Correct typo in process_mangle_inline()

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -235,7 +235,8 @@ for on in \
     SPARSE \
     ANNOTATED \
     VARLIB \
-    VARDIR
+    VARDIR \
+    DEFAULT_PAGER
 do
     echo "$on=${options[${on}]}"
     echo "$on=${options[${on}]}" >> shorewallrc

Shorewall-core/configure.pl

@@ -209,7 +209,8 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR / ) {
+	  VARDIR
+          DEFAULT_PAGER / ) {
 
     my $val = $options{$_} || '';
 

Shorewall-core/lib.cli

@@ -466,7 +466,8 @@ do_save() {
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    chmod +x $g_restorepath
+	    chmod 700 $g_restorepath
+	    chmod 600 ${g_restorepath}-iptables
 	    echo "   Currently-running Configuration Saved to $g_restorepath"
 	    run_user_exit save
 	else
@@ -487,6 +488,7 @@ do_save() {
 		if ${arptables}-save > ${VARDIR}/restore-$$; then
 		    if grep -q '^-A' ${VARDIR}/restore-$$; then
 			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			chmod 600 ${g_restorepath}-arptables
 		    else
 			rm -f ${VARDIR}/restore-$$
 		    fi
@@ -533,7 +535,7 @@ do_save() {
 			#
 			# Don't save an 'empty' file
 			#
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets && chmod 600 ${g_restorepath}-ipsets
 		    fi
 		fi
 		;;
@@ -3553,10 +3555,40 @@ blacklist_command() {
 	    ;;
     esac
 
-    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    if $IPSET -A $g_blacklistipset $@ -exist; then
+	local message
+
+	progress_message2 "$1 Blacklisted"
+
+	if [ -n "$g_disconnect" ]; then
+	    message="$(conntrack -D -s $1 2>&1)"
+	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		if [ $VERBOSITY -gt 1 ]; then
+		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
+		else
+		    echo "$message" | head -n1 | sed '/^.*: //; s/ / src /'
+		fi
+	    fi
+
+	    if [ $g_disconnect = src-dst ]; then
+		message="$(conntrack -D -d $1 2>&1)"
+		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		    if [ $VERBOSITY -gt 1 ]; then
+			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
+		    else
+			echo "$message" | head -n1 | sed '/^.*: //; s/ / dst /'
+		    fi
+		fi
+	    fi
+	fi
+    else
+	error_message "ERROR: Address $1 not blacklisted"
+	return 1
+    fi
 
     return 0
 }
+
 save_command() {
     local finished
     finished=0
@@ -3759,6 +3791,68 @@ verify_firewall_script() {
     fi
 }
 
+setup_dbl() {
+    local original
+
+    original=$DYNAMIC_BLACKLIST
+
+    case $DYNAMIC_BLACKLIST in
+	*:*,)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+	ipset*,disconnect*)
+	    if qt mywhich conntrack; then
+		g_disconnect=src
+		DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
+	    else
+		fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
+	    fi
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,src-dst*)
+	    #
+	    # This utility doesn't need to know about 'src-dst'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
+
+	    [ -n "$g_disconnect" ] && g_disconnect=src-dst
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,timeout*)
+	    #
+	    # This utility doesn't need to know about 'timeout=nnn'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	[Nn]o)
+	    DYNAMIC_BLACKLIST='';
+	    ;;
+	[Yy]es)
+	    ;;
+	ipset|ipset::*|ipset-only|ipset-only::*)
+	    g_blacklistipset=SW_DBL$g_family
+	    ;;
+	ipset:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	ipset-only:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	*)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+    esac
+}
+
 ################################################################################
 # The remaining functions are used by the Lite cli - they are overloaded by
 # the Standard CLI by loading lib.cli-std
@@ -3898,6 +3992,8 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
     if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -3905,7 +4001,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	esac
@@ -3916,35 +4012,7 @@ get_config() {
      fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $DYNAMIC_BLACKLIST in
-	    [Nn]o)
-		DYNAMIC_BLACKLIST='';
-		;;
-	    [Yy]es)
-	        ;;
-	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
-		g_blacklistipset=SW_DBL$g_family
-		;;
-	    ipset:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    *)
-		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
-		;;
-	esac
+	setup_dbl
     fi
 
     lib=$(find_file lib.cli-user)
@@ -4290,6 +4358,7 @@ shorewall_cli() {
     g_compiled=
     g_pager=
     g_blacklistipset=
+    g_disconnect=
 
     VERBOSE=
     VERBOSITY=1

Shorewall-core/shorewallrc.apple

@@ -19,3 +19,4 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.archlinux

@@ -20,3 +20,4 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.cygwin

@@ -19,3 +19,4 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
+DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.debian.systemd

@@ -21,3 +21,4 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.debian.sysvinit

@@ -21,3 +21,4 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.default

@@ -21,3 +21,4 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.openwrt

@@ -21,3 +21,4 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.redhat

@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.slackware

@@ -22,3 +22,4 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
+DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.suse

@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
+DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf

Shorewall-lite/manpages/shorewall-lite.xml

@@ -724,6 +724,23 @@
           <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -5190,7 +5190,7 @@ sub do_time( $ ) {
 	    $result .= "--monthday $days ";
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -8266,36 +8266,63 @@ EOF
 sub ensure_ipsets( @ ) {
     my $set;
 
-    if ( @_ > 1 ) {
+    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+	shift;
+
+	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
+
 	push_indent;
-	emit( "for set in @_; do" );
-	$set = '$set';
-    } else {
-	$set = $_[0];
+
+	if ( $family == F_IPV4 ) {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
+	} else {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
+	}
+
+	pop_indent;
+
+	emit( qq(    fi\n) );
+
     }
 
-    if ( $family == F_IPV4 ) {
-	if ( have_capability 'IPSET_V5' ) {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
-		   qq(    fi) );
+    if ( @_ ) {
+	if ( @_ > 1 ) {
+	    push_indent;
+	    emit( "for set in @_; do" );
+	    $set = '$set';
 	} else {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
-		   qq(        \$IPSET -N $set iphash) ,
+	    $set = $_[0];
+	}
+
+	if ( $family == F_IPV4 ) {
+	    if ( have_capability 'IPSET_V5' ) {
+		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0 counters) ,
+		       qq(    fi) );
+	    } else {
+		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		       qq(        \$IPSET -N $set iphash) ,
+		       qq(    fi) );
+	    }
+	} else {
+	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
 		   qq(    fi) );
 	}
-    } else {
-	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
-	       qq(    fi) );
-    }
 
