Apply Matt Darfeuille's fix for fatal_error()

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -378,6 +378,17 @@ savesets() {
     [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }
 
+#
+# Proactive save of the current ipset contents
+#
+savesets1() {
+    local supported
+
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+}
+
 #
 # Save currently running configuration
 #
@@ -387,7 +398,7 @@ do_save() {
     status=0
 
     if [ -f ${VARDIR}/firewall ]; then
-	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+	if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod +x $g_restorepath
@@ -1224,6 +1235,16 @@ show_command() {
 	    echo
 	    show_bl;
 	    ;;
+	opens)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
+
+	    if chain_exists dynamic; then
+		g_ipt_options="$g_ipt_options --line-numbers"
+		$g_tool -t filter -L dynamic $g_ipt_options  | head -n2
+		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
+	    fi
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -2076,6 +2097,166 @@ delete_command() {
     fi
 }
 
+open_close_command() {
+    local command
+    local desc
+    local proto
+    local icmptype
+
+    open_close_setup() {
+	[ -n "$g_nolock" ] || mutex_on
+
+	if ! product_is_started ; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "The $COMMAND command requires the firewall to be running"
+	fi
+
+	if ! chain_exists dynamic; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
+	fi
+    }
+
+    [ $# -le 4 ] || fatal_error "Too many parameters"
+
+    if [ $COMMAND = open ]; then
+	[ $# -ge 2 ] || fatal_error "Too few parameters"
+    else
+	[ $# -ge 1 ] || fatal_error "Too few parameters"
+    fi
+
+    if [ $# -eq 1 ]; then
+	#
+	# close <rule number>
+	#
+	case $1 in
+	    [1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
+		;;
+	    *)
+		fatal_error "$1 is not a valid temporary open number"
+		;;
+	esac
+
+	open_close_setup #Conditionally acquires mutex
+
+	if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
+	    if $g_tool -D dynamic $1; then
+		[ -n "$g_nolock" ] || mutex_off
+		echo "Temporary open #$1 closed"
+		return 0
+	    fi
+	    [ -n "$g_nolock" ] || mutex_off
+	    return 2
+	else
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "$1 is not a valid temporary open number"
+	fi
+    else
+	if [ $1 = all ]; then
+	    command=dynamic
+	else
+	    command="dynamic -s $1"
+	fi
+
+	if [ $2 != all ]; then
+	    command="$command -d $2"
+	fi
+
+	desc="from $1 to $2"
+
+	if [ $# -ge 3 ]; then
+	    proto=$3
+
+	    [ $proto = icmp -a $g_family -eq 6 ] && proto=58
+
+	    command="$command -p $proto"
+
+	    case $3 in
+		[0-9]*)
+		    desc="$desc protocol $3"
+		    ;;
+		*)
+		    desc="$desc $3"
+		    ;;
+	    esac
+
+	    if [ $g_family -eq 4 ]; then
+		if [ $proto = 6 -o $proto = icmp ]; then
+		    proto=icmp
+		    icmptype='--icmp-type'
+		fi
+	    else
+		if [ $proto = 58 -o $proto = ipv6-icmp ]; then
+		    proto=icmp
+		    icmptype='--icmpv6-type'
+		fi
+	    fi
+	fi
+
+	if [ $# -eq 4 ]; then
+	    if [ $proto = icmp ]; then
+		case $4 in
+		    *,*)
+			fatal_error "Only a single ICMP type may be specified"
+			;;
+		    [0-9]*)
+			desc="$desc type $4"
+			;;
+		    *)
+			desc="$desc $4"
+			;;
+		esac
+
+		command="$command $icmptype $4"
+	    else
+		case $4 in
+		*,*)
+		    command="$command -m multiport --dports $4"
+		    ;;
+		*)
+		    command="$command --dport $4"
+		    ;;
+		esac
+
+		case $4 in
+		    [0-9]*,)
+			desc="$desc ports $4"
+			;;
+		    [0-9]*)
+			desc="$desc port $4"
+			;;
+		    *)
+			desc="$desc $4"
+			;;
+		esac
+	    fi
+	fi
+
+	command="$command -j ACCEPT"
+
+	open_close_setup #Conditionally acquires mutex
+
+	if [ $COMMAND = open ]; then
+	    if $g_tool -I $command ; then
+		[ -n "$g_nolock" ] || mutex_off
+		echo "Firewall dynamically opened for connections $desc"
+		return 0
+	    fi
+	    [ -n "$g_nolock" ] || mutex_off
+	    return 2
+	fi
+
+	if $g_tool -D $command 2> /dev/null; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
+	    return 0
+	fi
+
+	[ -n "$g_nolock" ] || mutex_off
+	fatal_error "Connections $desc are not currently opened"
+    fi
+}
+
 #
 # 'hits' commmand executor
 #
@@ -3628,6 +3809,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   clear"
+    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
     echo "   drop <address> ..."
@@ -3645,12 +3827,14 @@ usage() # $1 = exit status
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
+    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
     echo "   run <command> [ <parameter> ... ]"
     echo "   save [ -C ] [ <file name> ]"
+    echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] arptables"
@@ -3670,6 +3854,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
     echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
     echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
     echo "   [ show | list | ls ] routing"
     echo "   [ show | list | ls ] tc [ device ]"
@@ -3979,6 +4164,11 @@ shorewall_cli() {
 	    [ $# -eq 1 ] && usage 1
 	    reject_command $@
 	    ;;
+	open|close)
+	    get_config
+	    shift
+	    open_close_command $@
+	    ;;
 	allow)
 	    get_config
 	    allow_command $@
@@ -4042,6 +4232,12 @@ shorewall_cli() {
 	    shift
 	    noiptrace_command $@
 	    ;;
+	savesets)
+	    [ $# -eq 1 ] || usage 1
+	    get_config
+	    [ -n "$g_debugging" ] && set -x
+	    savesets1
+	    ;;
 	*)
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@

