Add a handle back to the flow classifier

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -191,6 +191,8 @@ setup_logread() {
 	else
 	    g_logread="logread"
 	fi
+    elif [ "$LOGFILE" = "systemd" ]; then
+	g_logread="journalctl -r"
     elif [ -r $LOGFILE ]; then
 	if qt mywhich tac; then
 	    g_logread="tac $LOGFILE"

Shorewall-init/init.debian.sh

@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network

Shorewall-lite/init.debian.sh

@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -92,10 +92,11 @@ shorewall_start () {
 
 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall/Perl/Shorewall/Chains.pm

@@ -1337,7 +1337,14 @@ sub push_rule( $$ ) {
     push @{$chainref->{rules}}, $ruleref;
     $chainref->{referenced} = 1;
     $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
+
+    if ( $debug ) {
+	if ( $ruleref->{comment} ) {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
+	} else {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
+	}
+    }
 
     $chainref->{complete} = 1 if $complete;
 
@@ -4012,7 +4019,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;
 
-	if ( $baseref->{mode} == CAT_MODE ) {
+	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;

Shorewall/Perl/Shorewall/Config.pm

@@ -577,6 +577,7 @@ our $max_format;             # Max format value
 our $comment;                # Current COMMENT
 our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
+our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
@@ -731,6 +732,7 @@ sub initialize( $;$$) {
     # Contents of last COMMENT line.
     #
     $comment       = '';
+    $sr_comment    = '';
     $warningcount  = 0;
     #
     # Misc Globals
@@ -2156,6 +2158,47 @@ sub split_list3( $$ ) {
     @list2;
 }
 
+#
+# This version spits a list on white-space with optional leading comma. It prevents double-quoted
+# strings from being split.
+#
+sub split_list4( $ ) {
+    my ($list ) = @_;
+    my @list1 = split( /,?\s+/, $list );
+    my @list2;
+    my $element   = '';
+    my $opencount = 0;
+
+    return @list1 unless $list =~ /"/;
+
+    @list1 = split( /(,?\s+)/, $list );
+
+    for ( my $i = 0; $i < @list1; $i += 2 ) {
+	my $e = $list1[$i];
+
+	if ( $e =~ /[^\\]"/ ) {
+	    if ( $e =~ /[^\\]".*[^\\]"/ ) {
+		fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
+		push @list2, $e;
+	    } elsif ( $element ne '' ) {
+		fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
+		push @list2, join( $list1[$i - 1], $element, $e );
+		$element = '';
+	    } else {
+		$element = $e;
+	    }
+	} elsif ( $element ne '' ) {
+	    $element = join( $list1[$i - 1], $element, $e );
+	} else {
+	    push @list2, $e;
+	}
+    }
+
+    fatal_error "Mismatched_quotes ($list)" if $element ne '';
+
+    @list2;
+}
+
 #
 # Splits the columns of a config file record
 #
@@ -2225,6 +2268,8 @@ sub passed( $ ) {
     defined $val && $val ne '' && $val ne '-';
 }
 
+sub clear_comment();
+
 #
 # Pre-process a line from a configuration file.
 
@@ -2248,6 +2293,8 @@ sub split_line2( $$;$$$ ) {
     }
 
     $inline_matches = '';
+
+    clear_comment if $sr_comment;
     #
     # First, see if there are double semicolons on the line; what follows will be raw iptables input
     #
@@ -2354,18 +2401,37 @@ sub split_line2( $$;$$$ ) {
 	$pairs =~ s/^\s*//;
 	$pairs =~ s/\s*$//;
 
-	my @pairs = split( /,?\s+/, $pairs );
+	my @pairs = split_list4( $pairs );
 
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
 	    my ( $column, $value ) = ( lc( $1 ), $2 );
-	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-	    $column = $columnsref->{$column};
-	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
-	    $value = $1 if $value =~ /^"([^"]+)"$/;
-	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
-	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-	    $line[$column] = $value;
+
+	    if ( $value =~ /"$/ ) {
+		fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
+		$value = $1;
+	    }
+
+	    if ( $column eq 'comment' ) {
+		if ( $comments_allowed ) {
+		    if ( have_capability( 'COMMENTS' ) ) {
+			$comment = $value;
+			$sr_comment = 1;
+		    } else {
+			warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
+		    }
+		} else {
+		    fatal_error '"comment" is not allowed in this file';
+		}
+	    } else {
+		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+		$column = $columnsref->{$column};
+		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+		$value = $1 if $value =~ /^"([^"]+)"$/;
+		$value =~ s/\\"/"/g;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+		$line[$column] = $value;
+	    }
 	}
     }
 
