Update TRACK_PROVIDER description in the man pages.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/one-interface/shorewall.conf

@@ -115,10 +115,12 @@ ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -161,11 +163,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -189,12 +189,27 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -115,10 +115,12 @@ ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -161,11 +163,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -189,12 +189,27 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -122,10 +122,12 @@ ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -144,7 +146,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -168,11 +170,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -196,12 +196,27 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/one-interface/shorewall6.conf

@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -143,6 +143,23 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -143,6 +143,23 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -143,6 +143,23 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite

@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -431,6 +431,8 @@ NOROUTES=
 EXPORT=
 export TIMESTAMP=
 noroutes=
+RECOVERING=
+export RECOVERING
 
 finished=0
 

Shorewall-lite/shorewall-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -100,6 +100,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall/Macros/macro.BGP

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#       This macro handles BGP4 traffic.
+#	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     179     				# BGP4
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	179	# BGP4

Shorewall/Macros/macro.Citrix

@@ -3,11 +3,12 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
+#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
+#	ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     1494 				   # ICA
-PARAM   -       -       udp     1604    			   # ICA Browser
-PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	1494	# ICA
+PARAM	-	-	udp	1604	# ICA Browser
+PARAM	-	-	tcp	2598	# CGP Session Reliabilty

Shorewall/Macros/macro.DHCPfwd

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - DHCPfwd Macro
+#
+# /usr/share/shorewall/macro.DHCPfwd
+#
+#	This macro (bidirectional) handles forwarded DHCP traffic
+#
+###############################################################################
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	udp	67:68	67:68	# DHCP
+PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.Forward

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Forward Macro
+#
+# /usr/share/shorewall/macro.Forward
+#
+#	This macro provides an alias for DNAT.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+DNAT

Shorewall/Macros/macro.OSPF

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#       This macro handles OSPF multicast traffic
+#	This macro handles OSPF multicast traffic
 #
-#######################################################################################################
-#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
-#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
-PARAM           -               -       89      -                                                       # OSPF
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	89	# OSPF

Shorewall/Macros/macro.Razor

@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-# This macro handles traffic for the Razor Antispam System
+#	This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/

Shorewall/Macros/macro.mDNS

@@ -1,12 +1,14 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.DNS
+# /usr/share/shorewall/macro.mDNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	5353
-PARAM	DEST	SOURCE	udp	5353
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.5_2';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -84,7 +84,7 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
 
     unless ( $action eq 'COUNT' ) {
@@ -185,17 +185,17 @@ sub setup_accounting() {
     if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
 
 	if ( $filter_table->{accountout} ) {
-	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
     } else {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Actions.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_2';
+our $VERSION = '4.5_2';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -88,6 +88,8 @@ our $family;
 
 our @builtins;
 
+our $oldmacros;
+
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
@@ -120,6 +122,8 @@ sub initialize( $ ) {
     } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
     }
+
+    $oldmacros = 0;
 }
 
 #
@@ -213,7 +217,7 @@ sub merge_macro_source_dest( $$ ) {
     if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
 	    return "$invocation:$body";
 	}
 
@@ -248,7 +252,9 @@ sub isolate_basic_target( $ ) {
 sub get_target_param( $ ) {
     my ( $target, $param ) = split '/', $_[0];
 
-    unless ( defined $param ) {
+    if ( defined $param ) {
+	warning_message "The form <macro>/<param> is deprecated in favor of <macro>(<param>)" unless $oldmacros++;
+    } else {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
     }
 
@@ -305,10 +311,10 @@ sub map_old_actions( $ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
+# the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set CHAIN to the name of the iptables chain where rules are to be added.
-# Similarly, LEVEL and TAG contain the log level and log tag respectively.
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -341,6 +347,8 @@ sub createlogactionchain( $$ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
+	dont_optimize $chainref;
+
 	my $file = find_file $chain;
 
 	if ( -f $file ) {
@@ -367,6 +375,8 @@ sub createsimpleactionchain( $ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
+	dont_optimize $chainref;
+
 	my $file = find_file $action;
 
 	if ( -f $file ) {
@@ -384,7 +394,7 @@ sub createsimpleactionchain( $ ) {
 }
 
 #
-# Create an action chain and run it's associated user exit
+# Create an action chain and run its associated user exit
 #
 sub createactionchain( $ ) {
     my ( $action , $level ) = split_action $_[0];
@@ -574,7 +584,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
+	    assert( $actionref );
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -609,7 +619,7 @@ sub process_action( $$$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -834,15 +844,15 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j DROP';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
 }
 
 sub rejNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
 }
 
 sub dropInvalid ( $$$ ) {
@@ -860,18 +870,19 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
+    dont_optimize 'forwardUPnP';
 }
 
 sub allowinUPnP ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
     }
 
-    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
 }
 
 sub Limit( $$$ ) {
@@ -897,7 +908,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
     } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
     }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_3';
 
 our $export;
 
@@ -355,15 +355,17 @@ sub generate_script_3($) {
     if ( $family == F_IPV4 ) {
 	my @ipsets = all_ipsets;
 
-	if ( @ipsets ) {
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
 	    emit ( '',
+		   'local hack',
+		   '',
 		   'case $IPSET in',
 		   '    */*)',
-		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
 		   '        ;;',
 		   '    *)',
 		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
 		   '        ;;',
 		   'esac',
 		   '',
@@ -373,20 +375,44 @@ sub generate_script_3($) {
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
-		   '' );
+		   'elif [ "$COMMAND" = restore -a -z "$RECOVERING" ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
+		   '        if chain_exists shorewall; then' ,
+		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+		   '        else' ,
+		   '            $IPSET -F' ,
+		   '            $IPSET -X' ,
+		   '            $IPSET -R < $(my_pathname)-ipsets' ,
+		   '        fi' ,
+		   '    fi' ,
+		 );
 
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	    if ( @ipsets ) {
+		emit '';
 
-	    emit ( '' ,
-		   'elif [ "$COMMAND" = restart ]; then' ,
-		   '' );
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+		emit ( '' ,
+		       'elif [ "$COMMAND" = restart ]; then' ,
+		       '' );
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		       '    fi' );
+	    }
 
-	    emit ( '' ,
-		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
 	    emit ( 'fi',
 		   '' );
 	}
@@ -536,8 +562,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
 
     $export = 0;
     $test   = 0;
@@ -569,6 +595,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
+		  preview       => { store => \$preview },
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -606,7 +633,7 @@ sub compiler {
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
+    require_capability( 'XCONNMARK'       , 'PROVIDER_OFFSET > 0' , 's' )   if $config{PROVIDER_OFFSET};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
     if ( $scriptfilename ) {
@@ -789,14 +816,26 @@ sub compiler {
     #
     # Accounting.
     #
-    setup_accounting;
+    setup_accounting if $config{ACCOUNTING};
 
     if ( $scriptfilename ) {
 	#
-	# Generate the zone by zone matrix
+	# Compiling a script - generate the zone by zone matrix
 	#
 	generate_matrix;
 
+	if ( $config{OPTIMIZE} & 6 ) {
+	    progress_message2 'Optimizing Ruleset...';
+	    #
+	    # Optimize Policy Chains
+	    #
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
+	    #
+	    # More Optimization
+	    #
+	    optimize_ruleset if $config{OPTIMIZE} & 4;
+	}
+
 	enable_script;
 	#
 	#                             I N I T I A L I Z E
@@ -818,7 +857,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test );
+	compile_stop_firewall( $test, $export );
 	#
 	# Copy the footer to the script
 	#
@@ -840,6 +879,29 @@ sub compiler {
 	#
 	enable_script, generate_aux_config if $export;
     } else {
+	#
+	# Just checking the configuration
+	#
+	if ( $preview ) {
+	    #
+	    # User wishes to preview the ruleset -- generate the rule matrix
+	    #
+	    generate_matrix;
+
+	    if ( $config{OPTIMIZE} & 6 ) {
+		progress_message2 'Optimizing Ruleset...';
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		#
+		# Ruleset Optimization
+		#
+		optimize_ruleset if $config{OPTIMIZE} & 4;
+	    }
+
+	    preview_netfilter_load;
+	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -68,6 +68,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
+				       emitstd
 				       emit_unindented
 				       save_progress_message
 				       save_progress_message_short
@@ -107,6 +108,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
+				       is_bridge
 
 				       $product
 				       $Product
@@ -127,7 +129,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_3';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -226,6 +228,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 KLUDGEFREE      => 'Repeat match',
 		 MARK            => 'MARK Target',
 		 XMARK           => 'Extended Mark Target',
+		 EXMARK          => 'Extended Mark Target 2',
 		 MANGLE_FORWARD  => 'Mangle FORWARD Chain',
 		 COMMENTS        => 'Comments',
 		 ADDRTYPE        => 'Address Type Match',
@@ -242,7 +245,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
+		 TPROXY_TARGET   => 'TPROXY Target',
 		 CAPVERSION      => 'Capability Version',
+		 KERNELVERSION   => 'Kernel Version',
 	       );
 #
 # Directories to search for configuration files
@@ -327,8 +332,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.5",
-		    CAPVERSION => 40402 ,
+		    VERSION => "4.5.4",
+		    CAPVERSION => 40503 ,
 		  );
 
     #
@@ -401,6 +406,7 @@ sub initialize( $ ) {
 	      RETAIN_ALIASES => undef,
 	      TC_ENABLED => undef,
 	      TC_EXPERT => undef,
+	      TC_PRIOMAP => undef,
 	      CLEAR_TC => undef,
 	      MARK_IN_FORWARD_CHAIN => undef,
 	      CLAMPMSS => undef,
@@ -441,12 +447,22 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      ZONE2ZONE => undef,
+	      ACCOUNTING => undef,
+	      OPTIMIZE_ACCOUNTING => undef,
+	      DYNAMIC_BLACKLIST => undef,
 	      #
 	      # Packet Disposition
 	      #
 	      MACLIST_DISPOSITION => undef,
 	      TCP_FLAGS_DISPOSITION => undef,
 	      BLACKLIST_DISPOSITION => undef,
+	      #
+	      # Mark Geometry
+	      #
+	      TC_BITS => undef,
+	      PROVIDER_BITS => undef,
+	      PROVIDER_OFFSET => undef,
+	      MASK_BITS => undef
 	    );
 
 	%validlevels = ( DEBUG   => 7,
@@ -525,6 +541,7 @@ sub initialize( $ ) {
 	      IP_FORWARDING => undef,
 	      TC_ENABLED => undef,
 	      TC_EXPERT => undef,
+	      TC_PRIOMAP => undef,
 	      CLEAR_TC => undef,
 	      MARK_IN_FORWARD_CHAIN => undef,
 	      CLAMPMSS => undef,
@@ -549,11 +566,21 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      ZONE2ZONE => undef,
+	      ACCOUNTING => undef,
+	      OPTIMIZE_ACCOUNTING => undef,
+	      DYNAMIC_BLACKLIST => undef,
 	      #
 	      # Packet Disposition
 	      #
 	      TCP_FLAGS_DISPOSITION => undef,
 	      BLACKLIST_DISPOSITION => undef,
+	      #
+	      # Mark Geometry
+	      #
+	      TC_BITS => undef,
+	      PROVIDER_BITS => undef,
+	      PROVIDER_OFFSET => undef,
+	      MASK_BITS => undef
 	    );
 
 	%validlevels = ( DEBUG   => 7,
@@ -603,6 +630,7 @@ sub initialize( $ ) {
 	       KLUDGEFREE => undef,
 	       MARK => undef,
 	       XMARK => undef,
+	       EXMARK => undef,
 	       MANGLE_FORWARD => undef,
 	       COMMENTS => undef,
 	       ADDRTYPE => undef,
@@ -616,10 +644,12 @@ sub initialize( $ ) {
 	       GOTO_TARGET => undef,
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
+	       TPROXY_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
+	       KERNELVERSION => undef,
 	       );
     #
     # Directories to search for configuration files
@@ -845,6 +875,25 @@ sub emit {
     }
 }
 
+#
+# Version of emit() that writes to standard out
+#
+sub emitstd {
+    for ( @_ ) {
+	unless ( /^\s*$/ ) {
+	    my $line = $_; # This copy is necessary because the actual arguments are almost always read-only.
+	    $line =~ s/^\n// if $lastlineblank;
+	    $line =~ s/^/$indent/gm if $indent;
+	    $line =~ s/        /\t/gm;
+	    print "$line\n";
+	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
+	} else {
+	    print "\n" unless $lastlineblank;
+	    $lastlineblank = 1;
+	}
+    }
+}
+
 #
 # Write passed message to the script with newline but no indentation.
 #
@@ -1733,6 +1782,26 @@ sub default_yes_no_ipv4 ( $$ ) {
     warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }
 
+sub numeric_option( $$$ ) {
+    my ( $option, $default, $min ) = @_;
+
+    my $value = $config{$option};
+
+    my $val = $default;
+    
+    if ( defined $value && $value ne '' ) {
+	$val = numeric_value $value;
+	fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
+    }
+
+    $val = $min if $val < $min;
+
+    $config{$option} = $val;
+}
+
+sub make_mask( $ ) {
+    0xffffffff >> ( 32 - $_[0] );
+}   
 
 my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
 
@@ -1844,8 +1913,8 @@ sub check_trivalue( $$ ) {
 sub report_capability( $ ) {
     my $cap = $_[0];
     print "   $capdesc{$cap}: ";
-    if ( $cap eq 'CAPVERSION' ) {
-	my $version = $capabilities{CAPVERSION};
+    if ( $cap eq 'CAPVERSION' || $cap eq 'KERNELVERSION') {
+	my $version = $capabilities{$cap};
 	printf "%d.%d.%d\n", int( $version / 10000 ) , int ( ( $version % 10000 ) / 100 ) , int ( $version % 100 );
     } else {
 	print $capabilities{$cap} ? "Available\n" : "Not Available\n";
@@ -1908,7 +1977,7 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
 
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 
@@ -1947,6 +2016,19 @@ sub qt1( $ ) {
     $? == 0;
 }
 
+#
+# Get the current kernel version
+#
+sub determine_kernelversion() {
+    my $kernelversion=`uname -r`;
+
+    if ( $kernelversion =~ /^(\d+)\.(\d+).(\d+)/ ) {
+	$capabilities{KERNELVERSION} = sprintf "%d%02d%02d", $1 , $2 , $3;
+    } else {
+	fatal_error "Unrecognized Kernel Version Format ($kernelversion)";
+    }
+}
+
 #
 # Determine which optional facilities are supported by iptables/netfilter
 #
@@ -1962,8 +2044,8 @@ sub determine_capabilities( $ ) {
     if ( $capabilities{NAT_ENABLED} ) {
 	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
 	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	    qt1( "$iptables -t NAT -F $sillyname" );
-	    qt1( "$iptables -t NAT -X $sillyname" );
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
 	}
     }
 
@@ -2029,7 +2111,13 @@ sub determine_capabilities( $ ) {
     $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
     $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
     $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
-    $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
+    
+    if ( $family == F_IPV6 ) {
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
+    } else {
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
+    }
+
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
 
     $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
@@ -2047,6 +2135,7 @@ sub determine_capabilities( $ ) {
 	if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) {
 	    $capabilities{MARK}  = 1;
 	    $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
+	    $capabilities{EXMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" );
 	}
 
 	if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) {
@@ -2056,6 +2145,7 @@ sub determine_capabilities( $ ) {
 
 	$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
 	$capabilities{IPMARK_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
+	$capabilities{TPROXY_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" );
 
 	qt1( "$iptables -t mangle -F $sillyname" );
 	qt1( "$iptables -t mangle -X $sillyname" );
@@ -2100,6 +2190,8 @@ sub determine_capabilities( $ ) {
     qt1( "$iptables -X $sillyname1" );
 
     $capabilities{CAPVERSION} = $globals{CAPVERSION};
+
+    determine_kernelversion;
 }
 
 #
@@ -2215,6 +2307,11 @@ sub read_capabilities() {
     } else {
 	warning_message "Your capabilities file may not contain all of the capabilities defined by $Product version $globals{VERSION}";
     }
+
+    unless ( $capabilities{KERNELVERSION} ) {
+	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
+	$capabilities{KERNELVERSION} = 20630;
+    }
 }
 
 #
@@ -2322,7 +2419,28 @@ sub get_configuration( $ ) {
     }
 
     check_trivalue ( 'IP_FORWARDING', 'on' );
-    check_trivalue ( 'ROUTE_FILTER',  '' );    fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
+    
+    my $val;
+
+    if ( $capabilities{KERNELVERSION} < 20631 ) {
+	check_trivalue ( 'ROUTE_FILTER',  '' );
+    } else {
+	$val = $config{ROUTE_FILTER};
+	if ( defined $val ) {
+	    if ( $val =~ /\d+/ ) {
+		fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
+	    } else {
+		check_trivalue( 'ROUTE_FILTER', '' );
+	    }
+	} else {
+	    check_trivalue( 'ROUTE_FILTER', '' );
+	}
+    }
+
+    if ( $family == F_IPV6 ) {
+	$val = $config{ROUTE_FILTER};	
+	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off';
+    }
 
     if ( $family == F_IPV4 ) {
 	check_trivalue ( 'LOG_MARTIANS',  'on' );
@@ -2373,9 +2491,9 @@ sub get_configuration( $ ) {
 
     unsupported_yes_no_warning 'DYNAMIC_ZONES';
     unsupported_yes_no         'BRIDGING';
-    unsupported_yes_no_warning 'SAVE_IPSETS';
     unsupported_yes_no_warning 'RFC1918_STRICT';
 
+    default_yes_no 'SAVE_IPSETS'                , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
     default_yes_no 'MAPOLDACTIONS'              , 'Yes';
@@ -2409,8 +2527,45 @@ sub get_configuration( $ ) {
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'WIDE_TC_MARKS'              , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'ACCOUNTING'                 , 'Yes';
+    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
+    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
 
-    my $val;
+    numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
+    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
+    numeric_option 'PROVIDER_BITS' ,   8, 0;
+    numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
+    
+    if ( $config{PROVIDER_OFFSET} ) {
+	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
+    }
+
+    $val = 1;
+    
+    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
+    $globals{TC_MASK}                = make_mask( $config{MASK_BITS} );
+    $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
+    $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
+
+    if ( $config{TC_BITS} || $config{PROVIDER_BITS} ) {
+	progress_message2 "\n   ******** Packet/Connection Mark Information ********";
+	if ( $config{TC_BITS} ) {
+	    progress_message2 "   TC Mark Values       = 1 - $globals{TC_MAX} (" . in_hex( $globals{TC_MAX} ) . ')';
+	}
+
+	progress_message2 '   Default Mask         = /' . in_hex( $globals{TC_MASK} );
+    
+	if ( $config{PROVIDER_BITS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
+		progress_message2( '   Provider Mark Values = ' . in_hex( $globals{PROVIDER_MIN} ) . ' - ' . in_hex( $globals{PROVIDER_MASK} ) );
+	    } else {
+		progress_message2( "   Provider Mark Values = 1 - $globals{PROVIDER_MASK} (" . in_hex( $globals{PROVIDER_MASK} ) . ')' );
+	    }
+	}
+    }
+
+    progress_message2 "   ****************************************************\n";
 
