Avoid compiler crash when LOAD_HELPERS_ONLY=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -3561,17 +3561,23 @@ blacklist_command() {
 	progress_message2 "$1 Blacklisted"
 
 	if [ -n "$g_disconnect" ]; then
-	    message=$(conntrack -D -s $1 2>&1)
+	    message="$(conntrack -D -s $1 2>&1)"
-	    if [ -n "$message" ]; then
+	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
-		message=$(echo $message | sed 's/^.*: //; s/ / src /')
+		if [ $VERBOSITY -gt 1 ]; then
-		progress_message2 $message
+		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
+		else
+		    echo "$message" | head -n1 | sed '/^.*: //; s/ / src /'
+		fi
 	    fi
 
 	    if [ $g_disconnect = src-dst ]; then
-		message=$(conntrack -D -d $1 2>&1)
+		message="$(conntrack -D -d $1 2>&1)"
-		if [ -n "$message" ]; then
+		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
-		    message=$(echo $message | sed 's/^.*: //; s/ / dst /')
+		    if [ $VERBOSITY -gt 1 ]; then
-		    progress_message2 $message
+			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
+		    else
+			echo "$message" | head -n1 | sed '/^.*: //; s/ / dst /'
+		    fi
 		fi
 	    fi
 	fi
@@ -3815,6 +3821,15 @@ setup_dbl() {
 	    ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+	ipset*,timeout*)
+	    #
+	    # This utility doesn't need to know about 'timeout=nnn'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
+	    ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
 	[Nn]o)
 	    DYNAMIC_BLACKLIST='';

Shorewall-lite/manpages/shorewall-lite.xml

@@ -724,6 +724,23 @@
           <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -8265,37 +8265,65 @@ EOF
 
 sub ensure_ipsets( @ ) {
     my $set;
+    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
+
+    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+	shift;
+
+	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
 
-    if ( @_ > 1 ) {
 	push_indent;
-	emit( "for set in @_; do" );
+
-	$set = '$set';
+	if ( $family == F_IPV4 ) {
-    } else {
+	    emit(  q(    #),
-	$set = $_[0];
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+	} else {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+	}
+
+	pop_indent;
+
+	emit( qq(    fi\n) );
+
     }
 
-    if ( $family == F_IPV4 ) {
+    if ( @_ ) {
-	if ( have_capability 'IPSET_V5' ) {
+	if ( @_ > 1 ) {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	    push_indent;
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+	    emit( "for set in @_; do" );
-		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
+	    $set = '$set';
-		   qq(    fi) );
 	} else {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	    $set = $_[0];
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+	}
-		   qq(        \$IPSET -N $set iphash) ,
+
+	if ( $family == F_IPV4 ) {
+	    if ( have_capability 'IPSET_V5' ) {
+		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
+		       qq(    fi) );
+	    } else {
+		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		       qq(        \$IPSET -N $set iphash) ,
+		       qq(    fi) );
+	    }
+	} else {
+	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
-    } else {
-	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
-	       qq(    fi) );
-    }
 
-    if ( @_ > 1 ) {
+	if ( @_ > 1 ) {
-	emit 'done';
+	    emit 'done';
-	pop_indent;
+	    pop_indent;
+	}
     }
 }
 
@@ -8473,10 +8501,21 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################
 
 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
-		  '        zap_ipsets',
+
-		  '        $IPSET -R < ${VARDIR}/ipsets.save',
+	    if ( my $set = $globals{DBL_IPSET} ) {
-		  '    fi' );
+		emit( '        #',
+		      '        # Update the dynamic blacklisting ipset timeout value',
+		      '        #',
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      '        zap_ipsets',
+		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
+		      '    fi' );
+	    } else {
+		emit( '        zap_ipsets',
+		      '        $IPSET -R < ${VARDIR}/ipsets.save',
+		      '    fi' );
+	    }
 	}
 
 	if ( @ipsets ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -754,6 +754,8 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    DBL_IPSET               => '',
+		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
     #
@@ -898,6 +900,7 @@ sub initialize( $;$$) {
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
+	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -4541,11 +4544,11 @@ sub IPSet_Match() {
 }
 
 sub IPSet_Match_Nomatch() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {
@@ -6253,16 +6256,26 @@ sub get_configuration( $$$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %valid_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
 