-    if ( @_ > 1 ) {
-	emit 'done';
-	pop_indent;
+	if ( @_ > 1 ) {
+	    emit 'done';
+	    pop_indent;
+	}
     }
 }
 
@@ -8473,10 +8500,21 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################
 
 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
-		  '        zap_ipsets',
-		  '        $IPSET -R < ${VARDIR}/ipsets.save',
-		  '    fi' );
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
+
+	    if ( my $set = $globals{DBL_IPSET} ) {
+		emit( '        #',
+		      '        # Update the dynamic blacklisting ipset timeout value',
+		      '        #',
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      '        zap_ipsets',
+		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
+		      '    fi' );
+	    } else {
+		emit( '        zap_ipsets',
+		      '        $IPSET -R < ${VARDIR}/ipsets.save',
+		      '    fi' );
+	    }
 	}
 
 	if ( @ipsets ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -754,6 +754,8 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    DBL_IPSET               => '',
+		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
     #
@@ -897,6 +899,8 @@ sub initialize( $;$$) {
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
+	  ZERO_MARKS => undef ,
+	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -3400,7 +3404,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
     my $multiline = shift;
 
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
 
     $directive_callback->( 'PERL', $currentline ) if $directive_callback;
 
@@ -3853,8 +3857,10 @@ sub process_shorewallrc( $$ ) {
 	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 	}
     } elsif ( supplied $shorewallrc{VARLIB} ) {
-	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
     }
+
+    $shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
 }
 
 #
@@ -5228,7 +5234,7 @@ sub update_config_file( $ ) {
     update_default( 'USE_DEFAULT_RT', 'No' );
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
-    update_default( 'PAGER',          '' );
+    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
 
     my $fn;
 
@@ -6250,9 +6256,27 @@ sub get_configuration( $$$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
-	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
+	    ( $key , my @options ) = split_list( $key, 'option' );
+
+	    my $options = '';
+
+	    for ( @options ) {
+		if ( $simple_options{$_} ) {
+		    $options = join( ',' , $options, $_ );
+		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
+		    $globals{DBL_TIMEOUT} = $1;
+		} else {
+		    fatal_error "Invalid ipset option ($_)";
+		}
+	    }
+
+	    $globals{DBL_OPTIONS} = $options;
+
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
 
 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
@@ -6260,7 +6284,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }
 
-	    add_ipset( $set );
+	    add_ipset( $globals{DBL_IPSET} = $set );
 	    
 	    $level = validate_level( $level );
 
@@ -6290,6 +6314,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
     default_yes_no 'MINIUPNPD'                  , '';
     default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
+    default_yes_no 'ZERO_MARKS'                 , '';
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
 
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
 
-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;
 
     my $protonum = resolve_proto( $proto ) || 0;
 
@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
     my ( $proto, $list ) = @_;
     my @list   = split_list( $list, 'port' );
 
-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -688,7 +688,8 @@ sub add_common_rules ( $ ) {
     my $dbl_ipset;
     my $dbl_level;
     my $dbl_tag;
-    my $dbl_target;
+    my $dbl_src_target;
+    my $dbl_dst_target;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -749,8 +750,42 @@ sub add_common_rules ( $ ) {
 	}
 
 	if ( $dbl_ipset ) {
-	    if ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+	    if ( $val = $globals{DBL_TIMEOUT} ) {
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+
+		if ( $dbl_src_target eq 'dbl_src' ) {
+		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		    log_rule_limit( $dbl_level,
+				    $chainref,
+				    'dbl_log',
+				    'DROP',
+				    $globals{LOGLIMIT},
+				    $dbl_tag,
+				    'add',
+				    '',
+				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+		} else {
+		    $dbl_dst_target = $dbl_src_target;
+		}		    
+	    } elsif ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -763,7 +798,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_target = 'DROP'; 
+		$dbl_src_target = $dbl_dst_target = 'DROP'; 
 	    }
 	}
     }
@@ -877,17 +912,17 @@ sub add_common_rules ( $ ) {
 		    #
 		    # src
 		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    

Shorewall/Perl/Shorewall/Providers.pm

@@ -125,6 +125,13 @@ sub setup_route_marking() {
     my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    #
+    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
+    #
+
+    if ( $config{ZERO_MARKS} ) {
+	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+    }
 
     if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -302,27 +309,14 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_default_route = 0;
     } else {
-	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -339,27 +333,14 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_fallback_route = 0;
     } else {
-	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -535,7 +516,6 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -558,7 +538,6 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -802,6 +781,10 @@ sub add_a_provider( $$ ) {
 
 	push_indent;
 
+	emit( "if interface_is_up $physical; then" );
+
+	push_indent;
+
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -816,17 +799,14 @@ sub add_a_provider( $$ ) {
 	    emit( qq([ -z "$address" ] && return\n) );
 
 	    if ( $hostroute ) {
-		if ( $family == F_IPV4 ) {
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		} else {
-		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-		}
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
 
-	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
 	if ( ! $noautosrc ) {
@@ -855,8 +835,10 @@ sub add_a_provider( $$ ) {
 	    }
 	}
 
-	emit( qq(\n),
-	      qq(rm -f \${VARDIR}/${physical}_enabled) );
+	pop_indent;
+
+	emit( qq(fi\n),
+	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
 
 	pop_indent;
@@ -941,14 +923,8 @@ CEOF
 	$address = get_interface_address $interface unless $address;
 
 	if ( $hostroute ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-	    }
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
 
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -962,13 +938,8 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    } else {
-		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    }
+	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1044,23 +1015,12 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;
 
-	    if ( $family == F_IPV4 ) {
-		if ( $gateway ) {
-		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
-		}
+	    if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 	    } else {
-		#
-		# IPv6 doesn't support multi-hop routes
-		#
-		if ( $gateway ) {
-		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
-		}
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}
 