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
@@ -2474,12 +2629,30 @@ sub get_configuration( $ ) {
 	$globals{TC_SCRIPT} = $file;
     } elsif ( $val eq 'internal' ) {
 	$config{TC_ENABLED} = 'Internal';
+    } elsif ( $val eq 'simple' ) {
+	$config{TC_ENABLED} = 'Simple';
     } else {
 	fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no';
 	$config{TC_ENABLED} = '';
     }
 
-    fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED};
+    if ( $config{TC_ENABLED} ) {
+	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
+	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+    }
+
+    if ( $val = $config{TC_PRIOMAP} ) {
+	my @priomap = split ' ',$val;
+	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
+	for ( @priomap ) {
+	    fatal_error "Invalid TC_PRIOMAP entry ($_)" unless /[1-3]/;
+	    $_--;
+	}
+
+	$config{TC_PRIOMAP} = join ' ', @priomap;
+    } else {
+	$config{TC_PRIOMAP} = '1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1';
+    }
 
     default 'RESTOREFILE'           , 'restore';
     default 'IPSECFILE'             , 'zones';
@@ -2497,10 +2670,9 @@ sub get_configuration( $ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
-    $val = $config{OPTIMIZE};
-
-    fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' );
+    $val = numeric_value $config{OPTIMIZE};
 
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && $val <= 7;
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 
@@ -2702,6 +2874,12 @@ sub generate_aux_config() {
 
 }
 
+sub is_bridge( $ ) {
+    my $dev = $_[0];
+
+    which 'brctl' and qt1( qq(brctl show $dev | tail -n +2 | grep -q "^$dev\b") );
+}
+
 END {
     cleanup;
 }

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;
 
 use strict;
@@ -302,7 +302,8 @@ sub validate_port( $$ ) {
     my $value;
 
     if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port && $port <= 65535;
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_2';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -170,8 +170,8 @@ sub process_one_masq( )
     #
     # Handle Mark
     #
-    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
-    $baserule .= do_user( $user )      if $user ne '-';
+    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
+    $baserule .= do_user( $user ) if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';

Shorewall/Perl/Shorewall/Policy.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_5';
+our $VERSION = '4.5_2';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -107,7 +107,6 @@ sub set_policy_chain($$$$$)
 	    $chainref1->{policychain} = $chainref->{name};
 	}
 
-	$chainref1->{expanded} = 1;
 	$chainref1->{policy} = $policy;
 	$chainref1->{policypair} = [ $source, $dest ];
     }
@@ -205,7 +204,7 @@ sub process_a_policy() {
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
     }
 
-    unless ( $clientwild || $serverwild ) {
+    unless ( $clientwild || $serverwild || $policy eq 'NONE' ) {
 	if ( zone_type( $server ) == BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
@@ -222,20 +221,11 @@ sub process_a_policy() {
 	    if ( $chainref->{provisional} ) {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
-	    } elsif ( $chainref->{expanded} ) {
-		$chainref->{expanded} = 0;
-		$chainref->{policy} = $policy;
 	    } else {
 		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
-	    if ( $chainref->{expanded} ) {
-		$chainref->{expanded} = 0;
-		convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
-		push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
-	    } else {
-		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
-	    }
+	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
@@ -372,7 +362,7 @@ sub policy_rules( $$$$$ ) {
 
     unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_rule $chainref, "-j $default" if $default && $default ne 'none';
+	add_jump $chainref, $default, 0 if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
@@ -428,10 +418,21 @@ sub apply_policy_rules() {
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
+	my $synparms    = $chainref->{synparms};
 
 	if ( $policy ne 'NONE' ) {
-	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
-		ensure_filter_chain $name, 1;
+	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
+		if ( $config{OPTIMIZE} & 2 ) {
+		    #
+		    # This policy chain is empty and the only thing that we would put in it is
+		    # the policy-related stuff. Don't create it if all we are going to put in it
+		    # is a single jump. Generate_matrix() will just use the policy target when
+		    # needed.
+		    #
+		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		} else {
+		    ensure_filter_chain $name, 1;
+		}
 	    }
 
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
@@ -497,4 +498,24 @@ sub setup_syn_flood_chains() {
     }
 }
 
+#
+# Optimize Policy chains with ACCEPT policy
+#
+sub optimize_policy_chains() {
+    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
+	optimize_chain ( $chainref );
+    }
+    #
+    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
+    #
+    my $outputrules = $filter_table->{OUTPUT}{rules};
+
+    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
+	optimize_chain( $filter_table->{OUTPUT} );
+    }
+
+    progress_message '  Policy chains optimized';
+    progress_message '';
+}
+
 1;

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
+    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || $config ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
+	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ) {
-	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+	if ( $config{ROUTE_FILTER} ne '' ) {
+	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -128,14 +130,14 @@ sub setup_route_filtering() {
 	    emit   "fi\n";
 	}
 
-	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
-	if ( $config{ROUTE_FILTER} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
-	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	if ( $capabilities{KERNELVERSION} < 20631 ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+	} elsif ( $val ne '' ) {
+	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 	}
 
+	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+
 	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
     }
 }

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_2';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,6 +59,8 @@ our @providers;
 
 our $family;
 
+our $lastmark;
+
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
@@ -94,7 +96,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
@@ -112,7 +114,7 @@ sub setup_route_marking() {
 	my $mark      = $providerref->{mark};
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
 	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
@@ -293,36 +295,8 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my $val = 0;
-    my $pref;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
-
-	verify_mark $mark;
-
-	if ( $val < 65535 ) {
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
-	    }
-	} else {
-	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
-	}
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-    }
-
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -363,12 +337,43 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
+	    } elsif ( $option eq 'local' ) {
+		$local = 1;
+		$track = 0           if $config{TRACK_PROVIDERS};
+		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
     }
 
+    my $val = 0;
+    my $pref;
+
+    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
+
+	verify_mark $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
+
+	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+	$lastmark = $val;
+
+    }
+
     unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -420,7 +425,13 @@ sub add_a_provider( ) {
 
 	$provider_interfaces{$interface} = $table;
 
-	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
+	if ( $gatewaycase eq 'none' ) {
+	    if ( $local ) {
+		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
+	    } else {
+		emit "run_ip route add default dev $physical table $number";
+	    }
+	}
     }
 
     if ( $mark ne '-' ) {
@@ -470,7 +481,12 @@ sub add_a_provider( ) {
 	}
     }
 
-    if ( $loose ) {
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "MARK required with 'local'"              unless $mark;
+    } elsif ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
 	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
@@ -589,7 +605,7 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
 	$interface = physical_name $interface;
@@ -737,12 +753,14 @@ sub finish_providers() {
 sub setup_providers() {
     my $providers = 0;
 
+    $lastmark = 0;
+
     my $fn = open_file 'providers';
 
     first_entry sub() {
+	progress_message2 "$doing $fn...";
 	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 	push_indent;
-	progress_message2 "$doing $fn...";
 	start_providers; };
 
     add_a_provider, $providers++ while read_a_line;
@@ -767,7 +785,7 @@ sub setup_providers() {
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if block begun in the first_entry closure
+	# This completes the if-block begun in the first_entry closure above
 	#
 	pop_indent;
 	emit "fi\n";
@@ -869,7 +887,7 @@ sub handle_optional_interfaces() {
 #
 sub handle_stickiness( $ ) {
     my $havesticky   = shift;
-    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask         = in_hex( $globals{PROVIDER_MASK} );
     my $setstickyref = $mangle_table->{setsticky};
     my $setstickoref = $mangle_table->{setsticko};
     my $tcpreref     = $mangle_table->{tcpre};

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 
 #
 # Notrack

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.5_3';
 
 #
 # Set to one if we find a SECTION
@@ -125,7 +125,7 @@ sub process_tos() {
 	    if ( $family == F_IPV4 ) {
 		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ ) {
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 		$srczone = $1;
 		$source  = $2;
 	    } else {
@@ -146,7 +146,7 @@ sub process_tos() {
 	    expand_rule
 		$chainref ,
 		$restriction ,
-		do_proto( $proto, $ports, $sports ) . do_test( $mark , 0xFF ) ,
+		do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) ,
 		$src ,
 		$dst ,
 		'' ,
@@ -157,8 +157,8 @@ sub process_tos() {
 	}
 
 	unless ( $first_entry ) {
-	    add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced};
-	    add_rule $mangle_table->{OUTPUT},    "-j outtos" if $outtosref->{referenced};
+	    add_jump( $mangle_table->{$stdchain}, $chain,   0 ) if $pretosref->{referenced};
+	    add_jump( $mangle_table->{OUTPUT},    'outtos', 0 ) if $outtosref->{referenced};
 	}
     }
 }
@@ -214,7 +214,7 @@ sub add_rule_pair( $$$$ ) {
     my ($chainref , $predicate , $target , $level ) = @_;
 
     log_rule( $level, $chainref, "\U$target", $predicate )  if defined $level && $level ne '';
-    add_rule $chainref , "${predicate}-j $target";
+    add_jump( $chainref , $target, 0, $predicate );
 }
 
 sub setup_blacklist() {
@@ -232,7 +232,7 @@ sub setup_blacklist() {
 
 	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
 
-	    add_rule $logchainref, "-j $target" ;
+	    add_jump $logchainref, $target, 1;
 
 	    $target = 'blacklog';
 	}
@@ -315,7 +315,6 @@ sub process_routestopped() {
 	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
 
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
-
 	$hosts = ALLIP unless $hosts && $hosts ne '-';
 
 	my @hosts;
@@ -325,6 +324,7 @@ sub process_routestopped() {
 	my $rule = do_proto( $proto, $ports, $sports, 0 );
 
 	for my $host ( split /,/, $hosts ) {
+	    fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 	    validate_host $host, 1;
 	    push @hosts, "$interface|$host|$seq";
 	    push @rule, $rule;
@@ -419,17 +419,21 @@ sub setup_mss();
 sub add_common_rules() {
     my $interface;
     my $chainref;
-    my $level;
     my $target;
     my $rule;
     my $list;
     my $chain;
 
-    new_standard_chain 'dynamic';
+    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
+    my $level     = $config{BLACKLIST_LOGLEVEL};
+    my $rejectref = dont_move new_standard_chain 'reject';
 
-    my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
-
-    add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD );
+    if ( $config{DYNAMIC_BLACKLIST} ) {
+	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   ' ' , 'DROP'   , $level ;
+	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
+	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
+	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
+    }
 
     setup_mss;
 
@@ -437,13 +441,6 @@ sub add_common_rules() {
 	add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
     }
 
-    my $rejectref = new_standard_chain 'reject';
-
-    $level = $config{BLACKLIST_LOGLEVEL};
-
-    add_rule_pair new_standard_chain( 'logdrop' ),   ' ' , 'DROP'   , $level ;
-    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'reject' , $level ;
-
     for $interface ( all_interfaces ) {
 	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
     }
@@ -591,11 +588,11 @@ sub add_common_rules() {
 	    $disposition = $config{TCP_FLAGS_DISPOSITION};
 	}
 
-	add_rule $chainref , "-p tcp --tcp-flags ALL FIN,URG,PSH -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags ALL NONE        -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN,RST -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags SYN,FIN SYN,FIN -j $disposition";
-	add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL FIN,URG,PSH ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL NONE ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,RST SYN,RST ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,FIN SYN,FIN ';
+	add_jump $chainref , $disposition, 1, '-p tcp --syn --sport 0 ';
 
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
@@ -618,12 +615,12 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    new_nat_chain( 'UPnP' );
+	    dont_optimize new_nat_chain( 'UPnP' );
 
 	    $announced = 1;
 
 	    for $interface ( @$list ) {
-		add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
+		add_jump $nat_table->{PREROUTING} , 'UPnP', 0, match_source_dev ( $interface );
 	    }
 	}
 
@@ -706,7 +703,7 @@ sub setup_mac_lists( $ ) {
 		my $chain = $chainref->{name};
 
 		add_rule $chainref, "-m recent --rcheck --seconds $ttl --name $chain -j RETURN";
-		add_rule $chainref, "-j $chain1ref->{name}";
+		add_jump $chainref, $chain1ref, 0;
 		add_rule $chainref, "-m recent --update --name $chain -j RETURN";
 		add_rule $chainref, "-m recent --set --name $chain";
 	    }
@@ -748,6 +745,7 @@ sub setup_mac_lists( $ ) {
 			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if defined $level && $level ne '';
 			add_rule $chainref , "${mac}${source}-j $targetref->{target}";
+
 		    }
 		} else {
 		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
@@ -834,7 +832,7 @@ sub setup_mac_lists( $ ) {
 	    run_user_exit2( 'maclog', $chainref );
 
 	    log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
-	    add_rule $chainref, "-j $target";
+	    add_jump $chainref, $target, 0;
 	}
     }
 }
@@ -958,11 +956,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     my ( $basictarget, $param ) = get_target_param $action;
     my $rule = '';
     my $actionchainref;
-    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
-
-    unless ( defined $param ) {
-	( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/;
-    }
+    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0;
 
     $param = '' unless defined $param;
 
@@ -1132,7 +1126,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$chain    = rules_chain( ${sourcezone}, ${destzone} );
+	$chain = rules_chain( ${sourcezone}, ${destzone} );
+	#
+	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
+	#
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};
 
@@ -1155,12 +1152,22 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
 	$chainref = ensure_filter_chain $chain, 1;
+	#
+	# Don't let the rules in this chain be moved elsewhere
+	#
+	dont_move $chainref;
     }
 
     #
     # Generate Fixed part of the rule
     #
-    $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) );
+    $rule = join( '', 
+		  do_proto($proto, $ports, $sports),
+		  do_ratelimit( $ratelimit, $basictarget ) ,
+		  do_user( $user ) ,
+		  do_test( $mark , $globals{TC_MASK} ) ,
+		  do_connlimit( $connlimit ),
+		  do_time( $time ) );
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
@@ -1293,7 +1300,11 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#   - the target will be ACCEPT.
 	#
 	unless ( $actiontype & NATONLY ) {
-	    $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
+	    $rule = join( '',
+			  do_proto( $proto, $ports, $sports ),
+			  do_ratelimit( $ratelimit, 'ACCEPT' ),
+			  do_user $user ,
+			  do_test( $mark , $globals{TC_MASK} ) );
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -1371,7 +1382,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     "-j $tgt",
 		     $loglevel ,
 		     $log_action ,
-		     ''
+		     '' ,
 		   );
 	#
 	# Possible optimization if the rule just generated was a simple jump to the nonat chain
@@ -1625,7 +1636,7 @@ sub add_interface_jumps {
     my $fw = firewall_zone;
     my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
 
-    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
+    add_jump $filter_table->{OUTPUT} ,  ($chainref->{referenced} ? $chainref : 'ACCEPT' ), 0, '-o lo ';
     add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
 }
 
@@ -1658,7 +1669,8 @@ sub generate_matrix() {
 	if ( $chainref->{policy} ne 'CONTINUE' ) {
 	    my $policyref = $filter_table->{$chainref->{policychain}};
 	    assert( $policyref );
-	    return $policyref->{name};
+	    return $policyref->{name} if $policyref ne $chainref;
+	    return $chainref->{policy} eq 'REJECT' ? 'reject' : $chainref->{policy};
 	}
 
 	''; # CONTINUE policy
@@ -1740,7 +1752,7 @@ sub generate_matrix() {
     #
     # NOTRACK from firewall
     #
-    add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced};
+    add_jump $raw_table->{OUTPUT}, $notrackref, 0 if $notrackref->{referenced};
     #
     # Main source-zone matrix-generation loop
     #
@@ -1907,7 +1919,7 @@ sub generate_matrix() {
 	my @dest_zones;
 	my $last_chain = '';
 
-	if ( $config{OPTIMIZE} > 0 ) {
+	if ( $config{OPTIMIZE} & 1 ) {
 	    my @temp_zones;
 
 	    for my $zone1 ( @zones )  {
@@ -2123,7 +2135,7 @@ sub setup_mss( ) {
 	#
 	# Send all forwarded SYN packets to the 'settcpmss' chain
 	#
-	add_rule $filter_table->{FORWARD} ,  "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
+	add_jump $filter_table->{FORWARD} , $chainref, 0, '-p tcp --tcp-flags SYN,RST SYN ';
 
 	my $in_match  = '';
 	my $out_match = '';
@@ -2151,8 +2163,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $ ) {
-    my $test = shift;
+sub compile_stop_firewall( $$ ) {
+    my ( $test, $export ) = @_;
 
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
@@ -2163,6 +2175,7 @@ sub compile_stop_firewall( $ ) {
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
+    local hack
 EOF
 
     $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
@@ -2191,8 +2204,8 @@ EOF
 	        restart)
 	            logger -p kern.err "ERROR:$PRODUCT restart failed"
 	            ;;
-	        restore)
-	            logger -p kern.err "ERROR:$PRODUCT restore failed"
+	        refresh)
+	            logger -p kern.err "ERROR:$PRODUCT refresh failed"
 	            ;;
             esac
 
@@ -2208,6 +2221,9 @@ EOF
 
 	        if [ -x $RESTOREPATH ]; then
 		    echo Restoring ${PRODUCT:=Shorewall}...
+                    
+                    RECOVERING=Yes
+                    export RECOVERING
 
 		    if $RESTOREPATH restore; then
 		        echo "$PRODUCT restored from $RESTOREPATH"
@@ -2303,7 +2319,9 @@ EOF
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    if ( $export || $test || is_bridge( get_physical( $interface ) ) ) {
+		add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    }
 	}
     }
 
@@ -2342,16 +2360,38 @@ EOF
 
     my @ipsets = all_ipsets;
 
-    if ( @ipsets ) {
+    if ( @ipsets || $config{SAVE_IPSETS} ) {
 	emit <<'EOF';
 
-    if [ -n "$(mywhich ipset)" ]; then
-        if $IPSET -S > ${VARDIR}/ipsets.tmp; then
+    case $IPSET in
+        */*)
+            if [ ! -x "$IPSET" ]; then
+                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+                IPSET=
+            fi
+	    ;;
+	*)
+	    IPSET="$(mywhich $IPSET)"
+	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+	    ;;
+    esac
+
+    if [ -n "$IPSET" ]; then
+        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+            #
+            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+            #
+            hack='| grep -v /31'
+        else
+            hack=
+        fi
+
+        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
             #
             # Don't save an 'empty' file
             #
             grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-	fi
+        fi
     fi
 EOF
     }

