Correct permissions of files created by the 'save' command

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -235,7 +235,8 @@ for on in \
     SPARSE \
     ANNOTATED \
     VARLIB \
-    VARDIR
+    VARDIR \
+    DEFAULT_PAGER
 do
     echo "$on=${options[${on}]}"
     echo "$on=${options[${on}]}" >> shorewallrc

Shorewall-core/configure.pl

@@ -209,7 +209,8 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR / ) {
+	  VARDIR
+          DEFAULT_PAGER / ) {
 
     my $val = $options{$_} || '';
 

Shorewall-core/lib.cli

@@ -466,7 +466,8 @@ do_save() {
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    chmod +x $g_restorepath
+	    chmod 700 $g_restorepath
+	    chmod 600 ${g_restorepath}-iptables
 	    echo "   Currently-running Configuration Saved to $g_restorepath"
 	    run_user_exit save
 	else
@@ -487,6 +488,7 @@ do_save() {
 		if ${arptables}-save > ${VARDIR}/restore-$$; then
 		    if grep -q '^-A' ${VARDIR}/restore-$$; then
 			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			chmod 600 ${g_restorepath}-arptables
 		    else
 			rm -f ${VARDIR}/restore-$$
 		    fi
@@ -533,7 +535,7 @@ do_save() {
 			#
 			# Don't save an 'empty' file
 			#
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets && chmod 600 ${g_restorepath}-ipsets
 		    fi
 		fi
 		;;
@@ -3898,6 +3900,8 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
     if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -3905,7 +3909,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	esac

Shorewall-core/shorewallrc.apple

@@ -19,3 +19,4 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.archlinux

@@ -20,3 +20,4 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.cygwin

@@ -19,3 +19,4 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
+DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.debian.systemd

@@ -21,3 +21,4 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.debian.sysvinit

@@ -21,3 +21,4 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.default

@@ -21,3 +21,4 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.openwrt

@@ -21,3 +21,4 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.redhat

@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.slackware

@@ -22,3 +22,4 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
+DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.suse

@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
+DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf

Shorewall/Perl/Shorewall/Chains.pm

@@ -337,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
-#                                                               Suppresses adding additional rules to the chain end of the chain
+#                                                               Suppresses adding additional rules to the end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
@@ -1337,7 +1337,14 @@ sub push_rule( $$ ) {
     push @{$chainref->{rules}}, $ruleref;
     $chainref->{referenced} = 1;
     $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
+
+    if ( $debug ) {
+	if ( $ruleref->{comment} ) {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
+	} else {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
+	}
+    }
 
     $chainref->{complete} = 1 if $complete;
 
@@ -2928,13 +2935,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
 		    'ADD'             => STANDARD + SET,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
@@ -2994,13 +3001,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'NONAT'           => STANDARD + NONAT + NATONLY,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -3179,17 +3186,17 @@ sub delete_references( $ ) {
 #
 sub calculate_digest( $ ) {
     my $chainref = shift;
-    my $digest = '';
+    my $rules = '';
 
     for ( @{$chainref->{rules}} ) {
-	if ( $digest ) {
-	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+	if ( $rules ) {
+	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $digest = format_rule( $chainref, $_, 1 );
+	    $rules = format_rule( $chainref, $_, 1 );
 	}
     }
 
-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1_hex $rules;
 }
 
 #
@@ -3478,7 +3485,7 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
-				# This case requires a new rule merging algorithm. Ignore this chain for
+				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3486,7 +3493,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
-				$progress = 1 if replace_references1 $chainref, $firstrule;
+				$progress = 1 if replace_references1( $chainref, $firstrule );
 			    }
 			}
 		    } else {
@@ -3532,7 +3539,7 @@ sub optimize_level4( $$ ) {
 				#empty builtin chain -- change it's policy
 				#
 				$chainref->{policy} = $target;
-				trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
+				trace( $chainref, 'P', undef, $target ) if $debug;
 				$count++;
 			    }
 
@@ -3686,7 +3693,12 @@ sub optimize_level8( $$$ ) {
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
-		    replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
+		    replace_references( $chainref1,
+					$chainref->{name},
+					undef,   # Target Opts
+					'',      # Comment
+					'',      # Origin
+					1 );     # Recalculate digests of modified chains
 
 		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
@@ -4012,7 +4024,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;
 
-	if ( $baseref->{mode} == CAT_MODE ) {
+	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
@@ -5178,7 +5190,7 @@ sub do_time( $ ) {
 	    $result .= "--monthday $days ";
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";

Shorewall/Perl/Shorewall/Config.pm

@@ -577,6 +577,7 @@ our $max_format;             # Max format value
 our $comment;                # Current COMMENT
 our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
+our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
@@ -731,6 +732,7 @@ sub initialize( $;$$) {
     # Contents of last COMMENT line.
     #
     $comment       = '';
+    $sr_comment    = '';
     $warningcount  = 0;
     #
     # Misc Globals
@@ -895,6 +897,7 @@ sub initialize( $;$$) {
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
+	  ZERO_MARKS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2156,6 +2159,47 @@ sub split_list3( $$ ) {
     @list2;
 }
 