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
-	    ( $key, my @options ) = split_list( $key, 'option' );
+	    ( $key , my @options ) = split_list( $key, 'option' );
+
+	    my $options = '';
 
 	    for ( @options ) {
-		fatal_error "Invalid ipset option ($_)" unless $valid_options{$_};
+		if ( $simple_options{$_} ) {
+		    $options = join( ',' , $options, $_ );
+		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
+		    $globals{DBL_TIMEOUT} = $1;
+		} else {
+		    fatal_error "Invalid ipset option ($_)";
+		}
 	    }
 
+	    $globals{DBL_OPTIONS} = $options;
+
 	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
 
 	    if ( supplied( $set ) ) {
@@ -6271,7 +6284,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }
 
-	    add_ipset( $set );
+	    add_ipset( $globals{DBL_IPSET} = $set );
 	    
 	    $level = validate_level( $level );
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
 
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
 
-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;
 
     my $protonum = resolve_proto( $proto ) || 0;
 
@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
     my ( $proto, $list ) = @_;
     my @list   = split_list( $list, 'port' );
 
-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -688,7 +688,8 @@ sub add_common_rules ( $ ) {
     my $dbl_ipset;
     my $dbl_level;
     my $dbl_tag;
-    my $dbl_target;
+    my $dbl_src_target;
+    my $dbl_dst_target;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -749,8 +750,42 @@ sub add_common_rules ( $ ) {
 	}
 
 	if ( $dbl_ipset ) {
-	    if ( $dbl_level ) {
+	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+
+		if ( $dbl_src_target eq 'dbl_src' ) {
+		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		    log_rule_limit( $dbl_level,
+				    $chainref,
+				    'dbl_log',
+				    'DROP',
+				    $globals{LOGLIMIT},
+				    $dbl_tag,
+				    'add',
+				    '',
+				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+		} else {
+		    $dbl_dst_target = $dbl_src_target;
+		}		    
+	    } elsif ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -763,7 +798,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_target = 'DROP'; 
+		$dbl_src_target = $dbl_dst_target = 'DROP'; 
 	    }
 	}
     }
@@ -877,17 +912,17 @@ sub add_common_rules ( $ ) {
 		    #
 		    # src
 		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    

Shorewall/Perl/Shorewall/Providers.pm

@@ -309,27 +309,14 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $family == F_IPV4 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
 	} else {
-	    #
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
-	    }
 	}
 
 	$first_default_route = 0;
     } else {
-	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -346,27 +333,14 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $family == F_IPV4 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
 	} else {
-	    #
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
-	    }
 	}
 
 	$first_fallback_route = 0;
     } else {
-	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -542,7 +516,6 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -565,7 +538,6 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -827,18 +799,10 @@ sub add_a_provider( $$ ) {
 	    emit( qq([ -z "$address" ] && return\n) );
 
 	    if ( $hostroute ) {
-		if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		} else {
-		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
-		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		}
 	    }
 
 	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
@@ -959,14 +923,8 @@ CEOF
 	$address = get_interface_address $interface unless $address;
 
 	if ( $hostroute ) {
-	    if ( $family == F_IPV4 ) {
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-	    }
 	}
 
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -980,13 +938,8 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
+	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    } else {
-		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1062,23 +1015,12 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;
 
-	    if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
-		if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
-		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
-		}
 	    } else {
-		#
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
-		# IPv6 doesn't support multi-hop routes
-		#
-		if ( $gateway ) {
-		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
-		}
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}
 
@@ -1088,7 +1030,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(    rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
@@ -1168,7 +1110,7 @@ CEOF
 		$via = "dev $physical";
 	    }
 
-	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;
 
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1517,12 +1459,7 @@ sub finish_providers() {
 
     if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
+	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
-	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
-	} else {
-	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
-	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
-	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1575,12 +1512,7 @@ sub finish_providers() {
 
     if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
+	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
-	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
-	} else {
-	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
-	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
-	}
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',

Shorewall/Perl/Shorewall/Rules.pm

@@ -2891,7 +2891,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
 		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;
 
-		$action .= " --timeout $timeout";
+		$action .= " --timeout $timeout --exist";
 	    }
 	}
     }
@@ -3958,14 +3958,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$msource = $source if $msource eq '-';
-	$mdest   = $dest   if $msource eq '-';
+	$mdest   = $dest   if $mdest   eq '-';
 	$mprotos = $protos if $mprotos eq '-';
 
 	for my $proto (split_list( $mprotos, 'Protocol' ) ) {
 	    process_mangle_rule1( $chainref,
 				  $moriginalmark,
 				  $msource,
-				  $dest,
+				  $mdest,
 				  $proto,
 				  merge_macro_column( $mports,          $ports ),
 				  merge_macro_column( $msports,         $sports ),

