
 
     if ( $zone ) {
@@ -1499,7 +1497,7 @@ sub map_physical( $$ ) {
 
     $physical =~ s/\+$//;
 
-    $physical . substr( $name, length( $interfaceref->{root} ) );
+    $physical . substr( $name, length  $interfaceref->{root} );
 }
 
 #
@@ -1533,7 +1531,6 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
-						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1771,7 +1768,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= $interfaceref->{wildcard};
+	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
     }

Shorewall/Perl/prog.footer

@@ -17,7 +17,6 @@ usage() {
     echo "   reset"
     echo "   refresh"
     echo "   restart"
-    echo "   run <command> [ <parameter> ... ]"
     echo "   status"
     echo "   up <interface>"
     echo "   version"
@@ -372,17 +371,6 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
-    run)
-	if [ $# -gt 1 ]; then
-	    shift
-	    detect_configuration
-	    run_init_exit
-	    eval $@
-	    status=$?
-	else
-	    error_message "ERROR: Missing command"
-	fi
-	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/Samples/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/shorewall.conf

@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2014,2007 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/action.DNSAmp

@@ -1,34 +0,0 @@
-#
-# Shorewall 4 - DNS Amplification Action
-#
-#    /usr/share/shorewall/action.DNSAmp
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   DNSAmp[([<action>])]
-#
-#       Default action is DROP
-#
-##########################################################################################
-?format 2
-
-DEFAULTS DROP
-
-IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"

Shorewall/actions.std

@@ -31,7 +31,6 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
-DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets

Shorewall/configfiles/initdone

@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any permanent rules to the builtin chains.
+#	Shorewall has not yet added any perminent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm

Shorewall/install.sh

@@ -205,7 +205,7 @@ done
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -399,7 +399,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

Shorewall/lib.cli-std

@@ -1615,15 +1615,6 @@ export_command() # $* = original arguments less the command.
     fi
 }
 
-run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
-	run_it ${VARDIR}/firewall $g_debugging $@
-    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
-    fi
-}
-
 #
 # Give Usage Information
 #
@@ -1675,13 +1666,11 @@ usage() # $1 = exit status
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
-    echo "   run <command> [ <parameter> ... ]"
     echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
     echo "   safe-start [ -t <timeout> ] [ <directory> ]"
     echo "   save [ <file name> ]"
     echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] actions"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
@@ -1706,7 +1695,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   status [ -i ]"
+    echo "   status"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
     echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"

Shorewall/manpages/shorewall-mangle.xml

@@ -27,7 +27,7 @@
 
     <para>This file was introduced in Shorewall 4.6.0 and is intended to
     replace <ulink
-    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
+    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
     file is only processed by the compiler if:</para>
 
     <orderedlist numeration="loweralpha">
@@ -1109,104 +1109,6 @@ Normal-Service       =&gt; 0x00</programlisting>
           of the listed states.</para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.2.</para>
-
-          <para>May be used to limit the rule to a particular time period each
-          day, to particular days of the week or month, or to a range defined
-          by dates and times. Requires time match support in your kernel and
-          ip6tables.</para>
-
-          <para><replaceable>timeelement</replaceable> may be:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the starting time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the ending time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>utc</term>
-
-              <listitem>
-                <para>Times are expressed in Greenwich Mean Time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>localtz</term>
-
-              <listitem>
-                <para>Deprecated by the Netfilter team in favor of <emphasis
-                role="bold">kerneltz</emphasis>. Times are expressed in Local
-                Civil Time (default).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>kerneltz</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.2. Times are expressed in Local
-                Kernel Time (requires iptables 1.4.12 or later).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>weekdays=ddd[,ddd]...</term>
-
-              <listitem>
-                <para>where <replaceable>ddd</replaceable> is one of
-                <option>Mon</option>, <option>Tue</option>,
-                <option>Wed</option>, <option>Thu</option>,
-                <option>Fri</option>, <option>Sat</option> or
-                <option>Sun</option></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>monthdays=dd[,dd],...</term>
-
-              <listitem>
-                <para>where <replaceable>dd</replaceable> is an ordinal day of
-                the month</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the starting date and time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the ending date and time.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-masq.xml

@@ -143,10 +143,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
-        - Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
+        -
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall-providers.xml

@@ -129,15 +129,11 @@
 
       <varlistentry>
         <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
         role="bold">detect</emphasis>}</term>
 
         <listitem>
-          <para>The IP address of the provider's gateway router. Beginning
-          with Shorewall 4.6.2, you may also specify the MAC address of the
-          gateway when there are multiple providers serviced through the same
-          interface. When the MAC is not specified, Shorewall will detect the
-          MAC during firewall start or restart.</para>
+          <para>The IP address of the provider's gateway router.</para>
 
           <para>You can enter "detect" here and Shorewall will attempt to
           detect the gateway automatically.</para>

