Merge branch '4.6.8' of ssh://server.shorewall.net/home/teastep/shorewall/code into 4.6.8

Merge Tuomo Soini's fix for the .service files.

Shorewall-core/INSTALL

@@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 5
+Shoreline Firewall (Shorewall) Version 4
 -----         ----
 
 -----------------------------------------------------------------------------

Shorewall-core/configure

@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=4.6.12
+VERSION=4.5.2.1
 
 case "$BASH_VERSION" in
     [4-9].*)
@@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
+		vendor=debian
 		;;
 	    opensuse)
 		vendor=suse
@@ -130,7 +130,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian.sysvinit
+		rcfile=shorewallrc.debian
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat

Shorewall-core/configure.pl

@@ -31,7 +31,7 @@ use strict;
 # Build updates this
 #
 use constant {
-    VERSION => '4.6.12'
+    VERSION => '4.5.2.1'
 };
 
 my %params;
@@ -68,16 +68,14 @@ unless ( defined $vendor ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
-	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+	} elsif ( $id eq 'ubuntu' ) {
-	    my $init = `ls -l /sbin/init`;
+	    $vendor = 'debian';
-	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
 	} else {
 	    $vendor = $id;
 	}
     }
 
     $params{HOST} = $vendor;
-    $params{HOST} =~ s/\..*//;
 }
 
 if ( defined $vendor ) {
@@ -86,7 +84,7 @@ if ( defined $vendor ) {
 } else {
     if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian.sysvinit';
+	$rcfilename = 'shorewallrc.debian';
     } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -119,7 +117,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
     printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }
 
 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";

Shorewall-core/lib.base

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -75,24 +75,6 @@ elif [ -z "${VARDIR}" ]; then
     VARDIR="${VARLIB}/${PRODUCT}"
 fi
 
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
 #
 # Conditionally produce message
 #

Shorewall-core/lib.cli

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -42,6 +42,16 @@ fi
 
 . ${SHAREDIR}/shorewall/lib.base
 
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
 #
 # Issue an error message and die
 #
@@ -388,7 +398,7 @@ do_save() {
     status=0
 
     if [ -f ${VARDIR}/firewall ]; then
-	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+	if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod +x $g_restorepath
@@ -409,7 +419,10 @@ do_save() {
 	    resolve_arptables
 
 	    if [ -n "$arptables" ]; then
-		if ${arptables}-save > ${VARDIR}/restore-$$; then
+	        #
+	        # 'sed' command is a hack to work around broken arptables_jf
+	        #
+		if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
 		    if grep -q '^-A' ${VARDIR}/restore-$$; then
 			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
 		    else
@@ -454,7 +467,16 @@ do_save() {
 		esac
 
 		if [ -n "$IPSET" ]; then
-		    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
+		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
+			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
+			hack='| grep -v /31'
+		    else
+			hack=
+		    fi
+
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
 			#
 			# Don't save an 'empty' file
 			#
@@ -462,7 +484,7 @@ do_save() {
 		    fi
 		fi
 		;;
-	    [Nn]o|ipv4|ipv6)
+	    [Nn]o)
 		;;
 	    *)
 		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
@@ -969,6 +991,8 @@ show_command() {
 
     case "$1" in
 	connections)
+	    [ $# -gt 1 ] && usage 1
+
 	    if [ $g_family -eq 4 ]; then
 		if [ -d /proc/sys/net/netfilter/ ]; then
 		    local count
@@ -983,10 +1007,8 @@ show_command() {
 		echo
 
 		if qt mywhich conntrack ; then
-		    shift
+		    conntrack -f ipv${g_family} -L | show_connections_filter
-		    conntrack -f ipv4 -L $@ | show_connections_filter
 		else
-		    [ $# -gt 1 ] && usage 1
 		    if [ -f /proc/net/ip_conntrack ]; then
 			cat /proc/net/ip_conntrack | show_connections_filter
 		    else
@@ -994,12 +1016,10 @@ show_command() {
 		    fi
 	        fi
 	    elif qt mywhich conntrack ; then
-		shift
 		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
+		conntrack -f ipv6 -L | show_connections_filter
 	    else
-		[ $# -gt 1 ] && usage 1
 		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
@@ -1503,9 +1523,7 @@ do_dump_command() {
 	heading "Conntrack Table"
     fi
 
-    if qt mywhich conntrack; then
+    if [ $g_family -eq 4 ]; then
-	conntrack -f ipv${g_family} -L 2> /dev/null
-    elif [ $g_family -eq 4 ]; then
     	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
     else
 	grep '^ipv6' /proc/net/nf_conntrack
@@ -1665,7 +1683,7 @@ restore_command() {
 
     if [ -z "$STARTUP_ENABLED" ]; then
 	error_message "ERROR: Startup is disabled"
-	exit 6
+	exit 2
     fi
 
     g_restorepath=${VARDIR}/$RESTOREFILE
@@ -2457,7 +2475,6 @@ determine_capabilities() {
     local chain
     local chain1
     local arptables
-    local helper
 
     if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2759,44 +2776,21 @@ determine_capabilities() {
 	if qt $g_tool -t raw -A $chain -j CT --notrack; then
 	    CT_TARGET=Yes;
 