Shorewall/Perl/Shorewall/Zones.pm

@@ -1119,6 +1119,8 @@ sub process_interface( $$ ) {
 
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
+    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
     if ( supplied $port ) {
@@ -1193,7 +1195,7 @@ sub process_interface( $$ ) {
     my %options;
 
     $options{port} = 1 if $port;
-    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
 
     my $hostoptionsref = {};
 
@@ -1316,7 +1318,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );

Shorewall/Perl/lib.runtime

@@ -607,7 +607,7 @@ interface_enabled() {
 	status=$(cat ${VARDIR}/${1}.status)
     fi
 
-    return status
+    return $status
 }
 
 distribute_load() {

Shorewall/Samples/Universal/shorewall.conf

@@ -23,6 +23,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -34,6 +34,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -31,6 +31,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -34,6 +34,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/configfiles/shorewall.conf

@@ -23,6 +23,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall/lib.cli-std

@@ -1444,6 +1444,12 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1467,7 +1473,7 @@ remote_reload_command() # $* = original arguments less the command.
 
     case $# in
 	0)
-	    missing_argument
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
 	    ;;
 	1)
 	    g_shorewalldir="."
@@ -1502,6 +1508,11 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No
 
 	g_haveconfig=Yes
+
+	if [ -z "$system" ]; then
+	    system=$FIREWALL
+	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+	fi
     else
 	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
     fi

Shorewall/manpages/shorewall-rules.xml

@@ -653,12 +653,12 @@
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
                 by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -485,7 +485,7 @@
           <para>ALL sends all packets through the blacklist chains.</para>
 
           <para>Note: The ESTABLISHED state may not be specified if
-          FASTACCEPT=Yes is specified. </para>
+          FASTACCEPT=Yes is specified.</para>
         </listitem>
       </varlistentry>
 
@@ -768,9 +768,7 @@
         role="bold">Yes</emphasis>|<emphasis
         role="bold">No</emphasis>||<emphasis
         role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
-        role="bold">src-dst</emphasis>][,<emphasis
-        role="bold">disconnect</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.7. When set to <emphasis
@@ -786,20 +784,61 @@
           (<replaceable>log_level</replaceable>), if any, at which blacklisted
           traffic is to be logged may also be specified. The default set name
           is SW_DBL4 and the default log level is <option>none</option> (no
-          logging). if <option>ipset-only</option> is given, then chain-based
+          logging). If <option>ipset-only</option> is given, then chain-based
           dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
+          had been specified.</para>
-          matches an entry in the ipsec are dropped. If
-          <option>src-dst</option> is included, then packets whose destination
-          address matches an entry in the ipset are also dropped.</para>
 
-          <para>The <option>disconnect</option> option was added in Shorewall
+          <para>Possible <replaceable>option</replaceable>s are:</para>
-          5.0.13 and requires that the conntrack utility be installed on the
+
-          firewall system. When an address is blacklisted using the
+          <variablelist>
-          <command>blacklist</command> command, all connections originating
+            <varlistentry>
-          from that address are disconnected. if the <option>src-dst</option>
+              <term>src-dst</term>
-          option was also specified, then all connections to that address are
+
-          also disconnected.</para>
+              <listitem>
+                <para>Normally, only packets whose source address matches an
+                entry in the ipset are dropped. If <option>src-dst</option> is
+                included, then packets whose destination address matches an
+                entry in the ipset are also dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>disconnect</option></term>
+
+              <listitem>
+                <para>The <option>disconnect</option> option was added in
+                Shorewall 5.0.13 and requires that the conntrack utility be
+                installed on the firewall system. When an address is
+                blacklisted using the <command>blacklist</command> command,
+                all connections originating from that address are
+                disconnected. if the <option>src-dst</option> option was also
+                specified, then all connections to that address are also
+                disconnected.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
+                the dynamic blacklisting ipset with timeout 0 which means that
+                entries are permanent. If you want entries in the set that are
+                not accessed for a period of time to be deleted from the set,
+                you may specify that period using this option. Note that the
+                <command>blacklist</command> command can override the ipset's
+                timeout setting.</para>
+
+                <important>
+                  <para>Once the dynamic blacklisting ipset has been created,
+                  changing this option setting requires a complete restart of
+                  the firewall; <command>shorewall restart</command> if
+                  RESTART=restart, otherwise <command>shorewall stop
+                  &amp;&amp; shorewall start</command></para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
 
