Correct 'sed' command

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -3566,7 +3566,7 @@ blacklist_command() {
 		if [ $VERBOSITY -gt 1 ]; then
 		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
 		else
-		    echo "$message" | head -n1 | sed '/^.*: //; s/ / src /'
+		    echo "$message" | head -n1 | sed 's/^.*: //; s/ / src /'
 		fi
 	    fi
 
@@ -3576,7 +3576,7 @@ blacklist_command() {
 		    if [ $VERBOSITY -gt 1 ]; then
 			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
 		    else
-			echo "$message" | head -n1 | sed '/^.*: //; s/ / dst /'
+			echo "$message" | head -n1 | sed 's/^.*: //; s/ / dst /'
 		    fi
 		fi
 	    fi

Shorewall/Perl/Shorewall/Chains.pm

@@ -8265,6 +8265,7 @@ EOF
 
 sub ensure_ipsets( @ ) {
     my $set;
+    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
     if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
@@ -8277,12 +8278,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
 	}
 
 	pop_indent;
@@ -8304,7 +8305,7 @@ sub ensure_ipsets( @ ) {
 	    if ( have_capability 'IPSET_V5' ) {
 		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		       qq(        \$IPSET create $set hash:net family inet timeout 0 counters) ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
 		       qq(    fi) );
 	    } else {
 		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
@@ -8315,7 +8316,7 @@ sub ensure_ipsets( @ ) {
 	} else {
 	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
 

Shorewall/Perl/Shorewall/Config.pm

@@ -4544,11 +4544,11 @@ sub IPSet_Match() {
 }
 
 sub IPSet_Match_Nomatch() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -436,7 +436,7 @@ sub validate_portpair( $$ ) {
     #
     # Accept '-' as a port-range separator
     #
-    $pair =~ tr/-/:/;
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
 
     fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -134,12 +134,12 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
 
-		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
+		add_ijump_extended $mangle_table->{POSTROUTING} , j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
-		add_ijump $mangle_table->{OUTPUT},       j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface );
+		add_ijump_extended $mangle_table->{OUTPUT},       j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface );
 	    }
 
 	    for my $host ( @hosts ) {
-		add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -3958,14 +3958,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$msource = $source if $msource eq '-';
-	$mdest   = $dest   if $msource eq '-';
+	$mdest   = $dest   if $mdest   eq '-';
 	$mprotos = $protos if $mprotos eq '-';
 
 	for my $proto (split_list( $mprotos, 'Protocol' ) ) {
 	    process_mangle_rule1( $chainref,
 				  $moriginalmark,
 				  $msource,
-				  $dest,
+				  $mdest,
 				  $proto,
 				  merge_macro_column( $mports,          $ports ),
 				  merge_macro_column( $msports,         $sports ),

Shorewall/manpages/shorewall.conf.xml

@@ -920,7 +920,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           an administrative system in directories containing the
           configurations of remote firewalls. The contents of the variable are
           the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-reload</command> and
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
           <command>remote-restart</command> commands.</para>
         </listitem>
       </varlistentry>

Shorewall6/manpages/shorewall6.conf.xml

@@ -781,7 +781,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           an administrative system in directories containing the
           configurations of remote firewalls. The contents of the variable are
           the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-reload</command> and
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
           <command>remote-restart</command> commands.</para>
         </listitem>
       </varlistentry>

docs/configuration_file_basics.xml

@@ -2621,7 +2621,8 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     "!4000:4100").</para>
 
     <para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
-    separate the two port numbers.</para>
+    separate the two port numbers; when using service names, the colon must
+    still be used.</para>
 
     <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
 DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000-4100</emphasis></programlisting>