Shorewall/manpages/shorewall-rules.xml

@@ -476,32 +476,24 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IPTABLES({<replaceable>iptables-target</replaceable>
+              <term>IPTABLES({<replaceable>target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
                 <para>This action allows you to specify an iptables target
                 with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the <replaceable>iptables-target</replaceable> is not one
-                recognized by Shorewall, the following error message will be
-                issued:</para>
+                the target is not one recognized by Shorewall, the following
+                error message will be issued:</para>
 
-                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
+                <simplelist>
+                  <member>ERROR: Unknown target
+                  (<replaceable>target</replaceable>)</member>
+                </simplelist>
 
                 <para>This error message may be eliminated by adding the
-                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
-                as a builtin action in <ulink
+                <replaceable>target</replaceable> as a builtin action in
+                <ulink
                 url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
-
-                <important>
-                  <para>If you specify REJECT as the
-                  <replaceable>iptables-target</replaceable>, the target of
-                  the rule will be the iptables REJECT target and not
-                  Shorewall's builtin 'reject' chain which is used when REJECT
-                  (see below) is specified as the
-                  <replaceable>target</replaceable> in the ACTION
-                  column.</para>
-                </important>
               </listitem>
             </varlistentry>
 
@@ -999,7 +991,10 @@
           When the <emphasis role="bold">ACTION</emphasis> is <emphasis
           role="bold">DNAT</emphasis> or <emphasis
           role="bold">DNAT-</emphasis>, the connections will be assigned to
-          addresses in the range in a round-robin fashion.</para>
+          addresses in the range in a round-robin fashion. <emphasis
+          role="bold">DNAT</emphasis> and <emphasis
+          role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
+          ranges.</para>
 
           <para>If you kernel and iptables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be

Shorewall/manpages/shorewall-tcfilters.xml

@@ -88,11 +88,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -107,11 +105,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
 

Shorewall/manpages/shorewall-tcrules.xml

@@ -6,8 +6,6 @@
     <refentrytitle>shorewall-mangle</refentrytitle>
 
     <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -30,10 +28,10 @@
 
     <important>
       <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      evaluation of rules in this file will continue after a match. So the
-      final mark for each packet will be the one assigned by the LAST tcrule
-      that matches.</para>
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      of rules in this file will continue after a match. So the final mark for
+      each packet will be the one assigned by the LAST tcrule that
+      matches.</para>
 
       <para>If you use multiple internet providers with the 'track' option, in
       /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -313,8 +311,8 @@
               <para>When using Shorewall's built-in traffic shaping tool, the
               <emphasis>major</emphasis> class is the device number (the first
               device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-              is major class 1, the second device is major class 2, and so on)
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              major class 1, the second device is major class 2, and so on)
               and the <emphasis>minor</emphasis> class is the class's MARK
               value in <ulink
               url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -489,8 +487,7 @@
               [<replaceable>option</replaceable>] ...") after any matches
               specified at the end of the rule. If the target is not one known
               to Shorewall, then it must be defined as a builtin action in
-              <ulink
-              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
               (5).</para>
 
               <para>The following rules are equivalent:</para>
@@ -503,8 +500,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
 
               <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
-              then the third rule above can be specified as follows:</para>
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
+              third rule above can be specified as follows:</para>
 
               <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
             </listitem>

Shorewall/manpages/shorewall.xml

@@ -457,21 +457,6 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>run</option></arg>
-
-      <arg choice="plain">function</arg>
-
-      <arg><replaceable>parameter ...</replaceable></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -522,20 +507,6 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -693,8 +664,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1424,32 +1394,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.3. Executes
-          <replaceable>command</replaceable> in the context of the generated
-          script passing the supplied <replaceable>parameter</replaceable>s.
-          Normally, the <replaceable>command</replaceable> will be a function
-          declared in <filename>lib.private</filename>.</para>
-
-          <para>Before executing the <replaceable>command</replaceable>, the
-          script will detect the configuration, setting all SW_* variables and
-          will run your <filename>init</filename> extension script with
-          $COMMAND = 'run'.</para>
-
-          <para>If there are files in the CONFIG_PATH that were modified after
-          the current firewall script was generated, the following warning
-          message is issued:</para>
-
-          <simplelist>
-            <member>WARNING: /var/lib/shorewall/firewall is not up to
-            date</member>
-          </simplelist>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">safe-restart</emphasis></term>
 
@@ -1529,19 +1473,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to iptables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1844,10 +1775,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -317,21 +317,6 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>run</option></arg>
-
-      <arg choice="plain">command</arg>
-
-      <arg><replaceable>parameter ...</replaceable></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -381,20 +366,6 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -494,8 +465,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -835,23 +805,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.3. Executes
-          <replaceable>command</replaceable> in the context of the generated
-          script passing the supplied <replaceable>parameter</replaceable>s.
-          Normally, the <replaceable>command</replaceable> will be a function
-          declared in <filename>lib.private</filename>.</para>
-
-          <para>Before executing the command, the script will detect the
-          configuration, setting all SW_* variables and will run your
-          <filename>init</filename> extension script with $COMMAND =
-          'run'.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">save</emphasis></term>
 