+#
+# This version spits a list on white-space with optional leading comma. It prevents double-quoted
+# strings from being split.
+#
+sub split_list4( $ ) {
+    my ($list ) = @_;
+    my @list1 = split( /,?\s+/, $list );
+    my @list2;
+    my $element   = '';
+    my $opencount = 0;
+
+    return @list1 unless $list =~ /"/;
+
+    @list1 = split( /(,?\s+)/, $list );
+
+    for ( my $i = 0; $i < @list1; $i += 2 ) {
+	my $e = $list1[$i];
+
+	if ( $e =~ /[^\\]"/ ) {
+	    if ( $e =~ /[^\\]".*[^\\]"/ ) {
+		fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
+		push @list2, $e;
+	    } elsif ( $element ne '' ) {
+		fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
+		push @list2, join( $list1[$i - 1], $element, $e );
+		$element = '';
+	    } else {
+		$element = $e;
+	    }
+	} elsif ( $element ne '' ) {
+	    $element = join( $list1[$i - 1], $element, $e );
+	} else {
+	    push @list2, $e;
+	}
+    }
+
+    fatal_error "Mismatched_quotes ($list)" if $element ne '';
+
+    @list2;
+}
+
 #
 # Splits the columns of a config file record
 #
@@ -2225,6 +2269,8 @@ sub passed( $ ) {
     defined $val && $val ne '' && $val ne '-';
 }
 
+sub clear_comment();
+
 #
 # Pre-process a line from a configuration file.
 
@@ -2248,6 +2294,8 @@ sub split_line2( $$;$$$ ) {
     }
 
     $inline_matches = '';
+
+    clear_comment if $sr_comment;
     #
     # First, see if there are double semicolons on the line; what follows will be raw iptables input
     #
@@ -2354,18 +2402,37 @@ sub split_line2( $$;$$$ ) {
 	$pairs =~ s/^\s*//;
 	$pairs =~ s/\s*$//;
 
-	my @pairs = split( /,?\s+/, $pairs );
+	my @pairs = split_list4( $pairs );
 
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
 	    my ( $column, $value ) = ( lc( $1 ), $2 );
-	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-	    $column = $columnsref->{$column};
-	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
-	    $value = $1 if $value =~ /^"([^"]+)"$/;
-	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
-	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-	    $line[$column] = $value;
+
+	    if ( $value =~ /"$/ ) {
+		fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
+		$value = $1;
+	    }
+
+	    if ( $column eq 'comment' ) {
+		if ( $comments_allowed ) {
+		    if ( have_capability( 'COMMENTS' ) ) {
+			$comment = $value;
+			$sr_comment = 1;
+		    } else {
+			warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
+		    }
+		} else {
+		    fatal_error '"comment" is not allowed in this file';
+		}
+	    } else {
+		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+		$column = $columnsref->{$column};
+		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+		$value = $1 if $value =~ /^"([^"]+)"$/;
+		$value =~ s/\\"/"/g;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+		$line[$column] = $value;
+	    }
 	}
     }
 
@@ -2395,6 +2462,7 @@ sub no_comment() {
 sub clear_comment() {
     $comment   = '';
     $nocomment = 0;
+    $sr_comment = '';
 }
 
 #
@@ -2490,7 +2558,8 @@ sub push_include() {
 			  $max_format,
 			  $comment,
 			  $nocomment,
-			  $section_function ];
+			  $section_function,
+			  $sr_comment ];
 }
 
 #
@@ -2514,7 +2583,8 @@ sub pop_include() {
 	  $max_format,
 	  $comment,
 	  $nocomment,
-	  $section_function ) = @$arrayref;
+	  $section_function,
+	  $sr_comment ) = @$arrayref;
     } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
@@ -2883,6 +2953,7 @@ sub process_compiler_directive( $$$$ ) {
 			  if ( have_capability( 'COMMENTS' ) ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
+			      $sr_comment = '';
 			  } else {
 			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
@@ -3236,6 +3307,7 @@ sub push_open( $;$$$$ ) {
     push @openstack, \@a;
     @includestack = ();
     $currentfile = undef;
+    $sr_comment = '';
     open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
 }
 
@@ -3329,7 +3401,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
     my $multiline = shift;
 
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
 
     $directive_callback->( 'PERL', $currentline ) if $directive_callback;
 
@@ -3782,8 +3854,10 @@ sub process_shorewallrc( $$ ) {
 	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 	}
     } elsif ( supplied $shorewallrc{VARLIB} ) {
-	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
     }
+
+    $shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
 }
 
 #
@@ -5157,7 +5231,7 @@ sub update_config_file( $ ) {
     update_default( 'USE_DEFAULT_RT', 'No' );
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
-    update_default( 'PAGER',          '' );
+    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
 
     my $fn;
 
@@ -6219,6 +6293,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
     default_yes_no 'MINIUPNPD'                  , '';
     default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
+    default_yes_no 'ZERO_MARKS'                 , '';
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -125,6 +125,13 @@ sub setup_route_marking() {
     my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    #
+    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
+    #
+
+    if ( $config{ZERO_MARKS} ) {
+	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+    }
 
     if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -686,6 +693,7 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
+			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -801,6 +809,10 @@ sub add_a_provider( $$ ) {
 
 	push_indent;
 
