Make NFQUEUE parsing more robust

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=40606
+SHOREWALL_CAPVERSION=40609
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -42,16 +42,6 @@ fi
 
 . ${SHAREDIR}/shorewall/lib.base
 
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
 #
 # Issue an error message and die
 #
@@ -375,7 +365,18 @@ savesets() {
 
     supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
+}
+
+#
+# Proactive save of the current ipset contents
+#
+savesets1() {
+    local supported
+
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 
 #
@@ -387,7 +388,7 @@ do_save() {
     status=0
 
     if [ -f ${VARDIR}/firewall ]; then
-	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+	if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod +x $g_restorepath
@@ -473,7 +474,7 @@ do_save() {
 		    fi
 		fi
 		;;
-	    [Nn]o)
+	    [Nn]o|ipv4|ipv6)
 		;;
 	    *)
 		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
@@ -1224,6 +1225,16 @@ show_command() {
 	    echo
 	    show_bl;
 	    ;;
+	opens)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
+
+	    if chain_exists dynamic; then
+		g_ipt_options="$g_ipt_options --line-numbers"
+		$g_tool -t filter -L dynamic $g_ipt_options  | head -n2
+		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
+	    fi
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1662,7 +1673,7 @@ restore_command() {
 
     if [ -z "$STARTUP_ENABLED" ]; then
 	error_message "ERROR: Startup is disabled"
-	exit 2
+	exit 6
     fi
 
     g_restorepath=${VARDIR}/$RESTOREFILE
@@ -2076,6 +2087,166 @@ delete_command() {
     fi
 }
 
+open_close_command() {
+    local command
+    local desc
+    local proto
+    local icmptype
+
+    open_close_setup() {
+	[ -n "$g_nolock" ] || mutex_on
+
+	if ! product_is_started ; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "The $COMMAND command requires the firewall to be running"
+	fi
+
+	if ! chain_exists dynamic; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
+	fi
+    }
+
+    [ $# -le 4 ] || fatal_error "Too many parameters"
+
+    if [ $COMMAND = open ]; then
+	[ $# -ge 2 ] || fatal_error "Too few parameters"
+    else
+	[ $# -ge 1 ] || fatal_error "Too few parameters"
+    fi
+
+    if [ $# -eq 1 ]; then
+	#
+	# close <rule number>
+	#
+	case $1 in
+	    [1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
+		;;
+	    *)
+		fatal_error "$1 is not a valid temporary open number"
+		;;
+	esac
+
+	open_close_setup #Conditionally acquires mutex
+
+	if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
+	    if $g_tool -D dynamic $1; then
+		[ -n "$g_nolock" ] || mutex_off
+		echo "Temporary open #$1 closed"
+		return 0
+	    fi
+	    [ -n "$g_nolock" ] || mutex_off
+	    return 2
+	else
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "$1 is not a valid temporary open number"
+	fi
+    else
+	if [ $1 = all ]; then
+	    command=dynamic
+	else
+	    command="dynamic -s $1"
+	fi
+
+	if [ $2 != all ]; then
+	    command="$command -d $2"
+	fi
+
+	desc="from $1 to $2"
+
+	if [ $# -ge 3 ]; then
+	    proto=$3
+
+	    [ $proto = icmp -a $g_family -eq 6 ] && proto=58
+
+	    command="$command -p $proto"
+
+	    case $3 in
+		[0-9]*)
+		    desc="$desc protocol $3"
+		    ;;
+		*)
+		    desc="$desc $3"
+		    ;;
+	    esac
+
+	    if [ $g_family -eq 4 ]; then
+		if [ $proto = 6 -o $proto = icmp ]; then
+		    proto=icmp
+		    icmptype='--icmp-type'
+		fi
+	    else
+		if [ $proto = 58 -o $proto = ipv6-icmp ]; then
+		    proto=icmp
+		    icmptype='--icmpv6-type'
+		fi
+	    fi
+	fi
+
+	if [ $# -eq 4 ]; then
+	    if [ $proto = icmp ]; then
+		case $4 in
+		    *,*)
+			fatal_error "Only a single ICMP type may be specified"
+			;;
+		    [0-9]*)
+			desc="$desc type $4"
+			;;
+		    *)
+			desc="$desc $4"
+			;;
+		esac
+
+		command="$command $icmptype $4"
+	    else
+		case $4 in
+		*,*)
+		    command="$command -m multiport --dports $4"
+		    ;;
+		*)
+		    command="$command --dport $4"
+		    ;;
+		esac
+
+		case $4 in
+		    [0-9]*,)
+			desc="$desc ports $4"
+			;;
+		    [0-9]*)
+			desc="$desc port $4"
+			;;
+		    *)
+			desc="$desc $4"
+			;;
+		esac
+	    fi
+	fi
+
+	command="$command -j ACCEPT"
+
+	open_close_setup #Conditionally acquires mutex
+
+	if [ $COMMAND = open ]; then
+	    if $g_tool -I $command ; then
+		[ -n "$g_nolock" ] || mutex_off
+		echo "Firewall dynamically opened for connections $desc"
+		return 0
+	    fi
+	    [ -n "$g_nolock" ] || mutex_off
+	    return 2
+	fi
+
+	if $g_tool -D $command 2> /dev/null; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
+	    return 0
+	fi
+
+	[ -n "$g_nolock" ] || mutex_off
+	fatal_error "Connections $desc are not currently opened"
+    fi
+}
+
 #
 # 'hits' commmand executor
 #
@@ -2294,6 +2465,7 @@ determine_capabilities() {
     local chain
     local chain1
     local arptables
+    local helper
 
     if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2394,6 +2566,7 @@ determine_capabilities() {
     NEW_TOS_MATCH=
     TARPIT_TARGET=
     IFACE_MATCH=
+    TCPMSS_TARGET=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2551,6 +2724,8 @@ determine_capabilities() {
 
     qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
 
+    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes
+
     if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain
 
@@ -2592,21 +2767,44 @@ determine_capabilities() {
 	if qt $g_tool -t raw -A $chain -j CT --notrack; then
 	    CT_TARGET=Yes;
 
-	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
+	    for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
+		eval ${helper}_ENABLED=''
+	    done
+
+	    if [ -n "$HELPERS" ]; then
+		for helper in $(split_list "$HELPERS"); do
+		    case $helper in
+			none)
+			    ;;
+			amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
+			    eval ${helper}_ENABLED=Yes
+			    ;;
+			*)
+			    error_message "WARNING: Invalid helper ($helper) ignored"
+			    ;;
+		    esac
+		done
+	    else
+		for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
+		    eval ${helper}_ENABLED=Yes
+		done
+	    fi
+
+	    [ -n "$amanda_ENABLED" ]     && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
+	    [ -n "$ftp_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
+	    [ -n "$ftp0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
+	    [ -n "$h323_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
+	    [ -n "$irc_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
+	    [ -n "$irc0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
+	    [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+	    [ -n "$pptp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
+	    [ -n "$sane_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
+	    [ -n "$sane0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
+	    [ -n "$sip_ENABLED" ]        && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
+	    [ -n "$sip0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
+	    [ -n "$snmp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
+	    [ -n "$tftp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
+	    [ -n "$tftp0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
 	fi
 
 	qt $g_tool -t raw -F $chain
@@ -2820,16 +3018,17 @@ report_capabilities_unsorted() {
     report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
     report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
     report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-    report_capability "Geo IP match" $GEOIP_MATCH
-    report_capability "RPFilter match" $RPFILTER_MATCH
-    report_capability "NFAcct match" $NFACCT_MATCH
-    report_capability "Checksum Target" $CHECKSUM_TARGET
-    report_capability "Arptables JF" $ARPTABLESJF
-    report_capability "MASQUERADE Target" $MASQUERADE_TGT
-    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
-    report_capability "New tos Match" $NEW_TOS_MATCH
-    report_capability "TARPIT Target" $TARPIT_TARGET
-    report_capability "Iface Match" $IFACE_MATCH
+    report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
+    report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
+    report_capability "NFAcct Match" $NFACCT_MATCH
+    report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
+    report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
+    report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
+    report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
+    report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
+    report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
+    report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
+    report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET
 
     report_capability "Amanda Helper" $AMANDA_HELPER
     report_capability "FTP Helper" $FTP_HELPER
@@ -2959,6 +3158,7 @@ report_capabilities_unsorted1() {
     report_capability1 NEW_TOS_MATCH
     report_capability1 TARPIT_TARGET
     report_capability1 IFACE_MATCH
+    report_capability1 TCPMSS_TARGET
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3470,7 +3670,7 @@ start_command() {
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    logger -p kern.err "ERROR:$g_product start failed"
-	    rc=2
+	    rc=6
 	fi
 
 	[ -n "$g_nolock" ] || mutex_off
@@ -3603,7 +3803,7 @@ restart_command() {
     else
 	error_message "${VARDIR}/firewall is missing or is not executable"
 	logger -p kern.err "ERROR:$g_product restart failed"
-	rc=2
+	rc=6
     fi
 
     [ -n "$g_nolock" ] || mutex_off
@@ -3628,6 +3828,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   clear"
+    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
     echo "   drop <address> ..."
@@ -3645,12 +3846,15 @@ usage() # $1 = exit status
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
+    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   reject <address> ..."
+    echo "   reenable <interface>"
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
     echo "   run <command> [ <parameter> ... ]"
     echo "   save [ -C ] [ <file name> ]"
+    echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] arptables"
@@ -3670,6 +3874,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
     echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
     echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
     echo "   [ show | list | ls ] routing"
     echo "   [ show | list | ls ] tc [ device ]"
@@ -3850,10 +4055,6 @@ shorewall_cli() {
 
     [ -n "${VARDIR:=/var/lib/$g_program}" ]
 
-    if [ ! -f ${VARDIR}/firewall ]; then
-	[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.rstore ${VARDIR}/firewall
-    fi
-
     g_firewall=${VARDIR}/firewall
 
     version_file=${g_sharedir}/version
@@ -3916,7 +4117,7 @@ shorewall_cli() {
 	    shift
 	    restart_command $@
 	    ;;
-	disable|enable)
+	disable|enable|reenable)
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -3979,6 +4180,11 @@ shorewall_cli() {
 	    [ $# -eq 1 ] && usage 1
 	    reject_command $@
 	    ;;
+	open|close)
+	    get_config
+	    shift
+	    open_close_command $@
+	    ;;
 	allow)
 	    get_config
 	    allow_command $@
@@ -4023,10 +4229,29 @@ shorewall_cli() {
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
-	    # Undocumented way to call functions in the libraries directly
+	    # Way to call functions in the libraries directly
 	    #
 	    shift
-	    $@
+
+	    if [ $# -gt 0 ]; then
+		#
+		# First look for it here
+		#
+		if type $1 2> /dev/null | fgrep -q 'is a function'; then
+		    #
+		    # It's a shell function -- call it
+		    #
+		    $@
+		else
+		    #
+		    # It isn't a function visible to this script -- try
+		    # the compiled firewall
+		    #
+		    run_it $g_firewall $g_debugging call $@
+		fi
+	    else
+		usage 1
+	    fi
 	    ;;
 	help)
 	    shift
@@ -4042,6 +4267,12 @@ shorewall_cli() {
 	    shift
 	    noiptrace_command $@
 	    ;;
+	savesets)
+	    [ $# -eq 1 ] || usage 1
+	    get_config
+	    [ -n "$g_debugging" ] && set -x
+	    savesets1
+	    ;;
 	*)
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@

Shorewall-core/lib.common

@@ -70,6 +70,15 @@ startup_error() # $* = Error Message
     exit 2
 }
 
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
 #
 # Get the Shorewall version of the passed script
 #
@@ -211,6 +220,17 @@ split() {
     IFS=$ifs
 }
 
+#
+# Split a comma-separated list into a space-separated list
+#
+split_list() {
+    local ifs
+    ifs=$IFS
+    IFS=,
+    echo $*
+    IFS=$ifs
+}
+
 #
 # Search a list looking for a match -- returns zero if a match found
 # 1 otherwise

Shorewall-core/uninstall.sh

@@ -35,6 +35,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall-init/init.debian.sh

@@ -74,7 +74,9 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
     fi
 }
 
@@ -103,21 +105,17 @@ shorewall_start () {
   echo -n "Initializing \"Shorewall-based firewalls\": "
 
   for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-          #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
-	      else
-		  echo_notdone
-	      fi
-	  )
-      else
-	  echo_notdone
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+              #
+	      # Run in a sub-shell to avoid name collisions
+	      #
+	      (
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  fi
+	      )
+	  fi
       fi
   done
 
@@ -144,10 +142,10 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 

Shorewall-init/init.sh

@@ -69,10 +69,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    else
+	return 0
     fi
 }
 
@@ -83,11 +83,11 @@ shorewall_start () {
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -106,10 +106,10 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 

Shorewall-init/init.suse.sh

@@ -80,7 +80,9 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
     fi
 }
 
@@ -91,14 +93,12 @@ shorewall_start () {
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x $STATEDIR/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
+      if setstatedir; then
+	  if [ -x $STATEDIR/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      fi
 	  fi
-      else
-	  exit 6
       fi
   done
 
@@ -114,12 +114,10 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || exit
-      else
-	  exit 6
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 

Shorewall-init/install.sh

@@ -188,6 +188,8 @@ done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
+[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
+
 if [ -z "$BUILD" ]; then
     case $(uname) in
 	cygwin*)
@@ -379,9 +381,9 @@ fi
 
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
     elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
@@ -390,15 +392,11 @@ if [ $HOST = debian ]; then
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi
 
-	if [ $configure -eq 1 ]; then
-	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-	else
-	    mkdir -p ${DESTDIR}${CONFDIR}/default
-	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
-	fi
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
     fi
 
     IFUPDOWN=ifupdown.debian.sh
@@ -408,13 +406,13 @@ else
 
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
     fi
@@ -440,12 +438,8 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    if [ $configure -eq 1 ]; then
-	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-    else
-	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
-	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
-    fi
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 
 case $HOST in

Shorewall-init/shorewall-init.service

@@ -4,9 +4,9 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall (bootup security)
+Description=Shorewall firewall (bootup security)
 Before=network.target
-Conflicts=iptables.service firewalld.service
+Conflicts=iptables.service ip6tables.service firewalld.service
 