@@ -874,19 +827,6 @@
           arguments:</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to ip6tables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1131,10 +1071,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006-2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/manpages/shorewall6-mangle.xml

@@ -1194,104 +1194,6 @@ Normal-Service       =&gt; 0x00</programlisting>
           of the listed states.</para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.2.</para>
-
-          <para>May be used to limit the rule to a particular time period each
-          day, to particular days of the week or month, or to a range defined
-          by dates and times. Requires time match support in your kernel and
-          ip6tables.</para>
-
-          <para><replaceable>timeelement</replaceable> may be:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the starting time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the ending time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>utc</term>
-
-              <listitem>
-                <para>Times are expressed in Greenwich Mean Time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>localtz</term>
-
-              <listitem>
-                <para>Deprecated by the Netfilter team in favor of <emphasis
-                role="bold">kerneltz</emphasis>. Times are expressed in Local
-                Civil Time (default).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>kerneltz</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.2. Times are expressed in Local
-                Kernel Time (requires iptables 1.4.12 or later).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>weekdays=ddd[,ddd]...</term>
-
-              <listitem>
-                <para>where <replaceable>ddd</replaceable> is one of
-                <option>Mon</option>, <option>Tue</option>,
-                <option>Wed</option>, <option>Thu</option>,
-                <option>Fri</option>, <option>Sat</option> or
-                <option>Sun</option></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>monthdays=dd[,dd],...</term>
-
-              <listitem>
-                <para>where <replaceable>dd</replaceable> is an ordinal day of
-                the month</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the starting date and time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the ending date and time.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall6/manpages/shorewall6-masq.xml

@@ -116,9 +116,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
         <listitem>
           <para>Set of hosts that you wish to SNAT; one or more host or

Shorewall6/manpages/shorewall6-rules.xml

@@ -450,33 +450,24 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
+              <term>IP6TABLES({<replaceable>target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
-                <para>This action allows you to specify an ip6tables target
-                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the <replaceable>ip6tables-target</replaceable> is not one
-                recognized by Shorewall, the following error message will be
-                issued:</para>
+                <para>This action allows you to specify an iptables target
+                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
+                If the target is not one recognized by Shorewall, the
+                following error message will be issued:</para>
 
-                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
+                <simplelist>
+                  <member>ERROR: Unknown target
+                  (<replaceable>target</replaceable>)</member>
+                </simplelist>
 
-                <para>This error message may be eliminated by adding
-                the<replaceable>
-                ip6tables-</replaceable><replaceable>target</replaceable> as a
-                builtin action in <ulink
-                url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
-
-                <important>
-                  <para>If you specify REJECT as the
-                  <replaceable>ip6tables-target</replaceable>, the target of
-                  the rule will be the i6ptables REJECT target and not
-                  Shorewall's builtin 'reject' chain which is used when REJECT
-                  (see below) is specified as the
-                  <replaceable>target</replaceable> in the ACTION
-                  column.</para>
-                </important>
+                <para>This error message may be eliminated by adding the
+                <replaceable>target</replaceable> as a builtin action in
+                <ulink
+                url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -943,6 +934,17 @@
           <para>Restriction: MAC addresses are not allowed (this is a
           Netfilter restriction).</para>
 
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion. <emphasis
+          role="bold">DNAT</emphasis> and <emphasis
+          role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
+          ranges.</para>
+
           <para>If you kernel and ip6tables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be
           optionally followed by a number from 1 to 6 enclosed in square

Shorewall6/manpages/shorewall6-tcfilters.xml

@@ -88,11 +88,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch </firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -107,11 +105,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>

Shorewall6/manpages/shorewall6.xml

@@ -123,7 +123,7 @@
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>shorewall6</command>
+      <command>shorewall</command>
 
       <arg
       choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -166,7 +166,7 @@
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>shorewall6</command>
+      <command>shorewall</command>
 
       <arg
       choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -406,21 +406,6 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>run</option></arg>
-
-      <arg choice="plain">function</arg>
-
-      <arg><replaceable>parameter ...</replaceable></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -467,20 +452,6 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -610,8 +581,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1305,33 +1275,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.3. Executes
-          <replaceable>command</replaceable> in the context of the generated
-          script passing the supplied <replaceable>parameter</replaceable>s.
-          Normally, the <replaceable>command</replaceable> will be a function
-          declared in <filename>lib.private</filename>.</para>
-
-          <para>Before executing the <replaceable>command</replaceable>, the
-          script will detect the configuration, setting all SW_* variables and
-          will run your <filename>init</filename> extension script with
-          $COMMAND = 'run'.</para>
-
-          <para>If there are files in the CONFIG_PATH that were modified after
-          the current firewall script was generated, the following warning
-          message is issued before the script's run command is
-          executed:</para>
-
-          <simplelist>
-            <member>WARNING: /var/lib/shorewall6/firewall is not up to
-            date</member>
-          </simplelist>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">safe-restart</emphasis></term>
 