Shorewall-core/uninstall.sh

@@ -35,6 +35,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall-init/install.sh

@@ -188,6 +188,8 @@ done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
+[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
+
 if [ -z "$BUILD" ]; then
     case $(uname) in
 	cygwin*)
@@ -379,9 +381,9 @@ fi
 
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
     elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
@@ -390,15 +392,11 @@ if [ $HOST = debian ]; then
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi
 
-	if [ $configure -eq 1 ]; then
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
-	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
-	else
-	    mkdir -p ${DESTDIR}${CONFDIR}/default
-	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
-	fi
     fi
 
     IFUPDOWN=ifupdown.debian.sh
@@ -408,13 +406,13 @@ else
 
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
     fi
@@ -440,12 +438,8 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    if [ $configure -eq 1 ]; then
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
-	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
-    else
-	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
-	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
-    fi
 fi
 
 case $HOST in

Shorewall-init/uninstall.sh

@@ -35,6 +35,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall-lite/manpages/shorewall-lite.xml

@@ -59,6 +59,21 @@
       choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -265,6 +280,15 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -350,6 +374,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -631,6 +666,27 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">delete</emphasis></term>
 
@@ -823,6 +879,45 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <screen>    shorewall-lite close all 192.168.1.1 tcp 22</screen>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">reset</emphasis></term>
 
@@ -918,6 +1013,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -1086,6 +1195,16 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">policies</emphasis></term>
 

Shorewall-lite/uninstall.sh

@@ -40,6 +40,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall/Perl/Shorewall/Chains.pm

@@ -7953,7 +7953,7 @@ else
 fi
 
 if chain_exists dynamic; then
-    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+    $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
 else
     rm -f \${VARDIR}/.dynamic
 fi
@@ -8048,7 +8048,7 @@ sub create_save_ipsets() {
     if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
-	      '    file=$1'
+	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );
 
 	if ( @ipsets ) {
@@ -8074,7 +8074,9 @@ sub create_save_ipsets() {
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
-		      "    done" );
+		      "    done" ,
+		      '',
+		    );
 	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
@@ -8091,7 +8093,9 @@ sub create_save_ipsets() {
 		       '    fi' );
  	    }
 