 [Service]
 Type=oneshot

Shorewall-init/shorewall-init.service.214

@@ -4,7 +4,7 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall (bootup security)
+Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 Conflicts=iptables.service firewalld.service

Shorewall-init/uninstall.sh

@@ -35,6 +35,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall-lite/manpages/shorewall-lite.xml

@@ -47,6 +47,19 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>allow</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -59,6 +72,21 @@
       choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -265,6 +293,29 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>reenable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -302,8 +353,6 @@
       <arg><option>-n</option></arg>
 
       <arg><option>-p</option><arg><option>-C</option></arg></arg>
-
-      <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -350,6 +399,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -578,7 +638,10 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">add</emphasis></term>
+        <term><emphasis role="bold">add </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -603,7 +666,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">allow</emphasis></term>
+        <term><emphasis role="bold">allow
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Re-enables receipt of packets from hosts previously
@@ -615,7 +679,25 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">clear</emphasis></term>
+        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.10. Allows you to call a function in
+          one of the Shorewall libraries or in your compiled script. function
+          must name the shell function to be called. The listed parameters are
+          passed to the function.</para>
+
+          <para>The function is first searched for in
+          <filename>lib.base</filename>, <filename>lib.common</filename> and
+          <filename>lib.cli</filename>. If it is not found, the call command
+          is passed to the generated script to be executed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">clear
+        </emphasis>[-<option>f</option>]</term>
 
         <listitem>
           <para>Clear will remove all rules and chains installed by
@@ -632,7 +714,31 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">delete</emphasis></term>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">delete </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>The delete command reverses the effect of an earlier <emphasis
@@ -647,7 +753,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">disable</emphasis></term>
+        <term><emphasis role="bold">disable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -659,7 +767,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">drop</emphasis></term>
+        <term><emphasis role="bold">drop
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -668,7 +777,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">dump</emphasis></term>
+        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
+        [-<option>l</option>] [-<option>m</option>]
+        [-<option>c</option>]</term>
 
         <listitem>
           <para>Produces a verbose report about the firewall configuration for
@@ -689,7 +800,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">enable</emphasis></term>
+        <term><emphasis role="bold">enable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -701,7 +814,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">forget</emphasis></term>
+        <term><emphasis role="bold">forget </emphasis>[
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
@@ -722,7 +836,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">hits</emphasis></term>
+        <term><emphasis role="bold">hits </emphasis>
+        [-<option>t</option>]</term>
 
         <listitem>
           <para>Generates several reports from Shorewall-lite log messages in
@@ -732,7 +847,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ipcalc</emphasis></term>
+        <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
+        address/vlsm }</term>
 
         <listitem>
           <para>Ipcalc displays the network address, broadcast address,
@@ -742,7 +858,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">iprange</emphasis></term>
+        <term><emphasis role="bold">iprange
+        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
 
         <listitem>
           <para>Iprange decomposes the specified range of IP addresses into
@@ -751,7 +868,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis></term>
+        <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
+        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that causes iptables
@@ -770,7 +888,17 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis></term>
+        <term><emphasis role="bold">list</emphasis></term>
+
+        <listitem>
+          <para><command>list</command> is a synonym for
+          <command>show</command> -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">logdrop
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -781,7 +909,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logwatch</emphasis></term>
+        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        [<replaceable>refresh-interval</replaceable>]</term>
 
         <listitem>
           <para>Monitors the log file specified by the LOGFILE option in
@@ -800,7 +929,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis></term>
+        <term><emphasis role="bold">logreject
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -811,7 +941,17 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">noiptrace</emphasis></term>
+        <term><emphasis role="bold">ls</emphasis></term>
+
+        <listitem>
+          <para><command>ls</command> is a synonym for <command>show</command>
+          -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
+        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that cancels a trace
@@ -824,16 +964,83 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reset</emphasis></term>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
 
         <listitem>
-          <para>All the packet and byte counters in the firewall are
-          reset.</para>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <screen>    shorewall-lite close all 192.168.1.1 tcp 22</screen>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restart</emphasis></term>
+        <term><emphasis role="bold">reenable</emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.9. This is equivalent to a
+          <command>disable</command> command followed by an
+          <command>enable</command> command on the specified
+          <replaceable>interface</replaceable> or
+          <replaceable>provider</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reject</emphasis><replaceable>
+        address</replaceable></term>
+
+        <listitem>
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          to be silently rejected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
+        ...]</emphasis><acronym/></term>
+
+        <listitem>
+          <para>Resets the packet and byte counters in the specified
+          <replaceable>chain</replaceable>(s). If no
+          <replaceable>chain</replaceable> is specified, all the packet and
+          byte counters in the firewall are reset.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
+        [-<option>C</option>]</term>
 
         <listitem>
           <para>Restart is similar to <emphasis role="bold">shorewall-lite
@@ -856,7 +1063,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restore</emphasis></term>
+        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
+        [-<option>p</option>] [-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -876,6 +1085,14 @@
             different from the current values.</para>
           </caution>
 
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
+          causes the connection tracking table to be flushed; the
+          <command>conntrack</command> utility must be installed to use this
+          option.</para>
+
           <para>The <option>-C</option> option was added in Shorewall 4.6.5.
           If the <option>-C</option> option was specified during <emphasis
           role="bold">shorewall save</emphasis>, then the counters saved by
@@ -884,7 +1101,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
+        <term><emphasis role="bold">run
+        </emphasis><replaceable>command</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.6.3. Executes
@@ -901,7 +1120,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">save</emphasis></term>
+        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>The dynamic blacklist is stored in
@@ -918,6 +1138,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -927,7 +1161,8 @@
 
           <variablelist>
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+              <term><emphasis role="bold">bl|blacklists
+              </emphasis>[-<option>x</option>]</term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -940,7 +1175,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">capabilities</emphasis></term>
+              <term>[-<option>f</option>] <emphasis
+              role="bold">capabilities</emphasis></term>
 
               <listitem>
                 <para>Displays your kernel/iptables capabilities. The
@@ -951,8 +1187,10 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              ]</term>
+              <term>[-<option>b</option>] [-<option>x</option>]
+              [-<option>l</option>] [-<option>t</option>
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
+              [ <emphasis>chain</emphasis>... ]</term>
 
               <listitem>
                 <para>The rules in each <emphasis>chain</emphasis> are
@@ -1051,7 +1289,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">log</emphasis></term>
+              <term>[-<option>m</option>] <emphasis
+              role="bold">log</emphasis></term>
 
               <listitem>
                 <para>Displays the last 20 Shorewall-lite messages from the
@@ -1063,6 +1302,20 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">mangle</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter mangle table using the command
+                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
+                The <emphasis role="bold">-x</emphasis> option is passed
+                directly through to iptables and causes actual packet and byte
+                counts to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">marks</emphasis></term>
 
@@ -1086,6 +1339,16 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">policies</emphasis></term>
 
@@ -1143,7 +1406,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">start</emphasis></term>
+        <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
+        [-<option>n</option>] [<option>-f</option>]
+        [-<option>C</option>]</term>
 
         <listitem>
           <para>Start Shorewall Lite. Existing connections through
@@ -1155,7 +1420,7 @@
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
 
-          <para>The <option>-m</option> option prevents the firewall script
+          <para>The <option>-n</option> option prevents the firewall script
           from modifying the current routing configuration.</para>
 
           <para>The <option>-f</option> option was added in Shorewall 4.6.5.

Shorewall-lite/shorewall-lite.service

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 

Shorewall-lite/shorewall-lite.service.214

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 

Shorewall-lite/uninstall.sh

@@ -40,6 +40,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall/Macros/macro.Jabber

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Jabber Macro
+#
+# /usr/share/shorewall/macro.Jabber
+#
+#	This macro accepts Jabber traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5222

Shorewall/Macros/macro.JabberPlain

@@ -1,13 +1,14 @@
 #
-# Shorewall version 3.4 - JabberPlain Macro
+# Shorewall version 4 - JabberPlain Macro
 #
 # /usr/share/shorewall/macro.JabberPlain
 #
-#	This macro accepts Jabber traffic (plaintext).
+#	This macro accepts Jabber traffic (plaintext). This macro is
+#	deprecated - use of macro.Jabber instead is recommended.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	5222
+Jabber

Shorewall/Macros/macro.JabberSecure

@@ -1,9 +1,11 @@
 #
-# Shorewall version 3.4 - JabberSecure (ssl) Macro
+# Shorewall version 4 - JabberSecure (SSL) Macro
 #
 # /usr/share/shorewall/macro.JabberSecure
 #
-#	This macro accepts Jabber traffic (ssl).
+#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
+#	is deprecated, please configure Jabber with STARTTLS and use
+#	Jabber macro instead.
 #
 ###############################################################################
 ?FORMAT 2

Shorewall/Macros/macro.QUIC

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - QUIC Macro
+#
+# /usr/share/shorewall/macro.QUIC
+#
+#	This macro handles QUIC (Quick UDP Internet Connections).
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	udp	80,443

Shorewall/Perl/Shorewall/ARP.pm

@@ -34,6 +34,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
+our $VERSION = 'MODULEVERSION';
 
 our %arp_table;
 our $arp_input;

Shorewall/Perl/Shorewall/Chains.pm

@@ -260,6 +260,7 @@ our %EXPORT_TAGS = (
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
+                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
@@ -279,7 +280,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.5_18';
+our $VERSION = 'MODULEVERSION';
 
 #
 # Chain Table
@@ -764,7 +765,6 @@ sub initialize( $$$ ) {
 		     RETURN       => 1,
 		     QUEUE        => 1,
 		     CLASSIFY     => 1,
-		     CT           => 1,
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
@@ -5604,6 +5604,8 @@ sub have_ipset_rules() {
 
 sub get_interface_address( $ );
 
+sub get_interface_gateway ( $;$ );
+
 sub record_runtime_address( $$;$ ) {
     my ( $addrtype, $interface, $protect ) = @_;
 
@@ -6693,11 +6695,10 @@ sub get_interface_gateway ( $;$ ) {
     $global_variables |= ALL_COMMANDS;
 
     if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
     } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
-[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface"
-);
+[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
     }
 
     $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
@@ -6803,16 +6804,40 @@ sub have_global_variables() {
     have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
 }
 
+sub have_address_variables() {
+    ( keys %interfaceaddr || keys %interfacemacs || keys %interfacegateways );
+}
+
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $ ) {
+sub set_global_variables( $$ ) {
 
-    my $setall = shift;
+    my ( $setall, $conditional ) = @_;
 
-    emit $_ for values %interfaceaddr;
-    emit $_ for values %interfacegateways;
-    emit $_ for values %interfacemacs;
+    if ( $conditional ) {
+	my ( $interface, $code );
+
+	while ( ( $interface, $code ) = each %interfaceaddr ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
+	}
+
+	while ( ( $interface, $code ) = each %interfacegateways ) {
+	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
+	    push_indent;
+	    emit( $code );
+	    pop_indent;
+	    emit( qq(fi\n) );
+	}
+
+	while ( ( $interface, $code ) = each %interfacemacs ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
+	}
+    } else {
+	emit $_     for values %interfaceaddr;
+	emit "$_\n" for values %interfacegateways;
+	emit $_     for values %interfacemacs;
+    }
 
     if ( $setall ) {
 	emit $_ for values %interfaceaddrs;
@@ -7953,7 +7978,7 @@ else
 fi
 
 if chain_exists dynamic; then
-    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+    $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
 else
     rm -f \${VARDIR}/.dynamic
 fi
@@ -8048,7 +8073,7 @@ sub create_save_ipsets() {
     if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
-	      '    file=$1'
+	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );
 
 	if ( @ipsets ) {
@@ -8074,7 +8099,9 @@ sub create_save_ipsets() {
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
-		      "    done" );
+		      "    done" ,
+		      '',
+		    );
 	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
@@ -8091,7 +8118,9 @@ sub create_save_ipsets() {
 		       '    fi' );
  	    }
 
-	    emit("}\n" );
+	    emit( "    return 0",
+		  '',
+		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
@@ -8113,10 +8142,13 @@ sub create_save_ipsets() {
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
+		  '    return 0',
+		  '' ,
 		  "}\n" );
 	}
     } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
+	      '    return 1',
 	      "}\n" );
     } else {
 	emit( '    true',
@@ -8703,7 +8735,7 @@ sub get_inline_matches( $ ) {
 # Split the passed target into the basic target and parameter
 #
 sub get_target_param( $ ) {
-    my ( $target, $param ) = split '/', $_[0];
+    my ( $target, $param ) = split '/', $_[0], 2;
 
     unless ( defined $param ) {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -274,10 +274,21 @@ sub generate_script_2() {
 	  'detect_configuration()',
 	  '{' );
 
-    my $global_variables = have_global_variables;
+    my $global_variables    = have_global_variables;
+    my $optional_interfaces = find_interfaces_by_option( 'optional' );
 
     push_indent;
 
+    if ( have_address_variables || @$optional_interfaces ) {
+	emit( 'local interface',
+	      '',
+	      'interface="$1"',
+	      ''
+	    );
+    }
+
+    map_provider_to_interface if have_providers;
+
     if ( $global_variables ) {
 
 	if ( $global_variables & NOT_RESTORE ) {
@@ -292,7 +303,7 @@ sub generate_script_2() {
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 
-		set_global_variables(0);
+		set_global_variables(0, 0);
 
 		handle_optional_interfaces(0);
 	    }
@@ -306,10 +317,10 @@ sub generate_script_2() {
 	    push_indent;
 	}
 
-	set_global_variables(1);
+	set_global_variables(1,1);
 
 	if ( $global_variables & NOT_RESTORE ) {
-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;

Shorewall/Perl/Shorewall/Config.pm

@@ -232,7 +232,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.6.0-Beta1';
+our $VERSION = 'MODULEVERSION';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -396,6 +396,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 NEW_TOS_MATCH   => 'New tos Match',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
+                 TCPMSS_TARGET   => 'TCPMSS Target',
 