@@ -1070,7 +1030,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
@@ -1078,7 +1038,7 @@ CEOF
 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}
 
@@ -1150,7 +1110,7 @@ CEOF
 		$via = "dev $physical";
 	    }
 
-	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;
 
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1172,7 +1132,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    rm -f \${VARDIR}/${physical}_enabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1499,12 +1459,7 @@ sub finish_providers() {
 
     if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
-	} else {
-	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
-	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
-	}
+	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1557,12 +1512,7 @@ sub finish_providers() {
 
     if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
-	} else {
-	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
-	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
-	}
+	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -1677,7 +1627,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
+		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1728,7 +1678,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
+		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }

Shorewall/Perl/Shorewall/Rules.pm

@@ -2891,7 +2891,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
 		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;
 
-		$action .= " --timeout $timeout";
+		$action .= " --timeout $timeout --exist";
 	    }
 	}
     }
@@ -3965,7 +3965,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	    process_mangle_rule1( $chainref,
 				  $moriginalmark,
 				  $msource,
-				  $dest,
+				  $mdest,
 				  $proto,
 				  merge_macro_column( $mports,          $ports ),
 				  merge_macro_column( $msports,         $sports ),
@@ -4196,8 +4196,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},
 
 	CHECKSUM   => {
-	    defaultchain   => 0,
-	    allowedchains  => ALLCHAINS,
+	    defaultchain   => POSTROUTING,
+	    allowedchains  => POSTROUTING | FORWARD | OUTPUT,
 	    minparams      => 0,
 	    maxparams      => 0 ,
 	    function       => sub() {

Shorewall/Perl/Shorewall/Zones.pm

@@ -1119,6 +1119,8 @@ sub process_interface( $$ ) {
 
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
+    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
     if ( supplied $port ) {
@@ -1193,7 +1195,7 @@ sub process_interface( $$ ) {
     my %options;
 
     $options{port} = 1 if $port;
-    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
 
     my $hostoptionsref = {};
 
@@ -1316,7 +1318,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );

Shorewall/Perl/lib.runtime

@@ -599,7 +599,15 @@ debug_restore_input() {
 }
 
 interface_enabled() {
-    return $(cat ${VARDIR}/$1.status)
+    status=0
+
+    if [ -f ${VARDIR}/${1}_disabled ]; then
+	status=1
+    elif [ -f ${VARDIR}/${1}.status ]; then
+	status=$(cat ${VARDIR}/${1}.status)
+    fi
+
+    return $status
 }
 
 distribute_load() {
@@ -678,8 +686,10 @@ interface_is_usable() # $1 = interface
 
     if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi
@@ -996,9 +1006,16 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 
     if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    gateway="nexthop $gateway"
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-	    run_ip route replace table $2 $route
+	    if interface_is_up $3; then
+		gateway="nexthop $gateway"
+	    else
+		gateway="nexthop $gateway dead"
+	    fi
+
+	    if eval echo $route \| fgrep -q \'$gateway\'; then
+		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+		run_ip route replace table $2 $route
+	    fi
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1095,8 +1112,10 @@ interface_is_usable() # $1 = interface
 
     if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi

Shorewall/Samples/Universal/shorewall.conf

@@ -23,6 +23,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -128,16 +134,14 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -248,6 +254,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -34,6 +34,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,16 +145,14 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -259,6 +265,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -31,6 +31,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -136,16 +142,14 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -180,6 +184,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -256,6 +262,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -34,6 +34,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,16 +145,14 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -259,6 +265,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/configfiles/shorewall.conf

@@ -23,6 +23,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -128,16 +134,14 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=Yes
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=No
@@ -248,6 +254,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/lib.cli-std

@@ -316,6 +316,8 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
     if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -323,7 +325,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
@@ -334,35 +336,7 @@ get_config() {
     fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $DYNAMIC_BLACKLIST in
-	    [Nn]o)
-		DYNAMIC_BLACKLIST='';
-		;;
-	    [Yy]es)
-	        ;;
-	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
-		g_blacklistipset=SW_DBL$g_family
-		;;
-	    ipset:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    *)
-		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
-		;;
-	esac
+	setup_dbl
     fi
 
     lib=$(find_file lib.cli-user)
@@ -1470,6 +1444,12 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1493,7 +1473,7 @@ remote_reload_command() # $* = original arguments less the command.
 
     case $# in
 	0)
-	    missing_argument
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
 	    ;;
 	1)
 	    g_shorewalldir="."
@@ -1528,6 +1508,11 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No
 
 	g_haveconfig=Yes
+
+	if [ -z "$system" ]; then
+	    system=$FIREWALL
+	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+	fi
     else
 	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
     fi

Shorewall/manpages/shorewall-mangle.xml

@@ -137,7 +137,7 @@
                 <replaceable>action</replaceable> must be an action declared
                 with the <option>mangle</option> option in <ulink
                 url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
+                If the action accepts parameters, they are specified as a
                 comma-separated list within parentheses following the
                 <replaceable>action</replaceable> name.</para>
               </listitem>
@@ -1255,6 +1255,17 @@ Normal-Service       =&gt; 0x00</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 
@@ -1365,7 +1376,7 @@ Normal-Service       =&gt; 0x00</programlisting>
           round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
           (Shorewall 4.5.9 and later).</para>
 
-          <programlisting>/etc/shorewall/tcrules:
+          <programlisting>/etc/shorewall/mangle:
 
        #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
        CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW

Shorewall/manpages/shorewall-providers.xml

@@ -406,6 +406,16 @@
                     are present.</para>
                   </listitem>
                 </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-rules.xml

@@ -595,8 +595,7 @@
                 <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
-                </para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>The <replaceable>nflog-parameters</replaceable> are a
                 comma-separated list of up to 3 numbers:</para>
@@ -654,12 +653,12 @@
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
                 by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
               </listitem>
             </varlistentry>
 