+	emit( "if interface_is_up $physical; then" );
+
+	push_indent;
+
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -818,14 +830,19 @@ sub add_a_provider( $$ ) {
 		if ( $family == F_IPV4 ) {
 		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
 		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 		} else {
 		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
 		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
 		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
+		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 		}
 	    }
 
-	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
 	if ( ! $noautosrc ) {
@@ -854,8 +871,10 @@ sub add_a_provider( $$ ) {
 	    }
 	}
 
-	emit( qq(\n),
-	      qq(rm -f \${VARDIR}/${physical}_enabled) );
+	pop_indent;
+
+	emit( qq(fi\n),
+	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
 
 	pop_indent;
@@ -1069,7 +1088,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	emit( qq(    rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
@@ -1077,7 +1096,7 @@ CEOF
 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}
 
@@ -1171,7 +1190,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    rm -f \${VARDIR}/${physical}_enabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1676,7 +1695,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
+		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1727,7 +1746,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
+		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -2113,9 +2132,31 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
 
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my @interfaces;
+    my $wildcards;
 
-    if ( @$interfaces ) {
+    #
+    # First do the provider interfacess. Those that are real providers will never have wildcard physical
+    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
+    # wildcard physical names are also included in the providers table.
+    #
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
+	push @interfaces, $providerref->{interface};
+	$wildcards ||= $providerref->{wildcard};
+    }
+
+    #
+    # Now do the optional wild interfaces
+    #
+    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
+	push@interfaces, $interface;
+	unless ( $wildcards ) {
+	    my $interfaceref = find_interface($interface);
+	    $wildcards = 1 if $interfaceref->{wildcard};
+	}
+    }
+
+    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
 
@@ -2126,7 +2167,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
 
 	if ( $wildcards ) {
 	    #
@@ -2143,74 +2184,76 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}
 
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $providerref = $providers{$provider};
+	for my $interface ( @interfaces ) {
+	    if ( my $provider = $provider_interfaces{ $interface } ) {
+		my $physical     = get_physical $interface;
+		my $base         = uc var_base( $physical );
+		my $providerref  = $providers{$provider};
+		my $interfaceref = known_interface( $interface );
+		my $wildbase     = uc $interfaceref->{base};
 
-	    emit( "$physical)" ), push_indent if $wildcards;
+		emit( "$physical)" ), push_indent if $wildcards;
 
-	    if ( $provider eq $physical ) {
-		#
-		# Just an optional interface, or provider and interface are the same
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
-		#
-		# Provider
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
+		if ( $provider eq $physical ) {
+		    #
+		    # Just an optional interface, or provider and interface are the same
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		} else {
+		    #
+		    # Provider
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		}
 
-	    push_indent;
-	    if ( $providerref->{gatewaycase} eq 'detect' ) {
-		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-	    } else {
-		emit qq(if interface_is_usable $physical; then);
-	    }
-
-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'fi' );
-
-	    pop_indent;
-
-	    emit( "fi\n" );
-
-	    emit( ';;' ), pop_indent if $wildcards;
-	}
-
-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
 		push_indent;
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		} else {
+		    emit qq(if interface_is_usable $physical; then);
+		}
 
-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		emit( '    HAVE_INTERFACE=Yes' ) if $require;
+
+		emit( "    SW_${base}_IS_USABLE=Yes" );
+		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
+		emit( 'fi' );
+
+		pop_indent;
+
+		emit( "fi\n" );
+
+		emit( ';;' ), pop_indent if $wildcards;
+	    } else {
+		my $physical    = get_physical $interface;
+		my $base        = uc var_base( $physical );
+		my $case        = $physical;
+		my $wild        = $case =~ s/\+$/*/;
+
+		if ( $wildcards ) {
+		    emit( "$case)" );
 		    push_indent;
-		    emit ( 'if interface_is_usable $interface; then' );
+
+		    if ( $wild ) {
+			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+			push_indent;
+			emit ( 'if interface_is_usable $interface; then' );
+		    } else {
+			emit ( "if interface_is_usable $physical; then" );
+		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
-	    } else {
-		emit ( "if interface_is_usable $physical; then" );
-	    }
 
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
+		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+		emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		       'fi' );
 
-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
+		if ( $wildcards ) {
+		    pop_indent, emit( 'fi' ) if $wild;
+		    emit( ';;' );
+		    pop_indent;
+		}
 	    }
 	}
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -295,7 +295,7 @@ our %validstates = ( NEW                => 0,
 #      known until the compiler has started.
 #
 #   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+#      able to re-initialize the state of its dependent modules.
 #
 sub initialize( $ ) {
     $family            = shift;
@@ -345,11 +345,11 @@ sub initialize( $ ) {
     #
     $macro_nest_level  = 0;
     #
-    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions
+    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
     #
     %actions           = ();
     #
-    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
+    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
 
@@ -628,29 +628,20 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy() {
+sub process_a_policy1($$$$$$$) {
 
     our %validpolicies;
     our @zonelist;
 