Shorewall/Perl/Shorewall/Tc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_3';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -79,48 +79,6 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-		 target    => 'CONNMARK --save-mark --mask' ,
-		 mark      => SMALLMARK ,
-		 mask      => '0xFF' ,
-		 connmark  => 1
-	       } ,
-	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-		target    => 'CONNMARK --restore-mark --mask' ,
-		mark      => SMALLMARK ,
-		mask      => '0xFF' ,
-		connmark  => 1
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-		target    => 'RETURN' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
-		target    => 'sticky' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-		target    => 'IPMARK' ,
-		mark      => NOMARK,
-		mask      => '',
-		connmark  => 0
-	        } ,
-	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-		target    => 'MARK --or-mark' ,
-		mark      => HIGHMARK ,
-		mask      => '' } ,
-	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
-		target    => 'MARK --and-mark ' ,
-		mark      => HIGHMARK ,
-		mask      => '' ,
-		connmark  => 0
-		}
-	      );
-
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -172,6 +130,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
+our $ipp2p;
 
 
 #
@@ -225,11 +184,14 @@ sub initialize( $ ) {
     @devnums   = ();
     $devnum = 0;
     $sticky = 0;
+    $ipp2p  = 0;
 }
 
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
+    our @tccmd;
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -265,9 +227,9 @@ sub process_tc_rule( ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    }
 
-	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
-	    $target   = $tcsref->{target} if $tcsref->{target};
-	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};
+	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
+	    $target   = $tcsref->{target}                      if $tcsref->{target};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
@@ -285,8 +247,6 @@ sub process_tc_rule( ) {
 	}
     }
 
-    my $mask = 0xffff;
-
     my ($cmd, $rest) = split( '/', $mark, 2 );
 
     $list = '';
@@ -354,7 +314,39 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+		    } elsif ( $target eq 'TPROXY ' ) {
+			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+			
+			$chain = 'tcpre';
+
+			$cmd =~ /TPROXY\((.+?)\)$/;
+
+			my $params = $1;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+			if ( $port ) {
+			    $port = validate_port( 'tcp', $port );
+			} else {
+			    $port = 0;
+			}
+
+			$target .= "--on-port $port";
+			
+			if ( defined $ip && $ip ne '' ) {
+			    validate_address $ip, 1;
+			    $target .= " --on-ip $ip";
+			}
+
+			$target .= ' --tproxy-mark';	
 		    }
+			
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -376,11 +368,11 @@ sub process_tc_rule( ) {
 
 	    validate_mark $mark;
 
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
-		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		my $limit = $globals{TC_MASK};
+		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when PROVIDER_OFFSET > 0"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
@@ -390,7 +382,7 @@ sub process_tc_rule( ) {
 				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
-				     do_test( $testval, $mask ) .
+				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
@@ -451,6 +443,96 @@ sub process_flow($) {
     $flow;
 }
 
+sub process_simple_device() {
+    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
+
+    my $devnumber;
+
+    if ( $device =~ /:/ ) {
+	( my $number, $device, my $rest )  = split /:/, $device, 3;
+
+	fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
+
+	if ( defined $number ) {
+	    $devnumber = hex_value( $number );
+	    fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
+	    fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
+	    $devnum = $devnumber if $devnumber > $devnum;
+	} else {
+	    fatal_error "Missing interface NUMBER";
+	}
+    } else {
+	$devnumber = ++$devnum;
+    }
+
+    $devnums[ $devnumber ] = $device;
+
+    my $number = in_hexp $devnumber;
+
+    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
+    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
+
+    my $physical = physical_name $device;
+    my $dev      = chain_base( $physical );
+
+    if ( $type ne '-' ) {
+	if ( lc $type eq 'external' ) {
+	    $type = 'nfct-src';
+	} elsif ( lc $type eq 'internal' ) {
+	    $type = 'dst';
+	} else {
+	    fatal_error "Invalid TYPE ($type)";
+	}
+    }
+
+    $tcdevices{$device} = { number   => $devnumber ,
+			    physical => physical_name $device ,
+			    type     => $type ,
+			    in_bandwidth => $bandwidth = rate_to_kbit( $bandwidth ) ,
+			  };
+
+    push @tcdevices, $device;
+
+    emit "if interface_is_up $physical; then";
+
+    push_indent;
+
+    emit ( "${dev}_exists=Yes",
+	   "qt \$TC qdisc del dev $physical root",
+	   "qt \$TC qdisc del dev $physical ingress\n"	   
+	 );
+
+    if ( $bandwidth ) {
+	emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
+	       "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	     );
+    }
+	  
+    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    
+    my $i = 0;
+
+    while ( ++$i <= 3 ) {
+	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-';
+	emit '';
+    }
+
+    save_progress_message_short "   TC Device $physical defined.";
+    
+    pop_indent;
+    emit 'else';
+    push_indent;
+
+    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
+    emit "${dev}_exists=";
+    pop_indent;
+    emit "fi\n";
+ 
+    progress_message "  Simple tcdevice \"$currentline\" $done.";
+}    
+
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
 
@@ -648,10 +730,12 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
+	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
-	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0x3fff : 0xff );
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
 
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -755,7 +839,7 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
@@ -1016,6 +1100,91 @@ sub process_tc_filter( ) {
 
 }
 
+sub process_tc_priority() {
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+
+    if ( $band eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my $val = numeric_value $band;
+
+    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
+
+    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if $capabilities{EXMARK};
+
+    if ( $interface ne '-' ) {
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+
+	my $forwardref = $mangle_table->{tcfor};
+
+	add_rule( $forwardref ,
+		  join( '', match_source_dev( $interface) , $rule ) ,
+		  1 );
+    } else {
+	my $postref = $mangle_table->{tcpost};
+	
+	if ( $address ne '-' ) {
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    add_rule( $postref ,
+		      join( '', match_source_net( $address) , $rule ) ,
+		      1 );
+	} else {
+	    add_rule( $postref , 
+		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      1 );
+
+	    if ( $ports ne '-' ) {
+		my $protocol = resolve_proto $proto;
+
+		if ( $proto =~ /^ipp2p/ ) {
+		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
+		    $ipp2p = 1;
+		}
+
+		add_rule( $postref , 
+			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
+			  1 )
+		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
+	    }
+	}
+    }
+}
+
+sub setup_simple_traffic_shaping() {
+    my $interfaces;
+
+    save_progress_message "Setting up Traffic Control...";
+
+    my $fn = open_file 'tcinterfaces';
+
+    if ( $fn ) {
+	first_entry "$doing $fn...";
+	process_simple_device, $interfaces++ while read_a_line;
+    } else {
+	$fn = find_file 'tcinterfaces';
+    }
+
+    my $fn1 = open_file 'tcpri';
+
+    if ( $fn1 ) {
+	first_entry sub { progress_message2 "$doing $fn1...";
+			  warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
+		      };
+	process_tc_priority while read_a_line;
+
+	clear_comment;
+
+	if ( $ipp2p ) {
+	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
+	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
+	}
+    }
+}
+
 sub setup_traffic_shaping() {
     our $lastrule = '';
 
@@ -1211,7 +1380,7 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
 
@@ -1223,29 +1392,25 @@ sub setup_tc() {
 	my $mark_part = '';
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
 
-	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+	    unless ( $config{TRACK_PROVIDERS} ) {
+		#
+		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
+		#
+		for my $interface ( @routemarked_interfaces ) {
+		    add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+		}
 	    }
 	}
 
-	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
-	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";
+	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
+	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
 	if ( $capabilities{MANGLE_FORWARD} ) {
-	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
-	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
-	}
-
-	if ( $config{HIGH_ROUTE_MARKS} ) {
-	    for my $chain qw(INPUT FORWARD) {
-		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
-	    }
-	    #
-	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
-	    #
-	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' );
+	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
+	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}
     }
 
@@ -1254,12 +1419,61 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
     } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
+    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
+	setup_simple_traffic_shaping;
     }
 
     if ( $config{TC_ENABLED} ) {
+	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+			  target    => 'CONNMARK --save-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			  target    => 'CONNMARK --restore-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			  target    => 'RETURN' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			  target    => 'sticky' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			  target    => 'IPMARK' ,
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			  target    => 'MARK --or-mark' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' } ,
+			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+			  target    => 'MARK --and-mark ' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+			  target    => 'TPROXY',
+			  mark      => HIGHMARK,
+			  mask      => '',
+			  connmark  => '' },
+		      );
+
 	if ( my $fn = open_file 'tcrules' ) {
 
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
+	    first_entry "$doing $fn...";
 
 	    process_tc_rule while read_a_line;
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_0';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -75,7 +75,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_0';
 
 #
 # IPSEC Option types
@@ -147,6 +147,7 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
+#                                     include     => [ <if1>, ... ]
 #                                   }
 #                 }
 #
@@ -170,14 +171,18 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IPLIST_IF_OPTION   => 6,
 	       STRING_IF_OPTION   => 7,
 
-	       MASK_IF_OPTION     => 7,
+	       MASK_IF_OPTION     => 15,
 
-	       IF_OPTION_ZONEONLY => 8,
-	       IF_OPTION_HOST     => 16,
+	       IF_OPTION_ZONEONLY => 16,
+	       IF_OPTION_HOST     => 32,
 	   };
 
 our %validinterfaceoptions;
 
+our %defaultinterfaceoptions = ( routefilter => 1 );
+
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
+
 our %validhostoptions;
 
 #
@@ -217,7 +222,7 @@ sub initialize( $ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-				  routefilter => BINARY_IF_OPTION ,
+				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
@@ -248,7 +253,7 @@ sub initialize( $ ) {
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
-				    forward     => NUMERIC_IF_OPTION,
+				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
@@ -665,7 +670,7 @@ sub add_group_to_zone($$$$$)
 
     fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
 
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -722,8 +727,8 @@ sub firewall_zone() {
 #
 # Process a record in the interfaces file
 #
-sub process_interface( $ ) {
-    my $nextinum = $_[0];
+sub process_interface( $$ ) {
+    my ( $nextinum , $export ) = @_;
     my $netsref = '';
     my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
     my $zoneref;
@@ -850,9 +855,10 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
+		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
-		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
+		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -924,6 +930,12 @@ sub process_interface( $ ) {
 	$hostoptionsref = \%hostoptions;
 
     }
+    #
+    # Automatically set 'routeback' for local bridges
+    #
+    unless ( $export || $wildcard || $options{routeback} ) {
+	$options{routeback} = $hostoptionsref->{routeback} = is_bridge $physical;
+    }
 
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
@@ -965,7 +977,7 @@ sub validate_interfaces_file( $ ) {
 
     first_entry "$doing $fn...";
 
-    push @ifaces, process_interface( $nextinum++) while read_a_line;
+    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
 
     #
     # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1181,15 +1193,13 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
+	$interface = $1;
+	$hosts = $2;
+	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+	fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
     } else {
-	if ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ ) {
-	    $interface = $1;
-	    $hosts = $2;
-	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
-	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
-	} else {
-	    fatal_error "Invalid HOST(S) column contents: $hosts";
-	}
+	fatal_error "Invalid HOST(S) column contents: $hosts";
     }
 
     if ( $type == BPORT ) {

Shorewall/Perl/compiler.pl

@@ -36,6 +36,7 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
+#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -58,6 +59,7 @@ sub usage( $ ) {
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
+    [ --preview ]
     [ --family={4|6} ]
 ';
 
@@ -78,6 +80,7 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
+my $preview       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -98,6 +101,7 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
+			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -115,4 +119,5 @@ compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
+	  preview         => $preview,
 	  family          => $family );

Shorewall/Perl/prog.footer6

@@ -79,7 +79,7 @@ COMMAND="$1"
 
 [ -n "${PRODUCT:=Shorewall6}" ]
 
-kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 if [ $kernel -lt 20624 ]; then
     error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
     status=2

Shorewall/Perl/prog.header

@@ -255,7 +255,7 @@ reload_kernel_modules() {
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -294,7 +294,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -606,6 +606,7 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 
@@ -1102,7 +1103,7 @@ clear_firewall() {
     echo 1 > /proc/sys/net/ipv4/ip_forward
 
     if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
+	if [ -x $IP6TABLES ]; then
     	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null

Shorewall/Perl/prog.header6

@@ -268,7 +268,7 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -304,7 +304,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"

Shorewall/changelog.txt

@@ -1,371 +1,65 @@
-Changes in Shorewall 4.4.5
+Changes in 4.5.4
 
-1)  Fix 15-port limit removal change.
+1) Autodetect local bridges.
 
-2)  Fix handling of interfaces with the 'bridge' option.
+2) Add 'show macro' command.
 
-3)  Generate error for port number 0
+Changes in 4.5.3
 
-4)  Allow zone::serverport in rules DEST column.
+1) Fix logging NONAT rules.
 
-5)  Allow specific policy to supersede a wildcard policy.
+2) Don't let fw-fw be optimized away.
 
-6)  Fix 'show policies' in Shorewall6.
+3) Don't optimize away non-empty rules chains.
 
-7)  Limit the maximum provider mark to 0xf0000.
+4) Represent masks in hex.
 
-Changes in Shorewall 4.4.4
+5) Don't specify a mask in tcpri-generated rules.
 
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
+6) Add TPROXY support.
 
-2)  Fix access to uninitialized variable.
+Changes in 4.5.2
 
-3)  Add logrotate scripts.
+1) Extend OPTIMIZE & 4 to all tables.
 
-4)  Allow long port lists in /etc/shorewall/routestopped.
+2) Add OPTIMIZE_ACCOUNTING.
 
-5)  Implement 'physical' interface option.
+3) Add -p option to check.
 
-6)  Implement ZONE2ZONE option.
+Changes in 4.5.1
 
-7)  Suppress duplicate COMMENT warnings.
+1)  Fix syntax error in /sbin/shorewall.
 
-8)  Implement 'show policies' command.
+2)  Don't generate source type rule for ICMP/ICMPv6.
 
-9)  Fix route_rule suppression for down provider.
+3)  Add <device> argument to 'show tc'.
 
-10) Suppress redundant tests for provider availability in route rules
-    processing.
+4)  Fix 'save' when DYNAMIC_BLACKLIST=No
 
-11) Implement the '-l' option to the 'show' command.
+5)  Allow COMMENTs in tcpri.
 
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
+6)  More ACCEPT optimization with OPTIMIZE & 2.
 
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+7)  OPTIMIZE & 4.
 
-Changes in Shorewall 4.4.3
+8)  Allow ipp2p in tcpri.
 
-1)  Move Debian INITLOG initialization to /etc/default/shorewall
+Changes in 4.5.0
 
-2)  Fix 'routeback' in /etc/shorewall/routestopped.
+1)  Allow control over how the Mark is used.
 
-3)  Rename 'object' to 'script' in compiler and config modules.
+2)  Generate warning on <macro>/<param>.
 
-4)  Correct RETAIN_ALIASES=No.
+3)  Add a new optimization option.
 
-5)  Fix detection of IP config.
+4)  Combine identical logging chains.
 
-6)  Fix nested zones.
+5)  Added ACCOUNTING and DYNAMIC_BLACKLIST options.
 
-7)  Move all function declarations from prog.footer to prog.header
+6)  Don't unconditionally pass traffic from routemarked interfaces
+    through the tcpre chain.
 