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -714,7 +715,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "4.5.19-Beta1",
-		    CAPVERSION              => 40606 ,
+		    CAPVERSION              => 40609 ,
 		  );
     #
     # From shorewall.conf file
@@ -879,9 +880,6 @@ sub initialize( $;$$) {
     #
     # Valid log levels
     #
-    # Note that we don't include LOGMARK; that is so we can default its
-    # priority to 'info' (LOGMARK itself defaults to 'warn').
-    #
     %validlevels = ( DEBUG   => 7,
 		     INFO    => 6,
 		     NOTICE  => 5,
@@ -983,6 +981,7 @@ sub initialize( $;$$) {
 	       REAP_OPTION => undef,
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
+	       TCPMSS_TARGET => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -4468,7 +4467,9 @@ sub Iface_Match() {
     qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
 }
 
-
+sub Tcpmss_Target() {
+    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
+}
 
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
@@ -4557,6 +4558,7 @@ our %detect_capability =
       STATISTIC_MATCH => \&Statistic_Match,
       TARPIT_TARGET => \&Tarpit_Target,
       TCPMSS_MATCH => \&Tcpmss_Match,
+      TCPMSS_TARGET => \&Tcpmss_Target,
       TFTP_HELPER => \&TFTP_Helper,
       TFTP0_HELPER => \&TFTP0_Helper,
       TIME_MATCH => \&Time_Match,
@@ -4710,6 +4712,7 @@ sub determine_capabilities() {
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
+	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5014,6 +5017,10 @@ sub read_capabilities() {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
     }
+    #
+    # Assume that this is available when using an old capabilities files
+    #
+    $capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );
 
     $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
     $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
@@ -5608,8 +5615,9 @@ sub get_configuration( $$$$$ ) {
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
     default_yes_no 'CLEAR_TC'                   , $family == F_IPV4 ? 'Yes' : '';
 
-    if ( supplied $config{CLAMPMSS} ) {
-	default_yes_no 'CLAMPMSS'                   , '' unless $config{CLAMPMSS} =~ /^\d+$/;
+    if ( supplied( $val = $config{CLAMPMSS} ) ) {
+	default_yes_no 'CLAMPMSS'                   , '' unless $val =~ /^\d+$/;
+	require_capability 'TCPMSS_TARGET', "CLAMPMSS=$val", 's' if $config{CLAMPMSS}; 
     } else {
 	$config{CLAMPMSS} = '';
     }

Shorewall/Perl/Shorewall/Misc.pm

@@ -2418,7 +2418,7 @@ EOF
     case $COMMAND in
         stop|clear|restore)
             if chain_exists dynamic; then
-                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
             fi
             ;;
         *)
@@ -2433,7 +2433,7 @@ EOF
     case $COMMAND in
         stop|clear|restore)
             if chain_exists dynamic; then
-                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
             fi
             ;;
         *)

Shorewall/Perl/Shorewall/Providers.pm

@@ -44,9 +44,10 @@ our @EXPORT = qw( process_providers
 		  compile_updown
 		  setup_load_distribution
 		  have_providers
+                  map_provider_to_interface
 	       );
 our @EXPORT_OK = qw( initialize provider_realm );
-our $VERSION = '4.4_24';
+our $VERSION = 'MODULEVERSION';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -567,8 +568,8 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
-		$load = $1;
-		require_capability 'STATISTIC_MATCH', "load=$load", 's';
+		$load = sprintf "%1.8f", $1;
+		require_capability 'STATISTIC_MATCH', "load=$1", 's';
 	    } elsif ( $option eq 'autosrc' ) {
 		$noautosrc = 0;
 	    } elsif ( $option eq 'noautosrc' ) {
@@ -694,8 +695,6 @@ sub process_a_provider( $ ) {
     $provider_interfaces{$interface} = $table unless $shared;
 
     if ( $track ) {
-	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
-
 	if ( $routemarked_interfaces{$interface} ) {
 	    fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
 	    fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
@@ -1086,10 +1085,8 @@ CEOF
     }
 }
 
-sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) =
-	split_line( 'rtrules file',
-		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
+sub add_an_rtrule1( $$$$$ ) {
+    my ( $source, $dest, $provider, $priority, $originalmark ) = @_;
 
     our $current_if;
 
@@ -1178,6 +1175,17 @@ sub add_an_rtrule( ) {
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
+sub add_an_rtrule( ) {
+    my ( $sources, $dests, $provider, $priority, $originalmark ) =
+	split_line( 'rtrules file',
+		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
+    for my $source ( split_list( $sources, "source" ) ) {
+	for my $dest (split_list( $dests , "dest" ) ) {
+	    add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark );
+	}
+    }
+}
+
 sub add_a_route( ) {
     my ( $provider, $dest, $gateway, $device ) =
 	split_line( 'routes file',
@@ -1506,7 +1514,7 @@ EOF
 		       "        start_provider_$provider" );
 	    }
 
-	    emit ( '    else',
+	    emit ( '    elif [ -z "$2" ]; then',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1554,7 +1562,7 @@ EOF
 	    }
 
 	    emit( "        stop_$providerref->{what}_$provider",
-		  '    else',
+		  '    elif [ -z "$2" ]; then',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
@@ -1579,10 +1587,44 @@ sub have_providers() {
     return our $providers;
 }
 
+sub map_provider_to_interface() {
+
+    my $haveoptional;
+
+    for my $providerref ( values %providers ) {
+	if ( $providerref->{optional} ) {
+	    unless ( $haveoptional++ ) {
+		emit( 'if [ -n "$interface" ]; then',
+		      '    case $interface in' );
+
+		push_indent;
+		push_indent;
+	    }
+
+	    emit( $providerref->{provider} . ')',
+		  '    interface=' . $providerref->{physical},
+		  '    ;;' );
+	}
+    }
+
+    if ( $haveoptional ) {
+	pop_indent;
+	pop_indent;
+	emit( '    esac',
+	      "fi\n"
+	    );
+    }
+}
+
 sub setup_providers() {
     our $providers;
 
     if ( $providers ) {
+	if ( $maxload ) {
+	    warning_message "The sum of the provider interface loads exceeds 1.000000" if $maxload > 1;
+	    warning_message "The sum of the provider interface loads is less than 1.000000" if $maxload < 1;
+	}
+
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
@@ -1720,12 +1762,12 @@ sub compile_updown() {
 	      q(    if [ "$COMMAND" = up ]; then) , 
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
-	      q(        detect_configuration),        
+	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
 	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
-	      q(        detect_configuration),        
+	      q(        detect_configuration $1),
 	      q(        disable_provider $1) ,
 	      q(    fi) ,
 	      q(elif [ "$COMMAND" = up ]; then) ,
@@ -1932,6 +1974,19 @@ sub handle_optional_interfaces( $ ) {
 
 	    emit( "$physical)" ), push_indent if $wildcards;
 
+	    if ( $provider eq $physical ) {
+		#
+		# Just an optional interface, or provider and interface are the same
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    } else {
+		#
+		# Provider
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    }
+
+	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
@@ -1943,6 +1998,10 @@ sub handle_optional_interfaces( $ ) {
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );
 
+	    pop_indent;
+
+	    emit( "fi\n" );
+
 	    emit( ';;' ), pop_indent if $wildcards;
 	}
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -113,7 +113,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    $action      = $1;
 	    $disposition = $1;
 	}
-    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) {
+    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {
 	if ( $family == F_IPV4 ) {
 	    fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
 	} else {
@@ -125,8 +125,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
 	$disposition = $tgt;
-	$action      = 2;
-	validate_level( $level = $3 ) if supplied $3;
+	$action      = $2;
+	validate_level( $level = $4 ) if supplied $4;
     } else {
 	(  $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
 
@@ -146,7 +146,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    if ( $option eq 'helper' ) {
 		my $modifiers = '';
 
-		$disposition = "helper";
+		$disposition = 'helper';
 
 		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
 		    $args      = $1;
@@ -156,8 +156,9 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
 		$action = "CT --helper $helpers_aliases{$args}";
-		$exception_rule = do_proto( $proto, '-', '-' );
 
+		$exception_rule = do_proto( $proto, '-', '-' );
+		
 		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
 		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
 		    $mod    = $1;
@@ -176,6 +177,17 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 			fatal_error "Invalid helper option ($mod)";
 		    }
 		}
+	    } elsif ( $option eq 'ctevents' ) {
+		$disposition = 'helper';
+
+		for ( split_list( $args, 'ctevents' ) ) {
+		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		}
+
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevents' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+		$action = 'CT --expevents new';
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }

Shorewall/Perl/Shorewall/Rules.pm

@@ -224,6 +224,7 @@ sub initialize( $ ) {
     $family            = shift;
     #
     # Chains created as a result of entries in the policy file
+    #
     @policy_chains  = ();
     #
     # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
@@ -468,6 +469,64 @@ sub process_default_action( $$$$ ) {
     $default;
 }
 
+#
+# Verify an NFQUEUE specification and return the appropriate ip[6]tables target
+#
+sub handle_nfqueue( $$ ) {
+    my ($params, $allow_bypass ) = @_;
+    my ( $action, $bypass );
+    my ( $queue1, $queue2, $queuenum1, $queuenum2 );
+
+    require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
+
+    if ( supplied( $params ) ) {
+	( my $queue, $bypass, my $junk ) = split ',', $params, 3;
+
+	fatal_error "Invalid NFQUEUE parameter list ($params)" if defined $junk;
+
+	if ( supplied $queue ) {
+	    if ( $queue eq 'bypass' ) {
+		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
+		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
+		return 'NFQUEUE --queue-bypass';
+	    }
+
+	    ( $queue1, $queue2 ) = split ':', $queue, 2;
+
+	    fatal_error "Invalid NFQUEUE parameter list ($params)" unless supplied $queue1;
+
+	    $queuenum1 = numeric_value( $queue1 );
+
+	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
+
+	    if ( supplied $queue2 ) {
+		$queuenum2 = numeric_value( $queue2 );
+
+		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
+	    }
+	} else {
+	    $queuenum1 = 0;
+	}
+    } else {
+	$queuenum1 = 0;
+    }
+
+    if ( supplied $bypass ) {
+	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
+	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
+
+	$bypass =' --queue-bypass';
+    } else {
+	$bypass = '';
+    }
+
+    if ( supplied $queue2 ) {
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
+    } else {
+	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
+    }
+}
+
 #
 # Process an entry in the policy file.
 #
@@ -518,11 +577,9 @@ sub process_a_policy() {
     $default = process_default_action( $originalpolicy, $policy, $default, $level );
 
     if ( defined $queue ) {
-	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
-	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
-	my $queuenum = numeric_value( $queue );
-	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
-	$policy = "NFQUEUE --queue-num $queuenum";
+	$policy = handle_nfqueue( $queue,
+				  0 # Don't allow 'bypass'
+	    );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -548,10 +605,10 @@ sub process_a_policy() {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
-		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+		fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
-	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+	    fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 , $audit );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
@@ -583,23 +640,23 @@ sub process_a_policy() {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
 		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
-		    print_policy $zone, $zone1, $policy, $chain;
+		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
 		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
-		print_policy $zone, $server, $policy, $chain;
+		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
 	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
-	    print_policy $client, $zone, $policy, $chain;
+	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
 
     } else {
-	print_policy $client, $server, $policy, $chain;
+	print_policy $client, $server, $originalpolicy, $chain;
     }
 }
 
@@ -712,7 +769,7 @@ sub process_policies()
 #
 # Policy Rule application
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
@@ -737,6 +794,7 @@ sub add_policy_rules( $$$$$ ) {
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
+				'',           #Matches1
 				$loglevel,    #Log Level and Tag
 				$default,     #Target
 				$param || '', #Param
@@ -1622,7 +1680,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'Limit'          => \&Limit,
 		 );
 
-sub process_rule ( $$$$$$$$$$$$$$$$$$$ );
+sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 
 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1686,6 +1744,7 @@ sub process_action($$) {
 	}
 
 	process_rule( $chainref,
+		      '',
 		      '',
 		      $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
 		      '',
@@ -1874,6 +1933,7 @@ sub process_reject_action() {
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
+			'',           #Matches1
 			'',           #Log Level and Tag
 			$action,      #Target
 		        '',           #Param
@@ -1902,8 +1962,8 @@ sub process_reject_action() {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
-    my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
+    my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
 
     my $generated = 0;
 
@@ -2002,7 +2062,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
 
 	$generated |= process_rule(
 				   $chainref,
-				   $matches,
+	                           $matches,
+	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2035,8 +2096,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
 #
 # Expand an inline action rule from the rules file
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
-    my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
+    my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
 
     my $generated = 0;
 
@@ -2126,7 +2187,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
 
 	$generated |= process_rule(
 				   $chainref,
-				   $matches,
+	                           $matches,
+	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2179,9 +2241,10 @@ sub verify_audit($;$$) {
 # reference is also passed when rules are being generated during processing of a macro used as a default action.
 #
 
-sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
+sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $rule,       #Matches
+	 $matches1,   #Matches after the ones generated by the columns
 	 $target,
 	 $current_param,
 	 $source,
@@ -2246,6 +2309,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_macro( $basictarget,
 				       $chainref,
 				       $rule . $raw_matches,
+				       $matches1,
 				       $target,
 				       $current_param,
 				       $source,
@@ -2269,10 +2333,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	return $generated;
 
     } elsif ( $actiontype & NFQ ) {
-	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
-	my $paramval = $param eq '' ? 0 : numeric_value( $param );
-	fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
-	$action = "NFQUEUE --queue-num $paramval";
+	$action = handle_nfqueue( $param,
+				  1 # Allow 'bypass'
+	    );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2649,6 +2712,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_inline( $basictarget,
 					$chainref,
 					$rule . $raw_matches,
+					$matches1,
 					$loglevel,
 					$target,
 					$current_param,
@@ -2703,7 +2767,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
 		       do_helper( $helper ) ,
-		       $raw_matches ,
+		       $matches1 . $raw_matches ,
 		     );
     } else {
 	$rule .= join( '',
@@ -2715,7 +2779,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
-		       $raw_matches ,
+		       $matches1 . $raw_matches ,
 		     );
     }
 
@@ -2960,8 +3024,8 @@ sub merge_target( $$ ) {
 #
 # May be called by Perl code in action bodies (regular and inline) to generate a rule.
 #
-sub perl_action_helper($$;$) {
-    my ( $target, $matches, $isstatematch ) = @_;
+sub perl_action_helper($$;$$) {
+    my ( $target, $matches, $isstatematch , $matches1 ) = @_;
     my $action   = $actparms{action};
     my $chainref = $actparms{0};
     my $result;
@@ -2970,6 +3034,12 @@ sub perl_action_helper($$;$) {
 