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
-	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
-
-    $loglevel  = '' if $loglevel  eq '-';
-    $synparams = '' if $synparams eq '-';
-    $connlimit = '' if $connlimit eq '-';
-
-    fatal_error 'SOURCE must be specified' if $client eq '-';
-    fatal_error 'DEST must be specified'   if $server eq '-';
-    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    my $intrazone  = $clientwild && $1;
+    $intrazone  = $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
     my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone ||= $serverwild && $1;
+    $intrazone   ||= ( $serverwild && $1 );
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
@@ -758,6 +749,40 @@ sub process_a_policy() {
     }
 }
 
+sub process_a_policy() {
+
+    our %validpolicies;
+    our @zonelist;
+
+    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+
+    $loglevel  = '' if $loglevel  eq '-';
+    $synparams = '' if $synparams eq '-';
+    $connlimit = '' if $connlimit eq '-';
+
+    my $intrazone;
+
+    if ( $intrazone = $clients =~ /.*,.*\+$/) {
+	$clients =~ s/\+$//;
+    }
+
+    if ( $servers =~ /.*,.*\+$/ ) {
+	$servers =~ s/\+$//;
+	$intrazone = 1;
+    }	
+
+    fatal_error 'SOURCE must be specified' if $clients eq '-';
+    fatal_error 'DEST must be specified'   if $servers eq '-';
+    fatal_error 'POLICY must be specified' if $policy  eq '-';
+
+    for my $client ( split_list( $clients, 'zone' ) ) {
+	for my $server ( split_list( $servers, 'zone' ) ) {
+	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+	}
+    }
+}
+
 #
 # Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
 #
@@ -1352,7 +1377,7 @@ sub new_action( $$$$$ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variable serves as arguments to the user's
+# the $chain, $level and $tag variables serve as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
 # set $chain to the name of the iptables chain where rules are to be added.
 # Similarly, $level and $tag contain the log level and log tag respectively.
@@ -1533,7 +1558,7 @@ sub find_macro( $ )
 {
     my $macro = $_[0];
 
-    $macro =~ s/^macro.//;
+    $macro =~ s/^macro\.//;
 
     my $macrofile = find_file "macro.$macro";
 
@@ -2957,65 +2982,63 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	# And we need the dest zone for local/loopback/off-firewall/destonly checks
 	#
 	$destref   = find_zone( $chainref->{destzone}   ) if $chainref->{destzone};
-    } else {
-	unless ( $actiontype & NATONLY ) {
-	    #
-	    # Check for illegal bridge port rule
-	    #
-	    if ( $destref->{type} & BPORT ) {
-		unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		    return 0 if $wildcard;
-		    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
-		}
-	    }
-
-	    $chain = rules_chain( ${sourcezone}, ${destzone} );
-	    #
-	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
-	    #
-	    ( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
-	    $chainref->{destzone} = $destzone;
-
-	    my $policy = $chainref->{policy};
-
-	    if ( $policy eq 'NONE' ) {
+    } elsif ( ! ( $actiontype & NATONLY ) ) {
+	#
+	# Check for illegal bridge port rule
+	#
+	if ( $destref->{type} & BPORT ) {
+	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 		return 0 if $wildcard;
-		fatal_error "Rules may not override a NONE policy";
+		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
-	    #
-	    # Handle Optimization level 1 when specified alone
-	    #
-	    if ( $optimize == 1 && $section == NEW_SECTION ) {
-		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
-		if ( $loglevel ne '' ) {
-		    return 0 if $target eq "${policy}:${loglevel}";
-		} else {
-		    return 0 if $basictarget eq $policy;
-		}
+	}
+
+	$chain = rules_chain( ${sourcezone}, ${destzone} );
+	#
+	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
+	#
+	( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
+	$chainref->{destzone} = $destzone;
+
+	my $policy = $chainref->{policy};
+
+	if ( $policy eq 'NONE' ) {
+	    return 0 if $wildcard;
+	    fatal_error "Rules may not override a NONE policy";
+	}
+	#
+	# Handle Optimization level 1 when specified alone
+	#
+	if ( $optimize == 1 && $section == NEW_SECTION ) {
+	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
+	    if ( $loglevel ne '' ) {
+		return 0 if $target eq "${policy}:${loglevel}";
+	    } else {
+		return 0 if $basictarget eq $policy;
 	    }
-	    #
-	    # Mark the chain as referenced and add appropriate rules from earlier sections.
-	    #
-	    $chainref = ensure_rules_chain $chain;
-	    #
-	    # Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
-	    #
-	    if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
-		my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
-		my $auxref   = $filter_table->{$auxchain};
+	}
+	#
+	# Mark the chain as referenced and add appropriate rules from earlier sections.
+	#
+	$chainref = ensure_rules_chain $chain;
+	#
+	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
+	#
+	if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
+	    my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
+	    my $auxref   = $filter_table->{$auxchain};
 
-		unless ( $auxref ) {
-		    my $save_comment = push_comment;
-		    $auxref = new_chain 'filter', $auxchain;
-		    $auxref->{blacklistsection} = 1 if $blacklist;
+	    unless ( $auxref ) {
+		my $save_comment = push_comment;
+		$auxref = new_chain 'filter', $auxchain;
+		$auxref->{blacklistsection} = 1 if $blacklist;
 