           <para>When ipset-based dynamic blacklisting is enabled, the contents
           of the blacklist will be preserved over
@@ -872,6 +911,21 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
+
+        <listitem>
+          <para>This option was added in Shorewall 5.0.13 and may be used on
+          an administrative system in directories containing the
+          configurations of remote firewalls. The contents of the variable are
+          the default value for the <replaceable>system</replaceable>
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
+          <command>remote-restart</command> commands.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

Shorewall/manpages/shorewall.xml

@@ -59,7 +59,9 @@
 
       <arg choice="plain"><option>blacklist</option></arg>
 
-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg
+      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
+      ...</arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -449,9 +451,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -473,9 +475,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -497,9 +499,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -986,6 +988,23 @@
           <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 
@@ -1612,8 +1631,8 @@
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
         <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [ <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>load</command> in
@@ -1639,7 +1658,13 @@
           directory. If compilation succeeds, then firewall is copied to
           <replaceable>system</replaceable> using scp. If the copy succeeds,
           Shorewall Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">start</emphasis> command succeeds, then the
@@ -1674,9 +1699,9 @@
         <term><emphasis role="bold">remote-reload
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was added in Shorewall 5.0.0.</para>
@@ -1700,8 +1725,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
-          ssh.</para>
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -1736,9 +1767,9 @@
         <term><emphasis role="bold">remote-restart
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>reload</command> in
@@ -1763,8 +1794,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
-          ssh.</para>
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">restart</emphasis> command succeeds, then the

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -701,6 +701,23 @@
           The <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -25,6 +25,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/configfiles/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/manpages/shorewall6-masq.xml

@@ -551,8 +551,8 @@
           <programlisting>/etc/shorewall/masq:
 
        #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       sit1          ::/0           2001:470:a:227::2 
 </programlisting>
 
           <para>If INLINE_MATCHES=Yes in <ulink
@@ -562,9 +562,8 @@
           <programlisting>/etc/shorewall/masq:
 
        #INTERFACE    SOURCE         ADDRESS 
-       sit1          0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       sit1          ::/0           2001:470:a:227::2</programlisting>
-</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6-providers.xml

@@ -159,26 +159,40 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">balance</emphasis></term>
+              <term><emphasis
+              role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>
 
               <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
+                <para>Added in Shorewall 4.4.25. The providers that have
-                this provider's gateway to be added to the <emphasis
+                <option>balance</option> specified will get outbound traffic
-                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
+                load-balanced among them. By default, all interfaces with
-                or to the <emphasis role="bold">balance</emphasis> routing
+                <option>balance</option> specified will have the same weight
-                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
+                (1). Beginning with Shorewall 5.0.13, you can change the
-                option.</para>
+                weight of an interface by specifying
+                <option>balance=</option><replaceable>weight</replaceable>
+                where <replaceable>weight</replaceable> is the weight of the
+                route out of this interface. Prior to Shorewall 5.0.13, only
+                one provider can specify this option.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">fallback</emphasis></term>
+              <term><emphasis
+              role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
 
               <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
+                <para>Added in Shorewall 4.4.25. Indicates that a default
-                this provider's gateway to be added to the <emphasis
+                route through the provider should be added to the default
-                role="bold">default</emphasis> routing table.At most one
+                routing table (table 253). If a
-                provider can specify this option.</para>
+                <replaceable>weight</replaceable> is given, a balanced route
+                is added with the weight of this provider equal to the
+                specified <replaceable>weight</replaceable>. If the option is
+                given without a <replaceable>weight</replaceable>, an separate
+                default route is added through the provider's gateway; the
+                route has a metric equal to the provider's NUMBER. Prior to
+                Shorewall 5.0.13, at most one provider can specify this option
+                and a <replaceable>weight</replaceable> may not be
+                given.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-rules.xml

@@ -630,7 +630,7 @@
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed

Shorewall6/manpages/shorewall6.conf.xml

@@ -629,9 +629,7 @@
         role="bold">Yes</emphasis>|<emphasis
         role="bold">No</emphasis>||<emphasis
         role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
-        role="bold">src-dst</emphasis>][,<emphasis
-        role="bold">disconnect</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.7. When set to <emphasis
@@ -649,18 +647,59 @@
           is SW_DBL6 and the default log level is <option>none</option> (no
           logging). if <option>ipset-only</option> is given, then chain-based
           dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
+          had been specified.</para>
-          matches an entry in the ipsec are dropped. If
-          <option>src-dst</option> is included, then packets whose destination
-          address matches an entry in the ipset are also dropped.</para>
 