-8)  Remove superfluous variables from generated script
-
-9)  Make 'track' the default.
-
-10)  Add TRACK_PROVIDERS option.
-
-11)  Fix IPv6 address parsing bug.
-
-12)  Add hack to work around iproute IPv6 bug in route handling
-
-13)  Correct messages issued when an optional provider is not usable.
-
-14)  Fix optional interfaces.
-
-15)  Add 'limit' option to tcclasses.
-
-Changes in Shorewall 4.4.2
-
-1)  BUGFIX: Correct detection of Persistent SNAT support
-
-2)  BUGFIX: Fix chain table initialization
-
-3)  BUGFIX: Validate routestopped file on 'check'
-
-4)  Let the Actions module add the builtin actions to
-    %Shorewall::Chains::targets. Much better modularization that way.
-
-5)  Some changes to make Lenny->Squeeze less painful.
-
-6)  Allow comments at the end of continued lines.
-
-7)  Call process_routestopped() during 'check' rather than
-    'compile_stop_firewall()'.
-
-8)  Don't look for an extension script for built-in actions.
-
-9)  Apply Jesse Shrieve's patch for SNAT range.
-
-10) Add -<family> to 'ip route del default' command.
-
-11) Add three new columns to macro body.
-
-12) Change 'wait4ifup' so that it requires no PATH
-
-13) Allow extension scripts for accounting chains.
-
-14) Allow per-ip LIMIT to work on ancient iptables releases.
-
-15) Add 'MARK' column to action body.
-
-Changes in Shorewall 4.4.1
-
-1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
-
-2)  Deleted superfluous export from Chains.pm.
-
-3)  Added support for --persistent.
-
-4)  Don't do module initialization in an INIT block.
-
-5)  Minor performance improvements.
-
-6)  Add 'clean' target to Makefile.
-
-7)  Redefine 'full' for sub-classes.
-
-8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
-
-9)  Fix nested ipsec zones.
-
-10) Change one-interface sample to IP_FORWARDING=Off.
-
-11) Allow multicast to non-dynamic zones defined with nets=.
-
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts
-    entries.
-
-13) Don't allow nets= in a multi-zone interface definition.
-
-14) Fix rule generated by MULTICAST=Yes
-
-15) Fix silly hole in zones file parsing.
-
-16) Tighen up zone membership checking.
-
-17) Combine portlist-spitting routines into a single function.
-
-Changes in Shorewall 4.4.0
-
-1)  Fix 'compile ... -' so that it no longer requires '-v-1'
-
-2)  Fix rule generation for logging nat rules with no exclusion.
-
-3)  Fix log record formatting.
-
-4)  Restore ipset binding
-
-5)  Fix 'upnpclient' with required interfaces.
-
-6)  Fix provider number in masq file.
-
-Changes in Shorewall 4.4.0-RC2
-
-1)  Fix capabilities file with Shorewall6.
-
-2)  Allow Shorewall6 to recognize TC, IP and IPSET
-
-3)  Make 'any' a reserved zone name.
-
-4)  Correct handling of an ipsec zone nested in a non-ipsec zone.
-
-Changes in Shorewall 4.4.0-RC1
-
-1)  Delete duplicate Git macro.
-
-2)  Fix routing when no providers.
-
-3)  Add 'any' as a SOURCE/DEST in rules.
-
-4)  Fix NONAT on child zone.
-
-5)  Fix rpm -U from earlier versions
-
-6)  Generate error on 'status' by non-root.
-
-7)  Get rid of prog.functions and prog.functions6
-
-Changes in Shorewall 4.4.0-Beta4
-
-1)  Add more macros.
-
-2)  Correct broadcast address detection
-
-3) Fix 'show dynamic'
-
-4) Fix BGP and OSFP macros.
-
-5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
-
-Changes in Shorewall 4.4.0-Beta3
-
-1)  Add new macros.
-
-2)  Work around mis-configured interfaces.
-
-3)  Fix 'show dynamic'.
-
-4)  Check for xt_LOG.
-
-5)  Fix 'findgw'
-
-Changes in Shorewall 4.4.0-Beta2
-
-1)  The 'find_first_interface_address()' and
-    'find_first_interface_address_if_any()' functions have been restored to
-    lib.base.
-
-2)  Integerize r2q before inserting it into 'tc qdisc add root'
-    command.
-
-3)  Remove '-h' from the help text for install.sh in Shorewall and
-    Shorewall6.
-
-4)  Delete the 'continue' file from the Shorewall package.
-
-5)  Add 'upnpclient' interface option.
-
-6)  Fix handling of optional interfaces.
-
-7)  Add 'iptrace' and 'noiptrace' command.
-
-8)  Add 'USER/GROUP' column to masq file.
-
-9)  Added lib.private.
-
-Changes in Shorewall 4.4.0-Beta1
-
-1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
-
-2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
-
-Changes in Shorewall 4.3.12
-
-1) Eliminate 'large quantum' warnings.
-
-2) Add HFSC support.
-
-3) Delete support for ipset binding. Jozsef has removed the capability
-   from ipset.
-
-4) Add TOS and LENGTH columns to tcfilters file.
-
-5) Fix 'reset' command.
-
-6) Fix 'findgw'.
-
-7) Remove 'norfc1918' support.
-
-Changes in Shorewall 4.3.11
-
-1) Reduce the number of arguments passed in may cases.
-
-2) Fix SCTP source port handling in tcfilters.
-
-3) Add 'findgw' user exit.
-
-4) Add macro.Trcrt
-
-Changes in Shorewall 4.3.10
-
-1) Fix handling of shared optional providers.
-
-2) Add WIDE_TC_MARKS option.
-
-3) Allow compile to STDOUT.
-
-4) Fix handling of class IDs.
-
-5) Deprecate use of an interface in the SOURCE column of
-   /etc/shorewall/masq.
-
-6) Fix handling of 'all' in the SOURCE of DNAT- rules.
-
-7) Fix compile for export.
-
-8) Optimize IPMARK.
-
-9) Implement nested HTB classes.
-
-10) Fix 'iprange' command.
-
-11) Make traffic shaping work better with IPv6.
-
-12) Externalize 'flow'.
-
-13) Fix 'start' with AUTOMAKE=Yes
-
-Changes in Shorewall 4.3.9
-
-1) Logging rules now create separate chain.
-
-2) Fix netmask genereation in tcfilters.
-
-3) Allow Shorewall6 with kernel 2.6.24
-
-4) Avoid 'Invalid BROADCAST address' errors.
-
-5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
-
-6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
-
-7) Add IPMARK support
-
-Changes in Shorewall 4.3.8
-
-1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
-
-2) Use 'startup_error' for those errors caught early.
-
-3) Fix swping
-
-4) Detect gateway via dhclient leases file.
-
-5) Suppress leading whitespace on certain continuation lines.
-
-6) Use iptables[6]-restore to stop the firewall.
-
-7) Add AUTOMAKE option
-
-8) Remove SAME support.
-
-9) Allow 'compile' without a pathname.
-
-10) Fix LOG_MARTIANS=Yes.
-
-11) Adapt I. Buijs's hashlimit patch.
-
-Changes in Shorewall 4.3.7
-
-1)  Fix forward treatment of interface options.
-
-2)  Replace $VARDIR/.restore with $VARDIR/firewall
-
-3)  Fix DNAT- parsing of DEST column.
-
-4)  Implement dynamic zones
-
-5)  Allow 'HOST' options on bridge ports.
-
-6)  Deprecate old macro parameter syntax.
-
-Changes in Shorewall 4.3.6
-
-1)  Add SAME tcrules target.
-
-2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
-
-3)  Fix split_list1()
-
-4)  Fix Shorewall6 file location bugs.
-
-Changes in Shorewall 4.3.5
-
-1)  Remove support for shorewall-shell.
-
-2)  Combine shorewall-common and shorewall-perl to produce shorewall.
-
-3)  Add nets= OPTION in interfaces file.
+7)  Automatically assign mark values.
 
+8)  Simplified Traffic Shaping
 

Shorewall/configfiles/shorewall.conf

@@ -117,6 +117,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -135,7 +137,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -193,6 +195,23 @@ TRACK_PROVIDERS=No
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=
+
+MASK_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE		TYPE	IN-BANDWIDTH
+

Shorewall/configfiles/tcpri

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+
+
+

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1 @@
-There are no known problems in Shorewall version 4.4.5
+There are no known problems in Shorewall 4.5.4

Shorewall/lib.base

@@ -29,8 +29,8 @@
 #   and /usr/share/shorewall-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_LIBVERSION=40503
+SHOREWALL_CAPVERSION=40503
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -220,7 +220,7 @@ reload_kernel_modules() {
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -259,7 +259,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -813,6 +813,8 @@ determine_capabilities() {
     KLUDGEFREE=
     MARK=
     XMARK=
+    EXMARK=
+    TPROXY_TARGET=
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
@@ -914,6 +916,7 @@ determine_capabilities() {
 	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 
 	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -923,6 +926,7 @@ determine_capabilities() {
 
 	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IPTABLES -t mangle -F $chain
 	qt $IPTABLES -t mangle -X $chain
 	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -965,6 +969,7 @@ determine_capabilities() {
     qt $IPTABLES -X $chain1
 
     CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -1010,6 +1015,7 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
@@ -1026,6 +1032,7 @@ report_capabilities() {
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
+	report_capability "TPROXY Target" $TPROXY_TARGET
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1069,6 +1076,7 @@ report_capabilities1() {
     report_capability1 KLUDGEFREE
     report_capability1 MARK
     report_capability1 XMARK
+    report_capability1 EXMARK
     report_capability1 MANGLE_FORWARD
     report_capability1 COMMENTS
     report_capability1 ADDRTYPE
@@ -1085,8 +1093,10 @@ report_capabilities1() {
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
     report_capability1 PERSISTENT_SNAT
+    report_capability1 TPROXY_TARGET
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION
 }
 
 # Function to truncate a string -- It uses 'cut -b -<n>'

Shorewall/lib.cli

@@ -177,9 +177,13 @@ show_tc() {
 	fi
     }
 
-    ip -o link list | while read inx interface details; do
-	show_one_tc ${interface%:}
-    done
+    if [ $# -gt 0 ]; then
+	show_one_tc $1
+    else
+	ip -o link list | while read inx interface details; do
+	    show_one_tc ${interface%:}
+	done
+    fi
 
 }
 
@@ -263,6 +267,70 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
+do_save() {
+    local status
+    status=0
+
+    if [ -f ${VARDIR}/firewall ]; then
+	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $RESTOREPATH
+	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
+	    chmod +x $RESTOREPATH
+	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    run_user_exit save
+	else
+	    rm -f ${VARDIR}/restore-$$
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+	    status=1
+	fi
+    else
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	status=1
+    fi
+
+    case ${SAVE_IPSETS:=No} in 
+	[Yy]es)
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			IPSET=
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+		    ;;
+	    esac
+
+	    if [ -n "$IPSET" ]; then
+		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+                    #
+                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+                    #
+		    hack='| grep -v /31'
+		else
+		    hack=
+		fi
+
+		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+                    #
+                    # Don't save an 'empty' file
+                    #
+		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${RESTOREPATH}-ipsets
+		fi
+	    fi
+	    ;;
+	[Nn]o)
+	    ;;
+	*)
+	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+	    ;;
+    esac
+
+    return $status
+}
+
 save_config() {
 
     local result
@@ -285,24 +353,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
 
-		    if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
-			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/firewall ]; then
-			    if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/firewall $RESTOREPATH
-				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-				chmod +x $RESTOREPATH
-				echo "   Currently-running Configuration Saved to $RESTOREPATH"
-				run_user_exit save
-			    else
-			        rm -f ${VARDIR}/restore-$$
-				echo "   ERROR: Currently-running Configuration Not Saved" >&2
-			    fi
+		    if chain_exists dynamic; then
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -453,7 +512,9 @@ show_command() {
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$PRODUCT $version Connections ($count out of $max) at $HOSTNAME - $(date)"
 	    echo
 	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -487,10 +548,11 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
-	    show_tc
+	    shift
+	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
@@ -597,6 +659,18 @@ show_command() {
 			    grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
 			fi
 
+			return
+			;;
+		    macro)
+			[ $# -ne 2 ] && usage 1
+			for directory in $(split $CONFIG_PATH); do
+			    if [ -f ${directory}/macro.$2 ]; then
+				echo "Shorewall $version Macro $2 at $HOSTNAME - $(date)"
+				cat ${directory}/macro.$2
+				return
+			    fi
+			done
+			echo "   WARNING: Macro $2 not found" >&2
 			return
 			;;
 		    macros)
@@ -728,7 +802,10 @@ dump_command() {
     heading "Raw Table"
     $IPTABLES -t raw -L $IPT_OPTIONS
 
-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+    heading "Conntrack Table ($count out of $max)"
     [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 
     heading "IP Configuration"
@@ -942,6 +1019,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     local finished
     finished=$2
 
+    if ! chain_exists dynamic; then
+	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	[ -n "$nolock" ] || mutex_off
+	exit 2
+    fi
+
     shift 3
 
     while [ $# -gt 0 ]; do
@@ -1048,7 +1131,7 @@ add_command() {
     local interface host hostlist zone ipset
     if ! shorewall_is_started ; then
 	echo "Shorewall Not Started" >&2
-	exit 2;
+	exit 2
     fi
 
     case "$IPSET" in
@@ -1254,6 +1337,11 @@ allow_command() {
     [ -n "$debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
+	if ! chain_exists dynamic; then
+	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    exit 2
+	fi
+
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift

Shorewall/modules

@@ -54,6 +54,8 @@ loadmodule xt_owner
 loadmodule xt_physdev
 loadmodule xt_pkttype
 loadmodule xt_tcpmss
+loadmodule xt_IPMARK
+loadmodule xt_TPROXY
 #
 # Helpers
 #

Shorewall/shorewall

@@ -73,7 +73,7 @@ get_config() {
 
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -362,6 +362,7 @@ compiler() {
     [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
     [ -n "$TIMESTAMP" ] && options="$options --timestamp"
     [ -n "$TEST" ] && options="$options --test"
+    [ -n "$PREVIEW" ] && options="$options --preview"
     [ "$debugging" = trace ] && options="$options --debug"
     [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
     #
@@ -642,6 +643,10 @@ check_command() {
 			    DEBUG=Yes;
 			    option=${option#d}
 			    ;;
+			r*)
+			    PREVIEW=Yes;
+			    option=${option#r}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1231,8 +1236,10 @@ reload_command() # $* = original arguments less the command.
 	    ensure_config_path
 	fi
 
+	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
     fi
@@ -1349,7 +1356,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
     echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1382,13 +1389,14 @@ usage() # $1 = exit status
     echo "   show config"
     echo "   show connections"
     echo "   show dynamic <zone>"
-    echo "   show filter"
+    echo "   show filters"
     echo "   show ip"
     echo "   show [ -m ] log"
+    echo "   show macro <macro>"
     echo "   show macros"
     echo "   show [ -x ] mangle|nat|raw|routing"
     echo "   show policies"
-    echo "   show tc"
+    echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
@@ -1591,6 +1599,8 @@ FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
+RECOVERING=
+export RECOVERING
 
 for library in $LIBRARIES; do
     if [ -f $library ]; then
@@ -1750,6 +1760,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
+	    if ! chain_exists dynamic; then
+		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		exit 2
+	    fi
+
 	    [ -n "$nolock" ] || mutex_on
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
@@ -1762,6 +1777,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
+	    if ! chain_exists dynamic; then
+		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		exit 2
+	    fi
+
 	    [ -n "$nolock" ] || mutex_on
 	    block logdrop Dropped $*
 	    [ -n "$nolock" ] || mutex_off

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -106,6 +106,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite

@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -417,6 +417,8 @@ USE_VERBOSITY=
 NOROUTES=
 EXPORT=
 export TIMESTAMP=
+RECOVERING=
+export RECOVERING
 noroutes=
 
 finished=0

Shorewall6-lite/shorewall6-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -91,6 +91,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6/action.Drop

@@ -22,7 +22,7 @@
 #
 # Reject 'auth'
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -35,7 +35,7 @@ dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/DROP
+SMB(DROP)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/action.Reject

@@ -18,7 +18,7 @@
 #
 # Don't log 'auth' -- REJECT
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -32,7 +32,7 @@ dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/REJECT
+SMB(REJECT)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {
@@ -371,6 +371,26 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
     echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
 
+#
+# Install the TC Interfaces file
+#
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
+fi
+
+#
+# Install the TC Priority file
+#
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
+fi
+
 #
 # Install the TOS file
 #

Shorewall6/lib.base

@@ -32,8 +32,8 @@
 #   by the compiler.
 #
 
-SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_LIBVERSION=40503
+SHOREWALL_CAPVERSION=40503
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -260,7 +260,7 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -296,7 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -696,8 +696,6 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
-    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
     CONNTRACK_MATCH=
     NEW_CONNTRACK_MATCH=
     OLD_CONNTRACK_MATCH=
@@ -724,6 +722,8 @@ determine_capabilities() {
     KLUDGEFREE=
     MARK=
     XMARK=
+    EXMARK=
+    TPROXY_TARGET=
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
@@ -747,6 +747,8 @@ determine_capabilities() {
 	exit 1
     fi
 
+    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     if ! $IP6TABLES -N $chain; then
@@ -822,6 +824,7 @@ determine_capabilities() {
 	if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 
 	if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -831,6 +834,7 @@ determine_capabilities() {
 
 	qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IP6TABLES -t mangle -F $chain
 	qt $IP6TABLES -t mangle -X $chain
 	qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -872,6 +876,7 @@ determine_capabilities() {
     qt $IP6TABLES -X $chain1
 
     CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -916,6 +921,7 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
@@ -930,6 +936,7 @@ report_capabilities() {
 	report_capability "Goto Support" $GOTO_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "TPROXY Target" $TPROXY_TARGET
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -972,6 +979,7 @@ report_capabilities1() {
     report_capability1 KLUDGEFREE
     report_capability1 MARK
     report_capability1 XMARK
+    report_capability1 EXMARK
     report_capability1 MANGLE_FORWARD
     report_capability1 COMMENTS
     report_capability1 ADDRTYPE
@@ -986,8 +994,10 @@ report_capabilities1() {
     report_capability1 GOTO_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
+    report_capability1 TPROXY_TARGET
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION    
 }
 
 detect_gateway() # $1 = interface

Shorewall6/lib.cli

@@ -158,9 +158,13 @@ show_tc() {
 	fi
     }
 
-    ip -o link list | while read inx interface details; do
-	show_one_tc ${interface%:}
-    done
+    if [ $# -gt 0 ]; then
+	show_one_tc $1
+    else
+	ip -o link list | while read inx interface details; do
+	    show_one_tc ${interface%:}
+	done
+    fi
 
 }
 
@@ -244,6 +248,30 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
+do_save() {
+    local status
+    status=0
+
+    if [ -f ${VARDIR}/firewall ]; then
+	if $iptables_save > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $RESTOREPATH
+	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
+	    chmod +x $RESTOREPATH
+	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    run_user_exit save
+	else
+	    rm -f ${VARDIR}/restore-$$
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+	    status=1
+	fi
+    else
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	status=1
+    fi
+
+    return $status
+}
+
 save_config() {
 
     local result
@@ -266,24 +294,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
 
-		    if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
-			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/firewall ]; then
-			    if $iptables_save > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/firewall $RESTOREPATH
-				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-				chmod +x $RESTOREPATH
-				echo "   Currently-running Configuration Saved to $RESTOREPATH"
-				run_user_exit save
-			    else
-			        rm -f ${VARDIR}/restore-$$
-				echo "   ERROR: Currently-running Configuration Not Saved" >&2
-			    fi
+		    if chain_exists dynamic; then
+			if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -406,7 +425,9 @@ show_command() {
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$PRODUCT $version Connections ($count of $max) at $HOSTNAME - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -433,7 +454,7 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
 	    show_tc
@@ -659,7 +680,10 @@ dump_command() {
     heading "Raw Table"
     $IP6TABLES -t raw -L $IPT_OPTIONS
 
-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+    heading "Conntrack Table ($count out of $max)"
     grep '^ipv6' /proc/net/nf_conntrack
 
     heading "IP Configuration"
@@ -691,8 +715,8 @@ dump_command() {
 
     show_routing
 
-    heading "ARP"
-    arp -na
+    heading "Neighbors"
+    ip -6 neigh ls
 
     if qt mywhich lsmod; then
 	heading "Modules"
@@ -878,6 +902,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     local finished
     finished=$2
 
+    if ! chain_exists dynamic; then
+	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	[ -n "$nolock" ] || mutex_off
+	exit 2
+    fi
+
     shift 3
 
     while [ $# -gt 0 ]; do
@@ -999,6 +1029,11 @@ allow_command() {
     [ -n "$debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall6_is_started ; then
+	if ! chain_exists dynamic; then
+	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    exit 2
+	fi
+
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift

Shorewall6/modules

@@ -85,6 +85,7 @@ loadmodule sch_ingress
 loadmodule sch_htb
 loadmodule cls_u32
 loadmodule cls_fw
+loadmodule cls_flow
 loadmodule act_police
 #
 # Extensions

Shorewall6/shorewall6

@@ -73,7 +73,7 @@ get_config() {
 
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -279,6 +279,7 @@ compiler() {
     [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
     [ -n "$TIMESTAMP" ] && options="$options --timestamp"
     [ -n "$TEST" ] && options="$options --test"
+    [ -n "$PREVIEW" ] && options="$options --preview"
     [ "$debugging" = trace ] && options="$options --debug"
     [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
     [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
@@ -552,6 +553,10 @@ check_command() {
 			    PROFILE=Yes
 			    option=${option#p}
 			    ;;
+			r*)
+			    PREVIEW=Yes;
+			    option=${option#r}
+			    ;;
 			d*)
 			    DEBUG=Yes;
 			    option=${option#d}
@@ -1267,7 +1272,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
     echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1494,7 +1499,8 @@ fi
 FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
-REFRESHCHAINS=
+RECOVERING=
+export RECOVERING
 
 for library in $LIBRARIES; do
     if [ -f $library ]; then
@@ -1652,7 +1658,7 @@ case "$COMMAND" in
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    fatal_error "Shorewall6 is not started"
+	    fatal_error "$PRODUCT is not started"
 	fi
 	;;
     logdrop)