-	    for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
-		eval ${helper}_ENABLED=''
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
-	    done
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
-
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
-	    if [ -n "$HELPERS" ]; then
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
-		for helper in $(split_list "$HELPERS"); do
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
-		    case $helper in
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
-			none)
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
-			    ;;
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
-			amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
-			    eval ${helper}_ENABLED=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
-			    ;;
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
-			*)
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
-			    error_message "WARNING: Invalid helper ($helper) ignored"
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
-			    ;;
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
-		    esac
-		done
-	    else
-		for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
-		    eval ${helper}_ENABLED=Yes
-		done
-	    fi
-
-	    [ -n "$amanda_ENABLED" ]     && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
-	    [ -n "$ftp_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
-	    [ -n "$ftp0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
-	    [ -n "$h323_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
-	    [ -n "$irc_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
-	    [ -n "$irc0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
-	    [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
-	    [ -n "$pptp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
-	    [ -n "$sane_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
-	    [ -n "$sane0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
-	    [ -n "$sip_ENABLED" ]        && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
-	    [ -n "$sip0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
-	    [ -n "$snmp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
-	    [ -n "$tftp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
-	    [ -n "$tftp0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
 	fi
 
 	qt $g_tool -t raw -F $chain
@@ -3611,19 +3605,6 @@ get_config() {
 	IPSET=''
     fi
 
-    if [ -n "$WORKAROUNDS" ]; then
-	case $WORKAROUNDS in
-	    [Yy]es)
-	        ;;
-	    [Nn]o)
-		WORKAROUNDS=''
-		;;
-	    *)
-		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
-		;;
-	esac
-    fi
-
     TC=tc
 
     IP=$(mywhich ip 2> /dev/null)
@@ -3675,7 +3656,7 @@ start_command() {
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    logger -p kern.err "ERROR:$g_product start failed"
-	    rc=6
+	    rc=2
 	fi
 
 	[ -n "$g_nolock" ] || mutex_off
@@ -3744,7 +3725,7 @@ start_command() {
 }
 
 #
-# Reload/Restart Command Executor
+# Restart Command Executor
 #
 restart_command() {
     local finished
@@ -3803,12 +3784,12 @@ restart_command() {
     [ -n "$g_nolock" ] || mutex_on
 
     if [ -x ${VARDIR}/firewall ]; then
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+	run_it ${VARDIR}/firewall $g_debugging restart
 	rc=$?
     else
 	error_message "${VARDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:$g_product $COMMAND failed"
+	logger -p kern.err "ERROR:$g_product restart failed"
-	rc=6
+	rc=2
     fi
 
     [ -n "$g_nolock" ] || mutex_off
@@ -3823,12 +3804,6 @@ run_command() {
     fi
 }
 
-#
-# Echo the parameters if product is Shorewall or Shorewall6
-#
-ecko() {
-    [ -z "$g_lite" ] && echo "$@"
-}
 #
 # Give Usage Information
 #
@@ -3838,16 +3813,13 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
     echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
     echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
     echo "   drop <address> ..."
     echo "   dump [ -x ] [ -l ] [ -m ]"
     echo "   enable <interface>"
-    ecko "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
     echo "   forget [ <file name> ]"
     echo "   help"
 
@@ -3857,46 +3829,20 @@ usage() # $1 = exit status
 	echo "   iprange <address>-<address>"
     fi
 
-    if [ $g_family -eq 4 ]; then
-	echo "   iptrace <iptables match expression>"
-    else
-	echo "   iptrace <ip6tables match expression>"
-    fi
-
-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
-
-    if [ $g_family -eq 4 ]; then
-	echo "   noiptrace <iptables match expression>"
-    else
-	echo "   noiptrace <ip6tables match expression>"
-    fi
-
     echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
-    echo "   reenable <interface>"
-    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   reset [ <chain> ... ]"
-
+    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    if [ -n "$g_lite" ]; then
-	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    fi
-
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
     echo "   run <command> [ <parameter> ... ]"
-    ecko "   safe-restart [ -t <timeout> ] [ <directory> ]"
-    ecko "   safe-start [ -t <timeout> ] [ <directory> ]"
     echo "   save [ -C ] [ <file name> ]"
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    ecko "   [ show | list | ls ] actions"
-    echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
@@ -3912,8 +3858,6 @@ usage() # $1 = exit status
 
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
     echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
-    ecko "   [ show | list | ls ] macro <macro>"
-    ecko "   [ show | list | ls ] macros"
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
@@ -3921,17 +3865,9 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
-
+    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
-    if [ -n "$g_lite" ]; then
-	echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
-    else
-	echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    fi
-
-    echo "   status [ -i ]"
     echo "   stop"
-    ecko "   try <directory> [ <timeout> ]"
+    echo "   status [ -i ]"
-    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -3969,6 +3905,7 @@ shorewall_cli() {
     g_refreshchains=:none:
     g_confess=
     g_update=
+    g_convert=
     g_annotate=
     g_recovering=
     g_timestamp=
@@ -3977,10 +3914,11 @@ shorewall_cli() {
     g_conditional=
     g_file=
     g_doing="Compiling"
+    g_directives=
     g_inline=
+    g_tcrules=
     g_counters=
     g_loopback=
-    g_compiled=
 
     VERBOSE=
     VERBOSITY=1
@@ -4159,12 +4097,12 @@ shorewall_cli() {
 	    run_it $g_firewall $g_debugging reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
-	reload|restart)
+	restart)
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
-	disable|enable|reenable)
+	disable|enable)
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -4276,29 +4214,10 @@ shorewall_cli() {
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
-	    # Way to call functions in the libraries directly
+	    # Undocumented way to call functions in the libraries directly
 	    #
 	    shift
-
+	    $@
-	    if [ $# -gt 0 ]; then
-		#
-		# First look for it here
-		#
-		if type $1 2> /dev/null | fgrep -q 'is a function'; then
-		    #
-		    # It's a shell function -- call it
-		    #
-		    $@
-		else
-		    #
-		    # It isn't a function visible to this script -- try
-		    # the compiled firewall
-		    #
-		    run_it $g_firewall $g_debugging call $@
-		fi
-	    else
-		usage 1
-	    fi
 	    ;;
 	help)
 	    shift