-          <para>The <option>disconnect</option> option was added in Shorewall
+          <para>Possible <replaceable>option</replaceable>s are:</para>
-          5.0.13 and requires that the conntrack utility be installed on the
+
-          firewall system. When an address is blacklisted using the
+          <variablelist>
-          <command>blacklist</command> command, all connections originating
+            <varlistentry>
-          from that address are disconnected. if the <option>src-dst</option>
+              <term>src-dst</term>
-          option was also specified, then all connections to that address are
+
-          also disconnected.</para>
+              <listitem>
+                <para>Normally, only packets whose source address matches an
+                entry in the ipset are dropped. If <option>src-dst</option> is
+                included, then packets whose destination address matches an
+                entry in the ipset are also dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>disconnect</option></term>
+
+              <listitem>
+                <para>The <option>disconnect</option> option was added in
+                Shorewall 5.0.13 and requires that the conntrack utility be
+                installed on the firewall system. When an address is
+                blacklisted using the <command>blacklist</command> command,
+                all connections originating from that address are
+                disconnected. if the <option>src-dst</option> option was also
+                specified, then all connections to that address are also
+                disconnected.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
+                the dynamic blacklisting ipset with timeout 0 which means that
+                entries are permanent. If you want entries in the set that are
+                not accessed for a period of time to be deleted from the set,
+                you may specify that period using this option. Note that the
+                <command>blacklist</command> command can override the ipset's
+                timeout setting.</para>
+
+                <important>
+                  <para>Once the dynamic blacklisting ipset has been created,
+                  changing this option setting requires a complete restart of
+                  the firewall; <command>shorewall6 restart</command> if
+                  RESTART=restart, otherwise <command>shorewall6 stop
+                  &amp;&amp; shorewall6 start</command></para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
 
           <para>When ipset-based dynamic blacklisting is enabled, the contents
           of the blacklist will be preserved over
@@ -733,6 +772,21 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
+
+        <listitem>
+          <para>This option was added in Shorewall 5.0.13 and may be used on
+          an administrative system in directories containing the
+          configurations of remote firewalls. The contents of the variable are
+          the default value for the <replaceable>system</replaceable>
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
+          <command>remote-restart</command> commands.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

Shorewall6/manpages/shorewall6.xml

@@ -44,8 +44,6 @@
       <arg>-<replaceable>options</replaceable></arg>
 
       <arg choice="plain"><option>allow</option></arg>
-
-      <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -58,7 +56,9 @@
 
       <arg choice="plain"><option>blacklist</option></arg>
 
-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg choice="plain"><replaceable>address</replaceable><arg
+      choice="plain"><arg><replaceable>option
+      ...</replaceable></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -403,9 +403,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -427,9 +427,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -451,9 +451,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -954,6 +954,23 @@
           The <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
           add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 
@@ -1548,9 +1565,11 @@
         <term><emphasis role="bold">remote-reload
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
+
+        <term/>
 
         <listitem>
           <para>This command was added in Shorewall 5.0.0.</para>
@@ -1574,8 +1593,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
+          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via ssh.
-          ssh.</para>
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <option>-s</option> is specified and the
           <command>restart</command> command succeeds, then the remote
@@ -1610,9 +1635,9 @@
         <term><emphasis role="bold">remote- restart
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>reload</command> in
@@ -1640,6 +1665,14 @@
           Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
           ssh.</para>
 
+          <para>Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
+
           <para>If <option>-s</option> is specified and the
           <command>restart</command> command succeeds, then the remote
           Shorewall6-lite configuration is saved by executing
@@ -1673,8 +1706,8 @@
         <term><emphasis role="bold">remote-start </emphasis>
         [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
         <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        [-<option>i</option>] [ [-D ] <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was added in Shorewall 5.0.0.</para>
@@ -1699,7 +1732,13 @@
           directory. If compilation succeeds, then firewall is copied to
           <replaceable>system</replaceable> using scp. If the copy succeeds,
           Shorewall6 Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <option>-s</option> is specified and the <emphasis
           role="bold">start</emphasis> command succeeds, then the remote

docs/MultiISP.xml

@@ -766,7 +766,7 @@ fi</programlisting>
       provider interfaces as <emphasis role="bold">optional</emphasis> (<ulink
       url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>)
       then <link linkend="LinkMonitor">install and configure
-      LSM</link>.</para>
+      FOOLSM</link>.</para>
 
       <para><ulink url="Shorewall-init.html">Shorewall-init</ulink> provides
       for handling links that go hard down and are later brought back
@@ -926,7 +926,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
     </section>
 
     <section id="Example2">
-      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+      <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
 
