Add missing 'sleep' when waiting for wildcard interface to come up

- Also reverse the order of test and sleep when waiting for a regular
  interface to come up.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -1038,6 +1038,7 @@ sub push_rule( $$ ) {
 
     push @{$chainref->{rules}}, $ruleref;
     $chainref->{referenced} = 1;
+    $chainref->{optflags}  |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
     trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug;
 
     $ruleref;
@@ -1229,6 +1230,7 @@ sub push_irule( $$$;@ ) {
     if ( $jump ) {
 	$ruleref->{jump}       = $jump;
 	$ruleref->{target}     = $target;
+	$chainref->{optflags} |= DONT_MOVE if $target eq 'RETURN';
 	$ruleref->{targetopts} = $targetopts if $targetopts;
     } else {
 	$ruleref->{target} = '';
@@ -4199,12 +4201,12 @@ sub do_user( $ ) {
 
 	if ( supplied $2 ) {
 	    $user  = $2;
-	    $user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
+	    $user  = resolve_id( $user, 'user' ) unless $user =~ /\d+(-\d+)?$/;
 	    $rule .= "${invert}--uid-owner $user ";
 	}
 
 	if ( $group ne '' ) {
-	    $group = resolve_id( $group, 'group' ) unless $group =~ /^\d+$/;
+	    $group = resolve_id( $group, 'group' ) unless $group =~ /^\d+(-\d+)?$/;
 	    $rule .= "${invert}--gid-owner $group ";
 	}
     } elsif ( $user =~ /^(!)?(.*)$/ ) {
@@ -4212,10 +4214,10 @@ sub do_user( $ ) {
 	$user   = $2;
 
 	fatal_error "Invalid USER/GROUP (!)" if $user eq '';
-	$user = resolve_id ($user, 'user' ) unless $user =~ /\d+$/;
+	$user = resolve_id ($user, 'user' ) unless $user =~ /\d+(-\d+)?$/;
 	$rule .= "${invert}--uid-owner $user ";
     } else {
-	$user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
+	$user  = resolve_id( $user, 'user' ) unless $user =~ /\d+(-\d+)?$/;
 	$rule .= "--uid-owner $user ";
     }
 
@@ -6057,7 +6059,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	my $echain = newexclusionchain( $table );
 
-	my $echainref = new_chain $table, $echain;
+	my $echainref = dont_move new_chain $table, $echain;
 	#
 	# Use the current rule and send all possible matches to the exclusion chain
 	#

Shorewall/Perl/Shorewall/Config.pm

@@ -1684,11 +1684,12 @@ sub process_conditional( $$$ ) {
     if ( $keyword =~ /^IF/ ) {
 	cond_error $linenumber, "Missing IF variable" unless $rest;
 	my $invert = $rest =~ s/^!\s*//;
-
 	cond_error $linenumber, "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
 
 	push @ifstack, [ 'IF', $omitting, $omitting, $linenumber ];
 
+	$lastomit = $omitting;
+
 	if ( $rest eq '__IPV6' ) {
 	    $omitting = $family == F_IPV4;
 	} elsif ( $rest eq '__IPV4' ) {
@@ -4185,10 +4186,10 @@ sub get_configuration( $$$ ) {
     }
 
     if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
-
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
+	$globals{USER_BITS} = $userbits;
     } else {
-	$globals{USER_MASK} = 0;
+	$globals{USER_MASK} = $globals{USER_BITS} = 0;
     }
 
     if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
@@ -4606,7 +4607,7 @@ sub dump_mark_layout() {
 	     $globals{TC_MASK} );
 
     dumpout( "User",
-	     $globals{USER_MASK},
+	     $globals{USER_BITS},
 	     $globals{TC_MAX} + 1,
 	     $globals{USER_MASK},
 	     $globals{USER_MASK} );
@@ -4628,6 +4629,12 @@ sub dump_mark_layout() {
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK} );
+
+    dumpout( "TProxy",
+	     1,
+	     $globals{TPROXY_MARK},
+	     $globals{TPROXY_MARK},
+	     $globals{TPROXY_MARK} );
 }
 
 END {

Shorewall/Perl/Shorewall/Providers.pm

@@ -61,10 +61,10 @@ my  @load_interfaces;
 
 my $balancing;
 my $fallback;
-my $metrics;
 my $first_default_route;
 my $first_fallback_route;
 my $maxload;
+my $tproxies;
 
 my %providers;
 
@@ -97,10 +97,10 @@ sub initialize( $ ) {
     @load_interfaces        = ();
     $balancing              = 0;
     $fallback               = 0;
-    $metrics                = 0;
     $first_default_route    = 1;
     $first_fallback_route   = 1;
     $maxload                = 0;
+    $tproxies               = 0;
 
     %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -464,10 +464,11 @@ sub process_a_provider() {
     }
 
     if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
     } elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
 	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
@@ -710,8 +711,6 @@ CEOF
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
-
-	$metrics = 1;
     }
 
     emit( qq(\n) ,

Shorewall/Perl/Shorewall/Tc.pm

@@ -1642,7 +1642,7 @@ sub process_tcpri() {
 			);
 
 	    add_ijump( $mangle_table->{tcpost} ,
-		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
+		       j    => 'CONNMARK --save-mark --mask '    . in_hex( $globals{TC_MASK} ),
 		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
 		     );
 	}
@@ -1739,8 +1739,9 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		my $phyrdev = get_physical( $rdev );
+		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
+		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
 
 	    for my $class ( @tcclasses ) {
@@ -1764,7 +1765,7 @@ sub process_traffic_shaping() {
 		my $rate     = "$tcref->{rate}kbit";
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
 
-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 
 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
@@ -1855,7 +1856,7 @@ sub process_traffic_shaping() {
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
 
-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Zones.pm

@@ -1622,16 +1622,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;
 
 		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
 		    $physical =~ s/\+$/*/;
 
-		    emit( 'for interface in $(find_all_interfaces); do',
+		    emit( "waittime=$wait",
+			  '',
+			  'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
-			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
+			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1644,8 +1644,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
+		    emit qq(        interface_is_usable $physical && break);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);

Shorewall/Perl/lib.core

@@ -344,7 +344,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 #
 delete_default_routes() # $1 = table number
 {
-    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
+    $IP -$g_family -o route ls table $1 | fgrep default | fgrep -v metric | while read route; do
 	qt $IP -$g_family route del $route
     done
 } 

Shorewall/manpages/shorewall-providers.xml

@@ -280,7 +280,8 @@
                 url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                 When specified, the MARK, DUPLICATE and GATEWAY columns should
                 be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION.</para>
+                <option>tproxy</option> should be the only OPTION. Only one
+                <option>tproxy</option> provider is allowed.</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-tcfilters.xml

@@ -35,7 +35,7 @@
         <term>IPV4</term>
 
         <listitem>
-          <para>Following entriess apply to IPv4.</para>
+          <para>Following entries apply to IPv4.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-providers.xml

@@ -255,7 +255,8 @@
                 url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                 When specified, the MARK, DUPLICATE and GATEWAY columns should
                 be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION.</para>
+                <option>tproxy</option> should be the only OPTION. Only one
+                <option>tproxy</option> provider is allowed.</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-tcfilters.xml

@@ -35,7 +35,7 @@
         <term>IPV4</term>
 
         <listitem>
-          <para>Following entriess apply to IPv4.</para>
+          <para>Following entries apply to IPv4.</para>
         </listitem>
       </varlistentry>
 
@@ -235,6 +235,6 @@
     <para><ulink
     url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
 
-    <para></para>
+    <para/>
   </refsect1>
 </refentry>