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -71,35 +71,99 @@ startup_error() # $* = Error Message
 }
 
 #
-# Create the required option string and run the passed script using
+# Get the Shorewall version of the passed script
+#
+get_script_version() { # $1 = script
+    local temp
+    local version
+    local ifs
+    local digits
+    local verbosity
+
+    verbosity="$VERBOSITY"
+    VERBOSITY=0
+
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
+
+    if [ -z "$temp" ]; then
+	version=0
+    else
+	ifs=$IFS
+	IFS=.
+	temp=$(echo $temp)
+	IFS=$ifs
+	digits=0
+
+	for temp in $temp; do
+	    version=${version}$(printf '%02d' $temp)
+	    digits=$(($digits + 1))
+	    [ $digits -eq 3 ] && break
+	done
+    fi
+
+    echo $version
+
+    VERBOSITY="$verbosity"
+}
+
+#
+# Do required exports or create the required option string and run the passed script using
 # $SHOREWALL_SHELL
 #
 run_it() {
     local script
     local options
+    local version
 
     export VARDIR
 
     script=$1
     shift
 
-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
+    version=$(get_script_version $script)
-	options="$1 -"
+
-	shift;
+    if [ $version -lt 040408 ]; then
+	#
+	# Old script that doesn't understand 4.4.8 script options
+	#
+	export RESTOREFILE
+	export VERBOSITY
+	export NOROUTES=$g_noroutes
+	export PURGE=$g_purge
+	export TIMESTAMP=$g_timestamp
+	export RECOVERING=$g_recovering
+
+	case "$g_program" in
+	    *-lite)
+		#
+		# Shorewall Lite
+		#
+		export LOGFORMAT
+		export IPTABLES
+		;;
+	esac
     else
-	options='-'
+	#
+	# 4.4.8 or later -- no additional exports required
+	#
+	if [ x$1 = xtrace -o x$1 = xdebug ]; then
+	    options="$1 -"
+	    shift;
+	else
+	    options='-'
+	fi
+
+	[ -n "$g_noroutes" ]   && options=${options}n
+	[ -n "$g_timestamp" ]  && options=${options}t
+	[ -n "$g_purge" ]      && options=${options}p
+	[ -n "$g_recovering" ] && options=${options}r
+	[ -n "$g_counters" ]   && options=${options}c
+
+	options="${options}V $VERBOSITY"
+
+	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
     fi
 
-    [ -n "$g_noroutes" ]   && options=${options}n
-    [ -n "$g_timestamp" ]  && options=${options}t
-    [ -n "$g_purge" ]      && options=${options}p
-    [ -n "$g_recovering" ] && options=${options}r
-    [ -n "$g_counters" ]   && options=${options}c
-
-    options="${options}V $VERBOSITY"
-
-    [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
-
     $SHOREWALL_SHELL $script $options $@
 }
 
@@ -147,17 +211,6 @@ split() {
     IFS=$ifs
 }
 
-#
-# Split a comma-separated list into a space-separated list
-#
-split_list() {
-    local ifs
-    ifs=$IFS
-    IFS=,
-    echo $*
-    IFS=$ifs
-}
-
 #
 # Search a list looking for a match -- returns zero if a match found
 # 1 otherwise
@@ -499,9 +552,9 @@ in_network() # $1 = IP address, $2 = CIDR network
 #
 # Query NetFilter about the existence of a filter chain
 #
-chain_exists() # $1 = chain name, $2 = table name (optional)
+chain_exists() # $1 = chain name
 {
-    qt1 $g_tool -t ${2:-filter} -L $1 -n
+    qt1 $g_tool -L $1 -n
 }
 
 #

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 4.5 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 4.5 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 4.5 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian

@@ -15,9 +15,9 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.debian.systemd

@@ -1,23 +0,0 @@
-#
-# Debian Shorewall 4.5 rc file
-#
-BUILD=					#Default is to detect the build system
-HOST=debian
-PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
-CONFDIR=/etc				#Directory where subsystem configurations are installed
-SBINDIR=/sbin				#Directory where system administration programs are installed
-MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
-INITDIR=				#Directory where SysV init scripts are installed.
-INITFILE=				#Name of the product's installed SysV init script
-INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
-SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
-SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib				#Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 4.5 rc file
 #
 HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 4.5 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 4.5 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall-init/init.debian.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -74,9 +74,7 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
-    else
-	return 0
     fi
 }
 
@@ -105,17 +103,21 @@ shorewall_start () {
   echo -n "Initializing \"Shorewall-based firewalls\": "
 
   for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x ${STATEDIR}/firewall ]; then
+
-              #
+      if [ -x ${STATEDIR}/firewall ]; then
-	      # Run in a sub-shell to avoid name collisions
+          #
-	      #
+	  # Run in a sub-shell to avoid name collisions
-	      (
+	  #
-		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+	  ( 
-		      ${STATEDIR}/firewall ${OPTIONS} stop
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  fi
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
-	      )
+	      else
-	  fi
+		  echo_notdone
+	      fi
+	  )
+      else
+	  echo_notdone
       fi
   done
 
@@ -142,10 +144,10 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x ${STATEDIR}/firewall ]; then
+
-	      ${STATEDIR}/firewall ${OPTIONS} clear
+      if [ -x ${STATEDIR}/firewall ]; then
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
       fi
   done
 

Shorewall-init/init.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -69,10 +69,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ ! -x $STATEDIR/firewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-    else
+	    ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
-	return 0
+	fi
     fi
 }
 