     $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
 
+    if ( $matches1 ) {
+	$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;
+    } else {
+	$matches1 = '';
+    }
+
     set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
 
     if ( $isstatematch ) {
@@ -2993,6 +3063,7 @@ sub perl_action_helper($$;$) {
     if ( my $ref = $inlines{$action} ) {
 	$result = &process_rule( $chainref,
 				 $matches,
+				 $matches1,
 				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
@@ -3001,6 +3072,7 @@ sub perl_action_helper($$;$) {
 
 	$result = process_rule( $chainref,
 				$matches,
+				$matches1,
 				merge_target( $actions{$action}, $target ),
 				'',                               # Current Param
 				'-',                              # Source
@@ -3052,6 +3124,7 @@ sub perl_action_tcp_helper($$) {
 	if ( my $ref = $inlines{$action} ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
+				     '',
 				     merge_target( $ref, $target ),
 				     '',
 				     @columns[0,1],
@@ -3061,6 +3134,7 @@ sub perl_action_tcp_helper($$) {
 	} else {
 	    $result = process_rule( $chainref,
 				    $proto,
+				    '',
 				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
@@ -3254,6 +3328,7 @@ sub process_raw_rule ( ) {
 		for my $proto ( @protos ) {
 		    for my $user ( @users ) {
 			if ( process_rule( undef,
+					   '',
 					   '',
 					   $target,
 					   '',

Shorewall/Perl/Shorewall/Zones.pm

@@ -465,6 +465,7 @@ sub parse_zone_option_list($$\$$)
 	    } else {
 		fatal_error "Missing value for option \"$e\""        unless defined $val;
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
+		require_capability 'TCPMSS_TARGET', "mss=$val", 's' if $e eq 'mss';
 	    }
 
 	    my $key = $zonekey{$e};
@@ -1258,6 +1259,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
+		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -2067,6 +2069,7 @@ sub process_host( ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
+		require_capability 'TCPMSS_TARGET', $option, 's';
 		$options{mss} = $1;
 		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {

Shorewall/Perl/lib.core

@@ -1,11 +1,11 @@
-#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
-#       This program is part of Shorewall.
+#	This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
+#	Free Software Foundation, either version 2 of the license or, at your
+#	option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,30 +17,41 @@
 #
 #	Options are:
 #
-#	    -n				  Do not alter Routing
-#	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
+#	    -n				Do not alter Routing
+#	    -v and -q			Standard Shorewall Verbosity control
+#	    -t				Timestamp progress messages
+#	    -p				Purge conntrack table
+#	    -r				Recover from failed start/restart
+#	    -V <verbosity>		Set verbosity level explicitly
+#	    -R <restore>		Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
-#	   start			  Starts the firewall
-#          refresh                        Refresh the firewall
-#	   restart			  Restarts the firewall
-#	   reload			  Reload the firewall
-#	   clear			  Removes all firewall rules
-#	   stop				  Stops the firewall
-#	   status			  Displays firewall status
-#	   version			  Displays the version of Shorewall that
-#	   				  generated this program
+#	    clear			Removes all firewall rules
+#	    disable			Disable an optional interface
+#	    down			Stop an optional interface
+#	    enable			Enable an optional interface
+#	    help			Show command syntax
+#	    reenable			Disable then nable an optional
+#					interface
+#	    refresh			Refresh the firewall
+#	    reload			Reload the firewall
+#	    restart			Restarts the firewall
+#	    restore			Restore a saved configuration
+#	    reset			Reset byte and packet counters
+#	    run				Call a function in this program
+#	    savesets			Save the ipset contents
+#	    status			Displays firewall status
+#	    start			Starts the firewall
+#	    stop			Stops the firewall
+#	    up				Start an optional interface
+#	    version			Displays the version of Shorewall that
+#					generated this program
 #
 ################################################################################
 # Functions imported from /usr/share/shorewall/lib.core
 ################################################################################
-#                     Address family-neutral Functions
+#		      Address family-neutral Functions
 ################################################################################
 #
 # Conditionally produce message
@@ -593,48 +604,61 @@ interface_enabled() {
 
 distribute_load() {
     local interface
-    local totalload
-    local load
-    local mark
-    local maxload
+    local currentload # Total load of enabled interfaces
+    local load        # Specified load of an enabled interface
+    local mark        # Mark of an enabled interface
+    local totalload   # Total load of all interfaces - usually 1.000000
+    local nload       # Normalized load of an enabled interface
+    local var         # Interface name to embed in a variable name
 
-    maxload=$1
+    totalload=$1
     shift
 
-    totalload=0
+    currentload=0
 
     for interface in $@; do
 	if interface_enabled $interface; then
+	    var=$(echo $interface | sed 's/[.-]/_/g')
 	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${interface}_load=$load
+	    eval ${var}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
-	    eval ${interface}_mark=$mark
-	    totalload=$( bc <<EOF
+	    eval ${var}_mark=$mark
+	    currentload=$( bc <<EOF
 scale=8
-$totalload + $load
+$currentload + $load
 EOF
 )
 	fi
     done
 
-    if [ $totalload ]; then
+    if [ $currentload ]; then
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
-	    eval load=\$${interface}_load
-	    eval mark=\$${interface}_mark
+
+	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    eval load=\$${var}_load
+	    eval mark=\$${var}_mark
 
 	    if [ -n "$load" ]; then
-		load=$(bc <<EOF
+		nload=$(bc <<EOF
 scale=8
-( $load / $totalload ) * $maxload
+( $load / $currentload ) * $totalload
 EOF
 )
-		totalload=$(bc <<EOF
+		currentload=$(bc <<EOF
 scale=8
-$totalload - $load
+$currentload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
+
+		case $nload in
+		    .*|0.*)
+			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
+			;;
+		    *)
+			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
+			;;
+		esac
 	    fi
 	done
     fi

Shorewall/Perl/prog.footer

@@ -15,12 +15,14 @@ usage() {
     echo "   down <interface>"
     echo "   enable <interface>"
     echo "   reset"
+    echo "   reenable <interface>"
     echo "   refresh"
     echo "   restart"
     echo "   run <command> [ <parameter> ... ]"
     echo "   status"
     echo "   up <interface>"
     echo "   savesets <file>"
+    echo "   call <function> [ <parameter> ... ]"
     echo "   version"
     echo
     echo "Options are:"
@@ -375,8 +377,8 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    detect_configuration
-	    enable_provider $1
+	    detect_configuration $1
+	    enable_provider $1 Yes
 	fi
 	mutex_off
 	status=0
@@ -387,8 +389,21 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    detect_configuration
-	    disable_provider $1
+	    detect_configuration $1
+	    disable_provider $1 Yes
+	fi
+	mutex_off
+	status=0
+	;;
+    reenable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	mutex_on
+	if product_is_started; then
+	    detect_configuration $1
+	    COMMAND=enable  disable_provider $1 Yes
+	    COMMAND=disable enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
@@ -407,10 +422,35 @@ case "$COMMAND" in
     savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
+	    status=$?
 	else
 	    usage 2
 	fi
 	;;
+    call)
+	#
+	# Way to call functions in the generated script directly
+	#
+	detect_configuration
+
+	shift
+
+	if [ $# -gt 0 ]; then
+	    #
+	    # See what it is
+	    #
+	    if type $1 2> /dev/null | fgrep -q 'is a function'; then
+		#
+		# It's a shell function -- call it
+		#
+		$@
+	    else
+		fatal_error "$1 is not a known shell function"
+	    fi
+	else
+	    usage 1
+	fi
+	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/action.ResetEvent

@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
 if ( $destination eq 'dst' ) {
-    perl_action_helper( $action, "-m recent --name $event --remove --rdest" );
+    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
-    perl_action_helper( $action, "-m recent --name $event --remove --rsource" );
+    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rsource" );
 }
 
 1;

Shorewall/action.SetEvent

@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
 if ( $destination eq 'dst' ) {
-    perl_action_helper( $action, "-m recent --name $event --set --rdest" );
+    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
-    perl_action_helper( $action, "-m recent --name $event --set --rsource" );
+    perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" );
 }
 
 1;

Shorewall/lib.cli-std

@@ -169,7 +169,7 @@ get_config() {
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
 			fatal_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
-			exit 2
+			exit 6
 		    fi
 		    ;;
 	    esac
@@ -1645,6 +1645,7 @@ usage() # $1 = exit status
     echo "   allow <address> ..."
     echo "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
     echo "   clear"
+    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
@@ -1679,6 +1680,8 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
     fi
 
+    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
+    echo "   reenable <interface>"
     echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
     echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
@@ -1689,6 +1692,7 @@ usage() # $1 = exit status
     echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
     echo "   safe-start [ -t <timeout> ] [ <directory> ]"
     echo "   save [ -C ] [ <file name> ]"
+    echo "   savesets"
     echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] actions"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -1710,6 +1714,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] marks"
     echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
     echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
     echo "   [ show | list | ls ] routing"
     echo "   [ show | list | ls ] tc [ device ]"

Shorewall/manpages/shorewall-conntrack.xml

@@ -90,7 +90,8 @@
         role="bold">NOTRACK</emphasis>|<emphasis
         role="bold">CT</emphasis>:<emphasis
         role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
+        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
           <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -114,7 +115,8 @@
               <replaceable>name</replaceable> to this connection. This is more
               flexible than loading the conntrack helper with preset ports. If
               a <replaceable>log-level</replaceable> is specified, the packet
-              will also be logged at that level.</para>
+              will also be logged at that level. Beginning with Shorewall
+              4.6.10, the helper name is optional</para>
 
               <para>At this writing, the available helpers are:</para>
 
@@ -244,6 +246,31 @@
               </itemizedlist>
             </listitem>
 
+            <listitem>
+              <para>ctevents:<replaceable>event</replaceable>[,...]</para>
+
+              <para>Added in Shorewall 4.6.10. Only generate the specified
+              conntrack events for this connection. Possible event types are:
+              <emphasis role="bold">new</emphasis>, <emphasis
+              role="bold">related</emphasis>, <emphasis
+              role="bold">destroy</emphasis>, <emphasis
+              role="bold">reply</emphasis>, <emphasis
+              role="bold">assured</emphasis>, <emphasis
+              role="bold">protoinfo</emphasis>, <emphasis
+              role="bold">helper</emphasis>, <emphasis
+              role="bold">mark</emphasis> (this is connection mark, not packet
+              mark), <emphasis role="bold">natseqinfo</emphasis>, and
+              <emphasis role="bold">secmark</emphasis>.</para>
+            </listitem>
+
+            <listitem>
+              <para>expevents=new</para>
+
+              <para>Added in Shorewall 4.6.10. Only generate <emphasis
+              role="bold">new</emphasis> expectation events for this
+              connection.</para>
+            </listitem>
+
             <listitem>
               <para><option>DROP</option></para>
 

Shorewall/manpages/shorewall-interfaces.xml

@@ -213,7 +213,7 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para/>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -247,7 +247,7 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
-                <para/>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc     eth2            -</programlisting>
                   the INTERFACE column.</para>
                 </note>
 
-                <para/>
+                <para></para>
 
                 <warning>
                   <para>Do not specify <emphasis
@@ -425,7 +425,7 @@ loc     eth2            -</programlisting>
         1
         teastep@lists:~$ </programlisting>
 
-                <para/>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -913,7 +913,7 @@ net     ppp0      -</programlisting>
 
           <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
--       br0       routeback</programlisting>
+-       br0       bridge</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall/manpages/shorewall-policy.xml

@@ -105,7 +105,7 @@
         role="bold">REJECT</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
+        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
         role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
         role="bold">None</emphasis>}]</term>
@@ -180,8 +180,14 @@
               <listitem>
                 <para>Queue the request for a user-space application using the
                 nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable> is not given, queue
-                zero (0) is assumed.</para>
+                <replaceable>queuenumber1</replaceable> is not given, queue
+                zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
+                queue number (queuenumber2) may be given. This specifies a
+                range of queues to use. Packets are then balanced across the
+                given queues. This is useful for multicore systems: start
+                multiple instances of the userspace program on queues x, x+1,
+                .. x+n and use "x:x+n". Packets belonging to the same
+                connection are put into the same nfqueue.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-providers.xml

@@ -220,7 +220,22 @@
             </varlistentry>
 
             <varlistentry>
-              <term>noautosrc</term>
+              <term><emphasis
+              role="bold">load=<replaceable>probability</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.0. This option provides an
+                alternative method of load balancing based on probabilities.
+                Providers to be balanced are given a
+                <replaceable>probability</replaceable> (a number 0 &gt; n
+                &gt;= 1) with up to 8 digits to the right of the decimal
+                point. Beginning with Shorewall 4.6.10, a warning is issued if
+                the sum of the probabilities is not 1.00000000.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">noautosrc</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.17. Prevents the addition of a

Shorewall/manpages/shorewall-rtrules.xml

@@ -48,6 +48,9 @@
           &amp;<replaceable>interface</replaceable> in this column to indicate
           that the source is the primary IP address of the named
           interface.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 
@@ -64,6 +67,9 @@
           role="bold">DEST</emphasis>, place "-" in that column. Note that you
           may not omit both <emphasis role="bold">SOURCE</emphasis> and
           <emphasis role="bold">DEST</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-rules.xml

@@ -559,24 +559,36 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
 
               <listitem>
                 <para>Queues the packet to a user-space application using the
                 nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable> is not specified, queue
-                zero (0) is assumed.</para>
+                <replaceable>queuenumber</replaceable>1 is not specified,
+                queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
+                the keyword <emphasis role="bold">bypass</emphasis> can be
+                given. By default, if no userspace program is listening on an
+                NFQUEUE, then all packets that are to be queued are dropped.
+                When this option is used, the NFQUEUE rule is silently
+                bypassed instead. The packet will move on to the next rule.
+                Also beginning in Shorewall 4.6.10, a second queue number
+                (<replaceable>queuenumber2</replaceable>) may be specified.
+                This specifies a range of queues to use. Packets are then
+                balanced across the given queues. This is useful for multicore
+                systems: start multiple instances of the userspace program on
+                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
+                the same connection are put into the same nfqueue.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis
-              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
+              <term><emphasis role="bold"><emphasis
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
                 by OPTIMIZE=1 in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -112,7 +112,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -122,7 +122,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -132,7 +132,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -142,7 +142,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -384,6 +384,11 @@
               <para>Set AUTOHELPERS=No.</para>
             </listitem>
 