-	    emit("}\n" );
+	    emit( "    return 0",
+		  '',
+		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
@@ -8113,10 +8117,13 @@ sub create_save_ipsets() {
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
+		  '    return 0',
+		  '' ,
 		  "}\n" );
 	}
     } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
+	      '    return 1',
 	      "}\n" );
     } else {
 	emit( '    true',

Shorewall/Perl/Shorewall/Misc.pm

@@ -2418,7 +2418,7 @@ EOF
     case $COMMAND in
         stop|clear|restore)
             if chain_exists dynamic; then
-                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
             fi
             ;;
         *)
@@ -2433,7 +2433,7 @@ EOF
     case $COMMAND in
         stop|clear|restore)
             if chain_exists dynamic; then
-                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
             fi
             ;;
         *)

Shorewall/Perl/Shorewall/Providers.pm

@@ -1086,10 +1086,8 @@ CEOF
     }
 }
 
-sub add_an_rtrule( ) {
+sub add_an_rtrule1( $$$$$ ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) =
+    my ( $source, $dest, $provider, $priority, $originalmark ) = @_;
-	split_line( 'rtrules file',
-		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
 
     our $current_if;
 
@@ -1178,6 +1176,17 @@ sub add_an_rtrule( ) {
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
+sub add_an_rtrule( ) {
+    my ( $sources, $dests, $provider, $priority, $originalmark ) =
+	split_line( 'rtrules file',
+		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
+    for my $source ( split_list( $sources, "source" ) ) {
+	for my $dest (split_list( $dests , "dest" ) ) {
+	    add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark );
+	}
+    }
+}
+
 sub add_a_route( ) {
     my ( $provider, $dest, $gateway, $device ) =
 	split_line( 'routes file',

Shorewall/Perl/Shorewall/Raw.pm

@@ -113,7 +113,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    $action      = $1;
 	    $disposition = $1;
 	}
-    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) {
+    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {
 	if ( $family == F_IPV4 ) {
 	    fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
 	} else {
@@ -125,8 +125,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
 	$disposition = $tgt;
-	$action      = 2;
+	$action      = $2;
-	validate_level( $level = $3 ) if supplied $3;
+	validate_level( $level = $4 ) if supplied $4;
     } else {
 	(  $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
 

Shorewall/Perl/prog.footer

@@ -407,6 +407,7 @@ case "$COMMAND" in
     savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
+	    status=$?
 	else
 	    usage 2
 	fi

Shorewall/lib.cli-std

@@ -1645,6 +1645,7 @@ usage() # $1 = exit status
     echo "   allow <address> ..."
     echo "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
     echo "   clear"
+    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
@@ -1679,6 +1680,7 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
     fi
 
+    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
     echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
@@ -1689,6 +1691,7 @@ usage() # $1 = exit status
     echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
     echo "   safe-start [ -t <timeout> ] [ <directory> ]"
     echo "   save [ -C ] [ <file name> ]"
+    echo "   savesets"
     echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] actions"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -1710,6 +1713,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] marks"
     echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
     echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
     echo "   [ show | list | ls ] routing"
     echo "   [ show | list | ls ] tc [ device ]"

Shorewall/manpages/shorewall-rtrules.xml

@@ -48,6 +48,9 @@
           &amp;<replaceable>interface</replaceable> in this column to indicate
           that the source is the primary IP address of the named
           interface.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 
@@ -64,6 +67,9 @@
           role="bold">DEST</emphasis>, place "-" in that column. Note that you
           may not omit both <emphasis role="bold">SOURCE</emphasis> and
           <emphasis role="bold">DEST</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -85,6 +85,21 @@
       choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -359,6 +374,17 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -528,6 +554,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -896,7 +933,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -921,6 +958,27 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">compile</emphasis></term>
 
@@ -970,7 +1028,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1211,7 +1269,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1274,6 +1332,45 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall close all 192.168.1.1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">refresh</emphasis></term>
 
@@ -1304,7 +1401,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1373,7 +1470,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1428,7 +1525,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1572,6 +1669,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -1769,6 +1880,16 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">policies</emphasis></term>
 