@@ -83,11 +83,11 @@ shorewall_start () {
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x ${STATEDIR}/firewall ]; then
+
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+      if [ -x ${STATEDIR}/firewall ]; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      fi
+	      ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	  fi
       fi
   done
@@ -106,10 +106,10 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x ${STATEDIR}/firewall ]; then
+
-	      ${STATEDIR}/firewall ${OPTIONS} clear
+      if [ -x ${STATEDIR}/firewall ]; then
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-init/init.suse.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -38,7 +38,7 @@
 # 0 - success
 # 1 - generic or unspecified error
 # 2 - invalid or excess argument(s)
-# 3 - unimplemented feature
+# 3 - unimplemented feature (e.g. "reload")
 # 4 - insufficient privilege
 # 5 - program is not installed
 # 6 - program is not configured
@@ -80,9 +80,7 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
-    else
-	return 0
     fi
 }
 
@@ -93,12 +91,14 @@ shorewall_start () {
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x $STATEDIR/firewall ]; then
+
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+      if [ -x $STATEDIR/firewall ]; then
-		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      fi
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
 	  fi
+      else
+	  exit 6
       fi
   done
 
@@ -114,10 +114,12 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x ${STATEDIR}/firewall ]; then
+
-	      ${STATEDIR}/firewall ${OPTIONS} clear
+      if [ -x ${STATEDIR}/firewall ]; then
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit
+      else
+	  exit 6
       fi
   done
 

Shorewall-init/shorewall-init

@@ -1,19 +1,18 @@
-#!/bin/bash
+#! /bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	On most distributions, this file should be called
+#       On most distributions, this file should be called /etc/init.d/shorewall.
-#	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-#	This program is part of Shorewall.
+#       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by
+#	it under the terms of the GNU General Public License as published by the
-#	the Free Software Foundation, either version 2 of the license or,
+#       Free Software Foundation, either version 2 of the license or, at your
-#	at your option, any later version.
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -23,7 +22,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-###############################################################################
+#########################################################################################
 # set the STATEDIR variable
 setstatedir() {
     local statedir
@@ -34,9 +33,7 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
-    else
-	return 0
     fi
 }
 
@@ -49,7 +46,7 @@ setstatedir() {
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
     . $SYSCONFDIR/shorewall-init
     if [ -z "$PRODUCTS" ]; then
-	echo "ERROR: No products configured" >&2
+        echo "ERROR: No products configured" >&2
 	exit 1
     fi
 else
@@ -59,66 +56,71 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-    local PRODUCT
+  local PRODUCT
-    local STATEDIR
+  local STATEDIR
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
+      setstatedir
-	    if [ -x ${STATEDIR}/firewall ]; then
-		#
-		# Run in a sub-shell to avoid name collisions
-		#
-		(
-		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-			${STATEDIR}/firewall ${OPTIONS} stop
-		    fi
-		)
-	    fi
-	fi
-    done
 
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	ipset -R < "$SAVE_IPSETS"
+          #
-    fi
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+	      else
+		  exit 1
+	      fi
+	  )
+      else
+          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
+	  exit 1
+      fi
+  done
 
-    return 0
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
 }
 
 # Clear the firewall
 shorewall_stop () {
-    local PRODUCT
+  local PRODUCT
-    local STATEDIR
+  local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
+      setstatedir
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
-	fi
-    done
 
-    if [ -n "$SAVE_IPSETS" ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	mkdir -p $(dirname "$SAVE_IPSETS")
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
-	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+      fi
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+  done
-	fi
-    fi
 
-    return 0
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
 }
 
 case "$1" in
-    start)
+  start)
-	shorewall_start
+     shorewall_start
-	;;
+     ;;
-    stop)
+  stop)
-	shorewall_stop
+     shorewall_stop
-	;;
+     ;;
-    *)
+  *)
-	echo "Usage: $0 {start|stop}"
+     echo "Usage: $0 {start|stop}"
-	exit 1
+     exit 1
 esac
 
 exit 0

Shorewall-init/shorewall-init.service

@@ -4,8 +4,10 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall firewall (bootup security)
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network.target
+Wants=network.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot
@@ -16,4 +18,4 @@ ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 
 [Install]
-WantedBy=network-pre.target
+WantedBy=basic.target

Shorewall-init/shorewall-init.service.214

@@ -4,9 +4,10 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall firewall (bootup security)
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot

Shorewall-init/shorewall-init.service.214.debian

@@ -1,17 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop

Shorewall-init/shorewall-init.service.debian

@@ -1,19 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target

Shorewall-lite/configpath

@@ -1,5 +1,5 @@
 #
-# Shorewall Lite version 5 - Default Config Path
+# Shorewall Lite version 4.1 - Default Config Path
 #
 # /usr/share/shorewall-lite/configpath
 #

Shorewall-lite/manpages/shorewall-lite.xml

@@ -47,19 +47,6 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>allow</option></arg>
-
-      <arg choice="plain"><replaceable>address</replaceable></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -302,20 +289,6 @@
       </arg> </arg></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -329,21 +302,6 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reload</option></arg>
-
-      <arg><option>-n</option></arg>
-
-      <arg><option>-p</option><arg><option>-C</option></arg></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -368,6 +326,8 @@
       <arg><option>-n</option></arg>
 
       <arg><option>-p</option><arg><option>-C</option></arg></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -653,10 +613,7 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
+        <term><emphasis role="bold">add</emphasis></term>
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -681,8 +638,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">allow
+        <term><emphasis role="bold">allow</emphasis></term>
-        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Re-enables receipt of packets from hosts previously
@@ -694,25 +650,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <term><emphasis role="bold">clear</emphasis></term>
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename> and
-          <filename>lib.cli</filename>. If it is not found, the call command
-          is passed to the generated script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">clear
-        </emphasis>[-<option>f</option>]</term>
 