@@ -1683,6 +1682,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 

Shorewall/manpages/shorewall.conf.xml

@@ -768,28 +768,77 @@
         role="bold">Yes</emphasis>|<emphasis
         role="bold">No</emphasis>||<emphasis
         role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
-        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.7. When set to <emphasis
           role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using the <command>shorewall6
-          drop</command>, <command>shorewall6 reject</command>,
-          <command>shorewall6 logdrop</command> and <command>shorewall6
+          chain-based dynamic blacklisting using <command>shorewall
+          drop</command>, <command>shorewall reject</command>,
+          <command>shorewall logdrop</command> and <command>shorewall
           logreject</command> is disabled. Default is <emphasis
           role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
-          ipset-based dynamic blacklisting is also supported. The name of the
-          set (<replaceable>setname</replaceable>) and the level
+          ipset-based dynamic blacklisting using the <command>shorewall
+          blacklist</command> command is also supported. The name of the set
+          (<replaceable>setname</replaceable>) and the level
           (<replaceable>log_level</replaceable>), if any, at which blacklisted
           traffic is to be logged may also be specified. The default set name
           is SW_DBL4 and the default log level is <option>none</option> (no
-          logging). if <option>ipset-only</option> is given, then chain-based
+          logging). If <option>ipset-only</option> is given, then chain-based
           dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
-          matches an entry in the ipsec are dropped. If
-          <option>src-dst</option> is included, then packets whose destination
-          address matches an entry in the ipset are also dropped.</para>
+          had been specified.</para>
+
+          <para>Possible <replaceable>option</replaceable>s are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>src-dst</term>
+
+              <listitem>
+                <para>Normally, only packets whose source address matches an
+                entry in the ipset are dropped. If <option>src-dst</option> is
+                included, then packets whose destination address matches an
+                entry in the ipset are also dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>disconnect</option></term>
+
+              <listitem>
+                <para>The <option>disconnect</option> option was added in
+                Shorewall 5.0.13 and requires that the conntrack utility be
+                installed on the firewall system. When an address is
+                blacklisted using the <command>blacklist</command> command,
+                all connections originating from that address are
+                disconnected. if the <option>src-dst</option> option was also
+                specified, then all connections to that address are also
+                disconnected.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
+                the dynamic blacklisting ipset with timeout 0 which means that
+                entries are permanent. If you want entries in the set that are
+                not accessed for a period of time to be deleted from the set,
+                you may specify that period using this option. Note that the
+                <command>blacklist</command> command can override the ipset's
+                timeout setting.</para>
+
+                <important>
+                  <para>Once the dynamic blacklisting ipset has been created,
+                  changing this option setting requires a complete restart of
+                  the firewall; <command>shorewall restart</command> if
+                  RESTART=restart, otherwise <command>shorewall stop
+                  &amp;&amp; shorewall start</command></para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
 
           <para>When ipset-based dynamic blacklisting is enabled, the contents
           of the blacklist will be preserved over
@@ -862,6 +911,21 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
+
+        <listitem>
+          <para>This option was added in Shorewall 5.0.13 and may be used on
+          an administrative system in directories containing the
+          configurations of remote firewalls. The contents of the variable are
+          the default value for the <replaceable>system</replaceable>
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
+          <command>remote-restart</command> commands.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -2009,6 +2073,9 @@ LOG:info:,bar                        net                    fw</programlisting>
           When PAGER is given, the output of verbose <command>status</command>
           commands and the <command>dump</command> command are piped through
           the named program when the output file is a terminal.</para>
+
+          <para>Beginning with Shorewall 5.0.12, the default value of this
+          option is the DEFAULT_PAGER setting in shorewallrc.</para>
         </listitem>
       </varlistentry>
 
@@ -2944,6 +3011,23 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall/manpages/shorewall.xml

@@ -59,7 +59,9 @@
 
       <arg choice="plain"><option>blacklist</option></arg>
 
-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg
+      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
+      ...</arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -449,9 +451,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -473,9 +475,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -497,9 +499,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -986,6 +988,23 @@
           <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 
@@ -1612,8 +1631,8 @@
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
         <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
+        [ <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>load</command> in
@@ -1639,7 +1658,13 @@
           directory. If compilation succeeds, then firewall is copied to
           <replaceable>system</replaceable> using scp. If the copy succeeds,
           Shorewall Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">start</emphasis> command succeeds, then the
@@ -1674,9 +1699,9 @@
         <term><emphasis role="bold">remote-reload
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was added in Shorewall 5.0.0.</para>
@@ -1700,8 +1725,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -1736,9 +1767,9 @@
         <term><emphasis role="bold">remote-restart
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>reload</command> in
@@ -1763,8 +1794,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">restart</emphasis> command succeeds, then the

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -701,6 +701,23 @@
           The <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -25,6 +25,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -122,16 +128,14 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -160,6 +164,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -220,6 +226,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/configfiles/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=Yes
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=Yes
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=No
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/manpages/shorewall6-mangle.xml

@@ -138,7 +138,7 @@
                 <replaceable>action</replaceable> must be an action declared
                 with the <option>mangle</option> option in <ulink
                 url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
+                If the action accepts parameters, they are specified as a
                 comma-separated list within parentheses following the
                 <replaceable>action</replaceable> name.</para>
               </listitem>
@@ -1331,6 +1331,17 @@ Normal-Service       =&gt; 0x00</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 

Shorewall6/manpages/shorewall6-masq.xml

@@ -551,8 +551,8 @@
           <programlisting>/etc/shorewall/masq:
 
        #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2 
 </programlisting>
 
           <para>If INLINE_MATCHES=Yes in <ulink
@@ -562,9 +562,8 @@
           <programlisting>/etc/shorewall/masq:
 
        #INTERFACE    SOURCE         ADDRESS 
-       sit1          0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
-</programlisting>
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6-providers.xml

@@ -159,26 +159,40 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">balance</emphasis></term>
+              <term><emphasis
+              role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>
 
               <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
-                this provider's gateway to be added to the <emphasis
-                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
-                or to the <emphasis role="bold">balance</emphasis> routing
-                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
-                option.</para>
+                <para>Added in Shorewall 4.4.25. The providers that have
+                <option>balance</option> specified will get outbound traffic
+                load-balanced among them. By default, all interfaces with
+                <option>balance</option> specified will have the same weight
+                (1). Beginning with Shorewall 5.0.13, you can change the
+                weight of an interface by specifying
+                <option>balance=</option><replaceable>weight</replaceable>
+                where <replaceable>weight</replaceable> is the weight of the
+                route out of this interface. Prior to Shorewall 5.0.13, only
+                one provider can specify this option.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">fallback</emphasis></term>
+              <term><emphasis
+              role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
 