-		    add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
-		    pop_comment( $save_comment );
-		}
-
-		$chain    = $auxchain;
-		$chainref = $auxref;
+		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
+		pop_comment( $save_comment );
 	    }
+
+	    $chain    = $auxchain;
+	    $chainref = $auxref;
 	}
     }
     #
@@ -3033,7 +3056,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle actions
     #
-    my $actionchain; #Name of the action chain
+    my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
 	#
@@ -3562,7 +3585,7 @@ sub perl_action_tcp_helper($$) {
 sub process_section ($) {
     my $sect = shift;
     #
-    # split_line1 has already verified that there are exactly two tokens on the line
+    # split_line2 has already verified that there are exactly two tokens on the line
     #
     fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
     fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
@@ -3706,7 +3729,7 @@ sub process_raw_rule ( ) {
     fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
 
     if ( @protos > 1 ) {
-	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
+	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ /!/;
     }
 
     for $source ( @source ) {
@@ -4173,8 +4196,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},
 
 	CHECKSUM   => {
-	    defaultchain   => 0,
-	    allowedchains  => ALLCHAINS,
+	    defaultchain   => POSTROUTING,
+	    allowedchains  => POSTROUTING | FORWARD | OUTPUT,
 	    minparams      => 0,
 	    maxparams      => 0 ,
 	    function       => sub() {
@@ -4299,7 +4322,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},
 
 	DSCP       => {
-	    defaultchain   => 0,
+	    defaultchain   => POSTROUTING,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 1,
 	    maxparams      => 1,

Shorewall/Perl/Shorewall/Tc.pm

@@ -350,9 +350,10 @@ sub process_simple_device() {
 
     for ( my $i = 1; $i <= 3; $i++ ) {
 	my $prio = 16 | $i;
+	my $j    = $i + 3;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1587,7 +1587,7 @@ sub known_interface($)
 					       name     => $i ,
 					       number   => $interfaceref->{number} ,
 					       physical => $physical ,
-					       base     => var_base( $physical ) ,
+					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };

Shorewall/Perl/compiler.pl

@@ -41,10 +41,7 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to this release
-#         --tcrules                   # Create mangle from tcrules
-#         --routestopped              # Create stoppedrules from routestopped
-#         --notrack                   # Create conntrack from notrack
+#         --update                    # Update configuration to current release
 #
 use strict;
 use FindBin;

Shorewall/Perl/lib.runtime

@@ -599,7 +599,15 @@ debug_restore_input() {
 }
 
 interface_enabled() {
-    return $(cat ${VARDIR}/$1.status)
+    status=0
+
+    if [ -f ${VARDIR}/${1}_disabled ]; then
+	status=1
+    elif [ -f ${VARDIR}/${1}.status ]; then
+	status=$(cat ${VARDIR}/${1}.status)
+    fi
+
+    return status
 }
 
 distribute_load() {
@@ -678,8 +686,10 @@ interface_is_usable() # $1 = interface
 
     if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi
@@ -996,9 +1006,16 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 
     if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    gateway="nexthop $gateway"
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-	    run_ip route replace table $2 $route
+	    if interface_is_up $3; then
+		gateway="nexthop $gateway"
+	    else
+		gateway="nexthop $gateway dead"
+	    fi
+
+	    if eval echo $route \| fgrep -q \'$gateway\'; then
+		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+		run_ip route replace table $2 $route
+	    fi
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1095,8 +1112,10 @@ interface_is_usable() # $1 = interface
 
     if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi

Shorewall/Samples/Universal/shorewall.conf

@@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -256,6 +256,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/configfiles/shorewall.conf

@@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/lib.cli-std

@@ -316,6 +316,8 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
     if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -323,7 +325,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac

Shorewall/manpages/shorewall-mangle.xml

@@ -355,7 +355,8 @@ DIVERTHA        -               -               tcp</programlisting>
     EF   =&gt; 0x2e</programlisting>
 
                 <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
+                placed in the POSTROUTING chain.</para>
               </listitem>
             </varlistentry>
 
@@ -1254,6 +1255,17 @@ Normal-Service       =&gt; 0x00</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 
@@ -1364,7 +1376,7 @@ Normal-Service       =&gt; 0x00</programlisting>
           round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
           (Shorewall 4.5.9 and later).</para>
 
-          <programlisting>/etc/shorewall/tcrules:
+          <programlisting>/etc/shorewall/mangle:
 
        #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
        CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW

Shorewall/manpages/shorewall-policy.xml

@@ -35,7 +35,7 @@
       <para>This file determines what to do with a new connection request if
       we don't get a match from the /etc/shorewall/rules file . For each
       source/destination pair, the file is processed in order until a match is
-      found ("all" will match any client or server).</para>
+      found ("all" will match any source or destination).</para>
     </important>
 
     <important>
@@ -61,7 +61,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -74,12 +74,18 @@
           <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
           not override the implicit intra-zone ACCEPT policy while "all+"
           does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -95,6 +101,12 @@
           <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
           not override the implicit intra-zone ACCEPT policy while "all+"
           does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-providers.xml