       <para>This section shows the differences in configuring the above
       example with USE_DEFAULT_RT=Yes. The changes are confined to the
@@ -1937,8 +1937,8 @@ if [ $2 != down ]; then
     [ -f /var/lib/shorewall/eth0.info ] &amp;&amp; . /var/lib/shorewall/eth0.info
     
     if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
-        logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
+        logger -p daemon.info "eth0 IP configuration changed - restarting foolsm and Shorewall"
-        killall lsm
+        killall foolsm
         /sbin/shorewall restart
     fi
 fi
@@ -1953,9 +1953,9 @@ fi
             </listitem>
 
             <listitem>
-              <para>It assumes the use of <link linkend="lsm">LSM</link>; If
+              <para>It assumes the use of <link linkend="lsm">FOOLSM</link>;
-              you aren't using lSM, you can change the log message and remove
+              If you aren't using foolsm, you can change the log message and
-              the 'killall lsm'</para>
+              remove the 'killall foolsm'</para>
             </listitem>
 
             <listitem>
@@ -2090,9 +2090,9 @@ ComcastC 2      -    -          eth0      detect        loose,fallback,load=0.33
     <section id="LinkMonitor">
       <title>Gateway Monitoring and Failover</title>
 
-      <para>There is an option (LSM) available for monitoring the status of
+      <para>There is an option (FOOLSM) available for monitoring the status of
-      provider links and taking action when a failure occurs. LSM assumes that
+      provider links and taking action when a failure occurs. FOOLSM assumes
-      each provider has a unique nexthop gateway.</para>
+      that each provider has a unique nexthop gateway.</para>
 
       <para>You specify the <option>optional</option> option in
       <filename>/etc/shorewall/interfaces</filename>:</para>
@@ -2102,7 +2102,7 @@ net      eth0         detect          <emphasis role="bold">optional</emphasis>
 net      eth1         detect          <emphasis role="bold">optional</emphasis></programlisting>
 
       <section id="lsm">
-        <title>Link Status Monitor (LSM)</title>
+        <title>Link Status Monitor (FOOLSM)</title>
 
         <para><ulink url="http://lsm.foobar.fi/">Link Status Monitor</ulink>
         was written by Mika Ilmaranta &lt;ilmis at nullnet.fi&gt; and performs
@@ -2116,19 +2116,25 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
           file</ulink>) before installing LSM.</para>
         </important>
 
-        <para>Like many Open Source products, LSM is poorly documented. It's
+        <important>
-        main configuration file is normally kept in
+          <para>To avoid an achronym clash with <emphasis>Linux Security
-        <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
+          Module</emphasis>, the Link Status Monitor is now called
-        as an argument to the lsm program so you can name it anything you
+          <emphasis>foolsm</emphasis>.</para>
-        want.</para>
+        </important>
 
-        <para>The sample <filename>lsm.conf</filename> included with the
+        <para>Like many Open Source products, FOOLSM is poorly documented.
+        It's main configuration file is normally kept in
+        <filename>/etc/foolsm/foolsm.conf</filename>, but the file's name is
+        passed as an argument to the foolsm program so you can name it
+        anything you want.</para>
+
+        <para>The sample <filename>foolsm.conf</filename> included with the
         product shows some of the possibilities for configuration. One feature
         that is not mentioned in the sample is that an "include" directive is
         supported. This allows additional files to be sourced in from the main
         configuration file.</para>
 
-        <para>LSM monitors the status of the links defined in its
+        <para>FOOLSM monitors the status of the links defined in its
         configuration file and runs a user-provided script when the status of
         a link changes. The script name is specified in the
         <firstterm>eventscript</firstterm> option in the configuration file.
@@ -2175,33 +2181,33 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
 
         <para>It is the responsibility of the script to perform any action
         needed in reaction to the connection state change. The default script
-        supplied with LSM composes an email and sends it to $5.</para>
+        supplied with FOOLSM composes an email and sends it to $5.</para>
 
-        <para>I personally use LSM here at shorewall.net (configuration is
+        <para>I personally use FOOLSM here at shorewall.net (configuration is
         described <link linkend="Complete">below</link>). I have set things up
         so that:</para>
 
         <itemizedlist>
           <listitem>
-            <para>Shorewall [re]starts lsm during processing of the
+            <para>Shorewall [re]starts foolsm during processing of the
             <command>start</command> and <command>restore</command> commands.
-            I don't have Shorewall restart lsm during Shorewall
+            I don't have Shorewall restart foolsm during Shorewall
             <command>restart</command> because I restart Shorewall much more
             often than the average user is likely to do.</para>
           </listitem>
 