         <listitem>
           <para>Clear will remove all rules and chains installed by
@@ -723,7 +661,6 @@
           <para>If <option>-f</option> is given, the command will be processed
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
-          role="bold">reload</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
           role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
@@ -751,10 +688,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
+        <term><emphasis role="bold">delete</emphasis></term>
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
 
         <listitem>
           <para>The delete command reverses the effect of an earlier <emphasis
@@ -769,9 +703,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
+        <term><emphasis role="bold">disable</emphasis></term>
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -783,8 +715,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">drop
+        <term><emphasis role="bold">drop</emphasis></term>
-        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -793,9 +724,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
+        <term><emphasis role="bold">dump</emphasis></term>
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
 
         <listitem>
           <para>Produces a verbose report about the firewall configuration for
@@ -816,9 +745,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
+        <term><emphasis role="bold">enable</emphasis></term>
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -830,8 +757,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
+        <term><emphasis role="bold">forget</emphasis></term>
-        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
@@ -852,8 +778,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">hits </emphasis>
+        <term><emphasis role="bold">hits</emphasis></term>
-        [-<option>t</option>]</term>
 
         <listitem>
           <para>Generates several reports from Shorewall-lite log messages in
@@ -863,8 +788,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
+        <term><emphasis role="bold">ipcalc</emphasis></term>
-        address/vlsm }</term>
 
         <listitem>
           <para>Ipcalc displays the network address, broadcast address,
@@ -874,8 +798,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">iprange
+        <term><emphasis role="bold">iprange</emphasis></term>
-        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
 
         <listitem>
           <para>Iprange decomposes the specified range of IP addresses into
@@ -884,8 +807,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
+        <term><emphasis role="bold">iptrace</emphasis></term>
-        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that causes iptables
@@ -904,17 +826,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">logdrop
-        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -925,8 +837,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        <term><emphasis role="bold">logwatch</emphasis></term>
-        [<replaceable>refresh-interval</replaceable>]</term>
 
         <listitem>
           <para>Monitors the log file specified by the LOGFILE option in
@@ -945,8 +856,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">logreject
+        <term><emphasis role="bold">logreject</emphasis></term>
-        </emphasis><replaceable>address</replaceable></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -957,17 +867,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
-        match expression</replaceable></term>
 
         <listitem>
           <para>This is a low-level debugging command that cancels a trace
@@ -1019,39 +919,21 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
+        <term><emphasis role="bold">reset</emphasis></term>
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
 
         <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
+          <para>All the packet and byte counters in the firewall are
-          <command>disable</command> command followed by an
+          reset.</para>
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
+        <term><emphasis role="bold">restart</emphasis></term>
-        address</replaceable></term>
 
         <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          to be silently rejected.</para>
+          start</emphasis> except that it assumes that the firewall is already
-        </listitem>
+          started. Existing connections are maintained.</para>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reload </emphasis>[-n] [-p]
-        [-<option>C</option>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.0, <emphasis
-          role="bold">reload</emphasis> is similar to <emphasis
-          role="bold">shorewall-lite start</emphasis> except that it assumes
-          that the firewall is already started. Existing connections are
-          maintained.</para>
 
           <para>The <option>-n</option> option causes Shorewall-lite to avoid
           updating the routing table(s).</para>
@@ -1069,46 +951,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
+        <term><emphasis role="bold">restore</emphasis></term>
-        ...]</emphasis><acronym/></term>
-
-        <listitem>
-          <para>Resets the packet and byte counters in the specified
-          <replaceable>chain</replaceable>(s). If no
-          <replaceable>chain</replaceable> is specified, all the packet and
-          byte counters in the firewall are reset.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
-        [-<option>C</option>]</term>
-
-        <listitem>
-          <para>Beginning with Shorewall 5.0.0, this command performs a true
-          restart. The firewall is completely stopped as if a
-          <command>stop</command> command had been issued then it is started
-          again.</para>
-
-          <para>The <option>-n</option> option causes Shorewall-lite to avoid
-          updating the routing table(s).</para>
-
-          <para>The <option>-p</option> option causes the connection tracking
-          table to be flushed; the <command>conntrack</command> utility must
-          be installed to use this option.</para>
-
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
-          If the specified (or implicit) firewall script is the one that
-          generated the current running configuration, then the running
-          netfilter configuration will be reloaded as is so as to preserve the
-          iptables packet and byte counters.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -1128,14 +971,6 @@
             different from the current values.</para>
           </caution>
 
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
-
-          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
-          causes the connection tracking table to be flushed; the
-          <command>conntrack</command> utility must be installed to use this
-          option.</para>
-
           <para>The <option>-C</option> option was added in Shorewall 4.6.5.
           If the <option>-C</option> option was specified during <emphasis
           role="bold">shorewall save</emphasis>, then the counters saved by
@@ -1144,9 +979,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">run
+        <term><emphasis role="bold">run</emphasis></term>
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.6.3. Executes
@@ -1163,8 +996,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
+        <term><emphasis role="bold">save</emphasis></term>
-        <replaceable>filename</replaceable> ]</term>
 
         <listitem>
           <para>The dynamic blacklist is stored in
@@ -1204,8 +1036,7 @@
 
           <variablelist>
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-              </emphasis>[-<option>x</option>]</term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1218,8 +1049,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[-<option>f</option>] <emphasis
+              <term><emphasis role="bold">capabilities</emphasis></term>
-              role="bold">capabilities</emphasis></term>
 