@@ -1870,7 +1991,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
+          warning message to be issued if the current line contains
           alternative input specifications following a semicolon (";"). Such
           lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
           <ulink
@@ -1993,7 +2114,7 @@
           directory.</para>
 
           <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
+          warning message to be issued if the current line contains
           alternative input specifications following a semicolon (";"). Such
           lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
           <ulink

Shorewall/uninstall.sh

@@ -40,6 +40,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1
@@ -197,7 +203,7 @@ fi
 
 rm -rf ${VARDIR}/shorewall
 rm -rf ${PERLLIBDIR}/Shorewall/*
-rm -rf ${LIBEXECDIR}/shorewall
+[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -59,6 +59,35 @@
       choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -265,6 +294,20 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -353,6 +396,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -632,6 +686,27 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall6-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">delete</emphasis></term>
 
@@ -831,6 +906,45 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          2001:470:b:227::1, the command would be:</para>
+
+          <programlisting>    shorewall6-lite open all 2001:470:b:227::1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall6-lite close all 2001:470:b:227::1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">reset</emphasis></term>
 
@@ -929,6 +1043,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -1086,6 +1214,16 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">nat</emphasis></term>
 

Shorewall6-lite/uninstall.sh

@@ -36,6 +36,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1

Shorewall6/manpages/shorewall6-rtrules.xml

@@ -48,6 +48,9 @@
           &amp;<replaceable>interface</replaceable> in this column to indicate
           that the source is the primary IP address of the named
           interface.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 
@@ -64,6 +67,9 @@
           role="bold">DEST</emphasis>, place "-" in that column. Note that you
           may not omit both <emphasis role="bold">SOURCE</emphasis> and
           <emphasis role="bold">DEST</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.xml

@@ -83,6 +83,21 @@
       <arg choice="plain"><option>clear</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -310,6 +325,20 @@
       expression</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -483,6 +512,17 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -834,7 +874,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -853,6 +893,27 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall6 show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">compile</emphasis></term>
 
@@ -901,7 +962,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1116,7 +1177,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1179,6 +1240,45 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          2001:470:b:227::1, the command would be:</para>
+
+          <programlisting>    shorewall6 open all 2001:470:b:227::1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall6 close all 2001:470:b:227::1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">refresh</emphasis></term>
 
@@ -1211,7 +1311,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1278,7 +1378,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1337,7 +1437,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1472,6 +1572,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">show</emphasis></term>
 
@@ -1644,6 +1758,16 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">policies</emphasis></term>
 
@@ -1728,7 +1852,7 @@
           compiler-generated error and warning message.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
@@ -1783,7 +1907,7 @@
           command is issued using the specified configuration
           <replaceable>directory</replaceable>; otherwise, a <emphasis
           role="bold">start</emphasis> command is performed using the
-          specified configuration <replaceable>directory</replaceable>. if an
+          specified configuration <replaceable>directory</replaceable>. If an
           error occurs during the compilation phase of the <emphasis
           role="bold">restart</emphasis> or <emphasis role="bold">start
           </emphasis>, the command terminates without changing the Shorewall6
@@ -1839,12 +1963,12 @@
           <para>The <option>-D</option> option was added in Shorewall 4.5.11.
           When this option is specified, the compiler will walk through the
           directories in the CONFIG_PATH replacing FORMAT and COMMENT entries
-          to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is
+          to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is
           updated, the original is saved in a .bak file in the same
           directory.</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
+          and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink

Shorewall6/uninstall.sh

@@ -36,6 +36,12 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
     "$@" >/dev/null 2>&1
@@ -136,8 +142,8 @@ else
     usage 1
 fi
 
-if [ -f ${SHARDIR}/shorewall6/version ]; then
+if [ -f ${SHAREDIR}/shorewall6/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall6/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."

docs/Install.xml

@@ -693,6 +693,12 @@
         a product for Debian into the /tmp/package directory:</para>
 
         <programlisting>DESTDIR=/tmp/package ./install.sh shorewallrc.debian</programlisting>
+
+        <para>When DESTDIR is specified, the installers treat $DESTDIR as the
+        root of the filesystem tree. In other words, the created installation
+        is only runnable if one chroots to $DESTDIR. Please note that the
+        uninstall.sh scripts cannot uninstall a configuration installed with
+        non-empty DESTDIR. </para>
       </section>
 