@@ -1411,19 +1354,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to ip6tables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1681,10 +1611,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall6-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

docs/Anatomy.xml

@@ -504,7 +504,7 @@
     <section id="sbin-lite">
       <title>/sbin</title>
 
-      <para>The <filename>/sbin/shorewall-lite</filename> shell program is used
+      <para>The <filename>/sbin/shorewall-lite</filename> shell program is use
       to interact with Shorewall lite. See <ulink
       url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
     </section>

docs/Build.xml

@@ -134,7 +134,7 @@
       <para>Added in Shorewall 4.4.22, this directory contains the files that
       contain release-dependent information (change.txt, releasenotes.txt,
       .spec files, etc). This is actually a symbolic link to ../release which
-      has its own Git repository.</para>
+      has it's own Git repository.</para>
     </section>
   </section>
 
@@ -164,7 +164,7 @@
     <section>
       <title>build</title>
 
-      <para>This is the script that builds Shorewall 4.6 packages from
+      <para>This is the script that builds Shorewall 4.4 packages from
       Git.</para>
 
       <para>The script copies content from Git using the <command>git
@@ -220,7 +220,7 @@
       <para>You should ensure that you have the latest scripts. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build46 script may need to be modified to fit your particular
+      <para>The build44 script may need to be modified to fit your particular
       environment. There are a number of variables that are set near the top
       of the file:</para>
 
@@ -270,12 +270,10 @@
       </variablelist>
 
       <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release.</para>
+      directory</firstterm> per major release. To build a release, you cd to
+      the appropriate directory and run the build script.</para>
 
-      <para>To build a release, you cd to the appropriate directory and run
-      the build46 script.</para>
-
-      <para>The general form of the build46 command is:</para>
+      <para>The general form of the build command is:</para>
 
       <blockquote>
         <para><command>build</command> [ -<replaceable>options</replaceable> ]
@@ -403,13 +401,13 @@
     </section>
 
     <section>
-      <title>build45 and build46</title>
+      <title>build45</title>
 
-      <para>These are the scripts that respectively build Shorewall 4.5 and
-      Shorewall 4.6 packages from Git.</para>
+      <para>This is the script that builds Shorewall 4.5 packages from
+      Git.</para>
 
-      <para>The scripts copy content from Git using the <command>git
-      archive</command> command. They then use that content to build the
+      <para>The script copies content from Git using the <command>git
+      archive</command> command. It then uses that content to build the
       packages. In addition to the usual Gnu utilities, the following software
       is required:</para>
 
@@ -453,7 +451,7 @@
 
           <listitem>
             <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.25.</para>
+            that you have a recent version; I use 0.0.23.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -461,7 +459,7 @@
       <para>You should ensure that you have the latest scripts. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The scripts may need to be modified to fit your particular
+      <para>The build44 script may need to be modified to fit your particular
       environment. There are a number of variables that are set near the top
       of the file:</para>
 
@@ -511,17 +509,14 @@
       </variablelist>
 
       <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. Each build directory should
-      contain the empty file <filename>shorewall-pkg.config</filename>; that
-      file is no longer used but has been retained just as a guard against
-      initiating a build in an unintended directory. To build a release, you
-      cd to the appropriate directory and run the build script.</para>
+      directory</firstterm> per major release. To build a release, you cd to
+      the appropriate directory and run the build script.</para>
 
       <para>The general form of the build command is:</para>
 
       <blockquote>
-        <para><command>build</command>4x [ -<replaceable>options</replaceable>
-        ] <replaceable>release</replaceable> [ <replaceable>prior
+        <para><command>build</command> [ -<replaceable>options</replaceable> ]
+        <replaceable>release</replaceable> [ <replaceable>prior
         release</replaceable> ]</para>
       </blockquote>
 
@@ -637,8 +632,8 @@
         </varlistentry>
       </variablelist>
 
-      <para>Example 1 - Build Shorewall 4.5.7 and generate patches against
-      4.5.6:</para>
+      <para>Example 1 - Build Shorewall 4.3.7 and generate patches against
+      4.3.6:</para>
 
       <blockquote>
         <para><command>build45 4.5.7 4.5.6</command></para>

docs/ConnectionRate.xml

@@ -67,7 +67,7 @@
     by 1 but is not allowed to exceed its initial setting (5).</para>
 
     <para>By default, the aggregate connection rate is limited. If the
-    specification is preceded by "<option>s:</option>" or
+    specification is preceeded by "<option>s:</option>" or
     "<option>d:</option>", then the rate is limited per SOURCE or per
     DESTINATION IP address respectively.</para>
 

docs/Dynamic.xml

@@ -49,8 +49,7 @@
     support is based on <ulink
     url="http://ipset.netfilter.org/">ipset</ulink>. Most current
     distributions have ipset, but you may need to install the <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.
-    </para>
+    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
   </section>
 