               <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
-                this provider's gateway to be added to the <emphasis
-                role="bold">default</emphasis> routing table.At most one
-                provider can specify this option.</para>
+                <para>Added in Shorewall 4.4.25. Indicates that a default
+                route through the provider should be added to the default
+                routing table (table 253). If a
+                <replaceable>weight</replaceable> is given, a balanced route
+                is added with the weight of this provider equal to the
+                specified <replaceable>weight</replaceable>. If the option is
+                given without a <replaceable>weight</replaceable>, an separate
+                default route is added through the provider's gateway; the
+                route has a metric equal to the provider's NUMBER. Prior to
+                Shorewall 5.0.13, at most one provider can specify this option
+                and a <replaceable>weight</replaceable> may not be
+                given.</para>
               </listitem>
             </varlistentry>
 
@@ -377,6 +391,16 @@
                     are present.</para>
                   </listitem>
                 </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-rules.xml

@@ -630,7 +630,7 @@
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
@@ -1547,6 +1547,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -629,28 +629,77 @@
         role="bold">Yes</emphasis>|<emphasis
         role="bold">No</emphasis>||<emphasis
         role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
-        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.7. When set to <emphasis
           role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using the <command>shorewall6
+          chain-based dynamic blacklisting using <command>shorewall6
           drop</command>, <command>shorewall6 reject</command>,
           <command>shorewall6 logdrop</command> and <command>shorewall6
           logreject</command> is disabled. Default is <emphasis
           role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
-          ipset-based dynamic blacklisting is also supported. The name of the
-          set (<replaceable>setname</replaceable>) and the level
+          ipset-based dynamic blacklisting using <command>shorewall6
+          blacklist</command> is also supported. The name of the set
+          (<replaceable>setname</replaceable>) and the level
           (<replaceable>log_level</replaceable>), if any, at which blacklisted
           traffic is to be logged may also be specified. The default set name
           is SW_DBL6 and the default log level is <option>none</option> (no
           logging). if <option>ipset-only</option> is given, then chain-based
           dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
-          matches an entry in the ipsec are dropped. If
-          <option>src-dst</option> is included, then packets whose destination
-          address matches an entry in the ipset are also dropped.</para>
+          had been specified.</para>
+
+          <para>Possible <replaceable>option</replaceable>s are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>src-dst</term>
+
+              <listitem>
+                <para>Normally, only packets whose source address matches an
+                entry in the ipset are dropped. If <option>src-dst</option> is
+                included, then packets whose destination address matches an
+                entry in the ipset are also dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>disconnect</option></term>
+
+              <listitem>
+                <para>The <option>disconnect</option> option was added in
+                Shorewall 5.0.13 and requires that the conntrack utility be
+                installed on the firewall system. When an address is
+                blacklisted using the <command>blacklist</command> command,
+                all connections originating from that address are
+                disconnected. if the <option>src-dst</option> option was also
+                specified, then all connections to that address are also
+                disconnected.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
+                the dynamic blacklisting ipset with timeout 0 which means that
+                entries are permanent. If you want entries in the set that are
+                not accessed for a period of time to be deleted from the set,
+                you may specify that period using this option. Note that the
+                <command>blacklist</command> command can override the ipset's
+                timeout setting.</para>
+
+                <important>
+                  <para>Once the dynamic blacklisting ipset has been created,
+                  changing this option setting requires a complete restart of
+                  the firewall; <command>shorewall6 restart</command> if
+                  RESTART=restart, otherwise <command>shorewall6 stop
+                  &amp;&amp; shorewall6 start</command></para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
 
           <para>When ipset-based dynamic blacklisting is enabled, the contents
           of the blacklist will be preserved over
@@ -723,6 +772,21 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
+
+        <listitem>
+          <para>This option was added in Shorewall 5.0.13 and may be used on
+          an administrative system in directories containing the
+          configurations of remote firewalls. The contents of the variable are
+          the default value for the <replaceable>system</replaceable>
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
+          <command>remote-restart</command> commands.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1734,6 +1798,9 @@ LOG:info:,bar                        net                    fw</programlisting>
           When PAGER is given, the output of verbose <command>status</command>
           commands and the <command>dump</command> command are piped through
           the named program when the output file is a terminal.</para>
+
+          <para>Beginning with Shorewall 5.0.12, the default value of this
+          option is the DEFAULT_PAGER setting in shorewallrc.</para>
         </listitem>
       </varlistentry>
 
@@ -2601,6 +2668,23 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall6/manpages/shorewall6.xml

@@ -44,8 +44,6 @@
       <arg>-<replaceable>options</replaceable></arg>
 
       <arg choice="plain"><option>allow</option></arg>
-
-      <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -58,7 +56,9 @@
 
       <arg choice="plain"><option>blacklist</option></arg>
 
-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg choice="plain"><replaceable>address</replaceable><arg
+      choice="plain"><arg><replaceable>option
+      ...</replaceable></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -403,9 +403,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -427,9 +427,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -451,9 +451,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -954,6 +954,23 @@
           The <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 
@@ -1548,9 +1565,11 @@
         <term><emphasis role="bold">remote-reload
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <term/>
 
         <listitem>
           <para>This command was added in Shorewall 5.0.0.</para>
@@ -1574,8 +1593,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <option>-s</option> is specified and the
           <command>restart</command> command succeeds, then the remote
@@ -1610,9 +1635,9 @@
         <term><emphasis role="bold">remote- restart
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>reload</command> in
@@ -1640,6 +1665,14 @@
           Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
           ssh.</para>
 