+            <listitem>
+              <para>Modify the HELPERS setting (see below) to list the helpers
+              that you need.</para>
+            </listitem>
+
             <listitem>
               <para>Either:</para>
 
@@ -902,9 +907,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
 
         <listitem>
-          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
-          application helpers that are to be enabled. If not specified, the
-          default is to enable all helpers.</para>
+          <para>Added in Shorewall 4.5.7. This option specifies a
+          comma-separated list naming the Netfilter application helpers that
+          are to be enabled. If not specified, the default is to enable all
+          helpers.</para>
 
           <para>Possible values for <replaceable>helper</replaceable>
           are:</para>
@@ -1174,7 +1180,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             </varlistentry>
           </variablelist>
 
-          <para></para>
+          <para/>
 
           <blockquote>
             <para>If this variable is not set or is given an empty value
@@ -1423,7 +1429,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             </listitem>
           </itemizedlist>
 
-          <para></para>
+          <para/>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1440,7 +1446,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para></para>
+            <para/>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1784,8 +1790,8 @@ LOG:info:,bar                        net                    fw</programlisting>
 
         <listitem>
           <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
-          o.xz gz xz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
+          o.gz o.xz gz xz".</para>
         </listitem>
       </varlistentry>
 
@@ -2162,7 +2168,7 @@ LOG:info:,bar                        net                    fw</programlisting>
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -49,6 +49,21 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>call</option></arg>
+
+      <arg
+      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
+      ...</arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -85,6 +100,21 @@
       choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -359,6 +389,31 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>reenable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -528,6 +583,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -560,7 +626,7 @@
       <arg><option>-t</option>
       {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
 
-      <arg><arg><option>chain</option></arg><arg choice="plain"
+      <arg><arg choice="plain"
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
     </cmdsynopsis>
 
@@ -600,8 +666,6 @@
 
       <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg>-c</arg>
-
       <arg choice="plain"><option>event</option><arg
       choice="plain"><replaceable>event</replaceable></arg></arg>
     </cmdsynopsis>
@@ -822,7 +886,10 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">add</emphasis></term>
+        <term><emphasis role="bold">add </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -854,7 +921,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">allow</emphasis></term>
+        <term><emphasis role="bold">allow</emphasis>
+        <replaceable>address</replaceable></term>
 
         <listitem>
           <para>Re-enables receipt of packets from hosts previously
@@ -866,7 +934,28 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">check</emphasis></term>
+        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.10. Allows you to call a function in
+          one of the Shorewall libraries or in your compiled script. function
+          must name the shell function to be called. The listed parameters are
+          passed to the function.</para>
+
+          <para>The function is first searched for in
+          <filename>lib.base</filename>, <filename>lib.common</filename>,
+          <filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
+          If it is not found, the call command is passed to the generated
+          script to be executed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
+        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
+        [-<option>T</option>] [-<option>i</option>]
+        [<replaceable>directory</replaceable>]</term>
 
         <listitem>
           <para>Compiles the configuration in the specified
@@ -896,7 +985,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -905,7 +994,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">clear</emphasis></term>
+        <term><emphasis role="bold">clear</emphasis>
+        [-<option>f</option>]</term>
 
         <listitem>
           <para>Clear will remove all rules and chains installed by Shorewall.
@@ -922,7 +1012,31 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">compile</emphasis></term>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
+        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
+        [-<option>T</option>] [-<option>i</option>] [<replaceable> directory
+        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
 
         <listitem>
           <para>Compiles the current configuration into the executable file
@@ -970,7 +1084,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -979,7 +1093,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">delete</emphasis></term>
+        <term><emphasis role="bold">delete </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>The delete command reverses the effect of an earlier <emphasis
@@ -1003,7 +1120,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">disable</emphasis></term>
+        <term><emphasis role="bold">disable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -1022,7 +1141,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">drop</emphasis></term>
+        <term><emphasis role="bold">drop</emphasis>
+        <replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1031,7 +1151,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">dump</emphasis></term>
+        <term><emphasis role="bold">dump </emphasis> [-<option>x</option>]
+        [-<option>l</option>] [-<option>m</option>]
+        [-<option>c</option>]</term>
 
         <listitem>
           <para>Produces a verbose report about the firewall configuration for
@@ -1053,7 +1175,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">enable</emphasis></term>
+        <term><emphasis role="bold">enable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1074,7 +1198,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">export</emphasis></term>
+        <term><emphasis role="bold">export </emphasis>[<replaceable>
+        directory1</replaceable> ] [<replaceable>
+        user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
+        ]</term>
 
         <listitem>
           <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1098,7 +1225,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">forget</emphasis></term>
+        <term><emphasis role="bold">forget</emphasis> [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
@@ -1118,7 +1246,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">hits</emphasis></term>
+        <term><emphasis role="bold">hits</emphasis>
+        [-<option>t</option>]</term>
 
         <listitem>
           <para>Generates several reports from Shorewall log messages in the
@@ -1128,7 +1257,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ipcalc</emphasis></term>
+        <term><emphasis role="bold">ipcalc</emphasis> { address mask |
+        address/vlsm }</term>
 
         <listitem>
           <para>Ipcalc displays the network address, broadcast address,
@@ -1138,7 +1268,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">iprange</emphasis></term>
+        <term><emphasis role="bold">iprange
+        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
 
         <listitem>
           <para>Iprange decomposes the specified range of IP addresses into
@@ -1147,7 +1278,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis></term>
+        <term><emphasis role="bold">iptrace</emphasis> <replaceable>iptables
+        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that causes iptables
@@ -1165,7 +1297,20 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">load</emphasis></term>
+        <term><emphasis role="bold">list</emphasis></term>
+
+        <listitem>
+          <para><command>list</command> is a synonym for
+          <command>show</command> -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">load</emphasis> [-<option>s</option>]
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
+        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        <replaceable>system</replaceable></term>
 
         <listitem>
           <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1211,7 +1356,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1220,7 +1365,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis></term>
+        <term><emphasis role="bold">logdrop</emphasis>
+        <replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1232,7 +1378,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logwatch</emphasis></term>
+        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        [<replaceable> refresh-interval </replaceable>]</term>
 
         <listitem>
           <para>Monitors the log file specified by the LOGFILE option in
@@ -1250,7 +1397,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis></term>
+        <term><emphasis role="bold">logreject</emphasis><replaceable>
+        address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1262,7 +1410,17 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">noiptrace</emphasis></term>
+        <term><emphasis role="bold">ls</emphasis></term>
+
+        <listitem>
+          <para><command>ls</command> is a synonym for <command>show</command>
+          -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
+        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that cancels a trace
@@ -1275,7 +1433,63 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">refresh</emphasis></term>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall close all 192.168.1.1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reenable</emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.9. This is equivalent to a
+          <command>disable</command> command followed by an
+          <command>enable</command> command on the specified
+          <replaceable>interface</replaceable> or
+          <replaceable>provider</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
+        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
+        </option><replaceable>directory</replaceable> ] [
+        <replaceable>chain</replaceable>... ]</term>
 
         <listitem>
           <para>All steps performed by <command>restart</command> are
@@ -1304,7 +1518,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1327,7 +1541,21 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reload</emphasis></term>
+        <term><emphasis role="bold">reject</emphasis><replaceable>
+        address</replaceable></term>
+
+        <listitem>
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          to be silently rejected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
+        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        <replaceable>system</replaceable></term>
 
         <listitem>
           <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1373,7 +1601,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1382,16 +1610,22 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reset</emphasis></term>
+        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
+        ...]</emphasis><acronym/></term>
 
         <listitem>
-          <para>All the packet and byte counters in the firewall are
-          reset.</para>
+          <para>Resets the packet and byte counters in the specified
+          <replaceable>chain</replaceable>(s). If no
+          <replaceable>chain</replaceable> is specified, all the packet and
+          byte counters in the firewall are reset.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restart</emphasis></term>
+        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
+        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
+        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
+        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Restart is similar to <emphasis role="bold">shorewall
@@ -1428,7 +1662,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1445,7 +1679,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restore</emphasis></term>
+        <term><emphasis role="bold">restore </emphasis> [-<option>n</option>]
+        [-<option>p</option>] [-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Restore Shorewall to a state saved using the <emphasis
@@ -1481,7 +1717,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
+        <term><emphasis role="bold">run
+        </emphasis><replaceable>command</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.6.3. Executes
@@ -1507,7 +1745,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">safe-restart</emphasis></term>
+        <term><emphasis role="bold">safe-restart
+        </emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
+        </option><replaceable>timeout</replaceable> ] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Only allowed if Shorewall is running. The current
@@ -1532,7 +1773,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">safe-start</emphasis></term>
+        <term><emphasis role="bold">safe-start</emphasis><emphasis
+        role="bold"> </emphasis>[-<option>d</option>] [-<option>p</option>]
+        [-<option>t</option><replaceable>timeout</replaceable> ] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Shorewall is started normally. You will then be prompted
@@ -1554,7 +1798,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">save</emphasis></term>
+        <term><emphasis role="bold">save </emphasis> [-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
@@ -1572,6 +1817,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -1590,7 +1849,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+              <term><emphasis role="bold">bl|blacklists</emphasis>
+              [-<option>x</option>]</term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1603,7 +1863,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">capabilities</emphasis></term>
+              <term>[-<option>f</option>] <emphasis
+              role="bold">capabilities</emphasis></term>
 
               <listitem>
                 <para>Displays your kernel/iptables capabilities. The
@@ -1614,8 +1875,10 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              ]</term>
+              <term>[-<option>b</option>] [-<option>x</option>]
+              [-<option>l</option>] [-<option>t</option>
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
+              [ <emphasis>chain</emphasis>... ]</term>
 
               <listitem>
                 <para>The rules in each <emphasis>chain</emphasis> are
@@ -1714,7 +1977,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">log</emphasis></term>
+              <term>[-<option>m</option>] <emphasis
+              role="bold">log</emphasis></term>
 
               <listitem>
                 <para>Displays the last 20 Shorewall messages from the log
@@ -1736,7 +2000,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">macro</emphasis></term>
+              <term><emphasis role="bold">macro
+              </emphasis><replaceable>macro</replaceable></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.6. Displays the file that
@@ -1746,6 +2011,20 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">mangle</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter mangle table using the command
+                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
+                The <emphasis role="bold">-x</emphasis> option is passed
+                directly through to iptables and causes actual packet and byte
+                counts to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">marks</emphasis></term>
 
@@ -1757,7 +2036,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">nat</emphasis></term>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">nat</emphasis></term>
 
               <listitem>
                 <para>Displays the Netfilter nat table using the command
@@ -1769,6 +2049,16 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">policies</emphasis></term>
 
@@ -1782,7 +2072,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">routing</emphasis></term>
+              <term>[-<option>c</option>]<emphasis role="bold">
+              routing</emphasis></term>
 
               <listitem>
                 <para>Displays the system's IPv4 routing configuration.
@@ -1792,7 +2083,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">raw</emphasis></term>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">raw</emphasis></term>
 
               <listitem>
                 <para>Displays the Netfilter raw table using the command
@@ -1826,7 +2118,11 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">start</emphasis></term>
+        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
+        </emphasis>[-<option>n</option>] [-<option>p</option>]
+        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
+        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Start shorewall. Existing connections through shorewall
@@ -1870,7 +2166,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
+          warning message to be issued if the current line contains
           alternative input specifications following a semicolon (";"). Such
           lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
           <ulink
@@ -1886,7 +2182,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">stop</emphasis></term>
+        <term><emphasis role="bold">stop</emphasis>
+        [-<option>f</option>]</term>
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
@@ -1908,7 +2205,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">status</emphasis></term>
+        <term><emphasis role="bold">status</emphasis>
+        [-<option>i</option>]</term>
 
         <listitem>
           <para>Produces a short report about the state of the
@@ -1921,7 +2219,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">try</emphasis></term>
+        <term><emphasis role="bold">try</emphasis>
+        <replaceable>directory</replaceable> [
+        <replaceable>timeout</replaceable> ]</term>
 
         <listitem>
           <para>If Shorewall is started then the firewall state is saved to a
@@ -1956,7 +2256,11 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">update</emphasis></term>
+        <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
+        [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
+        [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
+        [-<option>t</option>] [-<option>A</option>] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.21 and causes the compiler to update
@@ -1993,7 +2297,7 @@
           directory.</para>
 
           <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
+          warning message to be issued if the current line contains
           alternative input specifications following a semicolon (";"). Such
           lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
           <ulink
@@ -2048,7 +2352,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">version</emphasis></term>
+        <term><emphasis role="bold">version</emphasis>
+        [-<option>a</option>]</term>
 
         <listitem>
           <para>Displays Shorewall's version. The <option>-a</option> option

Shorewall/shorewall.service

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall
+Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 

Shorewall/shorewall.service.214

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall
+Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 

Shorewall/uninstall.sh

@@ -40,6 +40,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1
@@ -197,7 +203,7 @@ fi
 
 rm -rf ${VARDIR}/shorewall
 rm -rf ${PERLLIBDIR}/Shorewall/*
-rm -rf ${LIBEXECDIR}/shorewall
+[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -47,6 +47,21 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>call</option></arg>
+
+      <arg
+      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
+      ...</arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -59,6 +74,35 @@
       choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -168,37 +212,6 @@
       choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>ipcalc</option></arg>
-
-      <group choice="req">
-        <arg choice="plain"><replaceable>address</replaceable>
-        <replaceable>mask</replaceable></arg>
-
-        <arg
-        choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
-      </group>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>iprange</option></arg>
-
-      <arg
-      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -265,6 +278,34 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>reenable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -304,8 +345,6 @@
       <arg><option>-p</option></arg>
 