           <listitem>
-            <para>Shorewall starts lsm because I have a dynamic IP address
+            <para>Shorewall starts foolsm because I have a dynamic IP address
             from one of my providers (Comcast); Shorewall detects the default
             gateway to that provider and creates a secondary configuration
-            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
+            file (<filename>/etc/foolsm/shorewall.conf</filename>) that
-            the link configurations. That file is included by
+            contains the link configurations. That file is included by
-            <filename>/etc/lsm/lsm.conf</filename>.</para>
+            <filename>/etc/foolsm/foolsm.conf</filename>.</para>
           </listitem>
 
           <listitem>
-            <para>The script run by LSM during state change
+            <para>The script run by FOOLSM during state change
-            (<filename>/etc/lsm/script) </filename>writes a<filename>
+            (<filename>/etc/foolsm/script) </filename>writes a<filename>
             ${VARDIR}/xxx.status</filename> file when the status of an
             interface changes. Those files are read by the
             <filename>isusable</filename> extension script (see below).</para>
@@ -2224,7 +2230,7 @@ COM_IF=eth1</programlisting>
 
         <programlisting>local status=0
 #
-# Read the status file (if any) created by /etc/lsm/script
+# Read the status file (if any) created by /etc/foolsm/script
 #
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)
 
@@ -2233,22 +2239,22 @@ return $status</programlisting>
         <para><filename>/etc/shorewall/lib.private</filename>:</para>
 
         <programlisting>###############################################################################
-# Create /etc/lsm/shorewall.conf
+# Create /etc/foolsm/shorewall.conf
 # Remove the current interface status files
-# Start lsm
+# Start foolsm
 ###############################################################################
-start_lsm() {
+start_foolsm() {
    #
-   # Kill any existing lsm process(es)
+   # Kill any existing foolsm process(es)
    #
-   killall lsm 2&gt; /dev/null
+   killall foolsm 2&gt; /dev/null
    #
-   # Create the Shorewall-specific part of the LSM configuration. This file is
+   # Create the Shorewall-specific part of the FOOLSM configuration. This file is
-   # included by /etc/lsm/lsm.conf
+   # included by /etc/foolsm/foolsm.conf
    #
    # Avvanta has a static gateway while Comcast's is dynamic
    #
-   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
+   cat &lt;&lt;EOF &gt; /etc/foolsm/shorewall.conf
 connection {
     name=Avvanta
     checkip=206.124.146.254
@@ -2264,14 +2270,9 @@ connection {
 }
 EOF
    #
-   # Since LSM assumes that interfaces start in the 'up' state, remove any
+   # Run FOOLSM -- by default, it forks into the background
-   # existing status files that might have an interface in the down state
    #
-   rm -f /var/lib/shorewall/*.status
+   /usr/sbin/foolsm -c /etc/foolsm/foolsm.conf &gt;&gt; /var/log/foolsm
-   #
-   # Run LSM -- by default, it forks into the background
-   #
-   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
 
         <para>eth0 has a dynamic IP address so I need to use the
@@ -2286,22 +2287,22 @@ EOF
         <para><filename>/etc/shorewall/started</filename>:</para>
 
         <programlisting>##################################################################################
-# [re]start lsm if this is a 'start' command or if lsm isn't running
+# [re]start foolsm if this is a 'start' command or if foolsm isn't running
 ##################################################################################
-if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
+if [ "$COMMAND" = start -o -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
-    start_lsm
+    start_foolsm
 fi</programlisting>
 
         <para><filename>/etc/shorewall/restored</filename>:</para>
 
         <programlisting>##################################################################################
-# Start lsm if it isn't running
+# Start foolsm if it isn't running
 ##################################################################################
-if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
+if [ -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
-   start_lsm
+   start_foolsm
 fi</programlisting>
 
-        <para><filename>/etc/lsm/lsm.conf</filename>:</para>
+        <para><filename>/etc/foolsm/foolsm.conf</filename>:</para>
 
         <programlisting>#
 # Defaults for the connection entries
@@ -2309,7 +2310,7 @@ fi</programlisting>
 defaults {
   name=defaults
   checkip=127.0.0.1
-  eventscript=/etc/lsm/script
+  eventscript=/etc/foolsm/script
   max_packet_loss=20
   max_successive_pkts_lost=7
   min_packet_loss=5
@@ -2322,10 +2323,11 @@ defaults {
   ttl=0
 }
 
-include /etc/lsm/shorewall.conf</programlisting>
+include /etc/foolsm/shorewall.conf</programlisting>
 