@@ -406,6 +406,16 @@
                     are present.</para>
                   </listitem>
                 </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-rules.xml

@@ -595,8 +595,7 @@
                 <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
-                </para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>The <replaceable>nflog-parameters</replaceable> are a
                 comma-separated list of up to 3 numbers:</para>
@@ -1683,6 +1682,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 

Shorewall/manpages/shorewall.conf.xml

@@ -307,6 +307,9 @@
                 that were active when Shorewall stopped continue to work and
                 all new connections from the firewall system itself are
                 allowed.</para>
+
+                <para>Note that the routestopped file is not supported in
+                Shorewall 5.0 and later versions.</para>
               </listitem>
             </varlistentry>
 
@@ -481,8 +484,8 @@
 
           <para>ALL sends all packets through the blacklist chains.</para>
 
-          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
-          is specified.</para>
+          <para>Note: The ESTABLISHED state may not be specified if
+          FASTACCEPT=Yes is specified.</para>
         </listitem>
       </varlistentry>
 
@@ -577,13 +580,14 @@
         <listitem>
           <para>If this option is set to <emphasis role="bold">No</emphasis>
           then Shorewall won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people who prefer to
-          configure traffic shaping when the network interfaces come up rather
-          than when the firewall is started. If that is what you want to do,
-          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
-          /etc/shorewall/tcstart file. That way, your traffic shaping rules
-          can still use the “fwmark” classifier based on packet marking
-          defined in <ulink
+          [<command>re</command>]<command>start</command> or
+          <command>reload</command>. This setting is intended for use by
+          people who prefer to configure traffic shaping when the network
+          interfaces come up rather than when the firewall is started. If that
+          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+          not supply an /etc/shorewall/tcstart file. That way, your traffic
+          shaping rules can still use the “fwmark” classifier based on packet
+          marking defined in <ulink
           url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
           If not specified, CLEAR_TC=Yes is assumed.</para>
         </listitem>
@@ -677,8 +681,8 @@
 
         <listitem>
           <para>If set to Yes (the default value), entries in the
-          /etc/shorewall/route_stopped files cause an 'ip rule del' command to
-          be generated in addition to an 'ip rule add' command. Setting this
+          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
+          generated in addition to an 'ip rule add' command. Setting this
           option to No, causes the 'ip rule del' command to be omitted.</para>
         </listitem>
       </varlistentry>
@@ -829,7 +833,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           helpers file from the administrative system into the script. When
           set to No or not specified, the compiler will not copy the modules
           or helpers file from <filename>/usr/share/shorewall</filename> but
-          will copy the found in another location on the CONFIG_PATH.</para>
+          will copy those found in another location on the CONFIG_PATH.</para>
 
           <para>When compiling for direct use by Shorewall, causes the
           contents of the local module or helpers file to be copied into the
@@ -863,7 +867,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
           cleared the packet mark in the first rule in the mangle FORWARD
           chain. This behavior is maintained with the default setting of this
           option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -2005,6 +2009,9 @@ LOG:info:,bar                        net                    fw</programlisting>
           When PAGER is given, the output of verbose <command>status</command>
           commands and the <command>dump</command> command are piped through
           the named program when the output file is a terminal.</para>
+
+          <para>Beginning with Shorewall 5.0.12, the default value of this
+          option is the DEFAULT_PAGER setting in shorewallrc.</para>
         </listitem>
       </varlistentry>
 
@@ -2194,18 +2201,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ; -j REJECT
+INLINE          -       -       17      ;; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ; -j REJECT
+INLINE          -       -       -       ;; -j REJECT
 ?endif</programlisting>
         </listitem>
       </varlistentry>
@@ -2275,7 +2282,7 @@ INLINE          -       -       -       ; -j REJECT
           restored unconditionally at the top of the mangle OUTPUT and
           PREROUTING chains, even if the saved mark is zero. When this option
           is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          even when it is zero. If you have problems with IPSEC ESP packets
+          only if it is non-zero. If you have problems with IPSEC ESP packets
           not being routed correctly on output, try setting this option to
           <emphasis role="bold">No</emphasis>.</para>
         </listitem>
@@ -2451,10 +2458,9 @@ INLINE          -       -       -       ; -j REJECT
 
         <listitem>
           <para>This option is used to specify the shell program to be used to
-          run the Shorewall compiler and to interpret the compiled script. If
-          not specified or specified as a null value, /bin/sh is assumed.
-          Using a light-weight shell such as ash or dash can significantly
-          improve performance.</para>
+          interpret the compiled script. If not specified or specified as a
+          null value, /bin/sh is assumed. Using a light-weight shell such as
+          ash or dash can significantly improve performance.</para>
         </listitem>
       </varlistentry>
 
@@ -2941,6 +2947,23 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -220,6 +220,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/configfiles/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/manpages/shorewall6-mangle.xml

@@ -356,7 +356,8 @@ DIVERTHA        -               -               tcp</programlisting>
     EF   =&gt; 0x2e</programlisting>
 
                 <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
+                placed in the POSTROUTING chain.</para>
               </listitem>
             </varlistentry>
 