       <arg><option>-C</option></arg>
-
-      <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -353,6 +392,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -581,7 +631,10 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">add</emphasis></term>
+        <term><emphasis role="bold">add </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -606,7 +659,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">allow</emphasis></term>
+        <term><emphasis role="bold">allow
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Re-enables receipt of packets from hosts previously
@@ -617,7 +671,25 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">clear</emphasis></term>
+        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.10. Allows you to call a function in
+          one of the Shorewall libraries or in your compiled script. function
+          must name the shell function to be called. The listed parameters are
+          passed to the function.</para>
+
+          <para>The function is first searched for in
+          <filename>lib.base</filename>, <filename>lib.common</filename> and
+          <filename>lib.cli</filename>. If it is not found, the call command
+          is passed to the generated script to be executed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">clear </emphasis><emphasis role="bold">
+        </emphasis>[-<option>f</option>]</term>
 
         <listitem>
           <para>Clear will remove all rules and chains installed by
@@ -633,7 +705,31 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">delete</emphasis></term>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall6-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">delete </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>The delete command reverses the effect of an earlier
@@ -648,7 +744,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">disable</emphasis></term>
+        <term><emphasis role="bold">disable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -660,7 +758,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">drop</emphasis></term>
+        <term><emphasis role="bold">drop
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed
@@ -669,7 +768,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">dump</emphasis></term>
+        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
+        [-<option>l</option>] [-<option>m</option>]
+        [-<option>c</option>]</term>
 
         <listitem>
           <para>Produces a verbose report about the firewall configuration for
@@ -691,7 +792,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">enable</emphasis></term>
+        <term><emphasis role="bold">enable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -703,7 +806,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">forget</emphasis></term>
+        <term><emphasis role="bold">forget </emphasis>[
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Deletes
@@ -735,26 +839,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ipcalc</emphasis></term>
-
-        <listitem>
-          <para>Ipcalc displays the network address, broadcast address,
-          network in CIDR notation and netmask corresponding to the
-          input[s].</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">iprange</emphasis></term>
-
-        <listitem>
-          <para>Iprange decomposes the specified range of IP addresses into
-          the equivalent list of network/host addresses.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis></term>
+        <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
+        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that causes iptables
@@ -773,7 +859,17 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis></term>
+        <term><emphasis role="bold">list</emphasis></term>
+
+        <listitem>
+          <para><command>list</command> is a synonym for
+          <command>show</command> -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">logdrop
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed
@@ -785,7 +881,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logwatch</emphasis></term>
+        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        [<replaceable>refresh-interval</replaceable>]</term>
 
         <listitem>
           <para>Monitors the log file specified by the LOGFILE option in
@@ -807,7 +904,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis></term>
+        <term><emphasis role="bold">logreject
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed
@@ -819,29 +917,107 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">noiptrace</emphasis></term>
+        <term><emphasis role="bold">ls</emphasis></term>
+
+        <listitem>
+          <para><command>ls</command> is a synonym for <command>show</command>
+          -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace
+        </emphasis><replaceable>ip6tables match
+        expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that cancels a trace
           started by a preceding <command>iptrace</command> command.</para>
 
-          <para>The <replaceable>iptables match expression</replaceable> must
+          <para>The <replaceable>ip6tables match expression</replaceable> must
           be one given in the <command>iptrace</command> command being
           canceled.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reset</emphasis></term>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
 
         <listitem>
-          <para>All the packet and byte counters in the firewall are
-          reset.</para>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          2001:470:b:227::1, the command would be:</para>
+
+          <programlisting>    shorewall6-lite open all 2001:470:b:227::1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall6-lite close all 2001:470:b:227::1 tcp 22</programlisting>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restart</emphasis></term>
+        <term><emphasis role="bold">reenable</emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.9. This is equivalent to a
+          <command>disable</command> command followed by an
+          <command>enable</command> command on the specified
+          <replaceable>interface</replaceable> or
+          <replaceable>provider</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reject</emphasis><replaceable>
+        address</replaceable></term>
+
+        <listitem>
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          to be silently rejected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
+        ...]</emphasis><acronym/></term>
+
+        <listitem>
+          <para>Resets the packet and byte counters in the specified
+          <replaceable>chain</replaceable>(s). If no
+          <replaceable>chain</replaceable> is specified, all the packet and
+          byte counters in the firewall are reset.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
+        [-<option>C</option>]</term>
 
         <listitem>
           <para>Restart is similar to <command>shorewall6-lite start</command>
@@ -872,7 +1048,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restore</emphasis></term>
+        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
+        [-<option>p</option>] [-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Restore shorewall6-lite to a state saved using the
@@ -894,7 +1072,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
+        <term><emphasis role="bold">run
+        </emphasis><replaceable>command</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.6.3. Executes
@@ -911,7 +1091,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">save</emphasis></term>
+        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>The dynamic blacklist is stored in
@@ -929,6 +1110,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -938,7 +1133,8 @@
 
           <variablelist>
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">bl|blacklists</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -951,7 +1147,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">capabilities</emphasis></term>
+              <term>[-<option>f</option>] <emphasis
+              role="bold">capabilities</emphasis></term>
 
               <listitem>
                 <para>Displays your kernel/iptables capabilities. The
@@ -962,8 +1159,10 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              ]</term>
+              <term>[-<option>b</option>] [-<option>x</option>]
+              [-<option>l</option>] [-<option>t</option>
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
+              <emphasis>chain</emphasis>... ]</term>
 
               <listitem>
                 <para>The rules in each <emphasis>chain</emphasis> are
@@ -1063,7 +1262,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">log</emphasis></term>
+              <term>[-<option>m</option>] <emphasis
+              role="bold">log</emphasis></term>
 
               <listitem>
                 <para>Displays the last 20 shorewall6-lite messages from the
@@ -1076,6 +1276,20 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">mangle</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter mangle table using the command
+                <command>ip6tables -t mangle -L -n -v</command>.The
+                <option>-x</option> option is passed directly through to
+                ip6tables and causes actual packet and byte counts to be
+                displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">marks</emphasis></term>
 
@@ -1087,11 +1301,22 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">nat</emphasis></term>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">nat</emphasis></term>
 
               <listitem>
                 <para>Displays the Netfilter nat table using the command
-                <command>iptables -t nat -L -n -v</command>.The
+                <command>ip6tables -t nat -L -n -v</command>.The
                 <option>-x</option> option is passed directly through to
                 iptables and causes actual packet and byte counts to be
                 displayed. Without this option, those counts are
@@ -1112,17 +1337,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">routing</emphasis></term>
-
-              <listitem>
-                <para>Displays the system's IPv4 routing configuration. The -c
-                option causes the route cache to be displayed in addition to
-                the other routing information.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">raw</emphasis></term>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">raw</emphasis></term>
 
               <listitem>
                 <para>Displays the Netfilter raw table using the command
@@ -1134,6 +1350,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>[-<option>c</option>]<emphasis role="bold">
+              </emphasis><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">tc</emphasis></term>
 
@@ -1156,7 +1383,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">start</emphasis></term>
+        <term><emphasis role="bold">start </emphasis>[-<option>p</option>]
+        [-<option>n</option>] [<option>-f</option>]
+        [-<option>C</option>]</term>
 
         <listitem>
           <para>Start Shorewall6 Lite. Existing connections through
@@ -1168,7 +1397,7 @@
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
 
-          <para>The <option>-m</option> option prevents the firewall script
+          <para>The <option>-n</option> option prevents the firewall script
           from modifying the current routing configuration.</para>
 
           <para>The <option>-f</option> option was added in Shorewall 4.6.5.
@@ -1187,7 +1416,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">stop</emphasis></term>
+        <term><emphasis role="bold">stop </emphasis><emphasis role="bold">
+        </emphasis>[-<option>f</option>]</term>
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
@@ -1221,7 +1451,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">version</emphasis></term>
+        <term><emphasis role="bold">version
+        </emphasis>[-<option>a</option>]</term>
 
         <listitem>
           <para>Displays Shorewall's version. The <option>-a</option> option

Shorewall6-lite/shorewall6-lite.service

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
+Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 

Shorewall6-lite/shorewall6-lite.service.214

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
+Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 

Shorewall6-lite/uninstall.sh

@@ -36,6 +36,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall6/configfiles/findgw

@@ -0,0 +1,16 @@
+#
+# Shorewall version 4 - Findgw File
+#
+# /etc/shorewall6/findgw
+#
+# The code in this file is executed when Shorewall is trying to detect the
+# gateway through an interface in /etc/shorewall6/providers that has GATEWAY
+# specified as 'detect'.
+#
+# The function should echo the IP address of the gateway if it knows what
+# it is; the name of the interface is in $1.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################

Shorewall6/manpages/shorewall6-conntrack.xml

@@ -90,7 +90,7 @@
         role="bold">NOTRACK</emphasis>|<emphasis
         role="bold">CT</emphasis>:<emphasis
         role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new|notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
           <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -238,12 +238,37 @@
                 <listitem>
                   <para><option>expevents</option><option>=new</option></para>
 
-                  <para>Only generate a <emphasis role="bold">new</emphasis>
+                  <para>Only generate <emphasis role="bold">new</emphasis>
                   expectation events for this connection.</para>
                 </listitem>
               </itemizedlist>
             </listitem>
 
+            <listitem>
+              <para>ctevents:<replaceable>event</replaceable>[,...]</para>
+
+              <para>Added in Shorewall 4.6.10. Only generate the specified
+              conntrack events for this connection. Possible event types are:
+              <emphasis role="bold">new</emphasis>, <emphasis
+              role="bold">related</emphasis>, <emphasis
+              role="bold">destroy</emphasis>, <emphasis
+              role="bold">reply</emphasis>, <emphasis
+              role="bold">assured</emphasis>, <emphasis
+              role="bold">protoinfo</emphasis>, <emphasis
+              role="bold">helper</emphasis>, <emphasis
+              role="bold">mark</emphasis> (this is connection mark, not packet
+              mark), <emphasis role="bold">natseqinfo</emphasis>, and
+              <emphasis role="bold">secmark</emphasis>.</para>
+            </listitem>
+
+            <listitem>
+              <para>expevents=new</para>
+
+              <para>Added in Shorewall 4.6.10. Only generate <emphasis
+              role="bold">new</emphasis> expectation events for this
+              connection.</para>
+            </listitem>
+
             <listitem>
               <para><option>DROP</option></para>
 

Shorewall6/manpages/shorewall6-interfaces.xml

@@ -628,7 +628,7 @@ dmz     eth2      -</programlisting>
 
           <programlisting>FORMAT 2
 #ZONE   INTERFACE        OPTIONS
--       br0              routeback</programlisting>
+-       br0              bridge</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6-policy.xml

@@ -105,9 +105,9 @@
         role="bold">REJECT</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
+        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
         role="bold">None</emphasis>}]</term>
 
         <listitem>
@@ -180,8 +180,14 @@
               <listitem>
                 <para>Queue the request for a user-space application using the
                 nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable> is not given, queue
-                zero (0) is assumed.</para>
+                <replaceable>queuenumber1</replaceable> is not given, queue
+                zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
+                queue number (queuenumber2) may be given. This specifies a
+                range of queues to use. Packets are then balanced across the
+                given queues. This is useful for multicore systems: start
+                multiple instances of the userspace program on queues x, x+1,
+                .. x+n and use "x:x+n". Packets belonging to the same
+                connection are put into the same nfqueue.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-providers.xml

@@ -213,7 +213,22 @@
             </varlistentry>
 
             <varlistentry>
-              <term>noautosrc</term>
+              <term><emphasis
+              role="bold">load=<replaceable>probability</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.0. This option provides an
+                alternative method of load balancing based on probabilities.
+                Providers to be balanced are given a
+                <replaceable>probability</replaceable> (a number 0 &gt; n
+                &gt;= 1) with up to 8 digits to the right of the decimal
+                point. Beginning with Shorewall 4.6.10, a warning is issued if
+                the sum of the probabilities is not 1.00000000.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">noautosrc</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.17. Prevents the addition of a

Shorewall6/manpages/shorewall6-rtrules.xml

@@ -48,6 +48,9 @@
           &amp;<replaceable>interface</replaceable> in this column to indicate
           that the source is the primary IP address of the named
           interface.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 
@@ -64,6 +67,9 @@
           role="bold">DEST</emphasis>, place "-" in that column. Note that you
           may not omit both <emphasis role="bold">SOURCE</emphasis> and
           <emphasis role="bold">DEST</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-rules.xml

@@ -534,19 +534,31 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
 
               <listitem>
                 <para>Queues the packet to a user-space application using the
                 nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable> is not specified, queue
-                zero (0) is assumed.</para>
+                <replaceable>queuenumber</replaceable>1 is not specified,
+                queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
+                the keyword <emphasis role="bold">bypass</emphasis> can be
+                given. By default, if no userspace program is listening on an
+                NFQUEUE, then all packets that are to be queued are dropped.
+                When this option is used, the NFQUEUE rule is silently
+                bypassed instead. The packet will move on to the next rule.
+                Also beginning in Shorewall 4.6.10, a second queue number
+                (<replaceable>queuenumber2</replaceable>) may be specified.
+                This specifies a range of queues to use. Packets are then
+                balanced across the given queues. This is useful for multicore
+                systems: start multiple instances of the userspace program on
+                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
+                the same connection are put into the same nfqueue.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis
-              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
+              <term><emphasis role="bold"><emphasis
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed

Shorewall6/manpages/shorewall6.conf.xml

@@ -98,7 +98,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -108,7 +108,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -118,7 +118,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -128,7 +128,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -313,6 +313,11 @@
               <para>Set AUTOHELPERS=No.</para>
             </listitem>
 
+            <listitem>
+              <para>Modify the HELPERS setting (see below) to list the helpers
+              that you need.</para>
+            </listitem>
+
             <listitem>
               <para>Either:</para>
 
@@ -787,9 +792,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
 
         <listitem>
-          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
-          application helpers that are to be enabled. If not specified, the
-          default is to enable all helpers.</para>
+          <para>Added in Shorewall 4.5.7. This option specifies a
+          comma-separated list naming the Netfilter application helpers that
+          are to be enabled. If not specified, the default is to enable all
+          helpers.</para>
 
           <para>Possible values for <replaceable>helper</replaceable>
           are:</para>
@@ -1239,7 +1245,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             </listitem>
           </itemizedlist>
 