Shorewall6/shorewall6.conf

@@ -117,7 +117,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -149,6 +149,23 @@ TRACK_PROVIDERS=No
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=
+
+MASK_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -95,6 +95,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall6/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall6-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE		TYPE	IN-BANDWIDTH
+

Shorewall6/tcpri

@@ -0,0 +1,13 @@
+#
+# Shorewall6 version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall6-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+
+
+

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

docs/Accounting.xml

@@ -44,6 +44,11 @@
   <section id="Basics">
     <title>Accounting Basics</title>
 
+    <para>Shorewall's accounting facility is enabled by the ACCOUNTING setting
+    in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
+    This option was added in Shorewall 4.5.0 and defaults to 'Yes'. Versions
+    prior to 4.5.0 unconditionally enable accounting.</para>
+
     <para>Shorewall accounting rules are described in the file
     <filename><filename>/etc/shorewall/accounting</filename></filename>. By
     default, the accounting rules are placed in a chain called

docs/Actions.xml

@@ -26,6 +26,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -619,7 +621,9 @@ Limit:info:SSHA,3,60   net               $FW            tcp         22</programl
       <para>For those who are curious, the Limit action is implemented as
       follows:</para>
 
-      <programlisting>my @tag = split /,/, $tag;
+      <programlisting>use Shorewall::Chains;
+
+my @tag = split /,/, $tag;
 
 fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
     unless @tag == 3;

docs/Build.xml

@@ -20,6 +20,8 @@
     <copyright>
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -201,7 +203,12 @@
           <term>xmlto (I use version 0.0.18-182.27)</term>
 
           <listitem>
-            <para>Required to convert the XML manpages to manpages.</para>
+            <para>Required to convert the XML manpages to manpages. Note that
+            not all versions of xmlto will work (those released by Debian and
+            Ubuntu, for example, do <emphasis>not</emphasis> work). If you
+            find that xmlto fails, install
+            tools<filename>/build/xmlto</filename> in <filename
+            class="directory">/usr/local/bin</filename>.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -249,14 +256,6 @@
           </listitem>
         </varlistentry>
 
-        <varlistentry>
-          <term>GPG</term>
-
-          <listitem>
-            <para>Command to be used for signing your packages</para>
-          </listitem>
-        </varlistentry>
-
         <varlistentry>
           <term>GIT</term>
 
@@ -336,6 +335,22 @@
                   <para>Build the shorewall6-lite package.</para>
                 </listitem>
               </varlistentry>
+
+              <varlistentry>
+                <term>h</term>
+
+                <listitem>
+                  <para>Build the html document package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>x</term>
+
+                <listitem>
+                  <para>Build the xml document package.</para>
+                </listitem>
+              </varlistentry>
             </variablelist>
           </listitem>
         </varlistentry>
@@ -437,7 +452,7 @@
           <term><emphasis>release</emphasis></term>
 
           <listitem>
-            <para>The version number of the release to update.</para>
+            <para>The version number of the release to upload.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -445,13 +460,13 @@
       <para>Example 1 - Upload release 4.3.7:</para>
 
       <blockquote>
-        <para><command>upload 4.3.7</command></para>
+        <para><command>upload44 4.3.7</command></para>
       </blockquote>
 
       <para>Example 2 - Upload shorewall-perl-4.3.7.3:</para>
 
       <blockquote>
-        <para><command>upload -p 4.3.7.3</command></para>
+        <para><command>upload44 -p 4.3.7.3</command></para>
       </blockquote>
     </section>
   </section>

docs/Documentation_Index.xml

@@ -5,7 +5,7 @@
   <!--/$Id$-->
 
   <articleinfo>
-    <title>Shorewall 4.4 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>
 
     <authorgroup>
       <author>
@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -161,14 +161,13 @@
 
           <row>
             <entry><ulink url="Build.html">Building Shorewall from
-            SVN</ulink></entry>
+            GIT</ulink></entry>
 
             <entry><ulink url="MyNetwork.html">My Shorewall
             Configuration</ulink></entry>
 
-            <entry><ulink url="traffic_shaping.htm">Traffic
-            Shaping/QOS</ulink> (<ulink
-            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
+            Shaping/QOS - Simple </ulink></entry>
           </row>
 
           <row>
@@ -178,8 +177,9 @@
             <entry><ulink url="NetfilterOverview.html">Netfilter
             Overview</ulink></entry>
 
-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
-            Proxy</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
+            Complex</ulink> (<ulink
+            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
           </row>
 
           <row>
@@ -188,7 +188,8 @@
 
             <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
 
-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            Proxy</ulink></entry>
           </row>
 
           <row>
@@ -198,8 +199,7 @@
             <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
             NAT)</entry>
 
-            <entry><ulink url="upgrade_issues.htm">Upgrade
-            Issues</ulink></entry>
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
           </row>
 
           <row>
@@ -208,8 +208,8 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -219,7 +219,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -228,7 +229,7 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -238,8 +239,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -250,8 +250,8 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -260,8 +260,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -270,7 +270,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>

docs/FAQ.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Shorewall FAQs</title>
+    <title>Shorewall 4.4/4.5 FAQs</title>
 
     <authorgroup>
       <corpauthor>Shorewall Community</corpauthor>
@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -2007,8 +2007,8 @@ iptables: Invalid argument
       which requires them to be up and configured when Shorewall starts but
       Shorewall is being started before NetworkManager.</title>
 
-      <para>Answer: I faced a similar problem which I solved as
-      follows:</para>
+      <para><emphasis role="bold">Answer</emphasis>: I faced a similar problem
+      which I solved as follows:</para>
 
       <itemizedlist>
         <listitem>
@@ -2029,6 +2029,22 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
         </listitem>
       </itemizedlist>
     </section>
+
+    <section id="faq87">
+      <title>(FAQ 87) My firewall starts and restarts fine but if I try
+      'shorewall restore', the script fails because none of my shell variables
+      from /etc/shorewall/params are set. Why?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: You probably need to set
+      EXPORTPARAMS=Yes. During <emphasis role="bold">start</emphasis> and
+      <emphasis role="bold">restart</emphasis>,
+      <filename>/etc/shorewall/params</filename> is processed by the shell
+      after <emphasis role="bold">set -a</emphasis>; as a result, all param
+      settings become part of the shell's environment and are inherited by the
+      running script. The shell does not process
+      <filename>/etc/shorewall/params</filename> when processing the <emphasis
+      role="bold">restore</emphasis> command. </para>
+    </section>
   </section>
 
   <section id="MultiISP">

docs/IPv6Support.xml

@@ -419,6 +419,15 @@ ACCEPT         net                 $FW:<2002:ce7c:92b4::3>     tcp
           <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
 #                                                                             PORT(S)
 ACCEPT         net:wlan0:&lt;2002:ce7c:92b4::3&gt;     tcp                         22</programlisting>
+
+          <para>Beginning with Shorewall 4.4.6 and 4.5.4, square brackets ("["
+          and "]") may also be used.</para>
+
+          <para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
+
+          <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
+#                                                                             PORT(S)
+ACCEPT         net:wlan0:[2002:ce7c:92b4::3]     tcp                         22</programlisting>
         </listitem>
       </varlistentry>
 

docs/LennyToSqueeze.xml

@@ -5,8 +5,8 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Shorewall Issues when Upgrading from Debian Lenny to
-    Squeeze</title>
+    <title>Issues when Upgrading to Shorewall 4.4 (Upgrading from Debian Lenny
+    to Squeeze)</title>
 
     <authorgroup>
       <author>
@@ -21,6 +21,8 @@
     <copyright>
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -38,11 +40,11 @@
   <section>
     <title>Introduction</title>
 
-    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
-    soon include Shorewall 4.4. Because there are significant differences
-    between the two product versions, some users may experience upgrade
-    issues. This article outlines those issues and offers advice for dealing
-    with them.</para>
+    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze
+    includes Shorewall 4.4. Because there are significant differences between
+    the two product versions, some users may experience upgrade issues. This
+    article outlines those issues and offers advice for dealing with
+    them.</para>
 
     <note>
       <para>Although this article is targeted specifically at Lenny -&gt;
@@ -354,7 +356,7 @@
           <term>SAVE_IPSETS</term>
 
           <listitem>
-            <para>Shorewall 4.4 will issue a warning if you set
+            <para>Shorewall 4.4.0-4.4.5 will issue a warning if you set
             SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
 
             <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
@@ -665,6 +667,12 @@ NONAT           loc             -               tcp     80</programlisting>
       traffic based on the contents of the <filename>routestopped</filename>
       file at the last <command>start</command> or
       <command>restart</command>.</para>
+
+      <para>If you change the <filename>routestopped</filename> file and now
+      want to stop the firewall, you can run this sequence of commands:</para>
+
+      <programlisting><command>shorewall compile
+shorewall stop</command></programlisting>
     </section>
 
     <section id="tos">
@@ -890,57 +898,32 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
       Shorewall configuration file, the name must be preceded by a plus sign
       (+) as with the shell-based compiler.</para>
 
-      <para>Shorewall 4.4 is out of the ipset load/reload business with the
-      exception of ipsets used for dynamic zones. With scripts generated by
-      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
-      there is no opportunity for Shorewall to load/reload your ipsets since
-      that cannot be done while there are any current rules using
-      ipsets.</para>
+      <para>Shorewall 4.4.6 re-introduced SAVE_IPSETS=Yes with slightly
+      different semantics:</para>
 
-      <para>So:</para>
-
-      <orderedlist numeration="upperroman">
+      <itemizedlist>
         <listitem>
-          <para>Your ipsets must be loaded before Shorewall starts. You are
-          free to try to do that with the following code in
-          <filename>/etc/shorewall/init (it works for me; your mileage may
-          vary)</filename>:</para>
-
-          <programlisting>if [ "$COMMAND" = start ]; then
-    ipset -U :all: :all:
-    ipset -U :all: :default:
-    ipset -F
-    ipset -X
-    ipset -R &lt; /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The file <filename>/etc/shorewall/ipsets</filename> will
-          normally be produced using the <command>ipset -S</command> command.
-          I have this in my<filename> /etc/shorewall/stop</filename>
-          file:</para>
-
-          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
-    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
-    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The above extension scripts will work most of the time but
-          will fail in a <command>shorewall stop</command> -
-          <command>shorewall start</command> sequence if you use ipsets in
-          your routestopped file (see <link
-          linkend="routestopped">below</link>).</para>
+          <para>The contents of the ipsets are saved during processing of the
+          <command>stop</command> command in addition to during processing of
+          the <command>save</command> command.</para>
         </listitem>
 
         <listitem>
-          <para>Your ipsets may not be reloaded until Shorewall is stopped or
-          cleared.</para>
+          <para>The contents of the ipsets are restored during processing of
+          the <command>start</command> command in addition to during
+          processing of the <command>restore</command> command. When
+          <command>restore</command> is being run when Shorewall is not in the
+          stopped state (such as when it is run to recover from a failed
+          <command>start</command>, <command>restart</command> or
+          <command>refresh</command>) ipsets are not restored.</para>
         </listitem>
 
         <listitem>
-          <para>If you specify ipsets in your routestopped file then Shorewall
-          must be cleared in order to reload your ipsets.</para>
+          <para>Specifying an ipset in <ulink
+          url="manpages/shorewall-routestopped.html">shorewall-routestopped
+          </ulink>(5) is prohibited when SAVE_IPSETS=Yes.</para>
         </listitem>
-      </orderedlist>
+      </itemizedlist>
     </section>
   </section>
 

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 4.3 Manpages</title>
+    <title>Shorewall 4.4/4.5 Manpages</title>
 
     <authorgroup>
       <author>
@@ -24,6 +24,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -137,6 +139,13 @@
         url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
         speed of devices for traffic shaping.</member>
 
+        <member><ulink
+        url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
+        Specify devices for simplified traffic shaping.</member>
+
+        <member><ulink url="manpages/shorewall-tcpri.html">tcpri</ulink> -
+        Classify traffic for simplified traffic shaping.</member>
+
         <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
         Define packet marking rules, usually for traffic shaping.</member>
 

docs/Manpages6.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall6 4.3 Manpages</title>
+    <title>Shorewall6 4.4/4.5 Manpages</title>
 
     <authorgroup>
       <author>
@@ -24,6 +24,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -122,6 +124,13 @@
         url="manpages6/shorewall6-tcdevices.html">tcdevices</ulink> - Specify
         speed of devices for traffic shaping.</member>
 
+        <member><ulink
+        url="manpages6/shorewall6-tcinterfaces.html">tcinterfaces</ulink> -
+        Specify interfaces for simplified traffic shaping.</member>
+
+        <member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
+        Classify traffic for simplified traffic shaping.</member>
+
         <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
         - Define packet marking rules, usually for traffic shaping.</member>
 

docs/ManualChains.xml

@@ -72,6 +72,32 @@
         for normal processing.</para>
       </listitem>
     </itemizedlist>
+
+    <para>As shown in the following example, manual chains are created using a
+    call to &amp;Shorewall::Chains::new_manual_chain. That function returns a
+    reference to the newly-created chain.</para>
+
+    <para>By default, chains are subject to optimize 4 (see OPTIMIZE in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)). You can
+    exempt your chain from that optimization by calling one of two
+    functions:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>&amp;Shorewall::Chains::dont_delete - exempt the chain from all
+        optimizations.</para>
+      </listitem>
+
+      <listitem>
+        <para>&amp;Shorewall::Chains::dont_optimize - exempt the chain from
+        all optimizations except that the chain will be omitted from the
+        configuration if there are no branches to the chain.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Both functions accept the name of the chain or a reference to the
+    chain as a single argument and both return a reference to the chain (to
+    the chain's table entry).</para>
   </section>
 
   <section id="Example">

docs/MultiISP.xml

@@ -28,6 +28,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -105,8 +107,11 @@
       <title>Overview</title>
 
       <para>Let's assume that a firewall is connected via two separate
-      Ethernet interfaces to two different ISPs as in the following
-      diagram.</para>
+      Ethernet interfaces to two different ISPs.<footnote>
+          <para>While we describe a setup using different ISPs in this
+          article, the facility also works with two uplinks from the same
+          ISP.</para>
+        </footnote> as in the following diagram.</para>
 
       <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
 
@@ -249,6 +254,34 @@
                     url="manpages/shorewall.conf.html">shorewall.conf
                     </ulink>(5) and use mark values in the range 0x10000 -
                     0xFF0000 with the low-order 16 bits being zero.</para>
+
+                    <note>
+                      <para>In Shorewall 4.5.0, WIDE_TC_MARKS and
+                      HIGH_ROUTE_MARKS were superseded by a new set of options
+                      in <ulink
+                      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5):</para>
+
+                      <itemizedlist>
+                        <listitem>
+                          <para>TC_BITS - The number of bits occupied by the
+                          traffic shaping classification mark.</para>
+                        </listitem>
+
+                        <listitem>
+                          <para>PROVIDER_BITS - The number of bits occupied by
+                          the Provider mark value.</para>
+                        </listitem>
+
+                        <listitem>
+                          <para>PROVIDER_OFFSET - The number of bits to the
+                          right of the provider field.</para>
+                        </listitem>
+                      </itemizedlist>
+
+                      <para>The default values for these options are based on
+                      the settings of HIGH_ROUTE_MARKS and WIDE_TC_MARKS to
+                      provide upward compatability.</para>
+                    </note>
                   </listitem>
                 </itemizedlist>
               </listitem>
@@ -1137,8 +1170,8 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
 
         <listitem>
           <para>Packets are sent through the main routing table by a routing
-          rule with priority 999. In ), the priority range 1-998 may be used
-          for inserting rules that bypass the main table.</para>
+          rule with priority 999. The priority range 1-998 may be used for
+          inserting rules that bypass the main table.</para>
         </listitem>
 
         <listitem>
@@ -1180,7 +1213,10 @@ shorewall     2    2    -        eth0    192.168.1.254 track,balance=2,optional<
       <title>Gateway Monitoring and Failover</title>
 
       <para>There are a couple of options available for monitoring the status
-      of provider links and taking action when a failure occurs.</para>
+      of provider links and taking action when a failure occurs. Both of these
+      options assume that each provider has a unique nexthop gateway; if two
+      or more providers use the same gateway router then neither option is
+      suitable.</para>
 
       <para>You specify the <option>optional</option> option in
       <filename>/etc/shorewall/interfaces</filename>:</para>

docs/OpenVZ.xml

@@ -135,7 +135,7 @@ server:~ # </programlisting>
     <section>
       <title>Shorewall Configuration</title>
 
-      <para>We recommend handlintg the strange OpenVZ configuration in
+      <para>We recommend handling the strange OpenVZ configuration in
       Shorewall as follows:</para>
 
       <para><filename>/etc/shorewall/zones</filename>:</para>
@@ -233,7 +233,7 @@ vz       venet0             -              routeback,rp_filter=0</programlisting
     </variablelist>
 
     <para>if you see annoying error messages as shown below during
-    start/restart, remove the module-init-tools package.</para>
+    start/restart, remove the module-init-tools package from the VE.</para>
 
     <programlisting>server:/etc/shorewall # shorewall restart
 Compiling...
@@ -476,7 +476,7 @@ INT_IF=eth1
 net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
             role="bold">proxyarp=1</emphasis>
 loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=1,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
+<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
 ...</programlisting>This is a multi-ISP configuration so entries are required
       in <filename>/etc/shorewall/route_rules</filename>:</para>
 

docs/Shorewall-perl.xml

@@ -229,7 +229,7 @@
 
           <para>Compile-time extension scripts are executed using the Perl
           'eval `cat &lt;file&gt;`' mechanism. Be sure that each script
-          returns a 'true' value; otherwise, the Shorweall-perl compiler will
+          returns a 'true' value; otherwise, the Shorewall-perl compiler will
           assume that the script failed and will abort the compilation.</para>
 
           <para>When a script is invoked, the <emphasis
@@ -288,7 +288,7 @@
 
             <listitem>
               <para>There is only a single "pass as-is to iptables" argument
-              (so you must quote that part</para>
+              (so you must quote that part)</para>
             </listitem>
           </itemizedlist>
 
@@ -361,23 +361,27 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
           used in a Shorewall configuration file, the name must be preceded by
           a plus sign (+) as with the shell-based compiler.</para>
 