@@ -633,7 +634,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                   <listitem>
                     <para>The third number specifies the number of log
                     messages that should be buffered in the kernel before they
-                    are sent to user space. The default is 1. </para>
+                    are sent to user space. The default is 1.</para>
                   </listitem>
                 </itemizedlist>
               </listitem>
@@ -1330,6 +1331,17 @@ Normal-Service       =&gt; 0x00</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 

Shorewall6/manpages/shorewall6-policy.xml

@@ -35,7 +35,7 @@
       <para>This file determines what to do with a new connection request if
       we don't get a match from the /etc/shorewall6/rules file . For each
       source/destination pair, the file is processed in order until a match is
-      found ("all" will match any client or server).</para>
+      found ("all" will match any source or destination).</para>
     </important>
 
     <important>
@@ -61,7 +61,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -74,12 +74,18 @@
           <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
           not override the implicit intra-zone ACCEPT policy while "all+"
           does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -95,6 +101,12 @@
           <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
           not override the implicit intra-zone ACCEPT policy while "all+"
           does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-providers.xml

@@ -377,6 +377,16 @@
                     are present.</para>
                   </listitem>
                 </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-rules.xml

@@ -1547,6 +1547,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -239,6 +239,9 @@
                 that were active when Shorewall stopped continue to work and
                 all new connections from the firewall system itself are
                 allowed.</para>
+
+                <para>Note that the routestopped file is not supported in
+                Shorewall 5.0 and later versions.</para>
               </listitem>
             </varlistentry>
 
@@ -497,13 +500,14 @@
         <listitem>
           <para>If this option is set to <emphasis role="bold">No</emphasis>
           then Shorewall6 won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people that prefer to
-          configure traffic shaping when the network interfaces come up rather
-          than when the firewall is started. If that is what you want to do,
-          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
-          /etc/shorewall6/tcstart file. That way, your traffic shaping rules
-          can still use the “fwmark” classifier based on packet marking
-          defined in <ulink
+          [<command>re</command>]<command>start</command> or
+          <command>reload</command>. This setting is intended for use by
+          people that prefer to configure traffic shaping when the network
+          interfaces come up rather than when the firewall is started. If that
+          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+          not supply an /etc/shorewall6/tcstart file. That way, your traffic
+          shaping rules can still use the “fwmark” classifier based on packet
+          marking defined in <ulink
           url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
           If not specified, CLEAR_TC=No is assumed.</para>
 
@@ -604,10 +608,9 @@
 
         <listitem>
           <para>If set to Yes (the default value), entries in the
-          /etc/shorewall6/route_stopped files cause an 'ip rule del' command
-          to be generated in addition to an 'ip rule add' command. Setting
-          this option to No, causes the 'ip rule del' command to be
-          omitted.</para>
+          /etc/shorewall6/rtrules file cause an 'ip rule del' command to be
+          generated in addition to an 'ip rule add' command. Setting this
+          option to No, causes the 'ip rule del' command to be omitted.</para>
         </listitem>
       </varlistentry>
 
@@ -691,7 +694,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           helpers file from the administrative system into the script. When
           set to No or not specified, the compiler will not copy the modules
           or helpers file from <filename>/usr/share/shorewall6</filename> but
-          will copy the found in another location on the CONFIG_PATH.</para>
+          will copy those found in another location on the CONFIG_PATH.</para>
 
           <para>When compiling for direct use by Shorewall6, causes the
           contents of the local module or helpers file to be copied into the
@@ -725,7 +728,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
           cleared the packet mark in the first rule in the mangle FORWARD
           chain. This behavior is maintained with the default setting of this
           option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -1731,6 +1734,9 @@ LOG:info:,bar                        net                    fw</programlisting>
           When PAGER is given, the output of verbose <command>status</command>
           commands and the <command>dump</command> command are piped through
           the named program when the output file is a terminal.</para>
+
+          <para>Beginning with Shorewall 5.0.12, the default value of this
+          option is the DEFAULT_PAGER setting in shorewallrc.</para>
         </listitem>
       </varlistentry>
 
@@ -1922,18 +1928,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ; -j REJECT
+INLINE          -       -       17      ;; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ; -j REJECT
+INLINE          -       -       -       ;; -j REJECT
 ?endif</programlisting>
         </listitem>
       </varlistentry>
@@ -1982,7 +1988,7 @@ INLINE          -       -       -       ; -j REJECT
           restored unconditionally at the top of the mangle OUTPUT and
           PREROUTING chains, even if the saved mark is zero. When this option
           is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          even when it is zero. If you have problems with IPSEC ESP packets
+          only if it is non-zero. If you have problems with IPSEC ESP packets
           not being routed correctly on output, try setting this option to
           <emphasis role="bold">No</emphasis>.</para>
         </listitem>
@@ -2598,6 +2604,23 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

docs/configuration_file_basics.xml

@@ -774,6 +774,17 @@ DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</pro
     <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
 ; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
 DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
+
+    <para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
+    to individual rules using the <option>comment</option> keyword.</para>
+
+    <para>Example from the rules file:</para>
+
+    <programlisting>        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
+
+    <para>As shown in that example, when the comment contains whitespace, it
+    must be enclosed in double quotes and any embedded double quotes must be
+    escaped using a backslash ("\").</para>
   </section>
 