@@ -2395,6 +2461,7 @@ sub no_comment() {
 sub clear_comment() {
     $comment   = '';
     $nocomment = 0;
+    $sr_comment = '';
 }
 
 #
@@ -2490,7 +2557,8 @@ sub push_include() {
 			  $max_format,
 			  $comment,
 			  $nocomment,
-			  $section_function ];
+			  $section_function,
+			  $sr_comment ];
 }
 
 #
@@ -2514,7 +2582,8 @@ sub pop_include() {
 	  $max_format,
 	  $comment,
 	  $nocomment,
-	  $section_function ) = @$arrayref;
+	  $section_function,
+	  $sr_comment ) = @$arrayref;
     } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
@@ -2883,6 +2952,7 @@ sub process_compiler_directive( $$$$ ) {
 			  if ( have_capability( 'COMMENTS' ) ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
+			      $sr_comment = '';
 			  } else {
 			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
@@ -3236,6 +3306,7 @@ sub push_open( $;$$$$ ) {
     push @openstack, \@a;
     @includestack = ();
     $currentfile = undef;
+    $sr_comment = '';
     open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
 }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -686,6 +686,7 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
+			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -2113,9 +2114,31 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
 
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my @interfaces;
+    my $wildcards;
 
-    if ( @$interfaces ) {
+    #
+    # First do the provider interfacess. Those that are real providers will never have wildcard physical
+    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
+    # wildcard physical names are also included in the providers table.
+    #
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
+	push @interfaces, $providerref->{interface};
+	$wildcards ||= $providerref->{wildcard};
+    }
+
+    #
+    # Now do the optional wild interfaces
+    #
+    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
+	push@interfaces, $interface;
+	unless ( $wildcards ) {
+	    my $interfaceref = find_interface($interface);
+	    $wildcards = 1 if $interfaceref->{wildcard};
+	}
+    }
+
+    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
 
@@ -2126,7 +2149,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
 
 	if ( $wildcards ) {
 	    #
@@ -2143,74 +2166,76 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}
 
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $providerref = $providers{$provider};
+	for my $interface ( @interfaces ) {
+	    if ( my $provider = $provider_interfaces{ $interface } ) {
+		my $physical     = get_physical $interface;
+		my $base         = uc var_base( $physical );
+		my $providerref  = $providers{$provider};
+		my $interfaceref = known_interface( $interface );
+		my $wildbase     = uc $interfaceref->{base};
 
-	    emit( "$physical)" ), push_indent if $wildcards;
+		emit( "$physical)" ), push_indent if $wildcards;
 
-	    if ( $provider eq $physical ) {
-		#
-		# Just an optional interface, or provider and interface are the same
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
-		#
-		# Provider
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
+		if ( $provider eq $physical ) {
+		    #
+		    # Just an optional interface, or provider and interface are the same
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		} else {
+		    #
+		    # Provider
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		}
 
-	    push_indent;
-	    if ( $providerref->{gatewaycase} eq 'detect' ) {
-		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-	    } else {
-		emit qq(if interface_is_usable $physical; then);
-	    }
-
-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'fi' );
-
-	    pop_indent;
-
-	    emit( "fi\n" );
-
-	    emit( ';;' ), pop_indent if $wildcards;
-	}
-
-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
 		push_indent;
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		} else {
+		    emit qq(if interface_is_usable $physical; then);
+		}
 
-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		emit( '    HAVE_INTERFACE=Yes' ) if $require;
+
+		emit( "    SW_${base}_IS_USABLE=Yes" );
+		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
+		emit( 'fi' );
+
+		pop_indent;
+
+		emit( "fi\n" );
+
+		emit( ';;' ), pop_indent if $wildcards;
+	    } else {
+		my $physical    = get_physical $interface;
+		my $base        = uc var_base( $physical );
+		my $case        = $physical;
+		my $wild        = $case =~ s/\+$/*/;
+
+		if ( $wildcards ) {
+		    emit( "$case)" );
 		    push_indent;
-		    emit ( 'if interface_is_usable $interface; then' );
+
+		    if ( $wild ) {
+			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+			push_indent;
+			emit ( 'if interface_is_usable $interface; then' );
+		    } else {
+			emit ( "if interface_is_usable $physical; then" );
+		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
-	    } else {
-		emit ( "if interface_is_usable $physical; then" );
-	    }
 
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
+		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+		emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		       'fi' );
 
-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
+		if ( $wildcards ) {
+		    pop_indent, emit( 'fi' ) if $wild;
+		    emit( ';;' );
+		    pop_indent;
+		}
 	    }
 	}
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -4299,7 +4299,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},
 