               <listitem>
                 <para>Displays your kernel/iptables capabilities. The
@@ -1230,10 +1060,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              [-<option>l</option>] [-<option>t</option>
+              ]</term>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
-              [ <emphasis>chain</emphasis>... ]</term>
 
               <listitem>
                 <para>The rules in each <emphasis>chain</emphasis> are
@@ -1286,19 +1114,11 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">connections
+              <term><emphasis role="bold">connections</emphasis></term>
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
 
               <listitem>
                 <para>Displays the IP connections currently being tracked by
                 the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
               </listitem>
             </varlistentry>
 
@@ -1340,8 +1160,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[-<option>m</option>] <emphasis
+              <term><emphasis role="bold">log</emphasis></term>
-              role="bold">log</emphasis></term>
 
               <listitem>
                 <para>Displays the last 20 Shorewall-lite messages from the
@@ -1353,20 +1172,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to iptables and causes actual packet and byte
-                counts to be displayed. Without this option, those counts are
-                abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">marks</emphasis></term>
 
@@ -1457,9 +1262,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
+        <term><emphasis role="bold">start</emphasis></term>
-        [-<option>n</option>] [<option>-f</option>]
-        [-<option>C</option>]</term>
 
         <listitem>
           <para>Start Shorewall Lite. Existing connections through
@@ -1471,7 +1274,7 @@
           table to be flushed; the <command>conntrack</command> utility must
           be installed to use this option.</para>
 
-          <para>The <option>-n</option> option prevents the firewall script
+          <para>The <option>-m</option> option prevents the firewall script
           from modifying the current routing configuration.</para>
 
           <para>The <option>-f</option> option was added in Shorewall 4.6.5.

Shorewall-lite/shorewall-lite.conf

@@ -1,5 +1,5 @@
 ###############################################################################
-#  /etc/shorewall-lite/shorewall-lite.conf Version 5 - Change the following
+#  /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.

Shorewall-lite/shorewall-lite.service.debian

@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
-
-[Install]
-WantedBy=basic.target

Shorewall/INSTALL

@@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 5
+Shoreline Firewall (Shorewall) Version 4
 -----         ----
 
 -----------------------------------------------------------------------------

Shorewall/Macros/macro.AMQP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - AMQP Macro
+# Shorewall version 4 - AMQP Macro
 #
 # /usr/share/shorewall/macro.AMQP
 #

Shorewall/Macros/macro.A_AllowICMPs

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Audited AllowICMPs Macro
+# Shorewall version 4 - Audited AllowICMPs Macro
 #
 # /usr/share/shorewall/macro.A_AllowICMPs
 #

Shorewall/Macros/macro.A_DropDNSrep

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Audited DropDNSrep Macro
+# Shorewall version 4 - Audited DropDNSrep Macro
 #
 # /usr/share/shorewall/macro.A_DropDNSrep
 #

Shorewall/Macros/macro.A_DropUPnP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - ADropUPnP Macro
+# Shorewall version 4 - ADropUPnP Macro
 #
 # /usr/share/shorewall/macro.A_DropUPnP
 #

Shorewall/Macros/macro.ActiveDir

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Samba 4 Macro
+# Shorewall version 4 - Samba 4 Macro
 #
 # /usr/share/shorewall/macro.ActiveDir
 #

Shorewall/Macros/macro.AllowICMPs

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - AllowICMPs Macro
+# Shorewall version 4 - AllowICMPs Macro
 #
 # /usr/share/shorewall/macro.AllowICMPs
 #

Shorewall/Macros/macro.Amanda

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Amanda Macro
+# Shorewall version 4 - Amanda Macro
 #
 # /usr/share/shorewall/macro.Amanda
 #

Shorewall/Macros/macro.Auth

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Auth Macro
+# Shorewall version 4 - Auth Macro
 #
 # /usr/share/shorewall/macro.Auth
 #

Shorewall/Macros/macro.BGP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - BGP Macro
+# Shorewall version 4 - BGP Macro
 #
 # /usr/share/shorewall/macro.BGP
 #

Shorewall/Macros/macro.BLACKLIST

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - blacklist Macro
+# Shorewall version 4 - blacklist Macro
 #
 # /usr/share/shorewall/macro.blacklist
 #

Shorewall/Macros/macro.BitTorrent

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - BitTorrent Macro
+# Shorewall version 4 - BitTorrent Macro
 #
 # /usr/share/shorewall/macro.BitTorrent
 #

Shorewall/Macros/macro.BitTorrent32

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - BitTorrent 3.2 Macro
+# Shorewall version 4 - BitTorrent 3.2 Macro
 #
 # /usr/share/shorewall/macro.BitTorrent32
 #

Shorewall/Macros/macro.CVS

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - CVS Macro
+# Shorewall version 4 - CVS Macro
 #
 # /usr/share/shorewall/macro.CVS
 #

Shorewall/Macros/macro.Citrix

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Citrix/ICA Macro
+# Shorewall version 4 - Citrix/ICA Macro
 #
 # /usr/share/shorewall/macro.Citrix
 #

Shorewall/Macros/macro.DAAP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - DAAP Macro
+# Shorewall version 4 - DAAP Macro
 #
 # /usr/share/shorewall/macro.DAAP
 #

Shorewall/Macros/macro.DCC

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - DCC Macro
+# Shorewall version 4 - DCC Macro
 #
 # /usr/share/shorewall/macro.DCC
 #

Shorewall/Macros/macro.DHCPfwd

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - DHCPfwd Macro
+# Shorewall version 4 - DHCPfwd Macro
 #
 # /usr/share/shorewall/macro.DHCPfwd
 #