-          <para>Shorewall is now out of the ipset load/reload business with
-          the exception of ipsets used for dynamic zones. With scripts
-          generated by the Perl-based Compiler, the Netfilter rule set is
-          never cleared. That means that there is no opportunity for Shorewall
-          to load/reload your ipsets since that cannot be done while there are
-          any current rules using ipsets.</para>
+          <para>From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out
+          of the ipset load/reload business with the exception of ipsets used
+          for dynamic zones:</para>
 
-          <para>So:</para>
+          <blockquote>
+            <para>With scripts generated by the Perl-based Compiler, the
+            Netfilter rule set is never cleared. That means that there is no
+            opportunity for Shorewall to load/reload your ipsets since that
+            cannot be done while there are any current rules using
+            ipsets.</para>
 
-          <orderedlist numeration="upperroman">
-            <listitem>
-              <para>Your ipsets must be loaded before Shorewall starts. You
-              are free to try to do that with the following code in
-              <filename>/etc/shorewall/init (it works for me; your mileage may
-              vary)</filename>:</para>
+            <para>So:</para>
 
-              <programlisting>if [ "$COMMAND" = start ]; then
+            <orderedlist numeration="upperroman">
+              <listitem>
+                <para>Your ipsets must be loaded before Shorewall starts. You
+                are free to try to do that with the following code in
+                <filename>/etc/shorewall/init (it works for me; your mileage
+                may vary)</filename>:</para>
+
+                <programlisting>if [ "$COMMAND" = start ]; then
     ipset -U :all: :all:
     ipset -U :all: :default:
     ipset -F
@@ -385,37 +389,43 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
     ipset -R &lt; /etc/shorewall/ipsets
 fi</programlisting>
 
-              <para>The file <filename>/etc/shorewall/ipsets</filename> will
-              normally be produced using the <command>ipset -S</command>
-              command. I have this in my<filename>
-              /etc/shorewall/stop</filename> file:</para>
+                <para>The file <filename>/etc/shorewall/ipsets</filename> will
+                normally be produced using the <command>ipset -S</command>
+                command. I have this in my<filename>
+                /etc/shorewall/stop</filename> file:</para>
 
-              <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
+                <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
     mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
     mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
 fi</programlisting>
 
-              <para>The above extension scripts will work most of the time but
-              will fail in a <command>shorewall stop</command> -
-              <command>shorewall start</command> sequence if you use ipsets in
-              your routestopped file (see below).</para>
-            </listitem>
+                <para>The above extension scripts will work most of the time
+                but will fail in a <command>shorewall stop</command> -
+                <command>shorewall start</command> sequence if you use ipsets
+                in your routestopped file (see below).</para>
+              </listitem>
 
-            <listitem>
-              <para>Your ipsets may not be reloaded until Shorewall is stopped
-              or cleared.</para>
-            </listitem>
+              <listitem>
+                <para>Your ipsets may not be reloaded until Shorewall is
+                stopped or cleared.</para>
+              </listitem>
 
-            <listitem>
-              <para>If you specify ipsets in your routestopped file then
-              Shorewall must be cleared in order to reload your ipsets.</para>
-            </listitem>
-          </orderedlist>
+              <listitem>
+                <para>If you specify ipsets in your routestopped file then
+                Shorewall must be cleared in order to reload your
+                ipsets.</para>
+              </listitem>
+            </orderedlist>
 
-          <para>As a consequence, scripts generated by the Perl-based compiler
-          will ignore <filename>/etc/shorewall/ipsets</filename> and will
-          issue a warning if you set SAVE_IPSETS=Yes in
-          <filename>shorewall.conf</filename>.</para>
+            <para>As a consequence, scripts generated by the Perl-based
+            compiler will ignore <filename>/etc/shorewall/ipsets</filename>
+            and will issue a warning if you set SAVE_IPSETS=Yes in
+            <filename>shorewall.conf</filename>.</para>
+          </blockquote>
+
+          <para>Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is
+          once again supported. See <ulink
+          url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
 
         <listitem>

docs/Shorewall_Squid_Usage.xml

@@ -285,4 +285,41 @@ ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
     </example>
   </section>
+
+  <section id="TPROXY">
+    <title>Transparent with TPROXY</title>
+
+    <para>Shorewall 4.5.3 contains experimental support for TPROXY. TPROXY
+    differs from REDIRECT in that it does not modify the IP header. Because
+    the IP header stays intact, TPROXY requires policy routing to direct the
+    packets to the proxy server running on the firewall. This approach
+    requires TPROXY support in your kernel and iptables and Squid 3. See
+    <ulink
+    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
+
+    <para>The following configuration works with Squid running on the firewall
+    itself.</para>
+
+    <para><filename>/etc/shorewall/interfaces:</filename></para>
+
+    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
+-            lo               -                 -</programlisting>
+
+    <para><filename>/etc/shorewall/providers</filename>:</para>
+
+    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
+Tproxy    1        1        -           lo        -            local</programlisting>
+
+    <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
+    eth1):</para>
+
+    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
+TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
+
+    <para>/etc/shorewall/rules:</para>
+
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+ACCEPT    Z        $FW    tcp     SP
+ACCEPT    $FW      net    tcp     80</programlisting>
+  </section>
 </article>

docs/UPnP.xml

@@ -20,6 +20,8 @@
     <copyright>
       <year>2005</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -101,21 +103,9 @@ net     eth1            detect          dhcp,routefilter,tcpflags,<emphasis
     <para>If your fw-&gt;loc policy is not ACCEPT then you need this
     rule:</para>
 
-    <programlisting>#ACTION            SOURCE  DEST
-allowoutUPnP       $FW     loc</programlisting>
-
-    <note>
-      <para>To use 'allowoutUPnP', your iptables and kernel must support the
-      'owner match' feature (see the output of "shorewall show capabilities")
-      and you may not be running kernel version 2.6.14 or later. If you are
-      running 2.6.14 or later, then replace the above rule with:</para>
-    </note>
-
-    <blockquote>
-      <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
+    <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
 #                                                            PORT(S)    DESTINATION  LIMIT    GROUP
 ACCEPT             $FW     loc    all       -                -          -            -        root</programlisting>
-    </blockquote>
 
     <para>If your loc-&gt;fw policy is not ACCEPT then you need this
     rule:</para>
@@ -152,6 +142,6 @@ forwardUPnP        net     loc</programlisting>
     <para>The <emphasis role="bold">upnpclient</emphasis> option causes
     Shorewall to detect the default gateway through the interface and to
     accept UDP packets from that gateway. Note that, like all aspects of UPnP,
-    this is a security hole so use this option at your own risk. </para>
+    this is a security hole so use this option at your own risk.</para>
   </section>
 </article>

docs/blacklisting_support.xml

@@ -156,6 +156,12 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
   <section id="Dynamic">
     <title>Dynamic Blacklisting</title>
 
+    <para>Dynamic blacklisting is enabled unconditionally in Shorewall
+    versions prior to 4.5.0. Beginning with 4.5.0, dynamic blacklisting is
+    enabled by default but may be disabled by setting DYNAMIC_BLACKLIST=No in
+    <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
+    (5).</para>
+
     <para>Dynamic blacklisting doesn't use any configuration parameters but is
     rather controlled using /sbin/shorewall[-lite] commands:</para>
 

docs/bridge-Shorewall-perl.xml

@@ -22,6 +22,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -101,7 +103,8 @@
 
       <listitem>
         <para>Your kernel must contain Netfilter physdev match support
-        (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
+        (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y --
+        recent kernels call this option CONFIG_NETFILTER_XT_MATCH_PHYSDEV).
         Physdev match is standard in the 2.6 kernel series but must be patched
         into the 2.4 kernels (see <ulink
         url="http://bridge.sf.net">http://bridge.sf.net</ulink>). Bering and
@@ -650,7 +653,7 @@ br0             192.168.1.0/24  routeback
     port to have a unique name. The <option>physical</option> interface option
     was added in Shorewall 4.4.4 to work around this problem. The above
     configuration may be defined using the following in
-    <filename>/etc/shorewall/interfaces</filename>: </para>
+    <filename>/etc/shorewall/interfaces</filename>:</para>
 
     <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
        world            br0             -               bridge

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2008</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -697,9 +697,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
     </orderedlist>
 
     <note>
-      <para>Only the $VAR and ${VAR} forms of variable expansion are
-      supported. You may not use the more exotic forms supported by the shell
-      ($VAR, ${VAR}, ${VAR:=val}, ...)</para>
+      <para>Within your configuration files, only the $VAR and ${VAR} forms of
+      variable expansion are supported. You may not use the more exotic forms
+      supported by the shell (${VAR:=val}, ${VAR:-val}, ...)</para>
     </note>
   </section>
 
@@ -1239,6 +1239,241 @@ Comcast 2        0x20000 main       COM_IF     detect          balance
     class="devicefile">tun*</filename> in the COPY column.</para>
   </section>
 
+  <section id="Marks">
+    <title>Packet/Connection Marks</title>
+
+    <para>Shorewall makes use of Netfilter Packet/Connection Marks in two
+    ways:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>For <ulink url="traffic_shaping.htm">traffic
+        shaping</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>For <ulink url="MultiISP.html">policy routing</ulink> (Multi-ISP
+        support).</para>
+      </listitem>
+    </orderedlist>
+
+    <para>The use of marks for traffic shaping classification is optional.
+    Traffic shaping classes may be defined with the <emphasis
+    role="bold">classify</emphasis> option which avoids the need to assign a
+    mark value to the class. The assignment of a unique mark value to each
+    <firstterm>provider</firstterm> is required in most Multi-ISP
+    configurations.</para>
+
+    <para>Traffic shaping was implemented before policy routing. Traffic
+    shaping packet and connection marks were initially limited to the values
+    1-255.</para>
+
+    <para>When Multi-ISP support was added, packet marks assigned to providers
+    were also restricted to the range 1-255. This worked because the provider
+    mark is assigned in the <ulink url="NetfilterOverview.html">PREROUTING and
+    OUTPUT chains and is only needed until the packet is routed</ulink>.
+    Traffic shaping marks can then be assigned in the FORWARD or POSTROUTING
+    chains.</para>
+
+    <para>The <emphasis role="bold">track</emphasis> provider option requires
+    that the provider's mark be stored in the connection mark. So if <emphasis
+    role="bold">track</emphasis> was used, the user could not store the
+    traffic shaping mark in the connection because it would overwrite the
+    provider mark. To solve this problem, the HIGH_ROUTE_MARK option was added
+    to <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
+    With HIGH_ROUTE_MARKS=Yes, the traffic shaping mark remained in the
+    low-order byte of the mark value while the traffic-shaping mark value was
+    stored in the next byte.</para>
+
+    <para>In the introduction of per-IP traffic-shaping classes Shorewall 4.4,
+    there was a need for more than 255 distinct mark-based traffic shaping
+    classes. To accomodate that need, the WIDE_TC_MARKS option was introduced.
+    With WIDE_TC_MARKS=Yes, the provider mark is moved left one additional
+    byte in the mark and the traffic-shaping mark is widened to 14 bits. The
+    two bits between the traffic-shaping mark and provider mark are
+    unused.</para>
+
+    <para>Netfilter marks are only 32 bits wide, even on 64-bit architectures.
+    So with WIDE_TC_MARKS=Yes and HIGH_ROUTE_MARKS=Yes, 22 of the 32 bits are
+    used and allocating bits for additional uses becomes difficult. To address
+    that issue, Shorewall 4.5 introduced the notion of
+    <firstterm>variable-width mark fields</firstterm>.</para>
+
+    <para>Variable-width marks are controlled by four options in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>TC_BITS</term>
+
+        <listitem>
+          <para>Number of bits reserved at the low-order end of of the mark
+          for traffic classification. May be zero (0) if traffic shaping marks
+          are not used.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>MASK_BITS</term>
+
+        <listitem>
+          <para>Number of 1 bits in the default mask when specifying a test on
+          the packet or connection mark. These tests appear in the TEST column
+          of <ulink
+          url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink> (5)
+          and in the MARK columns of <ulink
+          url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+          (5), <ulink
+          url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) and
+          <ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
+          (5).</para>
+
+          <para>The bits defined by the default mask are also retained after a
+          packet is routed. The remaining bits are cleared.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_BITS</term>
+
+        <listitem>
+          <para>Number of bits reserved in the mark for provider marks. May be
+          zero if policy routing is not used.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_OFFSET</term>
+
+        <listitem>
+          <para>The offset, in bits, of the provider mark value from the
+          low-order end of the mark. If zero, the provider mark and traffic
+          shaping mark occupy the same part of the mark.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>To make the transition to variable-width marks as transparent as
+    possible, the default values of the new options are derived from the
+    settings of the old ones.</para>
+
+    <table>
+      <title>Default Values of Variable-width Mark Field Options</title>
+
+      <tgroup cols="6">
+        <tbody>
+          <row>
+            <entry><emphasis role="bold">HIGH_ROUTE_MARKS</emphasis></entry>
+
+            <entry><emphasis role="bold">WIDE_TC_MARKS</emphasis></entry>
+
+            <entry><emphasis role="bold">TC_BITS</emphasis></entry>
+
+            <entry><emphasis role="bold">MASK_BITS</emphasis></entry>
+
+            <entry><emphasis role="bold">PROVIDER_BITS</emphasis></entry>
+
+            <entry><emphasis role="bold">PROVIDER_OFFSET</emphasis></entry>
+          </row>
+
+          <row>
+            <entry>No</entry>
+
+            <entry>No</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>0</entry>
+          </row>
+
+          <row>
+            <entry>Yes</entry>
+
+            <entry>No</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+          </row>
+
+          <row>
+            <entry>No</entry>
+
+            <entry>Yes</entry>
+
+            <entry>14</entry>
+
+            <entry>16</entry>
+
+            <entry>8</entry>
+
+            <entry>0</entry>
+          </row>
+
+          <row>
+            <entry>Yes</entry>
+
+            <entry>Yes</entry>
+
+            <entry>14</entry>
+
+            <entry>16</entry>
+
+            <entry>8</entry>
+
+            <entry>16</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+
+    <para>These defaults may be overridden by explicitly setting the new
+    options.</para>
+
+    <para>There are a couple of restrictions regarding the setting of those
+    options.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>MASK_BITS must be greater than or equal to TC_BITS. Shorewall
+        will automatically adjust the value (given or defaulted) to meet this
+        requirment.</para>
+      </listitem>
+
+      <listitem>
+        <para>If PROVIDER_OFFSET is non-zero, then its value must be greater
+        than or equal to MASK_BITS. Shorewall will automatically adjust the
+        given value of PROVIDER_OFFSET to meet this requirement.</para>
+      </listitem>
+
+      <listitem>
+        <para>The sum of PROVIDER_BITS and PROVIDER_OFFSET (adjusted) must be
+        less than or equal to 32.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Under verbosity levels 1 and 2 (see VERBOSITY in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)), the
+    compiler reports on the effect of the settings.</para>
+
+    <para>Example (with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes and the new
+    options left at their default values):</para>
+
+    <programlisting>        ******** Packet/Connection Mark Information ********
+        TC Mark Values       = 1 - 16383 (0x3fff)
+        Default Mask         = /0xffff
+        Provider Mark Values = 0x10000 - 0xff0000
+        ****************************************************</programlisting>
+  </section>
+
   <section id="Levels">
     <title>Shorewall Configurations</title>
 

docs/dhcp.xml

@@ -26,6 +26,8 @@
 
       <year>2005</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -85,8 +87,8 @@
         <para>Specify the <quote>dhcp</quote> option for this interface in the
         <ulink
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
-        file. This will generate rules that will allow DHCP to and from
-        your firewall system.</para>
+        file. This will generate rules that will allow DHCP to and from your
+        firewall system.</para>
       </listitem>
 
       <listitem>
@@ -131,8 +133,8 @@
         <para>Specify the <quote>dhcp</quote> option for the bridge interface
         in the <ulink
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
-        file. This will generate rules that will allow DHCP to and from
-        your firewall system as well as through the bridge.</para>
+        file. This will generate rules that will allow DHCP to and from your
+        firewall system as well as through the bridge.</para>
       </listitem>
     </itemizedlist>
   </section>
@@ -148,6 +150,16 @@
         relayed.</para>
       </listitem>
 