   <section id="xtables-addons">
@@ -211,9 +210,9 @@
 net          ipv4
 rsyncok:loc  ipv4             <emphasis role="bold">dynamic_shared</emphasis></programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
-loc         eth0           -                …
-loc         eth1           -                …</programlisting>
+      <programlisting>#ZONE       INTERFACE      OPTIONS
+loc         eth0           …
+loc         eth1           …</programlisting>
 
       <para><filename>/etc/shorewall/hosts</filename>:</para>
 
@@ -308,9 +307,8 @@ rsyncok:
 loc          ipv4
 webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
 
-        <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
-loc         eth0           -                …
-</programlisting>
+        <programlisting>#ZONE       INTERFACE      OPTIONS
+loc         eth0           …</programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename>:</para>
 

docs/Events.xml

@@ -35,7 +35,7 @@
   </articleinfo>
 
   <caution>
-    <para>This article applies to Shorewall 4.5.19 and later and supersedes
+    <para>This article applies to Shorewall 4.5.19 and later and supercedes
     <ulink url="PortKnocking.html">this article.</ulink></para>
   </caution>
 
@@ -477,7 +477,7 @@ root@gateway:~# </programlisting>
 
       <para>This example is taken from <ulink
       url="http://www.briandowney.net/blog/2009/08/20/firewalling-brute-force-attempts-with-iptables/">this
-      article</ulink> which explains the nice benefits of this approach. This
+      article</ulink> which explains the nice benifits of this approach. This
       example is for ssh, but it can be adapted for any application.</para>
 
       <para>The name SSH has been changed to SSHLIMIT so as not to override
@@ -701,87 +701,5 @@ ResetEvent(SSH,DROP:info)        </programlisting>
 #                                                         PORT(S)
 Knock                 net            $FW       tcp        22,1599-1601          </programlisting>
     </section>
-
-    <section id="Stateful">
-      <title>Stateful Port Knocking (knock with a sequence of ports)</title>
-
-      <para>Gerhard Wiesinger has contributed a Perl module that allows you to
-      define portknocking sequences. Download <ulink
-      url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
-      module</ulink> and copy it into your site_perl directory.</para>
-
-      <para>Using Gerhard's module, a port-knocking rule is defined via a
-      '?PERL' statement. This example opens the SSH port from net-&gt;fw using
-      the knock sequence 52245, 15623, 19845:</para>
-
-      <programlisting>?BEGIN PERL
-use KnockEnhanced;
-KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; 'tcp', target =&gt; 'ssh', knocker =&gt; [52245,15623,19845]};
-?END PERL</programlisting>
-
-      <para>A few notes on the parameters:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>The first parameter is the rule SOURCE</para>
-        </listitem>
-
-        <listitem>
-          <para>The second parameter is the rule DEST</para>
-        </listitem>
-
-        <listitem>
-          <para>The third parameter is a Perl hash reference that defines the
-          remaining parameters. Each parameter is specified via
-          <replaceable>param</replaceable> =&gt;
-          <replaceable>value</replaceable>.</para>
-
-          <itemizedlist>
-            <listitem>
-              <para><emphasis role="bold">proto</emphasis> is the protocol --
-              if not specified, the default is tcp</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">seconds</emphasis> is the timeout
-              between successive events -- default is 60 seconds.</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">original_dest</emphasis> is the rule
-              ORIGINAL DEST</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">target</emphasis> is the port(s)
-              that you are trying to open. May either be a single name or
-              number, or it may be a list of names and/or numbers separated by
-              commas and enclosed in square brackets ("[...]").</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">name</emphasis> is a name used as
-              the base for event and chain names. If not supplied, the first
-              <emphasis role="bold">target</emphasis> is used, in which case
-              the first target must be a port name.</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">log_level </emphasis>specifies
-              logging for the generated rules</para>
-            </listitem>
-          </itemizedlist>
-
-          <note>
-            <para>Port names and numbers may be optionally followed by a colon
-            (":") and a protocol name or number to override the specified
-            protocol.</para>
-          </note>
-        </listitem>
-      </itemizedlist>
-
-      <para>The module itself contains additional examples of its
-      usage.</para>
-    </section>
   </section>
 </article>

docs/FAQ.xml

@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2014</year>
+      <year>2001-2013</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -516,8 +516,8 @@ DNAT       net           net:66.249.93.111:993  tcp      80          -         2
 
         <para>In <filename>/etc/shorewall/interfaces</filename>, specify the
         <emphasis role="bold">routeback</emphasis> option on
-        eth0:<programlisting>#ZONE      INTERFACE     BROADCAST            OPTIONS
-net        eth0          detect               <emphasis role="bold">routeback</emphasis></programlisting></para>
+        eth0:<programlisting>#ZONE      INTERFACE     OPTIONS
+net        eth0          <emphasis role="bold">routeback</emphasis></programlisting></para>
 
         <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
 eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlisting></para>
@@ -700,8 +700,8 @@ DNAT       net           net:192.168.4.22       tcp      80,443      -         <
         <listitem>
           <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-          <programlisting>#ZONE    INTERFACE    BROADCAST    OPTIONS
-loc      eth1         detect       <emphasis role="bold">routeback</emphasis>    </programlisting>
+          <programlisting>#ZONE    INTERFACE    OPTIONS
+loc      eth1         <emphasis role="bold">routeback</emphasis>    </programlisting>
         </listitem>
 