       <section>

docs/MultiISP.xml

@@ -2245,7 +2245,83 @@ defaults {
 
 include /etc/lsm/shorewall.conf</programlisting>
 
-        <para><filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
+        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and
+        later)<programlisting>#!/bin/sh
+#
+# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
+# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
+#
+# License: GPLv2
+#
+
+STATE=${1}
+NAME=${2}
+CHECKIP=${3}
+DEVICE=${4}
+WARN_EMAIL=${5}
+REPLIED=${6}
+WAITING=${7}
+TIMEOUT=${8}
+REPLY_LATE=${9}
+CONS_RCVD=${10}
+CONS_WAIT=${11}
+CONS_MISS=${12}
+AVG_RTT=${13}
+
+if [ -f /usr/share/shorewall-lite/lib.base ]; then
+    VARDIR=/var/lib/shorewall-lite
+    STATEDIR=/etc/shorewall-lite
+    TOOL=/sbin/shorewall-lite
+else
+    VARDIR=/var/lib/shorewall
+    STATEDIR=/etc/shorewall
+    TOOL=/sbin/shorewall
+fi
+
+[ -f ${STATEDIR}/vardir ] &amp;&amp; . ${STATEDIR}/vardir
+
+cat &lt;&lt;EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
+
+Hi,
+
+Connection ${NAME} is now ${STATE}.
+
+Following parameters were passed:
+newstate     = ${STATE}
+name         = ${NAME}
+checkip      = ${CHECKIP}
+device       = ${DEVICE}
+warn_email   = ${WARN_EMAIL}
+
+Packet counters:
+replied      = ${REPLIED} packets replied
+waiting      = ${WAITING} packets waiting for reply
+timeout      = ${TIMEOUT} packets that have timed out (= packet loss)
+reply_late   = ${REPLY_LATE} packets that received a reply after timeout
+cons_rcvd    = ${CONS_RCVD} consecutively received replies in sequence
+cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
+cons_miss    = ${CONS_MISS} consecutive packets that have timed out
+avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
+
+Your LSM Daemon
+
+EOM
+
+if [ ${STATE} = up ]; then
+# echo 0 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
+  ${VARDIR}/firewall enable ${DEVICE}
+else
+#  echo 1 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
+   ${VARDIR}/firewall disable ${DEVICE}
+fi
+
+$TOOL show routing &gt;&gt; /var/log/lsm
+
+exit 0
+
+#EOF</programlisting>Prior to Shorewall 4.4.23, it was necessary to restart
+        the firewall when an interface transitions between the usable and
+        unusable states.<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
@@ -2311,88 +2387,12 @@ EOM
 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
 # echo $state &gt; ${VARDIR}/${DEVICE}.status
 
-$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1
+<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>
 