+          <para>Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
+
           <para>If <option>-s</option> is specified and the
           <command>restart</command> command succeeds, then the remote
           Shorewall6-lite configuration is saved by executing
@@ -1673,8 +1706,8 @@
         <term><emphasis role="bold">remote-start </emphasis>
         [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
         <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>i</option>] [ [-D ] <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was added in Shorewall 5.0.0.</para>
@@ -1699,7 +1732,13 @@
           directory. If compilation succeeds, then firewall is copied to
           <replaceable>system</replaceable> using scp. If the copy succeeds,
           Shorewall6 Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <option>-s</option> is specified and the <emphasis
           role="bold">start</emphasis> command succeeds, then the remote

docs/MultiISP.xml

@@ -766,7 +766,7 @@ fi</programlisting>
       provider interfaces as <emphasis role="bold">optional</emphasis> (<ulink
       url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>)
       then <link linkend="LinkMonitor">install and configure
-      LSM</link>.</para>
+      FOOLSM</link>.</para>
 
       <para><ulink url="Shorewall-init.html">Shorewall-init</ulink> provides
       for handling links that go hard down and are later brought back
@@ -926,7 +926,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
     </section>
 
     <section id="Example2">
-      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+      <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
 
       <para>This section shows the differences in configuring the above
       example with USE_DEFAULT_RT=Yes. The changes are confined to the
@@ -1937,8 +1937,8 @@ if [ $2 != down ]; then
     [ -f /var/lib/shorewall/eth0.info ] &amp;&amp; . /var/lib/shorewall/eth0.info
     
     if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
-        logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
-        killall lsm
+        logger -p daemon.info "eth0 IP configuration changed - restarting foolsm and Shorewall"
+        killall foolsm
         /sbin/shorewall restart
     fi
 fi
@@ -1953,9 +1953,9 @@ fi
             </listitem>
 
             <listitem>
-              <para>It assumes the use of <link linkend="lsm">LSM</link>; If
-              you aren't using lSM, you can change the log message and remove
-              the 'killall lsm'</para>
+              <para>It assumes the use of <link linkend="lsm">FOOLSM</link>;
+              If you aren't using foolsm, you can change the log message and
+              remove the 'killall foolsm'</para>
             </listitem>
 
             <listitem>
@@ -2090,9 +2090,9 @@ ComcastC 2      -    -          eth0      detect        loose,fallback,load=0.33
     <section id="LinkMonitor">
       <title>Gateway Monitoring and Failover</title>
 
-      <para>There is an option (LSM) available for monitoring the status of
-      provider links and taking action when a failure occurs. LSM assumes that
-      each provider has a unique nexthop gateway.</para>
+      <para>There is an option (FOOLSM) available for monitoring the status of
+      provider links and taking action when a failure occurs. FOOLSM assumes
+      that each provider has a unique nexthop gateway.</para>
 
       <para>You specify the <option>optional</option> option in
       <filename>/etc/shorewall/interfaces</filename>:</para>
@@ -2102,7 +2102,7 @@ net      eth0         detect          <emphasis role="bold">optional</emphasis>
 net      eth1         detect          <emphasis role="bold">optional</emphasis></programlisting>
 
       <section id="lsm">
-        <title>Link Status Monitor (LSM)</title>
+        <title>Link Status Monitor (FOOLSM)</title>
 
         <para><ulink url="http://lsm.foobar.fi/">Link Status Monitor</ulink>
         was written by Mika Ilmaranta &lt;ilmis at nullnet.fi&gt; and performs
@@ -2116,19 +2116,25 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
           file</ulink>) before installing LSM.</para>
         </important>
 
-        <para>Like many Open Source products, LSM is poorly documented. It's
-        main configuration file is normally kept in
-        <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
-        as an argument to the lsm program so you can name it anything you
-        want.</para>
+        <important>
+          <para>To avoid an achronym clash with <emphasis>Linux Security
+          Module</emphasis>, the Link Status Monitor is now called
+          <emphasis>foolsm</emphasis>.</para>
+        </important>
 
-        <para>The sample <filename>lsm.conf</filename> included with the
+        <para>Like many Open Source products, FOOLSM is poorly documented.
+        It's main configuration file is normally kept in
+        <filename>/etc/foolsm/foolsm.conf</filename>, but the file's name is
+        passed as an argument to the foolsm program so you can name it
+        anything you want.</para>
+
+        <para>The sample <filename>foolsm.conf</filename> included with the
         product shows some of the possibilities for configuration. One feature
         that is not mentioned in the sample is that an "include" directive is
         supported. This allows additional files to be sourced in from the main
         configuration file.</para>
 
-        <para>LSM monitors the status of the links defined in its
+        <para>FOOLSM monitors the status of the links defined in its
         configuration file and runs a user-provided script when the status of
         a link changes. The script name is specified in the
         <firstterm>eventscript</firstterm> option in the configuration file.
@@ -2175,33 +2181,33 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
 
         <para>It is the responsibility of the script to perform any action
         needed in reaction to the connection state change. The default script
-        supplied with LSM composes an email and sends it to $5.</para>
+        supplied with FOOLSM composes an email and sends it to $5.</para>
 
-        <para>I personally use LSM here at shorewall.net (configuration is
+        <para>I personally use FOOLSM here at shorewall.net (configuration is
         described <link linkend="Complete">below</link>). I have set things up
         so that:</para>
 
         <itemizedlist>
           <listitem>
-            <para>Shorewall [re]starts lsm during processing of the
+            <para>Shorewall [re]starts foolsm during processing of the
             <command>start</command> and <command>restore</command> commands.
-            I don't have Shorewall restart lsm during Shorewall
+            I don't have Shorewall restart foolsm during Shorewall
             <command>restart</command> because I restart Shorewall much more
             often than the average user is likely to do.</para>
           </listitem>
 
           <listitem>
-            <para>Shorewall starts lsm because I have a dynamic IP address
+            <para>Shorewall starts foolsm because I have a dynamic IP address
             from one of my providers (Comcast); Shorewall detects the default
             gateway to that provider and creates a secondary configuration
-            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
-            the link configurations. That file is included by
-            <filename>/etc/lsm/lsm.conf</filename>.</para>
+            file (<filename>/etc/foolsm/shorewall.conf</filename>) that
+            contains the link configurations. That file is included by
+            <filename>/etc/foolsm/foolsm.conf</filename>.</para>
           </listitem>
 