         <listitem>
@@ -821,8 +821,8 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
 
           <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-          <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
-dmz      eth2         192.168.2.255   <emphasis role="bold">routeback</emphasis> </programlisting>
+          <programlisting>#ZONE    INTERFACE    OPTIONS
+dmz      eth2         <emphasis role="bold">routeback</emphasis> </programlisting>
 
           <para>In <filename>/etc/shorewall/masq</filename>:</para>
 
@@ -2304,15 +2304,6 @@ gateway:~# </programlisting>
         </listitem>
       </orderedlist>
     </section>
-
-    <section id="faq103">
-      <title>(FAQ 103) Shorewall fails to start at boot but will start
-      immediately after</title>
-
-      <para>Answer: This is usually associated with SELinux. <ulink
-      url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
-      is an example.</para>
-    </section>
   </section>
 
   <section id="MultiISP">

docs/FTP.xml

@@ -294,164 +294,9 @@ xt_tcpudp               3328  0
     /etc/shorewall/shorewall.conf to point to that directory.</para>
   </section>
 
-  <section>
-    <title>FTP with Kernel 3.5 and Later</title>
-
-    <para>Because of the potential for attackers to subvert Netfilter helpers
-    like the one for FTP, the Netfilter team are in the process of eliminating
-    the automatic association of helpers to connections. In the 3.5 kernel, it
-    is possible to disable this automatic association, and the team have
-    announced that automatic association will eventually be eliminated. While
-    it is certainly more secure to add explicit rules that create these
-    associations, for Shorewall to require users to add those rules would
-    present a gross inconvenience during a Shorewall upgrade. To make
-    Shorewall and kernel upgrades as smooth as possible, several new features
-    were added to the Shorewall 4.5.7:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>Shorewall automatically disables the kernel's automatic
-        association of helpers to connections on kernel 3.5 and later.</para>
-      </listitem>
-
-      <listitem>
-        <para>An automatic association of helpers with connections that
-        performs the same function as in the pre-3.5 kernels has been added.
-        This automatic association is controlled by the AUTOHELPERS
-        shorewall.conf option which is set to 'Yes' by default.</para>
-      </listitem>
-
-      <listitem>
-        <para>A HELPERS column has been added to the /etc/shorewall/rules In
-        the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the
-        specified helper is automatically associated with the
-        connection.</para>
-      </listitem>
-
-      <listitem>
-        <para>HELPERS may be specified in action files, macros and in the
-        rules file itself. In the RELATED section: The rule will only match
-        related connections that have the named helper attached. - The
-        standard Macros for applications requiring a helper (FTP, IRC, etc)
-        have been modified to automatically specify the correct helper in the
-        HELPER column.</para>
-      </listitem>
-
-      <listitem>
-        <para>HELPER is now a valid action in /etc/shorewall/rules. This
-        action requires that a helper be present in the HELPER column and
-        causes the specified helper to be associated with connections matching
-        the rule. No destination zone should be specified in HELPER rules.
-        HELPER rules allow specification of a helper for connections that are
-        ACCEPTed by the applicable policy.</para>
-
-        <para> Example (loc-&gt;net policy is ACCEPT) - In
-        /etc/shorewall/rules:</para>
-
-        <programlisting>#ACTION     SOURCE       DEST
-FTP(HELPER) loc          - </programlisting>
-
-        <para>or equivalently </para>
-
-        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
-#                                       PORT(S)
-HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
-      </listitem>
-
-      <listitem>
-        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
-        HELPERS column) can be taylored using the new HELPERS option in
-        shorewall.conf. </para>
-      </listitem>
-    </itemizedlist>
-
-    <para>By making AUTOHELPERS=Yes the default, users can upgrade their
-    systems to a 3.5+ kernel without disrupting the operation of their
-    firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and
-    follow one of two strategies:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>Use the HELPERS column in the rules file to enable helpers as
-        needed (preferred); or</para>
-      </listitem>
-
-      <listitem>
-        <para>Taylor the conntrack file to enable helpers on only those
-        connections that are required.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>With either of these approaches, the list if available helpers can
-    be trimmed using the HELPERS option and rules can be added to the RELATED
-    section of the rules file to further restrict the effect of helpers. The
-    implementation of these new function places conditional rules in the
-    /etc/shorewall[6]/conntrack file. These rules are included conditionally
-    based in the setting of AUTOHELPERS.</para>
-
-    <para> Example:</para>
-
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-?if $AUTOHELPERS &amp;&amp; __CT_TARGET
-?if __FTP_HELPER
-CT:helper:ftp           all             -               tcp     21
-?endif
-...
-?endif</programlisting>
-
-    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
-    and 'ftp' is not listed in that setting. For example, if you only need FTP
-    access from your 'loc' zone, then add this rule outside of the outer-most
-    ?if....?endif shown above.</para>
-
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-...
-CT:helper:ftp           loc             -               tcp     21</programlisting>
-
-    <para> For an overview of Netfilter Helpers and Shorewall's support for
-    dealing with them, see <ulink
-    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
-
-    <para>See <ulink
-    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
-    for additional information. </para>
-  </section>
-
   <section id="Ports">
     <title>FTP on Non-standard Ports</title>
 