+      <listitem>
+        <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
+        the server zone:</para>
+
+        <programlisting>#ACTION        SOURCE        DEST        PROTO       DEST
+#                                                    PORT(S)
+ACCEPT         ZONEA         ZONEB       udp         67:68
+ACCEPT         ZONEB         ZONEA       udp         67:68</programlisting>
+      </listitem>
+
       <listitem>
         <para>If the server is configured with 'ping-check' true, then you
         must <ulink url="ping.htm">allow 'ping'</ulink> from the server's zone

docs/simple_traffic_shaping.xml

@@ -0,0 +1,227 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Simple Traffic Shaping/Control</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2009</year>
+
+      <year>2010</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>Traffic shaping and control was originally introduced into Shorewall
+    in version 2.2.5. That facility was based on Arne Bernin's
+    <firstterm>tc4shorewall</firstterm> and is generally felt to be complex
+    and difficult to use.</para>
+
+    <para>In Shorewall 4.5.0, a second traffic shaping facility that is simple
+    to understand and to configure was introduced. This newer facility is
+    described in this document while the original facility is documented in
+    <ulink url="traffic_shaping.htm">Complex Traffic
+    Shaping/Control</ulink>.</para>
+  </section>
+
+  <section>
+    <title>Enabling Simple Traffic Shaping</title>
+
+    <para>Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
+    <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). You
+    then add an entry for your external interface to <ulink
+    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
+    (<filename>/etc/shorewall/tcinterfaces</filename>).</para>
+
+    <para>Assuming that your external interface is eth0:</para>
+
+    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
+eth0                   External</programlisting>
+
+    <para>With this simple configuration, packets to be sent through interface
+    eth0 will be assigned to a priority band based on the value of their TOS
+    field:</para>
+
+    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
+------------------------------------------------------------
+0x0     0     Normal Service           0 Best Effort     2
+0x2     1     Minimize Monetary Cost   1 Filler          3
+0x4     2     Maximize Reliability     0 Best Effort     2
+0x6     3     mmc+mr                   0 Best Effort     2
+0x8     4     Maximize Throughput      2 Bulk            3
+0xa     5     mmc+mt                   2 Bulk            3
+0xc     6     mr+mt                    2 Bulk            3
+0xe     7     mmc+mr+mt                2 Bulk            3
+0x10    8     Minimize Delay           6 Interactive     1
+0x12    9     mmc+md                   6 Interactive     1
+0x14    10    mr+md                    6 Interactive     1
+0x16    11    mmc+mr+md                6 Interactive     1
+0x18    12    mt+md                    4 Int. Bulk       2
+0x1a    13    mmc+mt+md                4 Int. Bulk       2
+0x1c    14    mr+mt+md                 4 Int. Bulk       2
+0x1e    15    mmc+mr+mt+md             4 Int. Bulk       2</programlisting>
+
+    <para>When dequeueing, band 1 is tried first and only if it did not
+    deliver a packet does the system try band 2, and so onwards. Maximum
+    reliability packets should therefore go to band 1, minimum delay to band 2
+    and the rest to band 3.</para>
+
+    <note>
+      <para>If you run both an IPv4 and an IPv6 firewall on your system, you
+      should define each interface in only one of the two
+      configurations.</para>
+    </note>
+  </section>
+
+  <section>
+    <title>Customizing Simple Traffic Shaping</title>
+
+    <para>The default mapping of TOS to bands can be changed using the
+    TC_PRIOMAP setting in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The default
+    setting of this option is:</para>
+
+    <programlisting>TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"</programlisting>
+
+    <para>These entries map Linux Priority to priority BAND. So only entries
+    0, 1, 2, 4 and 6 in the map are relevant to TOS-&gt;BAND mapping.</para>
+
+    <para>Further customizations can be defined in <ulink
+    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5)
+    (<filename>/etc/shorewall/tcpri</filename>). Using that file, you
+    can:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Assign traffic entering the firewall on a particular interface
+        to a specific priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+2               -             -                -                eth1</programlisting>
+
+        <para>In this example, traffic from eth1 will be assigned to priority
+        band 2.</para>
+
+        <note>
+          <para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
+          column must contain '-'.</para>
+        </note>
+      </listitem>
+
+      <listitem>
+        <para>Assign traffic from a particular IP address to a specific
+        priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+1               -             -             192.168.1.44</programlisting>
+
+        <para>In this example, traffic from 192.168.1.44 will be assigned to
+        priority band 1.</para>
+
+        <note>
+          <para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
+          columns must be empty.</para>
+        </note>
+      </listitem>
+
+      <listitem>
+        <para>Assign traffic to/from a particular application to a specific
+        priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+1             udp           1194</programlisting>
+
+        <para>In that example, OpenVPN traffic is assigned to priority band
+        1.</para>
+      </listitem>
+
+      <listitem>
+        <para>Assign traffic that uses a particular Netfilter helper to a
+        particular priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+1               -             -             -                   -                sip</programlisting>
+
+        <para>In this example, SIP and associated RTP traffic will be assigned
+        to priority band 1 (assuming that the nf_conntrack_sip helper is
+        loaded).</para>
+      </listitem>
+    </orderedlist>
+
+    <para>It is suggested that entries specifying an INTERFACE be placed the
+    top of the file. That way, the band assigned to a particular packet will
+    be the <emphasis role="bold">last</emphasis> entry matched by the packet.
+    Packets which match no entry in <ulink
+    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) are
+    assigned to priority bands using their TOS field as previously
+    described.</para>
+
+    <para>One cause of high latency on interactive traffic can be that queues
+    are building up at your ISP's gateway router. If you suspect that is
+    happening in your case, you can try to eliminate the problem by using the
+    IN-BANDWIDTH setting in <ulink
+    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5).
+    The contents of the column are a <replaceable>rate</replaceable>. For
+    defining the rate, use <emphasis role="bold">kbit</emphasis> or <emphasis
+    role="bold">kbps</emphasis> (for Kilobytes per second) and make sure there
+    is NO space between the number and the unit (it is 100kbit not 100 kbit).
+    <emphasis role="bold">mbit</emphasis>, <emphasis
+    role="bold">mbps</emphasis> or a raw number (which means bytes) can be
+    used, but note that only integer numbers are supported (0.5 is not valid).
+    To pick an appropriate setting, we recommend that you start by setting
+    IN-BANDWIDTH significantly below your measured download bandwidth (20% or
+    so). While downloading, measure the ping response time from the firewall
+    to the upstream router as you gradually increase the setting. The optimal
+    setting is at the point beyond which the ping time increases sharply as
+    you increase the setting.</para>
+
+    <para>Simple Traffic Shaping is only appropriate on interfaces where
+    output queuing occurs. As a consequence, you usually only use it on
+    extermal interfaces. There are cases where you may need to use it on an
+    internal interface (a VPN interface, for example). If so, just add an
+    entry to <ulink
+    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5):</para>
+
+    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
+tun0                   Internal</programlisting>
+  </section>
+
+  <section>
+    <title>Additional Reading</title>
+
+    <para>The PRIO(8) (tc-prio) manpage has additional information on the
+    facility that Shorewall Simple Traffic Shaping is based on.</para>
+
+    <caution>
+      <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
+      refers to them as bands 0-2.</para>
+    </caution>
+  </section>
+</article>

docs/standalone.xml

@@ -127,6 +127,10 @@
       <para>Points at which configuration changes are recommended are flagged
       with <inlinegraphic fileref="images/BD21298_.gif"
       format="GIF" />.</para>
+
+      <para>Configuration notes that are unique to Debian and it's derivatives
+      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
+      format="GIF" />.</para>
     </section>
   </section>
 
@@ -194,6 +198,8 @@
       </listitem>
     </orderedlist>
 
+    <graphic align="left" fileref="images/openlogo-nd-25.png" />
+
     <warning>
       <para><emphasis role="bold">Note to Debian Users</emphasis></para>
 
@@ -452,7 +458,7 @@ root@lists:~# </programlisting>
     <itemizedlist>
       <listitem>
         <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
       </listitem>
 
       <listitem>
@@ -556,7 +562,8 @@ SSH(ACCEPT) net       $FW           </programlisting>
     disabled so that your system won't try to start Shorewall before
     configuration is complete. Once you have completed configuration of your
     firewall, you must edit /etc/shorewall/shorewall.conf and set
-    STARTUP_ENABLED=Yes.</para>
+    STARTUP_ENABLED=Yes.<graphic align="left"
+    fileref="images/openlogo-nd-25.png" /></para>
 
     <important>
       <para>Users of the .deb package must edit

docs/three-interface.xml

@@ -156,8 +156,9 @@
       with <inlinegraphic fileref="images/BD21298_.gif"
       format="GIF" />.</para>
 
-      <para>Configuration notes that are unique to LEAF/Bering are marked with
-      <inlinegraphic fileref="images/leaflogo.gif" format="GIF" />.</para>
+      <para>Configuration notes that are unique to Debian and it's derivatives
+      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
+      format="GIF" />.</para>
     </section>
   </section>
 
@@ -178,7 +179,8 @@
 
     <para>The configuration files for Shorewall are contained in the directory
     <filename>/etc/shorewall</filename> -- for simple setups, you will only
-    need to deal with a few of these as described in this guide.<warning>
+    need to deal with a few of these as described in this guide.<graphic
+    align="left" fileref="images/openlogo-nd-25.png" /><warning>
         <para><emphasis role="bold">Note to Debian Users</emphasis></para>
 
         <para>If you install using the .deb, you will find that your <filename
@@ -226,8 +228,8 @@
       </listitem>
 
       <listitem>
-        <para>If you installed using a Shorewall 4.x .deb, the samples are in
-        <filename
+        <para><graphic fileref="images/openlogo-nd-25.png" />If you installed
+        using a Shorewall 4.x .deb, the samples are in <filename
         class="directory">/usr/share/doc/shorewall-common/examples/three-interfaces</filename>.
         You do not need the shorewall-doc package to have access to the
         samples.</para>
@@ -675,9 +677,8 @@ root@lists:~# </programlisting>
     class="directory">/etc/shorewall/</filename><filename>masq</filename>
     entry if you like although your firewall will work fine if you leave that
     column empty. Entering your static IP in column 3 makes processing
-    outgoing packets a little more efficient.</para>
-
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    outgoing packets a little more efficient.<graphic align="left"
+    fileref="images/openlogo-nd-25.png" /></para>
 
     <para><emphasis role="bold">If you are using the Debian package, please
     check your <filename>shorewall.conf</filename> file to ensure that the
@@ -725,7 +726,7 @@ root@lists:~# </programlisting>
     <itemizedlist>
       <listitem>
         <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
       </listitem>
 
       <listitem>
@@ -1077,7 +1078,8 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
     configuration is complete. Once you have completed configuration of your
     firewall, you can enable Shorewall startup by editing
     <filename>/etc/shorewall/shorewall.conf</filename> and setting
-    STARTUP_ENABLED=Yes.<important>
+    STARTUP_ENABLED=Yes.<graphic align="left"
+    fileref="images/openlogo-nd-25.png" /><important>
         <para>Users of the <filename>.deb</filename> package must edit
         <filename>/etc/default/shorewall</filename> and set
         <varname>startup=1</varname>.</para>

docs/traffic_shaping.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Traffic Shaping/Control</title>
+    <title>Complex Traffic Shaping/Control</title>
 
     <authorgroup>
       <author>
@@ -24,7 +24,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -93,6 +93,14 @@
   <section id="Intro">
     <title>Introduction</title>
 
+    <para>Beginning with Shorewall 4.5.0, Shorewall includes two separate
+    implementations of traffic shaping. This document describes the original
+    implementation which is complex and difficult to configure. A much simpler
+    version is described in <ulink role="bold"
+    url="simple_traffic_shaping.html">Simple Traffic Shaping/Control</ulink>
+    and is highly recommended unless you really need to delay certain traffic
+    passing through your firewall.</para>
+
     <para>Shorewall has builtin support for traffic shaping and control. This
     support does not cover all options available (and especially all
     algorithms that can be used to queue traffic) in the Linux kernel but it
@@ -183,6 +191,13 @@
         url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
         assign packet marks to different types of traffic using entries in the
         <filename>/etc/shorewall/tcrules</filename> file.</para>
+
+        <note>
+          <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+          which specifies the width in bits of the traffic shaping mark field.
+          The default is based on the setting of WIDE_TC_MARKS so as to
+          provide upward compatibility.</para>
+        </note>
       </listitem>
     </orderedlist>
 
@@ -479,6 +494,13 @@ ppp0           6000kbit         500kbit</programlisting>
           if the device specified in the INTERFACE column has the <emphasis
           role="bold">classify</emphasis> option in
           <filename>/etc/shorewall/tcdevices</filename>.</para>
+
+          <note>
+            <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+            which specifies the width in bits of the traffic shaping mark
+            field. The default is based on the setting of WIDE_TC_MARKS so as
+            to provide upward compatibility.</para>
+          </note>
         </listitem>
 
         <listitem>
@@ -606,25 +628,26 @@ ppp0           6000kbit         500kbit</programlisting>
 
             <listitem>
               <para>flow=<emphasis>keys</emphasis> - Shorewall attaches an SFQ
-              queuing discipline to each leaf HTB class. SFQ ensures that each
-              <firstterm>flow</firstterm> gets equal access to the interface.
-              The default definition of a flow corresponds roughly to a
-              Netfilter connection. So if one internal system is running
+              queuing discipline to each leaf HTB and HFSC class. SFQ ensures
+              that each <firstterm>flow</firstterm> gets equal access to the
+              interface. The default definition of a flow corresponds roughly
+              to a Netfilter connection. So if one internal system is running
               BitTorrent, for example, it can have lots of 'flows' and can
               thus take up a larger share of the bandwidth than a system
               having only a single active connection. The
               <option>flow</option> classifier (module cls_flow) works around
               this by letting you define what a 'flow' is. The clasifier must
               be used carefully or it can block off all traffic on an
-              interface! The flow option can be specified for an HTB leaf
-              class (one that has no sub-classes). We recommend that you use
-              the following:</para>
+              interface! The flow option can be specified for an HTB or HFSC
+              leaf class (one that has no sub-classes). We recommend that you
+              use the following:</para>
 
               <simplelist>
-                <member>Shaping internet-bound traffic: flow=nfct-src</member>
+                <member>Shaping internet-bound traffic: <emphasis
+                role="bold">flow=nfct-src</emphasis></member>
 
-                <member>Shaping traffic bound for your local net:
-                flow=dst</member>
+                <member>Shaping traffic bound for your local net: <emphasis
+                role="bold">flow=dst</emphasis></member>
               </simplelist>
 
               <para>These will cause a 'flow' to consists of the traffic
@@ -644,6 +667,59 @@ ppp0           6000kbit         500kbit</programlisting>
               tracking fields. As shown above, we recommend flow=nfct-src;
               that means that we want to use the source IP address
               <emphasis>before SNAT</emphasis> as the key.</para>
+
+              <note>
+                <para>Shorewall cannot determine ahead of time if the flow
+                classifier is available in your kernel (especially if it was
+                built into the kernel as opposed to being loaded as a module).
+                Consequently, you should check ahead of time to ensure that
+                both your kernel and 'tc' utility support the feature.</para>
+
+                <para>You can test the 'tc' utility by typing (as
+                root):</para>
+
+                <blockquote>
+                  <para><command>tc filter add flow help</command></para>
+                </blockquote>
+
+                <para>If flow is supported, you will see:</para>
+
+                <programlisting>   Usage: ... flow ...
+
+      [mapping mode]: map key KEY [ OPS ] ...
+      [hashing mode]: hash keys KEY-LIST ...
+
+   ...</programlisting>
+
+                <para>If 'flow' is not supported, you will see:</para>
+
+                <programlisting>   Unknown filter "flow", hence option "help" is unparsable</programlisting>
+
+                <para>If your kernel supports module autoloading, just type
+                (as root):</para>
+
+                <blockquote>
+                  <para><command>modprobe cls_flow</command></para>
+                </blockquote>
+
+                <para>If 'flow' is supported, no output is produced;
+                otherwise, you will see:</para>
+
+                <programlisting>   FATAL: Module cls_flow not found.</programlisting>
+
+                <para>If your kernel is not modularized or does not support
+                module autoloading, look at your kernel configuration (either
+                <filename>/proc/config.gz</filename> or the
+                <filename>.config</filename> file in <filename
+                class="directory">/lib/modules/&lt;kernel-version&gt;/build/</filename></para>
+
+                <para>If 'flow' is supported, you will see: NET_CLS_FLOW=m or
+                NET_CLS_FLOW=y.</para>
+
+                <para>For modularized kernels, Shorewall will attempt to load
+                <filename>/lib/modules/&lt;kernel-version&gt;/net/sched/cls_flow.ko</filename>
+                by default.</para>
+              </note>
             </listitem>
 
             <listitem>
@@ -754,12 +830,21 @@ ppp0           6000kbit         500kbit</programlisting>
           <para>MARK or CLASSIFY - MARK specifies the mark value is to be
           assigned in case of a match. This is an integer in the range 1-255
           (1-16383 if you set WIDE_TC_MARKS=Yes in <ulink
-          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ).
-          This value may be optionally followed by <quote>:</quote> and either
-          <quote>F</quote>, <quote>P</quote> or "T" to designate that the
-          marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
-          respectively. If this additional specification is omitted, the chain
-          used to mark packets will be determined as follows:</para>
+          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
+          ).</para>
+
+          <note>
+            <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+            which specifies the width in bits of the traffic shaping mark
+            field. The default is based on the setting of WIDE_TC_MARKS so as
+            to provide upward compatibility.</para>
+          </note>
+
+          <para>This value may be optionally followed by <quote>:</quote> and
+          either <quote>F</quote>, <quote>P</quote> or "T" to designate that
+          the marking will occur in the FORWARD, PREROUTING or POSTROUTING
+          chains respectively. If this additional specification is omitted,
+          the chain used to mark packets will be determined as follows:</para>
 
           <itemizedlist>
             <listitem>
@@ -1392,17 +1477,13 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
         <title>Configuration to replace Wondershaper</title>
 
         <para>You are able to fully replace the wondershaper script by using
-        the buitin traffic control.You can find example configuration files at
-        <ulink
-        url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
-        Please note that they are just examples and need to be adjusted to
-        work for you. In this example it is assumed that your interface for
-        your Internet connection is ppp0 (for DSL), if you use another
-        connection type, you have to change it. You also need to change the
-        settings in the tcdevices.wondershaper file to reflect your line
-        speed. The relevant lines of the config files follow here. Please note
-        that this is just a 1:1 replacement doing exactly what wondershaper
-        should do. You are free to change it...</para>
+        the buitin traffic control.. In this example it is assumed that your
+        interface for your Internet connection is ppp0 (for DSL), if you use
+        another connection type, you have to change it. You also need to
+        change the settings in the tcdevices.wondershaper file to reflect your
+        line speed. The relevant lines of the config files follow here. Please
+        note that this is just a 1:1 replacement doing exactly what
+        wondershaper should do. You are free to change it...</para>
 
         <section id="realtcd">
           <title>tcdevices file</title>
@@ -1686,10 +1767,10 @@ ppp0            1       10kbit          50kbit          1           tcp-ack,tos-
 ppp0            2       300kbit         full            2
 ppp0            3       300kbit         full            2
 ppp0            4       90kbit          200kbit         3           default
-eth0            1       100kbit         500kbit         1           tcp-ack
-eth0            2       3mbit           6mbit           2
-eth0            3       3mbit           6mbit           3
-eth0            4       94mbit          full            4           default #for local traffic</programlisting></para>
+eth1            1       100kbit         500kbit         1           tcp-ack
+eth1            2       3mbit           6mbit           2
+eth1            3       3mbit           6mbit           3
+eth1            4       94mbit          full            4           default #for local traffic</programlisting></para>
 
     <para>/etc/shorewall/tcrules:<programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
 #                                                                    PORT(S)

docs/two-interface.xml

@@ -130,8 +130,9 @@
       with <inlinegraphic fileref="images/BD21298_.gif"
       format="GIF" />.</para>
 
-      <para>Configuration notes that are unique to LEAF/Bering are marked with
-      <inlinegraphic fileref="images/leaflogo.gif" format="GIF" />.</para>
+      <para>Configuration notes that are unique to Debian and it's derivatives
+      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
+      format="GIF" />.</para>
     </section>
   </section>
 
@@ -156,7 +157,8 @@
     <para>The configuration files for Shorewall are contained in the directory
     <filename class="directory">/etc/shorewall</filename> -- for simple
     setups, you will only need to deal with a few of these as described in
-    this guide.<warning>
+    this guide.<graphic align="left"
+    fileref="images/openlogo-nd-25.png" /><warning>
         <para><emphasis role="bold">Note to Debian and Ubuntu
         Users</emphasis></para>
 
@@ -628,7 +630,7 @@ root@lists:~# </programlisting>
     column 3 (SNAT) makes the processing of outgoing packets a little more
     efficient.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <graphic align="left" fileref="images/openlogo-nd-25.png" />
 
     <para>I<emphasis role="bold">f you are using the Debian package, please
     check your <filename>shorewall.conf</filename> file to ensure that the
@@ -676,7 +678,7 @@ root@lists:~# </programlisting>
     <itemizedlist>
       <listitem>
         <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
       </listitem>
 