   <section>
@@ -1371,6 +1382,10 @@ SSH(ACCEPT)    net:$MYIP      $FW
     ?COMMENT line in the rules file and the generated rule will show <emphasis
     role="bold">/* Allow SSH from home */</emphasis> when displayed through
     the Shorewall show and dump commands.</para>
+
+    <para>Beginning with Shorewall 5.0.11, the <link linkend="Pairs">alternate
+    input format </link>allows attaching comments to individual rules in the
+    files listed above.</para>
   </section>
 
   <section id="CONFIG_PATH">
@@ -2785,6 +2800,182 @@ redirect                      =&gt; 137</programlisting>
     above.</para>
   </section>
 
+  <section id="TIME">
+    <title>TIME Columns</title>
+
+    <para>Several of the files include a TIME colum that allows you to specify
+    times when the rule is to be applied. Contents of this column is a list of
+    <replaceable>timeelement</replaceable>s separated by apersands
+    (&amp;).</para>
+
+    <para>Each <replaceable>timeelement</replaceable> is one of the
+    following:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the starting time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the ending time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>contiguous</term>
+
+        <listitem>
+          <para>Added in Shoreawll 5.0.12. When <emphasis
+          role="bold">timestop</emphasis> is smaller than <emphasis
+          role="bold">timestart</emphasis> value, match this as a single time
+          period instead of distinct intervals. See the Examples below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>utc</term>
+
+        <listitem>
+          <para>Times are expressed in Greenwich Mean Time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>localtz</term>
+
+        <listitem>
+          <para>Deprecated by the Netfilter team in favor of <emphasis
+          role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
+          Time (default).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>kerneltz</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
+          Time (requires iptables 1.4.12 or later).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>weekdays=ddd[,ddd]...</term>
+
+        <listitem>
+          <para>where <replaceable>ddd</replaceable> is one of
+          <option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
+          <option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
+          <option>Sun</option></para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>monthdays=dd[,dd],...</term>
+
+        <listitem>
+          <para>where <replaceable>dd</replaceable> is an ordinal day of the
+          month</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the starting date and time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the ending date and time.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Examples:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>To match on weekends, use:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Sat,Sun</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Or, to match (once) on a national holiday block:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24&amp;datestop=2016-12-27</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Since the stop time is actually inclusive, you would need the
+        following stop time to not match the first second of the new
+        day:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24T17:00&amp;datestop=2016-12-27T23:59:59</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>During Lunch Hour</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>The fourth Friday in the month:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Fri&amp;monthdays=22,23,24,25,26,27,28</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Matching across days might not do what is expected. For
+        instance,</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Mon&amp;timestart=23:00&amp;timestop=01:00</para>
+
+          <para>Will match Monday, for one hour from midnight to 1 a.m., and
+          then again for another hour from 23:00 onwards. If this is unwanted,
+          e.g. if you would like 'match for two hours from Montay 23:00
+          onwards' you need to also specify the <emphasis
+          role="bold">contiguous</emphasis> option in the example above.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </section>
+
   <section id="Switches">
     <title>Switches</title>
 
@@ -2927,8 +3118,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
     role="bold">optional</emphasis> option in the OPTIONS column.</para>
 
     <para>When an interface is marked as optional, Shorewall will determine
-    the interface state at <command>start</command> and
-    <command>restart</command> and adjust its configuration
+    the interface state at <command>start</command>, <command>reload</command>
+    and <command>restart</command> and adjust its configuration
     accordingly.</para>
 
     <itemizedlist>
@@ -2981,13 +3172,13 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
 
     <para>Shorewall allows you to have configuration directories other than
     <filename class="directory">/etc/shorewall</filename>. The shorewall
-    <command>check</command>, <command>start</command> and
-    <command>restart</command> commands allow you to specify an alternate
-    configuration directory and Shorewall will use the files in the alternate
-    directory rather than the corresponding files in /etc/shorewall. The
-    alternate directory need not contain a complete configuration; those files
-    not in the alternate directory will be read from <filename
-    class="directory">/etc/shorewall</filename>.<important>
+    <command>check</command>, <command>start</command>,
+    <command>reload</command> and <command>restart</command> commands allow
+    you to specify an alternate configuration directory and Shorewall will use
+    the files in the alternate directory rather than the corresponding files
+    in /etc/shorewall. The alternate directory need not contain a complete
+    configuration; those files not in the alternate directory will be read
+    from <filename class="directory">/etc/shorewall</filename>.<important>
         <para>Shorewall requires that the file
         <filename>/etc/shorewall/shorewall.conf</filename> to always exist.
         Certain global settings are always obtained from that file. If you

docs/support.xml

@@ -297,8 +297,8 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
           </listitem>
 
           <listitem>
-            <para>Post the <filename>/tmp/status.txt</filename> file as an
-            attachment compressed with gzip or bzip2.</para>
+            <para>Post the <filename>/tmp/shorewall_dump.txt</filename> file
+            as an attachment compressed with gzip or bzip2.</para>
           </listitem>
 
           <listitem>