 $TOOL show routing &gt;&gt; /var/log/lsm
 
 exit 0
 
-#EOF</programlisting>Beginning with Shorewall 4.4.23, it is not necessary to
-        restart the firewall when an interface transitions between the usable
-        and unusable
-        states.<filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
-#
-# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
-# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
-#
-# License: GPLv2
-#
-
-STATE=${1}
-NAME=${2}
-CHECKIP=${3}
-DEVICE=${4}
-WARN_EMAIL=${5}
-REPLIED=${6}
-WAITING=${7}
-TIMEOUT=${8}
-REPLY_LATE=${9}
-CONS_RCVD=${10}
-CONS_WAIT=${11}
-CONS_MISS=${12}
-AVG_RTT=${13}
-
-if [ -f /usr/share/shorewall-lite/lib.base ]; then
-    VARDIR=/var/lib/shorewall-lite
-    STATEDIR=/etc/shorewall-lite
-    TOOL=/sbin/shorewall-lite
-else
-    VARDIR=/var/lib/shorewall
-    STATEDIR=/etc/shorewall
-    TOOL=/sbin/shorewall
-fi
-
-[ -f ${STATEDIR}/vardir ] &amp;&amp; . ${STATEDIR}/vardir
-
-cat &lt;&lt;EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
-
-Hi,
-
-Connection ${NAME} is now ${STATE}.
-
-Following parameters were passed:
-newstate     = ${STATE}
-name         = ${NAME}
-checkip      = ${CHECKIP}
-device       = ${DEVICE}
-warn_email   = ${WARN_EMAIL}
-
-Packet counters:
-replied      = ${REPLIED} packets replied
-waiting      = ${WAITING} packets waiting for reply
-timeout      = ${TIMEOUT} packets that have timed out (= packet loss)
-reply_late   = ${REPLY_LATE} packets that received a reply after timeout
-cons_rcvd    = ${CONS_RCVD} consecutively received replies in sequence
-cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
-cons_miss    = ${CONS_MISS} consecutive packets that have timed out
-avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
-
-Your LSM Daemon
-
-EOM
-
-<emphasis role="bold">if [ ${STATE} = up ]; then
-# echo 0 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
-  ${VARDIR}/firewall enable ${DEVICE}
-else
-#  echo 1 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
-   ${VARDIR}/firewall disable ${DEVICE}
-fi
-</emphasis>
-$TOOL show routing &gt;&gt; /var/log/lsm
-
-exit 0
-
 #EOF</programlisting></para>
       </section>
     </section>

docs/configuration_file_basics.xml

@@ -174,7 +174,13 @@
 
         <listitem>
           <para><filename>/etc/shorewall/start</filename> - commands that you
-          wish to execute at the completion of a <quote>shorewall
+          wish to execute near the completion of a <quote>shorewall
+          start</quote> or <quote>shorewall restart</quote></para>
+        </listitem>
+
+        <listitem>
+          <para><filename>/etc/shorewall/started</filename> - commands that
+          you wish to execute after the completion of a <quote>shorewall
           start</quote> or <quote>shorewall restart</quote></para>
         </listitem>
 
@@ -836,8 +842,11 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
         <para>ZONE — The name of a zone declared in
         <filename>/etc/shorewall/zones</filename> or
         <filename>/etc/shorewall6/zones</filename>. This part is only
-        available in the rules file (<filename>/etc/shorewall/rules</filename>
+        available in the rules file
-        and <filename>/etc/shorewall6/rules</filename>).</para>
+        (<filename>/etc/shorewall/rules</filename>,
+        <filename>/etc/shorewall/blrules</filename>,<filename>
+        /etc/shorewall6/rules</filename> and
+        <filename>/etc/shorewall6/blrules</filename>).</para>
       </listitem>
 
       <listitem>
@@ -1985,7 +1994,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
     assumed to have the value '' (an empty string, which also evaluates to
     false).</para>
 
-    <para>The setting in <filename>/etc/shorewall/params</filename> by be
+    <para>The setting in <filename>/etc/shorewall/params</filename> may be
     overridden at runtime, provided the setting in
     <filename>/etc/shorewall/params</filename> is done like this:</para>
 
@@ -2894,7 +2903,7 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
       surprises, I recommend that you read the <ulink
       url="starting_and_stopping_shorewall.htm#Saved">Shorewall Operations
       documentation section about saved configurations</ulink> before creating
-      one.</para>
+      one.3</para>
     </warning>
   </section>
 </article>

docs/shorewall_extension_scripts.xml

@@ -457,10 +457,10 @@ cat -</programlisting>
 
           <listitem>
             <para>VARDIR - The product state directory. Defaults <filename
-            class="directory">/usr/share/shorewall</filename>, <filename
+            class="directory">/var/lib/shorewall</filename>, <filename
-            class="directory">/usr/share/shorewall6/</filename>, <filename
+            class="directory">/var/lib/shorewall6/</filename>, <filename
-            class="directory">/usr/share/shorewall-lite</filename>, or
+            class="directory">/var/lib/shorewall-lite</filename>, or
-            <filename class="directory">/usr/share/shorewall6-lite</filename>
+            <filename class="directory">/var/lib/shorewall6-lite</filename>
             depending on which product is running, but may be overridden by an
             entry in ${CONFDIR}/vardir.</para>
           </listitem>