-    <para>If you are running kernel 3.5 or later and Shorewall 4.5.7 or later,
-    then please read the preceding section. You can add appropriate entries
-    into <ulink url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>
-    or <ulink
-    url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink> to
-    associate the FTP helpers with a nonstandard port.</para>
-
-    <para>Examples using port 12345:</para>
-
-    <para><filename>/etc/shorewall/rules:</filename></para>
-
-    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
-#                                                             PORT(S)
-DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
-
-    <para>That entry will accept ftp connections on port 12345 from the net
-    and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
-
-    <para><filename>/etc/shorewall/conntrack:</filename></para>
-
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-...
-CT:helper:ftp           loc             -               tcp     12345</programlisting>
-
-    <para>That rule automatically associates the ftp helper with TCP port
-    12345 from the 'loc' zone.</para>
-
-    <para>Otherwise, read on.</para>
-
     <note>
       <para>If you are running <emphasis role="bold">kernel 2.6.19 or
       earlier</emphasis>, replace <emphasis

docs/GenericTunnels.xml

@@ -86,8 +86,8 @@ vpn          ipv4</programlisting>
     <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
     role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
 
-    <programlisting>#ZONE      INTERFACE       BROADCAST        OPTIONS
-vpn        tun0            10.255.255.255</programlisting>
+    <programlisting>#ZONE      INTERFACE       OPTIONS
+vpn        tun0</programlisting>
 
     <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
 
@@ -99,8 +99,8 @@ generic:47       net            134.28.54.2</programlisting>
     TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
     be accepted to/from the remote gateway.</para>
 
-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
-vpn          tun0             192.168.1.255</programlisting>
+    <programlisting>#ZONE        INTERFACE        OPTIONS
+vpn          tun0</programlisting>
 
     <para>In /etc/shorewall/tunnels on system B, we have:</para>
 

docs/IPIP.xml

@@ -103,8 +103,8 @@ vpn          ipv4</programlisting>
     <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
     role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
 
-    <programlisting>#ZONE        INTERFACE      BROADCAST        OPTIONS
-vpn          tosysb         10.255.255.255</programlisting>
+    <programlisting>#ZONE        INTERFACE      OPTIONS
+vpn          tosysb</programlisting>
 
     <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
 

docs/IPSEC-2.6.xml

@@ -59,7 +59,7 @@
 
   <important>
     <para><emphasis role="bold">Shorewall does not configure IPSEC for
-    you</emphasis> -- it rather configures netfilter to accommodate your IPSEC
+    you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
     configuration.</para>
   </important>
 
@@ -139,7 +139,7 @@
     and zones was made easy by the presence of IPSEC pseudo-interfaces with
     names of the form <filename class="devicefile">ipsecN</filename> (e.g.
     <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
-    traffic (case 1.) was sent through an <filename
+    traffic (case 1.) was send through an <filename
     class="devicefile">ipsecN</filename> device while incoming unencrypted
     traffic (case 2) arrived from an <filename
     class="devicefile">ipsecN</filename> device. The 2.6 kernel-based
@@ -238,7 +238,7 @@
 
     <para>Suppose that we have the following situation:</para>
 
-    <graphic fileref="images/TwoNets1.png"/>
+    <graphic fileref="images/TwoNets1.png" />
 
     <para>We want systems in the 192.168.1.0/24 sub-network to be able to
     communicate with systems in the 10.0.0.0/8 network. We assume that on both
@@ -481,7 +481,7 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
     when you travel and you want to be able to establish a secure connection
     back to your local network.</para>
 
-    <graphic fileref="images/Mobile.png"/>
+    <graphic fileref="images/Mobile.png" />
 
     <example id="roadWarrior">
       <title>Road Warrior VPN</title>
@@ -734,9 +734,9 @@ loc            ipv4
     <blockquote>
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     eth0            detect          routefilter
-loc     eth1            192.168.1.255
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            routefilter
+loc     eth1            -
 l2tp    ppp+            -
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
     </blockquote>
@@ -827,9 +827,9 @@ HTTPS(ACCEPT)   l2tp    $FW
     hosts in that network. In that case, IPSEC transport mode is an
     appropriate solution.</para>
 
-    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
-    the ipsec-tools package. The files shown are from host 192.168.20.10; the
-    configuration of the other nodes is similar.</para>
+    <para><graphic fileref="images/TransportMode.png" />Here's an example
+    using the ipsec-tools package. The files shown are from host
+    192.168.20.10; the configuration of the other nodes is similar.</para>
 