Shorewall/Macros/macro.DNS

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - DNS Macro
+# Shorewall version 4 - DNS Macro
 #
 # /usr/share/shorewall/macro.DNS
 #

Shorewall/Macros/macro.Distcc

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Distcc Macro
+# Shorewall version 4 - Distcc Macro
 #
 # /usr/share/shorewall/macro.Distcc
 #

Shorewall/Macros/macro.Drop

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Drop Macro
+# Shorewall version 4 - Drop Macro
 #
 # /usr/share/shorewall/macro.Drop
 #

Shorewall/Macros/macro.DropDNSrep

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - DropDNSrep Macro
+# Shorewall version 4 - DropDNSrep Macro
 #
 # /usr/share/shorewall/macro.DropDNSrep
 #

Shorewall/Macros/macro.DropUPnP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - DropUPnP Macro
+# Shorewall version 4 - DropUPnP Macro
 #
 # /usr/share/shorewall/macro.DropUPnP
 #

Shorewall/Macros/macro.Edonkey

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Edonkey Macro
+# Shorewall version 4 - Edonkey Macro
 #
 # /usr/share/shorewall/macro.Edonkey
 #

Shorewall/Macros/macro.FTP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - FTP Macro
+# Shorewall version 4 - FTP Macro
 #
 # /usr/share/shorewall/macro.FTP
 #

Shorewall/Macros/macro.Finger

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Finger Macro
+# Shorewall version 4 - Finger Macro
 #
 # /usr/share/shorewall/macro.Finger
 #

Shorewall/Macros/macro.GNUnet

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - GNUnet Macro
+# Shorewall version 4 - GNUnet Macro
 #
 # /usr/share/shorewall/macro.GNUnet
 #

Shorewall/Macros/macro.GRE

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - GRE Macro
+# Shorewall version 4 - GRE Macro
 #
 # /usr/share/shorewall/macro.GRE
 #

Shorewall/Macros/macro.Git

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Git Macro
+# Shorewall version 4 - Git Macro
 #
 # /usr/share/shorewall/macro.Git
 #

Shorewall/Macros/macro.Gnutella

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Gnutella Macro
+# Shorewall version 4 - Gnutella Macro
 #
 # /usr/share/shorewall/macro.Gnutella
 #

Shorewall/Macros/macro.Goto-Meeting

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Citrix/Goto Meeting macro
+# Shorewall version 4 - Citrix/Goto Meeting macro
 #
 # /usr/share/shorewall/macro.Goto-Meeting
 #          by Eric Teeter

Shorewall/Macros/macro.HKP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - HKP Macro
+# Shorewall version 4 - HKP Macro
 #
 # /usr/share/shorewall/macro.HKP
 #

Shorewall/Macros/macro.HTTP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - HTTP Macro
+# Shorewall version 4 - HTTP Macro
 #
 # /usr/share/shorewall/macro.HTTP
 #

Shorewall/Macros/macro.HTTPS

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - HTTPS Macro
+# Shorewall version 4 - HTTPS Macro
 #
 # /usr/share/shorewall/macro.HTTPS
 #

Shorewall/Macros/macro.ICPV2

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - ICPV2 Macro
+# Shorewall version 4 - ICPV2 Macro
 #
 # /usr/share/shorewall/macro.ICPV2
 #

Shorewall/Macros/macro.ICQ

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - ICQ Macro
+# Shorewall version 4 - ICQ Macro
 #
 # /usr/share/shorewall/macro.ICQ
 #

Shorewall/Macros/macro.ILO

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - ILO Macro
+# Shorewall version 4 - ILO Macro
 #
 # /usr/share/shorewall/macro.ILO
 #

Shorewall/Macros/macro.IMAP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IMAP Macro
+# Shorewall version 4 - IMAP Macro
 #
 # /usr/share/shorewall/macro.IMAP
 #

Shorewall/Macros/macro.IMAPS

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IMAPS Macro
+# Shorewall version 4 - IMAPS Macro
 #
 # /usr/share/shorewall/macro.IMAPS
 #

Shorewall/Macros/macro.IPIP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IPIP Macro
+# Shorewall version 4 - IPIP Macro
 #
 # /usr/share/shorewall/macro.IPIP
 #

Shorewall/Macros/macro.IPMI

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IPMI Macro
+# Shorewall version 4 - IPMI Macro
 #
 # /usr/share/shorewall/macro.IPMI
 #

Shorewall/Macros/macro.IPPbrd

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IPP Broadcast Macro
+# Shorewall version 4 - IPP Broadcast Macro
 #
 # /usr/share/shorewall/macro.IPPbrd
 #

Shorewall/Macros/macro.IPPserver

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IPPserver Macro
+# Shorewall version 4 - IPPserver Macro
 #
 # /usr/share/shorewall/macro.IPPserver
 #

Shorewall/Macros/macro.IPsec

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IPsec Macro
+# Shorewall version 4 - IPsec Macro
 #
 # /usr/share/shorewall/macro.IPsec
 #

Shorewall/Macros/macro.IPsecah

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IPsecah Macro
+# Shorewall version 4 - IPsecah Macro
 #
 # /usr/share/shorewall/macro.IPsecah
 #

Shorewall/Macros/macro.IPsecnat

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - IPsecnat Macro
+# Shorewall version 4 - IPsecnat Macro
 #
 # /usr/share/shorewall/macro.IPsecnat
 #

Shorewall/Macros/macro.IRC

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 IRC Macro
+# Shorewall version 4 IRC Macro
 #
 # /usr/share/shorewall/macro.IRC
 #

Shorewall/Macros/macro.JAP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - JAP Macro
+# Shorewall version 4 - JAP Macro
 #
 # /usr/share/shorewall/macro.JAP
 #