           <listitem>
-            <para>The script run by LSM during state change
-            (<filename>/etc/lsm/script) </filename>writes a<filename>
+            <para>The script run by FOOLSM during state change
+            (<filename>/etc/foolsm/script) </filename>writes a<filename>
             ${VARDIR}/xxx.status</filename> file when the status of an
             interface changes. Those files are read by the
             <filename>isusable</filename> extension script (see below).</para>
@@ -2224,7 +2230,7 @@ COM_IF=eth1</programlisting>
 
         <programlisting>local status=0
 #
-# Read the status file (if any) created by /etc/lsm/script
+# Read the status file (if any) created by /etc/foolsm/script
 #
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)
 
@@ -2233,22 +2239,22 @@ return $status</programlisting>
         <para><filename>/etc/shorewall/lib.private</filename>:</para>
 
         <programlisting>###############################################################################
-# Create /etc/lsm/shorewall.conf
+# Create /etc/foolsm/shorewall.conf
 # Remove the current interface status files
-# Start lsm
+# Start foolsm
 ###############################################################################
-start_lsm() {
+start_foolsm() {
    #
-   # Kill any existing lsm process(es)
+   # Kill any existing foolsm process(es)
    #
-   killall lsm 2&gt; /dev/null
+   killall foolsm 2&gt; /dev/null
    #
-   # Create the Shorewall-specific part of the LSM configuration. This file is
-   # included by /etc/lsm/lsm.conf
+   # Create the Shorewall-specific part of the FOOLSM configuration. This file is
+   # included by /etc/foolsm/foolsm.conf
    #
    # Avvanta has a static gateway while Comcast's is dynamic
    #
-   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
+   cat &lt;&lt;EOF &gt; /etc/foolsm/shorewall.conf
 connection {
     name=Avvanta
     checkip=206.124.146.254
@@ -2264,14 +2270,9 @@ connection {
 }
 EOF
    #
-   # Since LSM assumes that interfaces start in the 'up' state, remove any
-   # existing status files that might have an interface in the down state
+   # Run FOOLSM -- by default, it forks into the background
    #
-   rm -f /var/lib/shorewall/*.status
-   #
-   # Run LSM -- by default, it forks into the background
-   #
-   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
+   /usr/sbin/foolsm -c /etc/foolsm/foolsm.conf &gt;&gt; /var/log/foolsm
 }</programlisting>
 
         <para>eth0 has a dynamic IP address so I need to use the
@@ -2286,22 +2287,22 @@ EOF
         <para><filename>/etc/shorewall/started</filename>:</para>
 
         <programlisting>##################################################################################
-# [re]start lsm if this is a 'start' command or if lsm isn't running
+# [re]start foolsm if this is a 'start' command or if foolsm isn't running
 ##################################################################################
-if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
-    start_lsm
+if [ "$COMMAND" = start -o -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
+    start_foolsm
 fi</programlisting>
 
         <para><filename>/etc/shorewall/restored</filename>:</para>
 
         <programlisting>##################################################################################
-# Start lsm if it isn't running
+# Start foolsm if it isn't running
 ##################################################################################
-if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
-   start_lsm
+if [ -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
+   start_foolsm
 fi</programlisting>
 
-        <para><filename>/etc/lsm/lsm.conf</filename>:</para>
+        <para><filename>/etc/foolsm/foolsm.conf</filename>:</para>
 
         <programlisting>#
 # Defaults for the connection entries
@@ -2309,7 +2310,7 @@ fi</programlisting>
 defaults {
   name=defaults
   checkip=127.0.0.1
-  eventscript=/etc/lsm/script
+  eventscript=/etc/foolsm/script
   max_packet_loss=20
   max_successive_pkts_lost=7
   min_packet_loss=5
@@ -2322,10 +2323,11 @@ defaults {
   ttl=0
 }
 
-include /etc/lsm/shorewall.conf</programlisting>
+include /etc/foolsm/shorewall.conf</programlisting>
 
-        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
-        - note that this script must be executable by root)<programlisting>#!/bin/sh
+        <para><filename>/etc/foolsm/script</filename> (Shorewall 4.4.23 and
+        later - note that this script must be executable by
+        root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
@@ -2382,7 +2384,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
 
-Your LSM Daemon
+Your FOOLSM Daemon
 
 EOM
 
@@ -2394,7 +2396,7 @@ else
    ${VARDIR}/firewall disable ${DEVICE}
 fi
 
-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm
 
 exit 0
 
@@ -2457,7 +2459,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
 
-Your LSM Daemon
+Your FOOLSM Daemon
 
 EOM
 
@@ -2466,9 +2468,9 @@ EOM
 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
 # echo $state &gt; ${VARDIR}/${DEVICE}.status
 
-<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>
+<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/foolsm 2&gt;&amp;1</emphasis>
 
-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm
 
 exit 0
 

docs/configuration_file_basics.xml

@@ -782,7 +782,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
 
     <programlisting>        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
 
-    <para> As shown in that example, when the comment contains whitespace, it
+    <para>As shown in that example, when the comment contains whitespace, it
     must be enclosed in double quotes and any embedded double quotes must be
     escaped using a backslash ("\").</para>
   </section>
@@ -2619,6 +2619,13 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     <para>Also, unless otherwise documented, a port range can be preceded by
     '!' to specify "All ports except those in this range" (e.g.,
     "!4000:4100").</para>
+
+    <para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
+    separate the two port numbers; when using service names, the colon must
+    still be used.</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000-4100</emphasis></programlisting>
   </section>
 
   <section id="Portlists">
@@ -2800,6 +2807,182 @@ redirect                      =&gt; 137</programlisting>
     above.</para>
   </section>
 