     <blockquote>
       <para><filename>/etc/racoon/racoon.conf</filename>:</para>
@@ -889,8 +889,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.
     <blockquote>
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     eth0            detect          routefilter,dhcp,tcpflags
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            routefilter,dhcp,tcpflags
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
       <para><filename>/etc/shorewall/tunnels</filename>:</para>

docs/Install.xml

@@ -147,7 +147,7 @@
       <emphasis role="bold">Shorewall-core</emphasis> 4.5.2 or later, a
       shorewallrc file named ${HOME}/.shorewallrc will be installed. That file
       will provide the default parameters for installing other Shorewall
-      components of the same or later version.</para>
+      components of the same or later verion.</para>
 
       <para>Note that <emphasis role="bold">you must install Shorewall-core
       before installing any other Shorewall package</emphasis>.</para>
@@ -730,7 +730,7 @@
 
           <programlisting><command>./install.sh -s</command></programlisting>
 
-          <para>The <emphasis role="bold">-s</emphasis> option suppresses
+          <para>The <emphasis role="bold">-s</emphasis> option supresses
           installation of all files in <filename
           class="directory">/etc/shorewall</filename> except
           <filename>shorewall.conf</filename>. You can copy any other files

docs/Introduction.xml

@@ -181,10 +181,10 @@ dmz     ipv4</programlisting>
     file. In the three-interface sample, the three zones are defined using
     that file as follows:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
-net        eth0          detect        dhcp,routefilter
-loc        eth1          detect
-dmz        eth2          detect</programlisting>
+    <programlisting>#ZONE      INTERFACE     OPTIONS
+net        eth0          dhcp,routefilter
+loc        eth1
+dmz        eth2</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0, the
@@ -201,10 +201,10 @@ dmz        eth2          detect</programlisting>
     file or you may use the nets= option in
     <filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
-net        eth0          detect        dhcp,routefilter,nets=(!192.168.0.0/23)
-loc        eth1          detect        nets=(192.168.0.0/24)
-dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
+    <programlisting>#ZONE      INTERFACE     OPTIONS
+net        eth0          dhcp,routefilter,nets=(!192.168.0.0/23)
+loc        eth1          nets=(192.168.0.0/24)
+dmz        eth2          nets=(192.168.1.0/24)</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0 <emphasis>except</emphasis>

docs/KVM.xml

@@ -66,7 +66,7 @@
   <section>
     <title>Networking Configuration</title>
 
-    <para>I use a network configuration where each VM has its own VNET and
+    <para>I use a network configuration where each VM has it's own VNET and
     tap device and the tap devices are all configured as ports on a Linux
     Bridge. For clarity, I've only shown four of the virtual machines
     available on the system.</para>

docs/Laptop.xml

@@ -68,10 +68,10 @@
     optional interfaces for the 'net' zone in
     <filename>/etc/shorewall/interfaces</filename>.</para>
 
-    <programlisting>#ZONE          INTERFACE      BROADCAST           OPTIONS
-net            eth0           detect              optional,…
-net            wlan0          detect              optional,…
-net            ppp0           -                   optional,…</programlisting>
+    <programlisting>#ZONE          INTERFACE      OPTIONS
+net            eth0           optional,…
+net            wlan0          optional,…
+net            ppp0           optional,…</programlisting>
 
     <para>With this configuration, access to the 'net' zone is possible
     regardless of which of the interfaces is being used.</para>

docs/MAC_Validation.xml

@@ -172,12 +172,12 @@ MACLIST_LOG_LEVEL=info</programlisting>
 
       <para>/etc/shorewall/interfaces:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     $EXT_IF         206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
-loc     $INT_IF         192.168.1.255   dhcp
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     $EXT_IF         dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
+loc     $INT_IF         dhcp
 dmz     $DMZ_IF         -
 vpn     tun+            -
-Wifi    $WIFI_IF        -               maclist,dhcp
+Wifi    $WIFI_IF        maclist,dhcp
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
 
       <para>/etc/shorewall/maclist:</para>

docs/Manpages.xml

@@ -89,7 +89,7 @@
         Define MAC verification.</member>
 
         <member><ulink url="manpages/shorewall-mangle.html">mangle</ulink> -
-        Supersedes tcrules and describes packet/connection marking.</member>
+        Supercedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -168,7 +168,7 @@
         state (added in Shorewall 4.5.8).</member>
 
         <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
-        Define packet marking rules, usually for traffic shaping. Superseded
+        Define packet marking rules, usually for traffic shaping. Superceded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages/shorewall-tos.html">tos</ulink> - Define

docs/Manpages6.xml

@@ -79,7 +79,7 @@
         - Define MAC verification.</member>
 
         <member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
-        Supersedes tcrules and describes packet/connection marking.</member>
+        Supercedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -149,7 +149,7 @@
         Classify traffic for simplified traffic shaping.</member>
 
         <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
-        - Define packet marking rules, usually for traffic shaping. Superseded
+        - Define packet marking rules, usually for traffic shaping. Superceded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages6/shorewall6-tos.html">tos</ulink> -