 	DSCP       => {
-	    defaultchain   => 0,
+	    defaultchain   => POSTROUTING,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 1,
 	    maxparams      => 1,

Shorewall/Perl/Shorewall/Tc.pm

@@ -350,9 +350,10 @@ sub process_simple_device() {
 
     for ( my $i = 1; $i <= 3; $i++ ) {
 	my $prio = 16 | $i;
+	my $j    = $i + 3;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1587,7 +1587,7 @@ sub known_interface($)
 					       name     => $i ,
 					       number   => $interfaceref->{number} ,
 					       physical => $physical ,
-					       base     => var_base( $physical ) ,
+					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };

Shorewall/init.debian.sh

@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -97,10 +97,11 @@ shorewall_start () {
 
 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -145,7 +146,7 @@ case "$1" in
   restart)
      shorewall_restart
      ;;
-  force0reload|reload)
+  force-reload|reload)
      shorewall_reload
      ;;
   status)

Shorewall/manpages/shorewall-mangle.xml

@@ -355,7 +355,8 @@ DIVERTHA        -               -               tcp</programlisting>
     EF   =&gt; 0x2e</programlisting>
 
                 <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
+                placed in the POSTROUTING chain.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -1354,7 +1354,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
       <varlistentry>
         <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
 
         <listitem>
           <para>This parameter tells the /sbin/shorewall program where to look
@@ -1364,7 +1364,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
           If not assigned or if assigned an empty value, /var/log/messages is
           assumed. For further information, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
+          Beginning with Shorewall 5.0.10.1, you may specify
+          <option>systemd</option> to use <command>journelctl -r</command> to
+          read the log.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/init.debian.sh

@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6-lite
@@ -92,10 +92,11 @@ shorewall6_start () {
 
 # stop the firewall
 shorewall6_stop () {
-  echo -n "Stopping \"Shorewall6 Lite firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall6 Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall6/init.debian.sh

@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6
@@ -97,10 +97,11 @@ shorewall6_start () {
 
 # stop the firewall
 shorewall6_stop () {
-  echo -n "Stopping \"Shorewall6 firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall6 firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall6/manpages/shorewall6-mangle.xml

@@ -356,7 +356,8 @@ DIVERTHA        -               -               tcp</programlisting>
     EF   =&gt; 0x2e</programlisting>
 
                 <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
+                placed in the POSTROUTING chain.</para>
               </listitem>
             </varlistentry>
 
@@ -633,7 +634,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                   <listitem>
                     <para>The third number specifies the number of log
                     messages that should be buffered in the kernel before they
-                    are sent to user space. The default is 1. </para>
+                    are sent to user space. The default is 1.</para>
                   </listitem>
                 </itemizedlist>
               </listitem>

Shorewall6/manpages/shorewall6.conf.xml

@@ -1166,7 +1166,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
       <varlistentry>
         <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
 
         <listitem>
           <para>This parameter tells the /sbin/shorewall6 program where to
@@ -1175,7 +1175,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           role="bold">logwatch</emphasis>, <emphasis role="bold">show
           log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
           If not assigned or if assigned an empty value, /var/log/messages is
-          assumed.</para>
+          assumed. Beginning with Shorewall 5.0.10.1, you may specify
+          <option>systemd</option> to use <command>journelctl -r</command> to
+          read the log.</para>
         </listitem>
       </varlistentry>
 

docs/Anatomy.xml

@@ -61,7 +61,7 @@
       <listitem>
         <para><emphasis role="bold">Shorewall6</emphasis>. This package
         requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
       </listitem>
 
       <listitem>

docs/GettingStarted.xml

@@ -26,6 +26,8 @@
 
       <year>2011</year>
 
+      <year>2016</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -89,7 +91,9 @@
 
     <listitem>
       <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network</para>
+      acting as a firewall/router for a small local network. For
+      Redhat-specific install/configure information, see <ulink url="???">this
+      article </ulink>contributed by Digimer.</para>
     </listitem>
 
     <listitem>

docs/Introduction.xml

@@ -398,7 +398,7 @@ ACCEPT     net           $FW       tcp        22</programlisting>
       <listitem>
         <para><emphasis role="bold">Shorewall6</emphasis>. This package
         requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
       </listitem>
 
       <listitem>

docs/support.xml

@@ -297,8 +297,8 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
           </listitem>
 
           <listitem>
-            <para>Post the <filename>/tmp/status.txt</filename> file as an
-            attachment compressed with gzip or bzip2.</para>
+            <para>Post the <filename>/tmp/shorewall_dump.txt</filename> file
+            as an attachment compressed with gzip or bzip2.</para>
           </listitem>
 
           <listitem>