-          <para></para>
+          <para/>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1256,7 +1262,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para></para>
+            <para/>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1588,8 +1594,8 @@ LOG:info:,bar                        net                    fw</programlisting>
 
         <listitem>
           <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
-          o.xz gz xz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
+          o.gz o.xz gz xz".</para>
         </listitem>
       </varlistentry>
 
@@ -1903,7 +1909,7 @@ LOG:info:,bar                        net                    fw</programlisting>
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -1949,7 +1955,7 @@ LOG:info:,bar                        net                    fw</programlisting>
               into.</member>
             </simplelist></para>
 
-          <programlisting></programlisting>
+          <programlisting/>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.xml

@@ -48,6 +48,21 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>call</option></arg>
+
+      <arg
+      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
+      ...</arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -83,6 +98,21 @@
       <arg choice="plain"><option>clear</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -318,8 +348,24 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
       <arg
-      choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>reenable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -483,6 +529,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -759,7 +816,10 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">add</emphasis></term>
+        <term><emphasis role="bold">add </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
@@ -791,7 +851,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">allow</emphasis></term>
+        <term><emphasis role="bold">allow
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Re-enables receipt of packets from hosts previously
@@ -803,7 +864,28 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">check</emphasis></term>
+        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.10. Allows you to call a function in
+          one of the Shorewall libraries or in your compiled script. function
+          must name the shell function to be called. The listed parameters are
+          passed to the function.</para>
+
+          <para>The function is first searched for in
+          <filename>lib.base</filename>, <filename>lib.common</filename>,
+          <filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
+          If it is not found, the call command is passed to the generated
+          script to be executed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">check </emphasis>[-<option>e</option>]
+        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
+        [-<option>T</option>] [-<option>i</option>]
+        [<replaceable>directory</replaceable>]</term>
 
         <listitem>
           <para>Compiles the configuration in the specified
@@ -834,7 +916,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -843,7 +925,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">clear</emphasis></term>
+        <term><emphasis role="bold">clear
+        </emphasis>[-<option>f</option>]</term>
 
         <listitem>
           <para>Clear will remove all rules and chains installed by
@@ -854,7 +937,32 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">compile</emphasis></term>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall6 show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
+        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
+        [-<option>T</option>] [-<option>i</option>]
+        [<replaceable>directory</replaceable>]
+        [<replaceable>pathname</replaceable> ]</term>
 
         <listitem>
           <para>Compiles the current configuration into the executable file
@@ -901,7 +1009,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -910,7 +1018,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">delete</emphasis></term>
+        <term><emphasis role="bold">delete </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.21. The delete command reverses the
@@ -935,7 +1046,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">disable</emphasis></term>
+        <term><emphasis role="bold">disable </emphasis><emphasis role="bold">
+        </emphasis>{ <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -954,7 +1067,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">drop</emphasis></term>
+        <term><emphasis role="bold">drop
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -963,7 +1077,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">dump</emphasis></term>
+        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
+        [-<option>l</option>] [-<option>m</option>]
+        [-<option>c</option>]</term>
 
         <listitem>
           <para>Produces a verbose report about the firewall configuration for
@@ -985,7 +1101,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">enable</emphasis></term>
+        <term><emphasis role="bold">enable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1006,7 +1124,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">export</emphasis></term>
+        <term><emphasis role="bold">export
+        </emphasis>[<replaceable>directory1</replaceable> ]
+        [<replaceable>user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
+        ]</term>
 
         <listitem>
           <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1030,7 +1151,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">forget</emphasis></term>
+        <term><emphasis role="bold">forget </emphasis>[
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
@@ -1051,7 +1173,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis></term>
+        <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
+        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that causes iptables
@@ -1070,7 +1193,20 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">load</emphasis></term>
+        <term><emphasis role="bold">list</emphasis></term>
+
+        <listitem>
+          <para><command>list</command> is a synonym for
+          <command>show</command> -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">load </emphasis> [-<option>s</option>]
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
+        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        <replaceable>system</replaceable></term>
 
         <listitem>
           <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1116,7 +1252,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1125,7 +1261,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis></term>
+        <term><emphasis role="bold">logdrop
+        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1137,7 +1274,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logwatch</emphasis></term>
+        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        [<replaceable>refresh-interval</replaceable>]</term>
 
         <listitem>
           <para>Monitors the log file specified by the LOGFILE option in
@@ -1155,7 +1293,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis></term>
+        <term><emphasis role="bold">logreject</emphasis>
+        <replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1167,7 +1306,18 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">noiptrace</emphasis></term>
+        <term><emphasis role="bold">ls</emphasis></term>
+
+        <listitem>
+          <para><command>ls</command> is a synonym for <command>show</command>
+          -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace
+        </emphasis><replaceable>ip6tables match
+        expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that cancels a trace
@@ -1180,7 +1330,63 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">refresh</emphasis></term>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          2001:470:b:227::1, the command would be:</para>
+
+          <programlisting>    shorewall6 open all 2001:470:b:227::1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall6 close all 2001:470:b:227::1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reenable</emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.9. This is equivalent to a
+          <command>disable</command> command followed by an
+          <command>enable</command> command on the specified
+          <replaceable>interface</replaceable> or
+          <replaceable>provider</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">refresh </emphasis>[-<option>n</option>]
+        [-<option>d</option>] [-<option>T</option>] [-i]
+        [-<option>D</option><replaceable>directory</replaceable> ] [
+        <replaceable>chain</replaceable>... ]</term>
 
         <listitem>
           <para>All steps performed by <command>restart</command> are
@@ -1211,7 +1417,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1232,7 +1438,21 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reload</emphasis></term>
+        <term><emphasis role="bold">reject</emphasis><replaceable>
+        address</replaceable></term>
+
+        <listitem>
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          to be silently rejected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
+        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        <replaceable>system</replaceable></term>
 
         <listitem>
           <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1278,7 +1498,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1288,7 +1508,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym></acronym></term>
+        ...]</emphasis><acronym/></term>
 
         <listitem>
           <para>Resets the packet and byte counters in the specified
@@ -1299,7 +1519,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restart</emphasis></term>
+        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
+        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
+        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
+        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Restart is similar to <command>shorewall6 start</command>
@@ -1337,7 +1560,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1354,7 +1577,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">restore</emphasis></term>
+        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
+        [-<option>p</option>] [-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Restore Shorewall6 to a state saved using the
@@ -1382,7 +1607,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
+        <term><emphasis role="bold">run</emphasis><emphasis role="bold">
+        </emphasis><replaceable>command</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.6.3. Executes
@@ -1405,7 +1632,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">safe-restart</emphasis></term>
+        <term><emphasis role="bold">safe-restart
+        </emphasis>[-<option>d</option>] [-<option>p</option>]
+        [-<option>t</option><replaceable>timeout</replaceable> ] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Only allowed if Shorewall6 is running. The current
@@ -1431,7 +1661,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">safe-start</emphasis></term>
+        <term><emphasis role="bold">safe-start
+        </emphasis>[-<option>d</option>] [-<option>p</option>]
+        [-<option>t</option><replaceable>timeout</replaceable> ] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Shorewall6 is started normally. You will then be prompted
@@ -1453,7 +1686,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">save</emphasis></term>
+        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>The dynamic blacklist is stored in <filename>
@@ -1472,6 +1706,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -1490,7 +1738,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+              <term>[-<option>x</option>] <emphasis role="bold">bl|blacklists
+              </emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1503,7 +1752,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">capabilities</emphasis></term>
+              <term>[-<option>f</option>] <emphasis
+              role="bold">capabilities</emphasis></term>
 
               <listitem>
                 <para>Displays your kernel/ip6tables capabilities. The
@@ -1514,8 +1764,10 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              ]</term>
+              <term>[-<option>b</option>] [-<option>x</option>]
+              [-<option>l</option>] [-<option>t</option>
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
+              <emphasis>chain</emphasis>... ]</term>
 
               <listitem>
                 <para>The rules in each <emphasis>chain</emphasis> are
@@ -1600,7 +1852,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">log</emphasis></term>
+              <term>[-<option>m</option>] <emphasis
+              role="bold">log</emphasis></term>
 
               <listitem>
                 <para>Displays the last 20 Shorewall6 messages from the log
@@ -1622,7 +1875,20 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">macro
+              </emphasis><replaceable>macro</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.6. Displays the file that
+                implements the specified <replaceable>macro</replaceable>
+                (usually
+                <filename>/usr/share/shorewall6/macro</filename>.<replaceable>macro</replaceable>).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">mangle</emphasis></term>
 
               <listitem>
                 <para>Displays the Netfilter mangle table using the command
@@ -1644,6 +1910,30 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">nat</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter nat table using the command
+                <emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.
+                The <emphasis role="bold">-x</emphasis> option is passed
+                directly through to ip6tables and causes actual packet and
+                byte counts to be displayed. Without this option, those counts
+                are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">policies</emphasis></term>
 
@@ -1657,7 +1947,22 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">routing</emphasis></term>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">raw</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter raw table using the command
+                <emphasis role="bold">ip6tables -t raw -L -n -v</emphasis>.
+                The <emphasis role="bold">-x</emphasis> option is passed
+                directly through to ip6tables and causes actual packet and
+                byte counts to be displayed. Without this option, those counts
+                are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">[-<option>c</option>]<emphasis
+              role="bold"> </emphasis>routing</emphasis></term>
 
               <listitem>
                 <para>Displays the system's IPv6 routing configuration. The -c
@@ -1688,7 +1993,11 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">start</emphasis></term>
+        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
+        </emphasis>[-<option>n</option>] [-<option>p</option>]
+        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
+        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Start shorewall6. Existing connections through shorewall6
@@ -1728,7 +2037,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1744,7 +2053,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">stop</emphasis></term>
+        <term><emphasis role="bold">stop
+        </emphasis>[-<option>f</option>]</term>
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
@@ -1756,6 +2066,12 @@
           is from systems listed in <ulink
           url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
           or by ADMINISABSENTMINDED.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -1773,7 +2089,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">try</emphasis></term>
+        <term><emphasis role="bold">try
+        </emphasis><replaceable>directory</replaceable> [
+        <replaceable>timeout</replaceable> ]</term>
 
         <listitem>
           <para>If Shorewall6 is started then the firewall state is saved to a
@@ -1783,7 +2101,7 @@
           command is issued using the specified configuration
           <replaceable>directory</replaceable>; otherwise, a <emphasis
           role="bold">start</emphasis> command is performed using the
-          specified configuration <replaceable>directory</replaceable>. if an
+          specified configuration <replaceable>directory</replaceable>. If an
           error occurs during the compilation phase of the <emphasis
           role="bold">restart</emphasis> or <emphasis role="bold">start
           </emphasis>, the command terminates without changing the Shorewall6
@@ -1807,7 +2125,11 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">update</emphasis></term>
+        <term><emphasis role="bold">update </emphasis>[-<option>b</option>]
+        [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
+        [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
+        [-<option>t</option>] [-<option>A</option>] [
+        <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.21 and causes the compiler to update
@@ -1839,12 +2161,12 @@
           <para>The <option>-D</option> option was added in Shorewall 4.5.11.
           When this option is specified, the compiler will walk through the
           directories in the CONFIG_PATH replacing FORMAT and COMMENT entries
-          to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is
+          to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is
           updated, the original is saved in a .bak file in the same
           directory.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1899,7 +2221,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">version</emphasis></term>
+        <term><emphasis role="bold">version
+        [-<option>a</option>]</emphasis></term>
 
         <listitem>
           <para>Displays Shorewall6's version. If the <option>-a</option>

Shorewall6/shorewall6.service

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
+Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 

Shorewall6/shorewall6.service.214

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
+Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 

Shorewall6/uninstall.sh

@@ -36,6 +36,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1
@@ -136,8 +142,8 @@ else
     usage 1
 fi
 
-if [ -f ${SHARDIR}/shorewall6/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall6/version)"
+if [ -f ${SHAREDIR}/shorewall6/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."

docs/Anatomy.xml

@@ -24,6 +24,8 @@
 
       <year>2012</year>
 
+      <year>2015</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -93,13 +95,16 @@
   <section id="Shorewall">
     <title>Shorewall</title>
 
-    <para>The Shorewall package includes a large number of files which are
-    installed in <filename class="directory">/sbin</filename>, <filename
-    class="directory">/usr/share/shorewall</filename>, <filename
+    <para>The Shorewall package includes a large number of files which were
+    traditionally installed in <filename class="directory">/sbin</filename>,
+    <filename class="directory">/usr/share/shorewall</filename>, <filename
     class="directory">/etc/shorewall</filename>,
     <filename>/etc/init.d</filename> and <filename
     class="directory">/var/lib/shorewall/</filename>. These are described in
-    the sub-sections that follow.</para>
+    the sub-sections that follow. Since Shorewall 4.5.2, each of these
+    directories is now relocatable using the <ulink
+    url="Install.htm#idp8774904608">configure scripts included with Shorewall
+    Core</ulink>.</para>
 
     <section id="sbin">
       <title>/sbin</title>
@@ -170,7 +175,8 @@
 
         <listitem>
           <para><filename>lib.*</filename> - Shell function libraries used by
-          the other shell programs.</para>
+          the other shell programs. Most of these are actually provided by
+          Shorewall-core.</para>
         </listitem>
 
         <listitem>
@@ -194,6 +200,12 @@
           containing the Shorewall Perl modules used by the compiler.</para>
         </listitem>
 
+        <listitem>
+          <para><filename>shorewallrc</filename> - A file that specifies where
+          all of the other installed components (from all packages) are
+          installed.</para>
+        </listitem>
+
         <listitem>
           <para><filename>version</filename> - A file containing the currently
           install version of Shorewall.</para>
@@ -504,8 +516,8 @@
     <section id="sbin-lite">
       <title>/sbin</title>
 
-      <para>The <filename>/sbin/shorewall-lite</filename> shell program is used
-      to interact with Shorewall lite. See <ulink
+      <para>The <filename>/sbin/shorewall-lite</filename> shell program is
+      used to interact with Shorewall lite. See <ulink
       url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
     </section>
 

docs/Helpers.xml

@@ -114,9 +114,11 @@
       nf_nat_<replaceable>application</replaceable>; more about that
       below.</para>
 
