Avoid compiler crash when LOAD_HELPERS_ONLY=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -8265,6 +8265,7 @@ EOF
 
 sub ensure_ipsets( @ ) {
     my $set;
+    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
     if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
@@ -8277,12 +8278,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
 	}
 
 	pop_indent;
@@ -8304,7 +8305,7 @@ sub ensure_ipsets( @ ) {
 	    if ( have_capability 'IPSET_V5' ) {
 		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		       qq(        \$IPSET create $set hash:net family inet timeout 0 counters) ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
 		       qq(    fi) );
 	    } else {
 		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
@@ -8315,7 +8316,7 @@ sub ensure_ipsets( @ ) {
 	} else {
 	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
 

Shorewall/Perl/Shorewall/Config.pm

@@ -4544,11 +4544,11 @@ sub IPSet_Match() {
 }
 
 sub IPSet_Match_Nomatch() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {
@@ -6262,15 +6262,19 @@ sub get_configuration( $$$$ ) {
 
 	    ( $key , my @options ) = split_list( $key, 'option' );
 
+	    my $options = '';
+
 	    for ( @options ) {
-		unless ( $simple_options{$_} ) {
+		if ( $simple_options{$_} ) {
-		    if ( $_ =~ s/^timeout=(\d+)$// ) {
+		    $options = join( ',' , $options, $_ );
+		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
 		    $globals{DBL_TIMEOUT} = $1;
 		} else {
 		    fatal_error "Invalid ipset option ($_)";
 		}
 	    }
-	    }
+
+	    $globals{DBL_OPTIONS} = $options;
 
 	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
 
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
 
-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;
 
     my $protonum = resolve_proto( $proto ) || 0;
 
@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
     my ( $proto, $list ) = @_;
     my @list   = split_list( $list, 'port' );
 
-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -688,7 +688,8 @@ sub add_common_rules ( $ ) {
     my $dbl_ipset;
     my $dbl_level;
     my $dbl_tag;
-    my $dbl_target;
+    my $dbl_src_target;
+    my $dbl_dst_target;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -749,8 +750,42 @@ sub add_common_rules ( $ ) {
 	}
 
 	if ( $dbl_ipset ) {
-	    if ( $dbl_level ) {
+	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+
+		if ( $dbl_src_target eq 'dbl_src' ) {
+		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		    log_rule_limit( $dbl_level,
+				    $chainref,
+				    'dbl_log',
+				    'DROP',
+				    $globals{LOGLIMIT},
+				    $dbl_tag,
+				    'add',
+				    '',
+				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+		} else {
+		    $dbl_dst_target = $dbl_src_target;
+		}		    
+	    } elsif ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -763,7 +798,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_target = 'DROP'; 
+		$dbl_src_target = $dbl_dst_target = 'DROP'; 
 	    }
 	}
     }
@@ -877,17 +912,17 @@ sub add_common_rules ( $ ) {
 		    #
 		    # src
 		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    

Shorewall/Perl/Shorewall/Rules.pm

@@ -2891,7 +2891,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
 		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;
 
-		$action .= " --timeout $timeout";
+		$action .= " --timeout $timeout --exist";
 	    }
 	}
     }
@@ -3958,14 +3958,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$msource = $source if $msource eq '-';
-	$mdest   = $dest   if $msource eq '-';
+	$mdest   = $dest   if $mdest   eq '-';
 	$mprotos = $protos if $mprotos eq '-';
 
 	for my $proto (split_list( $mprotos, 'Protocol' ) ) {
 	    process_mangle_rule1( $chainref,
 				  $moriginalmark,
 				  $msource,
-				  $dest,
+				  $mdest,
 				  $proto,
 				  merge_macro_column( $mports,          $ports ),
 				  merge_macro_column( $msports,         $sports ),

Shorewall/manpages/shorewall.conf.xml

@@ -798,7 +798,7 @@
                 <para>Normally, only packets whose source address matches an
                 entry in the ipset are dropped. If <option>src-dst</option> is
                 included, then packets whose destination address matches an
-                entry in the ipset are also dropped. </para>
+                entry in the ipset are also dropped.</para>
               </listitem>
             </varlistentry>
 
@@ -920,7 +920,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           an administrative system in directories containing the
           configurations of remote firewalls. The contents of the variable are
           the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-reload</command> and
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
           <command>remote-restart</command> commands.</para>
         </listitem>
       </varlistentry>

Shorewall6/manpages/shorewall6-masq.xml

@@ -551,8 +551,8 @@
           <programlisting>/etc/shorewall/masq:
 
        #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       sit1          ::/0           2001:470:a:227::2 
 </programlisting>
 
           <para>If INLINE_MATCHES=Yes in <ulink
@@ -562,9 +562,8 @@
           <programlisting>/etc/shorewall/masq:
 
        #INTERFACE    SOURCE         ADDRESS 
-       sit1          0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       sit1          ::/0           2001:470:a:227::2</programlisting>
-</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6.conf.xml

@@ -647,7 +647,7 @@
           is SW_DBL6 and the default log level is <option>none</option> (no
           logging). if <option>ipset-only</option> is given, then chain-based
           dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. </para>
+          had been specified.</para>
 
           <para>Possible <replaceable>option</replaceable>s are:</para>
 
@@ -781,7 +781,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           an administrative system in directories containing the
           configurations of remote firewalls. The contents of the variable are
           the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-reload</command> and
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
           <command>remote-restart</command> commands.</para>
         </listitem>
       </varlistentry>

docs/configuration_file_basics.xml

@@ -2619,6 +2619,13 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     <para>Also, unless otherwise documented, a port range can be preceded by
     '!' to specify "All ports except those in this range" (e.g.,
     "!4000:4100").</para>
+
+    <para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
+    separate the two port numbers; when using service names, the colon must
+    still be used.</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000-4100</emphasis></programlisting>
   </section>
 
   <section id="Portlists">
@@ -2969,8 +2976,8 @@ redirect                      =&gt; 137</programlisting>
           then again for another hour from 23:00 onwards. If this is unwanted,
           e.g. if you would like 'match for two hours from Montay 23:00
           onwards' you need to also specify the <emphasis
-          role="bold">contiguous</emphasis> option in the example above.
+          role="bold">contiguous</emphasis> option in the example
-          </para>
+          above.</para>
         </listitem>
       </varlistentry>
     </variablelist>