Shorewall/Macros/macro.Jabber

@@ -1,13 +0,0 @@
-#
-# Shorewall version 5 - Jabber Macro
-#
-# /usr/share/shorewall/macro.Jabber
-#
-#	This macro accepts Jabber traffic.
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	5222

Shorewall/Macros/macro.JabberPlain

@@ -1,14 +1,13 @@
 #
-# Shorewall version 5 - JabberPlain Macro
+# Shorewall version 3.4 - JabberPlain Macro
 #
 # /usr/share/shorewall/macro.JabberPlain
 #
-#	This macro accepts Jabber traffic (plaintext). This macro is
+#	This macro accepts Jabber traffic (plaintext).
-#	deprecated - use of macro.Jabber instead is recommended.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-Jabber
+PARAM	-	-	tcp	5222

Shorewall/Macros/macro.JabberSecure

@@ -1,11 +1,9 @@
 #
-# Shorewall version 5 - JabberSecure (SSL) Macro
+# Shorewall version 3.4 - JabberSecure (ssl) Macro
 #
 # /usr/share/shorewall/macro.JabberSecure
 #
-#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
+#	This macro accepts Jabber traffic (ssl).
-#	is deprecated, please configure Jabber with STARTTLS and use
-#	Jabber macro instead.
 #
 ###############################################################################
 ?FORMAT 2

Shorewall/Macros/macro.Kerberos

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Kerberos Macro
+# Shorewall version 4 - Kerberos Macro
 #
 # /usr/share/shorewall/macro.Kerberos
 #

Shorewall/Macros/macro.L2TP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - L2TP Macro
+# Shorewall version 4 - L2TP Macro
 #
 # /usr/share/shorewall/macro.L2TP
 #

Shorewall/Macros/macro.LDAP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - LDAP Macro
+# Shorewall version 4 - LDAP Macro
 #
 # /usr/share/shorewall/macro.LDAP
 #

Shorewall/Macros/macro.LDAPS

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - LDAPS Macro
+# Shorewall version 4 - LDAPS Macro
 #
 # /usr/share/shorewall/macro.LDAPS
 #

Shorewall/Macros/macro.MSNP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - MSNP Macro
+# Shorewall version 4 - MSNP Macro
 #
 # /usr/share/shorewall/macro.MSNP
 #

Shorewall/Macros/macro.MSSQL

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - MSSQL Macro
+# Shorewall version 4 - MSSQL Macro
 #
 # /usr/share/shorewall/macro.MSSQL
 #

Shorewall/Macros/macro.Mail

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Mail Macro
+# Shorewall version 4 - Mail Macro
 #
 # /usr/share/shorewall/macro.Mail
 #

Shorewall/Macros/macro.MongoDB

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - MongoDB Macro
+# Shorewall version 4 - MongoDB Macro
 #
 # /usr/share/shorewall/macro.MongoDB
 #

Shorewall/Macros/macro.Munin

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Munin Macro
+# Shorewall version 4 - Munin Macro
 #
 # /usr/share/shorewall/macro.Munin
 #

Shorewall/Macros/macro.MySQL

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - MySQL Macro
+# Shorewall version 4 - MySQL Macro
 #
 # /usr/share/shorewall/macro.MySQL
 #

Shorewall/Macros/macro.NNTP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 NNTP Macro
+# Shorewall version 4 NNTP Macro
 #
 # /usr/share/shorewall/macro.NNTP
 #

Shorewall/Macros/macro.NNTPS

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 NNTPS Macro
+# Shorewall version 4 NNTPS Macro
 #
 # /usr/share/shorewall/macro.NNTPS
 #

Shorewall/Macros/macro.NTP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - NTP Macro
+# Shorewall version 4 - NTP Macro
 #
 # /usr/share/shorewall/macro.NTP
 #

Shorewall/Macros/macro.NTPbi

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - NTPbi Macro
+# Shorewall version 4 - NTPbi Macro
 #
 # /usr/share/shorewall/macro.NTPbi
 #

Shorewall/Macros/macro.NTPbrd

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - NTPbrd Macro
+# Shorewall version 4 - NTPbrd Macro
 #
 # /usr/share/shorewall/macro.NTPbrd
 #

Shorewall/Macros/macro.OSPF

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - OSPF Macro
+# Shorewall version 4 - OSPF Macro
 #
 # /usr/share/shorewall/macro.OSPF
 #

Shorewall/Macros/macro.OpenVPN

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - OpenVPN Macro
+# Shorewall version 4 - OpenVPN Macro
 #
 # /usr/share/shorewall/macro.OpenVPN Macro
 #

Shorewall/Macros/macro.PCA

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - PCA Macro
+# Shorewall version 4 - PCA Macro
 #
 # /usr/share/shorewall/macro.PCA
 #

Shorewall/Macros/macro.POP3

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - POP3 Macro
+# Shorewall version 4 - POP3 Macro
 #
 # /usr/share/shorewall/macro.POP3
 #

Shorewall/Macros/macro.POP3S

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - POP3S Macro
+# Shorewall version 4 - POP3S Macro
 #
 # /usr/share/shorewall/macro.POP3S
 #

Shorewall/Macros/macro.PPtP

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - PPTP Macro
+# Shorewall version 4 - PPTP Macro
 #
 # /usr/share/shorewall/macro.PPtP Macro
 #

Shorewall/Macros/macro.Ping

@@ -1,5 +1,5 @@
 #
-# Shorewall version 5 - Ping Macro
+# Shorewall version 4 - Ping Macro
 #
 # /usr/share/shorewall/macro.Ping
 #