+  <section id="TIME">
+    <title>TIME Columns</title>
+
+    <para>Several of the files include a TIME colum that allows you to specify
+    times when the rule is to be applied. Contents of this column is a list of
+    <replaceable>timeelement</replaceable>s separated by apersands
+    (&amp;).</para>
+
+    <para>Each <replaceable>timeelement</replaceable> is one of the
+    following:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the starting time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the ending time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>contiguous</term>
+
+        <listitem>
+          <para>Added in Shoreawll 5.0.12. When <emphasis
+          role="bold">timestop</emphasis> is smaller than <emphasis
+          role="bold">timestart</emphasis> value, match this as a single time
+          period instead of distinct intervals. See the Examples below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>utc</term>
+
+        <listitem>
+          <para>Times are expressed in Greenwich Mean Time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>localtz</term>
+
+        <listitem>
+          <para>Deprecated by the Netfilter team in favor of <emphasis
+          role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
+          Time (default).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>kerneltz</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
+          Time (requires iptables 1.4.12 or later).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>weekdays=ddd[,ddd]...</term>
+
+        <listitem>
+          <para>where <replaceable>ddd</replaceable> is one of
+          <option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
+          <option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
+          <option>Sun</option></para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>monthdays=dd[,dd],...</term>
+
+        <listitem>
+          <para>where <replaceable>dd</replaceable> is an ordinal day of the
+          month</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the starting date and time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the ending date and time.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Examples:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>To match on weekends, use:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Sat,Sun</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Or, to match (once) on a national holiday block:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24&amp;datestop=2016-12-27</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Since the stop time is actually inclusive, you would need the
+        following stop time to not match the first second of the new
+        day:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24T17:00&amp;datestop=2016-12-27T23:59:59</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>During Lunch Hour</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>The fourth Friday in the month:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Fri&amp;monthdays=22,23,24,25,26,27,28</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Matching across days might not do what is expected. For
+        instance,</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Mon&amp;timestart=23:00&amp;timestop=01:00</para>
+
+          <para>Will match Monday, for one hour from midnight to 1 a.m., and
+          then again for another hour from 23:00 onwards. If this is unwanted,
+          e.g. if you would like 'match for two hours from Montay 23:00
+          onwards' you need to also specify the <emphasis
+          role="bold">contiguous</emphasis> option in the example
+          above.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </section>
+
   <section id="Switches">
     <title>Switches</title>
 
@@ -2942,8 +3125,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
     role="bold">optional</emphasis> option in the OPTIONS column.</para>
 
     <para>When an interface is marked as optional, Shorewall will determine
-    the interface state at <command>start</command> and
-    <command>restart</command> and adjust its configuration
+    the interface state at <command>start</command>, <command>reload</command>
+    and <command>restart</command> and adjust its configuration
     accordingly.</para>
 
     <itemizedlist>
@@ -2996,13 +3179,13 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
 
     <para>Shorewall allows you to have configuration directories other than
     <filename class="directory">/etc/shorewall</filename>. The shorewall
-    <command>check</command>, <command>start</command> and
-    <command>restart</command> commands allow you to specify an alternate
-    configuration directory and Shorewall will use the files in the alternate
-    directory rather than the corresponding files in /etc/shorewall. The
-    alternate directory need not contain a complete configuration; those files
-    not in the alternate directory will be read from <filename
-    class="directory">/etc/shorewall</filename>.<important>
+    <command>check</command>, <command>start</command>,
+    <command>reload</command> and <command>restart</command> commands allow
+    you to specify an alternate configuration directory and Shorewall will use
+    the files in the alternate directory rather than the corresponding files
+    in /etc/shorewall. The alternate directory need not contain a complete
+    configuration; those files not in the alternate directory will be read
+    from <filename class="directory">/etc/shorewall</filename>.<important>
         <para>Shorewall requires that the file
         <filename>/etc/shorewall/shorewall.conf</filename> to always exist.
         Certain global settings are always obtained from that file. If you

docs/shorewall_logging.xml

@@ -239,9 +239,9 @@
         </listitem>
       </orderedlist>
 
-      <para>If your kernel has ULOG target support (and most vendor-supplied
-      kernels do), you may also specify a log level of ULOG (must be all
-      caps). When ULOG is used, Shorewall will direct Netfilter to log the
+      <para>If your kernel has NFLOG target support (and most vendor-supplied
+      kernels do), you may also specify a log level of NFLOG (must be all
+      caps). When NFLOG is used, Shorewall will direct Netfilter to log the
       related messages via the ULOG target which will send them to a process
       called <quote>ulogd</quote>. The ulogd program is included in most
       distributions and is also available from <ulink
@@ -250,7 +250,7 @@
       file.</para>
 
       <note>
-        <para>The ULOG logging mechanism is <emphasis
+        <para>The NFLOG logging mechanism is <emphasis
         role="underline">completely separate</emphasis> from syslog. Once you
         switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
         have absolutely no effect on your Shorewall logging (except for
@@ -259,11 +259,11 @@
 
       <para>You will need to change all instances of log levels (usually
       <quote>info</quote>) in your Shorewall configuration files to
-      <quote>ULOG</quote> - this includes entries in the policy, rules and
+      <quote>NFLOG</quote> - this includes entries in the policy, rules and
       shorewall.conf files. Here's what I had at one time:</para>
 
       <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
-params:LOG=ULOG
+params:LOG=NFOG
 policy:loc              $FW             REJECT          $LOG
 policy:net              all             DROP            $LOG            10/sec:40
 policy:all              all             REJECT          $LOG
@@ -287,9 +287,8 @@ gateway:/etc/shorewall#                                               </programl
       <quote><command>logwatch</command></quote> and
       <quote><command>dump</command></quote> commands.</para>
 
-      <para>The NFLOG target, a successor to ULOG, is supported shorewall.
-      Both ULOG and NFLOG may be followed by a list of up to three numbers in
-      parentheses.</para>
+      <para>The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may
+      be followed by a list of up to three numbers in parentheses.</para>
 
       <itemizedlist>
         <listitem>
@@ -342,6 +341,11 @@ stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:
 [firewall]
 file="/var/log/firewall"
 sync=1</programlisting>
+
+      <note>
+        <para>This sample config file assumes that NFLOG is being used in
+        logging rules and policies.</para>
+      </note>
     </section>
   </section>
 
@@ -470,7 +474,7 @@ sync=1</programlisting>
       <para><ulink
       url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
       url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
-      number of options whose values are log levels. Beginnint with Shorewall
+      number of options whose values are log levels. Beginning with Shorewall
       5.0.0, these specifcations may include a log tag as described <link
       linkend="LogTags">above</link>.</para>
     </section>