-        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
+        <para><filename>/etc/foolsm/script</filename> (Shorewall 4.4.23 and
-        - note that this script must be executable by root)<programlisting>#!/bin/sh
+        later - note that this script must be executable by
+        root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
@@ -2382,7 +2384,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
 
-Your LSM Daemon
+Your FOOLSM Daemon
 
 EOM
 
@@ -2394,7 +2396,7 @@ else
    ${VARDIR}/firewall disable ${DEVICE}
 fi
 
-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm
 
 exit 0
 
@@ -2457,7 +2459,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
 
-Your LSM Daemon
+Your FOOLSM Daemon
 
 EOM
 
@@ -2466,9 +2468,9 @@ EOM
 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
 # echo $state &gt; ${VARDIR}/${DEVICE}.status
 
-<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>
+<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/foolsm 2&gt;&amp;1</emphasis>
 
-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm
 
 exit 0
 

docs/configuration_file_basics.xml

@@ -2619,6 +2619,13 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     <para>Also, unless otherwise documented, a port range can be preceded by
     '!' to specify "All ports except those in this range" (e.g.,
     "!4000:4100").</para>
+
+    <para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
+    separate the two port numbers; when using service names, the colon must
+    still be used.</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000-4100</emphasis></programlisting>
   </section>
 
   <section id="Portlists">
@@ -2969,8 +2976,8 @@ redirect                      =&gt; 137</programlisting>
           then again for another hour from 23:00 onwards. If this is unwanted,
           e.g. if you would like 'match for two hours from Montay 23:00
           onwards' you need to also specify the <emphasis
-          role="bold">contiguous</emphasis> option in the example above.
+          role="bold">contiguous</emphasis> option in the example
-          </para>
+          above.</para>
         </listitem>
       </varlistentry>
     </variablelist>

docs/shorewall_logging.xml

@@ -239,9 +239,9 @@
         </listitem>
       </orderedlist>
 
-      <para>If your kernel has ULOG target support (and most vendor-supplied
+      <para>If your kernel has NFLOG target support (and most vendor-supplied
-      kernels do), you may also specify a log level of ULOG (must be all
+      kernels do), you may also specify a log level of NFLOG (must be all
-      caps). When ULOG is used, Shorewall will direct Netfilter to log the
+      caps). When NFLOG is used, Shorewall will direct Netfilter to log the
       related messages via the ULOG target which will send them to a process
       called <quote>ulogd</quote>. The ulogd program is included in most
       distributions and is also available from <ulink
@@ -250,7 +250,7 @@
       file.</para>
 
       <note>
-        <para>The ULOG logging mechanism is <emphasis
+        <para>The NFLOG logging mechanism is <emphasis
         role="underline">completely separate</emphasis> from syslog. Once you
         switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
         have absolutely no effect on your Shorewall logging (except for
@@ -259,11 +259,11 @@
 
       <para>You will need to change all instances of log levels (usually
       <quote>info</quote>) in your Shorewall configuration files to
-      <quote>ULOG</quote> - this includes entries in the policy, rules and
+      <quote>NFLOG</quote> - this includes entries in the policy, rules and
       shorewall.conf files. Here's what I had at one time:</para>
 
       <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
-params:LOG=ULOG
+params:LOG=NFOG
 policy:loc              $FW             REJECT          $LOG
 policy:net              all             DROP            $LOG            10/sec:40
 policy:all              all             REJECT          $LOG
@@ -287,9 +287,8 @@ gateway:/etc/shorewall#                                               </programl
       <quote><command>logwatch</command></quote> and
       <quote><command>dump</command></quote> commands.</para>
 
-      <para>The NFLOG target, a successor to ULOG, is supported shorewall.
+      <para>The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may
-      Both ULOG and NFLOG may be followed by a list of up to three numbers in
+      be followed by a list of up to three numbers in parentheses.</para>
-      parentheses.</para>
 
       <itemizedlist>
         <listitem>
@@ -342,6 +341,11 @@ stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:
 [firewall]
 file="/var/log/firewall"
 sync=1</programlisting>
+
+      <note>
+        <para>This sample config file assumes that NFLOG is being used in
+        logging rules and policies.</para>
+      </note>
     </section>
   </section>
 
@@ -470,7 +474,7 @@ sync=1</programlisting>
       <para><ulink
       url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
       url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
-      number of options whose values are log levels. Beginnint with Shorewall
+      number of options whose values are log levels. Beginning with Shorewall
       5.0.0, these specifcations may include a log tag as described <link
       linkend="LogTags">above</link>.</para>
     </section>