-      <para>The modules are not auto-loaded and must be loaded explicitly
-      using the <command>modprob</command> or <command>insmod</command>
-      utilities.</para>
+      <para>Prior to Shorewall 4.5.7, helper modules were not auto-loaded and
+      must be loaded explicitly using the <command>modprob</command> or
+      <command>insmod</command> utilities. Beginning with Shorewall 4.5.7,
+      these modules are loaded when Shorewall is determining the capabilities
+      of your system.</para>
 
       <para>Many of the modules allow parameters to be specified when the
       module is loaded. Among the common parameters is the ports parameter
@@ -280,14 +282,23 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term>DONT_LOAD</term>
+
+          <listitem>
+            <para>This is a comma-separated list of modules that you
+            specifically don't want Shorewall to load.</para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term>HELPERS</term>
 
           <listitem>
             <para>This option was added in Shorewall 4.5.7 and lists the
-            modules to be enabled for association with connections. This
-            option is fully functional only on systems running kernel 3.5 or
-            later.</para>
+            modules to be enabled for association with connections
+            (comma-separated). This option is fully functional only on systems
+            running kernel 3.5 or later.</para>
 
             <para>The module names allowed in this list are <emphasis
             role="bold">amanda</emphasis>, <emphasis
@@ -297,7 +308,19 @@
             role="bold">pptp</emphasis>, <emphasis
             role="bold">sane</emphasis>, <emphasis role="bold">sip</emphasis>,
             <emphasis role="bold">snmp</emphasis> and <emphasis
-            role="bold">tftp</emphasis>.</para>
+            role="bold">tftp</emphasis>. If you don't want a particular helper
+            module loaded, then:</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>List it in the DONT_LOAD option; and</para>
+              </listitem>
+
+              <listitem>
+                <para>Explicitly list those helpers that you do want in
+                HELPERS.</para>
+              </listitem>
+            </itemizedlist>
           </listitem>
         </varlistentry>
 

docs/Install.xml

@@ -693,6 +693,12 @@
         a product for Debian into the /tmp/package directory:</para>
 
         <programlisting>DESTDIR=/tmp/package ./install.sh shorewallrc.debian</programlisting>
+
+        <para>When DESTDIR is specified, the installers treat $DESTDIR as the
+        root of the filesystem tree. In other words, the created installation
+        is only runnable if one chroots to $DESTDIR. Please note that the
+        uninstall.sh scripts cannot uninstall a configuration installed with
+        non-empty DESTDIR. </para>
       </section>
 
       <section>
@@ -731,7 +737,7 @@
         <para>The above shorewallrc creates a runnable configuration in
         /usr/local/shorewall-custom. It is triggered by adding SANDBOX to the
         shorewallrc file -- any non-empty value for that variable will prevent
-        the installer from replacing the current main configuraiton. </para>
+        the installer from replacing the current main configuraiton.</para>
       </section>
     </section>
 

docs/MultiISP.xml

@@ -119,7 +119,7 @@
           ISP.</para>
         </footnote> as in the following diagram.</para>
 
-      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
+      <graphic align="center" fileref="images/TwoISPs.png" valign="middle"/>
 
       <itemizedlist>
         <listitem>
@@ -342,6 +342,33 @@
             may try to use those stale files to determine the gateway
             address.</para>
 
+            <para>If Shorewall is unable to detect the gateway, it is likely
+            because you are using a DHCP client that Shorewall doesn't
+            natively support. You can work around that issue by using the
+            <emphasis role="bold">findgw</emphasis> <ulink
+            url="shorewall_extension_scripts.htm">extension
+            script.</ulink></para>
+
+            <para>For example, these examples from Mika Ilmaranta, work with
+            RHEL7-based systems with nmcli:</para>
+
+            <programlisting>nmcli --terse --fields IP6.GATEWAY device show ${1} | cut -f2- -d':' # IPv6
+
+nmcli --terse --fields IP4.GATEWAY device show ${1} | cut -f2- -d':' #IPv4
+</programlisting>
+
+            <para>This one from PGNd works on OpenSuSE running wicked:</para>
+
+            <programlisting>svc_status=$( systemctl is-active wickedd-dhcp4.service )
+
+if [ $svc_status == 'active' ]; then
+  data="/var/lib/wicked/lease-${1}-dhcp-ipv4.xml"
+  if [ -f $data ]; then
+    gateway=$( xml_grep 'gateway' $data --text_only )
+    echo $gateway
+  fi
+fi</programlisting>
+
             <para>The GATEWAY may be omitted (enter '-') for point-to-point
             links.</para>
           </listitem>
@@ -2245,7 +2272,83 @@ defaults {
 
 include /etc/lsm/shorewall.conf</programlisting>
 
-        <para><filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
+        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and
+        later)<programlisting>#!/bin/sh
+#
+# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
+# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
+#
+# License: GPLv2
+#
+
+STATE=${1}
+NAME=${2}
+CHECKIP=${3}
+DEVICE=${4}
+WARN_EMAIL=${5}
+REPLIED=${6}
+WAITING=${7}
+TIMEOUT=${8}
+REPLY_LATE=${9}
+CONS_RCVD=${10}
+CONS_WAIT=${11}
+CONS_MISS=${12}
+AVG_RTT=${13}
+
+if [ -f /usr/share/shorewall-lite/lib.base ]; then
+    VARDIR=/var/lib/shorewall-lite
+    STATEDIR=/etc/shorewall-lite
+    TOOL=/sbin/shorewall-lite
+else
+    VARDIR=/var/lib/shorewall
+    STATEDIR=/etc/shorewall
+    TOOL=/sbin/shorewall
+fi
+
+[ -f ${STATEDIR}/vardir ] &amp;&amp; . ${STATEDIR}/vardir
+
+cat &lt;&lt;EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
+
+Hi,
+
+Connection ${NAME} is now ${STATE}.
+
+Following parameters were passed:
+newstate     = ${STATE}
+name         = ${NAME}
+checkip      = ${CHECKIP}
+device       = ${DEVICE}
+warn_email   = ${WARN_EMAIL}
+
+Packet counters:
+replied      = ${REPLIED} packets replied
+waiting      = ${WAITING} packets waiting for reply
+timeout      = ${TIMEOUT} packets that have timed out (= packet loss)
+reply_late   = ${REPLY_LATE} packets that received a reply after timeout
+cons_rcvd    = ${CONS_RCVD} consecutively received replies in sequence
+cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
+cons_miss    = ${CONS_MISS} consecutive packets that have timed out
+avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
+
+Your LSM Daemon
+
+EOM
+
+if [ ${STATE} = up ]; then
+# echo 0 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
+  ${VARDIR}/firewall enable ${DEVICE}
+else
+#  echo 1 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
+   ${VARDIR}/firewall disable ${DEVICE}
+fi
+
+$TOOL show routing &gt;&gt; /var/log/lsm
+
+exit 0
+
+#EOF</programlisting>Prior to Shorewall 4.4.23, it was necessary to restart
+        the firewall when an interface transitions between the usable and
+        unusable states.<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
@@ -2311,88 +2414,12 @@ EOM
 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
 # echo $state &gt; ${VARDIR}/${DEVICE}.status
 
-$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1
+<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>
 
 $TOOL show routing &gt;&gt; /var/log/lsm
 
 exit 0
 
-#EOF</programlisting>Beginning with Shorewall 4.4.23, it is not necessary to
-        restart the firewall when an interface transitions between the usable
-        and unusable
-        states.<filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
-#
-# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
-# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
-#
-# License: GPLv2
-#
-
-STATE=${1}
-NAME=${2}
-CHECKIP=${3}
-DEVICE=${4}
-WARN_EMAIL=${5}
-REPLIED=${6}
-WAITING=${7}
-TIMEOUT=${8}
-REPLY_LATE=${9}
-CONS_RCVD=${10}
-CONS_WAIT=${11}
-CONS_MISS=${12}
-AVG_RTT=${13}
-
-if [ -f /usr/share/shorewall-lite/lib.base ]; then
-    VARDIR=/var/lib/shorewall-lite
-    STATEDIR=/etc/shorewall-lite
-    TOOL=/sbin/shorewall-lite
-else
-    VARDIR=/var/lib/shorewall
-    STATEDIR=/etc/shorewall
-    TOOL=/sbin/shorewall
-fi
-
-[ -f ${STATEDIR}/vardir ] &amp;&amp; . ${STATEDIR}/vardir
-
-cat &lt;&lt;EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
-
-Hi,
-
-Connection ${NAME} is now ${STATE}.
-
-Following parameters were passed:
-newstate     = ${STATE}
-name         = ${NAME}
-checkip      = ${CHECKIP}
-device       = ${DEVICE}
-warn_email   = ${WARN_EMAIL}
-
-Packet counters:
-replied      = ${REPLIED} packets replied
-waiting      = ${WAITING} packets waiting for reply
-timeout      = ${TIMEOUT} packets that have timed out (= packet loss)
-reply_late   = ${REPLY_LATE} packets that received a reply after timeout
-cons_rcvd    = ${CONS_RCVD} consecutively received replies in sequence
-cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
-cons_miss    = ${CONS_MISS} consecutive packets that have timed out
-avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
-
-Your LSM Daemon
-
-EOM
-
-<emphasis role="bold">if [ ${STATE} = up ]; then
-# echo 0 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
-  ${VARDIR}/firewall enable ${DEVICE}
-else
-#  echo 1 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
-   ${VARDIR}/firewall disable ${DEVICE}
-fi
-</emphasis>
-$TOOL show routing &gt;&gt; /var/log/lsm
-
-exit 0
-
 #EOF</programlisting></para>
       </section>
     </section>
@@ -2480,7 +2507,7 @@ exit 0
       on ursa that I will describe here</emphasis>.</para>
 
       <para>Below is a diagram of our network:<graphic align="center"
-      fileref="images/Network2008a.png" /></para>
+      fileref="images/Network2008a.png"/></para>
 
       <para>The local wired network in my office is connected to both gateways
       and uses the private (RFC 1918) network 172.20.1.0/24. The Comcast
@@ -2651,7 +2678,7 @@ wlan0                   192.168.0.0/24</programlisting><note>
 
     <para>The network is pictured in the following diagram:</para>
 
-    <graphic fileref="images/Network2013.png" />
+    <graphic fileref="images/Network2013.png"/>
 
     <section>
       <title>IPv4 Configuration</title>

docs/configuration_file_basics.xml

@@ -174,7 +174,13 @@
 
         <listitem>
           <para><filename>/etc/shorewall/start</filename> - commands that you
-          wish to execute at the completion of a <quote>shorewall
+          wish to execute near the completion of a <quote>shorewall
+          start</quote> or <quote>shorewall restart</quote></para>
+        </listitem>
+
+        <listitem>
+          <para><filename>/etc/shorewall/started</filename> - commands that
+          you wish to execute after the completion of a <quote>shorewall
           start</quote> or <quote>shorewall restart</quote></para>
         </listitem>
 
@@ -265,13 +271,9 @@
         </listitem>
 
         <listitem>
-          <para><filename>/usr/share/shorewall/modules</filename> - directs
-          the firewall to load kernel modules.</para>
-        </listitem>
-
-        <listitem>
-          <para><filename>/usr/share/modules</filename> — Specifies the kernel
-          modules to be loaded during shorewall start/restart.</para>
+          <para><filename>/usr/share/shorewall/modules</filename> — Specifies
+          the kernel modules to be loaded during shorewall
+          start/restart.</para>
         </listitem>
 
         <listitem>
@@ -836,8 +838,11 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
         <para>ZONE — The name of a zone declared in
         <filename>/etc/shorewall/zones</filename> or
         <filename>/etc/shorewall6/zones</filename>. This part is only
-        available in the rules file (<filename>/etc/shorewall/rules</filename>
-        and <filename>/etc/shorewall6/rules</filename>).</para>
+        available in the rules file
+        (<filename>/etc/shorewall/rules</filename>,
+        <filename>/etc/shorewall/blrules</filename>,<filename>
+        /etc/shorewall6/rules</filename> and
+        <filename>/etc/shorewall6/blrules</filename>).</para>
       </listitem>
 
       <listitem>
@@ -1985,7 +1990,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
     assumed to have the value '' (an empty string, which also evaluates to
     false).</para>
 
-    <para>The setting in <filename>/etc/shorewall/params</filename> by be
+    <para>The setting in <filename>/etc/shorewall/params</filename> may be
     overridden at runtime, provided the setting in
     <filename>/etc/shorewall/params</filename> is done like this:</para>
 
@@ -2894,7 +2899,7 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
       surprises, I recommend that you read the <ulink
       url="starting_and_stopping_shorewall.htm#Saved">Shorewall Operations
       documentation section about saved configurations</ulink> before creating
-      one.</para>
+      one.3</para>
     </warning>
   </section>
 </article>

docs/ipsets.xml

@@ -24,6 +24,8 @@
 
       <year>2010</year>
 
+      <year>2015</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -170,6 +172,12 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
     ipv4 ipsets are saved. Both features require ipset version 5 or
     later.</para>
+
+    <para>Although Shorewall can save the definition of your ipsets and
+    restore them when Shorewall starts, in most cases you must use the ipset
+    utility to initially create and load your ipsets. The exception is that
+    Shorewall will automatically create an empty iphash ipset to back each
+    dynamic zone.</para>
   </section>
 
   <section>

docs/shorewall_extension_scripts.xml

@@ -457,10 +457,10 @@ cat -</programlisting>
 
           <listitem>
             <para>VARDIR - The product state directory. Defaults <filename
-            class="directory">/usr/share/shorewall</filename>, <filename
-            class="directory">/usr/share/shorewall6/</filename>, <filename
-            class="directory">/usr/share/shorewall-lite</filename>, or
-            <filename class="directory">/usr/share/shorewall6-lite</filename>
+            class="directory">/var/lib/shorewall</filename>, <filename
+            class="directory">/var/lib/shorewall6/</filename>, <filename
+            class="directory">/var/lib/shorewall-lite</filename>, or
+            <filename class="directory">/var/lib/shorewall6-lite</filename>
             depending on which product is running, but may be overridden by an
             entry in ${CONFDIR}/vardir.</para>
           </listitem>