       <listitem>
@@ -995,7 +997,8 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
     disabled so that your system won't try to start Shorewall before
     configuration is complete. Once you have completed configuration of your
     firewall, you must edit /etc/shorewall/shorewall.conf and set
-    STARTUP_ENABLED=Yes.<important>
+    STARTUP_ENABLED=Yes.<graphic align="left"
+    fileref="images/openlogo-nd-25.png" /><important>
         <para>Users of the .deb package must edit <filename
         class="directory">/etc/default/</filename><filename>shorewall</filename>
         and set <varname>startup=1</varname>.</para>

manpages/shorewall-accounting.xml

@@ -28,6 +28,9 @@
     their packet and byte counters using the <command>shorewall show
     accounting</command> command.</para>
 
+    <para>This file is not processed if ACCOUNTING=No in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>

manpages/shorewall-notrack.xml

@@ -24,7 +24,7 @@
     <title>Description</title>
 
     <para>The notrack file is used to exempt certain traffic from Netfilter
-    connection tracking. Traffic matching entries in this fill will not be
+    connection tracking. Traffic matching entries in this file will not be
     tracked.</para>
 
     <para>The columns in the file are as follows.</para>

manpages/shorewall-providers.xml

@@ -87,8 +87,13 @@
           being zero). Otherwise, the value must be between 1 and 255. Each
           provider must be assigned a unique mark value. This column may be
           omitted if you don't use packet marking to direct connections to a
-          particular provider and you don't specify <option>track</option> in
-          the OPTIONS column.</para>
+          particular provider.</para>
+
+          <para>Note: If you are using a Shorewall version earlier that 4.5.0,
+          you must specify a MARK value if you specify the
+          <option>track</option> option or if you have set TRACK_PROVIDERS=Yes
+          in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -268,6 +273,16 @@
                 <filename>shorewall.conf</filename>.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>local</term>
+
+              <listitem>
+                <para>Indicates that this is a local zone associated with with
+                the 'lo' interface. Used in conjunction with TPROXY in <ulink
+                url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

manpages/shorewall-tcinterfaces.xml

@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-tcinterfaces</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>tcinterfaces</refname>
+
+    <refpurpose>Shorewall file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/tcinterfaces</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file lists the interfaces that are subject to simple traffic
+    shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
+    <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis></term>
+
+        <listitem>
+          <para>The logical name of an interface. If you run both IPv4 and
+          IPv6 Shorewall firewalls, a given interface should only be listed in
+          one of the two configurations.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">TYPE</emphasis> - [<emphasis
+        role="bold">external</emphasis>|<emphasis
+        role="bold">internal</emphasis>]</term>
+
+        <listitem>
+          <para>Optional. If given specifies whether the interface is
+          <emphasis role="bold">external</emphasis> (facing toward the
+          Internet) or <emphasis role="bold">internal</emphasis> (facing
+          toward a local network) and enables SFQ flow classification.</para>
+
+          <note>
+            <para>Simple traffic shaping is only useful on interfaces where
+            queuing occurs. As a consequence, internal interfaces seldom
+            benefit from simple traffic shaping. VPN interfaces are an
+            exception because the encapsulated packets are later transferred
+            over a slower external link.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IN-BANDWIDTH - [<replaceable>rate</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. If specified, enables ingress policing on the
+          interface. If incoming traffic exceeds the given
+          <replaceable>rate</replaceable>, received packets are dropped
+          randomly. With some DSL and Cable links, large queues can build up
+          in the ISP's gateway router. While this insures maximum throughput,
+          it kills interactive response time. By setting IN-BANDWIDTH, you can
+          eliminate these queues.</para>
+
+          <para>To pick an appropriate setting, we recommend that you start by
+          setting it significantly below your measured download bandwidth (20%
+          or so). While downloading, measure the ping response time from the
+          firewall to the upstream router as you gradually increase the
+          setting.The optimal setting is at the point beyond which the ping
+          time increases sharply as you increase the setting.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/tcinterfaces.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcpri(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-tcpri.xml

@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-tcpri</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>tcpri</refname>
+
+    <refpurpose>Shorewall file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/tcpri</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to specify the priority of traffic for simple
+    traffic shaping (TC_ENABLED=Simple in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
+    each packet is determined by the <emphasis role="bold">last</emphasis>
+    entry that the packet matches. If a packet doesn't match any entry in this
+    file, then its priority will be determined by its TOS field. The default
+    mapping is as follows but can be changed by setting the TC_PRIOMAP option
+    in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
+------------------------------------------------------------
+0x0     0     Normal Service           0 Best Effort     2
+0x2     1     Minimize Monetary Cost   1 Filler          3
+0x4     2     Maximize Reliability     0 Best Effort     2
+0x6     3     mmc+mr                   0 Best Effort     2
+0x8     4     Maximize Throughput      2 Bulk            3
+0xa     5     mmc+mt                   2 Bulk            3
+0xc     6     mr+mt                    2 Bulk            3
+0xe     7     mmc+mr+mt                2 Bulk            3
+0x10    8     Minimize Delay           6 Interactive     1
+0x12    9     mmc+md                   6 Interactive     1
+0x14    10    mr+md                    6 Interactive     1
+0x16    11    mmc+mr+md                6 Interactive     1
+0x18    12    mt+md                    4 Int. Bulk       2
+0x1a    13    mmc+mt+md                4 Int. Bulk       2
+0x1c    14    mr+mt+md                 4 Int. Bulk       2
+0x1e    15    mmc+mr+mt+md             4 Int. Bulk       2</programlisting>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">BAND</emphasis> - {<emphasis
+        role="bold">1</emphasis>|<emphasis role="bold">2</emphasis>|<emphasis
+        role="bold">3</emphasis>}</term>
+
+        <listitem>
+          <para>Classifies matching traffic as High Priority (1), Medium
+          Priority (2) or Low Priority (3). For those interfaces listed in
+          <ulink
+          url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
+          Priority 2 traffic will be deferred so long and there is Priority 1
+          traffic queued and Priority 3 traffic will be deferred so long as
+          there is Priority 1 or Priority 2 traffic to send.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> -
+        <replaceable>protocol</replaceable></term>
+
+        <listitem>
+          <para>Optional. The name or number of an IPv4
+          <replaceable>protocol</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
+
+        <listitem>
+          <para>Optional. May only be given if the the PROTO is tcp (6) or udp
+          (17). A list of one or more port numbers or service names from
+          /etc/services. Port ranges of the form
+          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
+          may also be included.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ADDRESS - [<replaceable>address</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. The IP or MAC address that the traffic originated
+          from. MAC addresses must be given in Shorewall format. If this
+          column contains an address, then the PROTO, PORT(S) and INTERFACE
+          column must be empty ("-").</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>INTERFACE - [<replaceable>interface</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. The logical name of an
+          <replaceable>interface</replaceable> that traffic arrives from. If
+          given, the PROTO, PORT(S) and ADDRESS columns must be empty
+          ("-").</para>
+
+          <note>
+            <para>INTERFACE classification of packets occurs before
+            classification by PROTO/PORT(S)/ADDRESS. So it is highly
+            recommended to place entries that specify INTERFACE at the top of
+            the file so that the rule about <emphasis>last entry
+            matches</emphasis> is preserved.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HELPER</emphasis> -
+        [<replaceable>helper</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. Names a Netfiler protocol helper module such as ftp,
+          sip, amanda, etc. A packet will match if it was accepted by the
+          named helper module. You can also append "-" and a port number to
+          the helper module name (e.g., ftp-21) to specify the port number
+          that the original connection was made on.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/tcpri</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>PRIO(8), shorewall(8), shorewall-accounting(5),
+    shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
+    shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-tcrules.xml

@@ -16,7 +16,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/rules</command>
+      <command>/etc/shorewall/tcrules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -43,30 +43,24 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
-        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
-        role="bold">RESTORE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">SAVE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>|<emphasis
-        role="bold">SAME</emphasis>|<emphasis
-        role="bold">COMMENT</emphasis>|<emphasis
-        role="bold">IPMARK</emphasis>[([(<emphasis
-        role="bold">src</emphasis>|<emphasis
-        role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
-        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
-        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term>
+        <emphasis>mark</emphasis></term>
 
         <listitem>
-          <para>May assume one of the following values.</para>
+          <para>Where mark is one of the following:</para>
 
           <orderedlist numeration="arabic">
             <listitem>
-              <para>A mark <emphasis>value</emphasis> which is an integer in
-              the range 1-255.</para>
+              <para><emphasis>value</emphasis>[:{<emphasis
+              role="bold">C</emphasis>|<emphasis
+              role="bold">F</emphasis>|<emphasis
+              role="bold">P</emphasis>|<emphasis
+              role="bold">T</emphasis>|<emphasis
+              role="bold">CF</emphasis>|<emphasis
+              role="bold">CP</emphasis>|<emphasis
+              role="bold">CT</emphasis>}]</para>
+
+              <para>]A mark <emphasis>value</emphasis> is an integer,
+              expressed either in decimal or in hex.</para>
 
               <para>Normally will set the mark value. If preceded by a
               vertical bar ("|"), the mark value will be logically ORed with
@@ -94,10 +88,11 @@
               role="bold">$FW</emphasis>[<emphasis
               role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
               then the rule is inserted into the OUTPUT chain. When
-              HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
-              there. Packet marking rules for traffic shaping of packets
-              originating on the firewall must be coded in the POSTROUTING
-              chain (see below).</para>
+              HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET &gt; 0 in 4.5.0 and
+              later), only provider mark values may be assigned there. Packet
+              marking rules for traffic shaping of packets originating on the
+              firewall must be coded in the POSTROUTING chain (see
+              below).</para>
 
               <para>- Otherwise, the chain is determined by the setting of
               MARK_IN_FORWARD_CHAIN in <ulink
@@ -109,7 +104,7 @@
               <para>The mark value may be optionally followed by "/" and a
               mask value (used to determine those bits of the connection mark
               to actually be set). The mark and optional mask are then
-              followed by one of:+</para>
+              followed by one of:</para>
 
               <variablelist>
                 <varlistentry>
@@ -141,34 +136,21 @@
                   <term>CT</term>
 
                   <listitem>
-                    <para>Mark the connecdtion in the POSTROUTING chain</para>
+                    <para>Mark the connection in the POSTROUTING chain</para>
                   </listitem>
                 </varlistentry>
               </variablelist>
 
-              <para><emphasis role="bold">Special considerations for If
-              HIGH_ROUTE_MARKS=Yes in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
-
-              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
-              in the range 0x0100-0xFF00 with the low-order byte being zero.
-              Such values may only be used in the PREROUTING chain (value
-              followed by <emphasis role="bold">:P</emphasis> or you have set
-              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
-              followed the value with <option>:F</option>) or the OUTPUT chain
-              (SOURCE is <emphasis role="bold">$FW</emphasis>). With
-              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
-              permitted. Shorewall prohibits non-zero mark values less that
-              256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
-              versions allow such values in the OUTPUT chain, it is strongly
-              recommended that with HIGH_ROUTE_MARKS=Yes, you use the
-              POSTROUTING chain to apply traffic shaping
-              marks/classification.</para>
+              <para>When marking in the prerouting chain, the
+              <emphasis>value</emphasis> must fall within the proper range for
+              provider marks. See PROVIDER_OFFSET and PROVIDER_BITS in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
             </listitem>
 
             <listitem>
-              <para>A classification Id (classid) of the form
+              <para><emphasis>major</emphasis>:<emphasis>minor</emphasis></para>
+
+              <para>A classification Id (classid) takes the form
               <emphasis>major</emphasis>:<emphasis>minor</emphasis> where
               <emphasis>major</emphasis> and <emphasis>minor</emphasis> are
               integers. Corresponds to the 'class' specification in these
@@ -201,50 +183,62 @@
 
             <listitem>
               <para><emphasis
-              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
-              restore the packet's mark from the connection's mark using the
-              supplied mask if any. Your kernel and iptables must include
+              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
+              role="bold">T</emphasis></emphasis>}]</para>
+
+              <para>Restore the packet's mark from the connection's mark using
+              the supplied mask if any. Your kernel and iptables must include
               CONNMARK support.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
+              or <emphasis role="bold">:T</emphasis>.</para>
             </listitem>
 
             <listitem>
               <para><emphasis
-              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
-              the packet's mark to the connection's mark using the supplied
-              mask if any. Your kernel and iptables must include CONNMARK
-              support.</para>
+              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
+              role="bold">P</emphasis>|<emphasis
+              role="bold">F</emphasis>|<emphasis
+              role="bold">T</emphasis>}]</para>
+
+              <para>Save the packet's mark to the connection's mark using the
+              supplied mask if any. Your kernel and iptables must include
+              CONNMARK support.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
+              or <emphasis role="bold">:T</emphasis>.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">CONTINUE</emphasis> Don't process
-              any more marking rules ‒in the table.</para>
+              <para><emphasis role="bold">CONTINUE[:{<emphasis
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
+              role="bold">T</emphasis></emphasis>}]</emphasis></para>
+
+              <para>Don't process any more marking rules in the table.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis>. Currently, CONTINUE may not be used
-              with <emphasis>exclusion</emphasis> (see the SOURCE and DEST
-              columns below); that restriction will be removed when
+              role="bold">:P</emphasis>,<emphasis role="bold"> :F</emphasis>,
+              or <emphasis role="bold">:T</emphasis>. Currently, CONTINUE may
+              not be used with <emphasis>exclusion</emphasis> (see the SOURCE
+              and DEST columns below); that restriction will be removed when
               iptables/Netfilter provides the necessary support.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">SAME</emphasis> Some websites run
-              applications that require multiple connections from a client
-              browser. Where multiple 'balanced' providers are configured,
-              this can lead to problems when some of the connections are
-              routed through one provider and some through another. The SAME
-              target allows you to work around that problem. SAME may be used
-              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
-              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              <para><emphasis role="bold">SAME</emphasis></para>
+
+              <para>Some websites run applications that require multiple
+              connections from a client browser. Where multiple 'balanced'
+              providers are configured, this can lead to problems when some of
+              the connections are routed through one provider and some through
+              another. The SAME target allows you to work around that problem.
+              SAME may be used in the PREROUTING and OUTPUT chains. When used
+              in PREROUTING, it causes matching connections from an individual
+              local system to all use the same provider. For example:
+              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
 #CLASSIFY                                                PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
               If a host in 192.168.1.0/24 attempts a connection on TCP port 80
@@ -266,118 +260,48 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
-              the line will be attached as a comment to the Netfilter rule(s)
-              generated by the following entries. The comment will appear
-              delimited by "/* ... */" in the output of <command>shorewall
-              show mangle</command></para>
+              <para><emphasis role="bold">COMMENT</emphasis></para>
+
+              <para>The rest of the line will be attached as a comment to the
+              Netfilter rule(s) generated by the following entries. The
+              comment will appear delimited by "/* ... */" in the output of
+              <command>shorewall show mangle</command></para>
 
               <para>To stop the comment from being attached to further rules,
               simply include COMMENT on a line by itself.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">IPMARK</emphasis> ‒ Assigns a mark
-              to each matching packet based on the either the source or
-              destination IP address. By default, it assigns a mark value
-              equal to the low-order 8 bits of the source address. Default
-              values are:</para>
+              <para><emphasis
+              role="bold">TPROXY</emphasis>(<emphasis>mark</emphasis>[/<emphasis>mask</emphasis>][,[<emphasis>port</emphasis>][,[<emphasis>address</emphasis>]]])</para>
 
-              <simplelist>
-                <member>src</member>
+              <para>Transparently redirects a packet without altering the IP
+              header. Requires a local provider to be defined in <ulink
+              url="manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
 
-                <member><emphasis>mask1</emphasis> = 0xFF</member>
+              <para>There are three parameters to TPROXY - only the first
+              (<emphasis>mark</emphasis>) is required:</para>
 
-                <member><emphasis>mask2</emphasis> = 0x00</member>
+              <itemizedlist>
+                <listitem>
+                  <para><emphasis>mark</emphasis> - the MARK value
+                  corresponding to the local provider in <ulink
+                  url="manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
+                </listitem>
 
-                <member><emphasis>shift</emphasis> = 0</member>
-              </simplelist>
+                <listitem>
+                  <para><emphasis>port</emphasis> - the port on which the
+                  proxy server is listening. If omitted, the original
+                  destination port.</para>
+                </listitem>
 
-              <para>'src' and 'dst' specify whether the mark is to be based on
-              the source or destination address respectively. The selected
-              address is first shifted to the right by
-              <emphasis>shift</emphasis> bits. The result is then LANDed with
-              <emphasis>mask1</emphasis> then LORed with
-              <emphasis>ma<emphasis>s</emphasis>k2</emphasis>.</para>
-
-              <para>In a sense, the IPMARK target is more like an IPCLASSIFY
-              target in that the mark value is later interpreted as a class
-              ID. A packet mark is 32 bits wide; so is a class ID. The
-              &lt;major&gt; class occupies the high-order 16 bits and the
-              &lt;minor&gt; class occupies the low-order 16 bits. So the class
-              ID 1:4ff (remember that class IDs are always in hex) is
-              equivalent to a mark value of 0x104ff. Remember that Shorewall
-              uses the interface number as the &lt;major&gt; number where the
-              first interface in tcdevices has &lt;major&gt; number 1, the
-              second has &lt;major&gt; number 2, and so on.</para>
-
-              <para>The IPMARK target assigns a mark to each matching packet
-              based on the either the source or destination IP address. By
-              default, it assigns a mark value equal to the low-order 8 bits
-              of the source address. The syntax is as follows:</para>
-
-              <blockquote>
-                <para><option>IPMARK</option>[([{<option>src</option>|<option>dst</option>}][,[<replaceable>mask1</replaceable>][,[<replaceable>mask2</replaceable>][,[<replaceable>shift</replaceable>]]]])]</para>
-              </blockquote>
-
-              <para>Default values are:</para>
-
-              <simplelist>
-                <member><option>src</option></member>
-
-                <member><replaceable>mask1</replaceable> = 0xFF</member>
-
-                <member><replaceable>mask2</replaceable> = 0x00</member>
-
-                <member><replaceable>shift</replaceable> = 0</member>
-              </simplelist>
-
-              <para><option>src</option> and <option>dst</option> specify
-              whether the mark is to be based on the source or destination
-              address respectively. The selected address is first shifted
-              right by <replaceable>shift</replaceable>, then LANDed with
-              <replaceable>mask1</replaceable> and then LORed with
-              <replaceable>mask2</replaceable>. The
-              <replaceable>shift</replaceable> argument is intended to be used
-              primarily with IPv6 addresses.</para>
-
-              <para>Example:</para>
-
-              <blockquote>
-                <para>IPMARK(src,0xff,0x10100)</para>
-
-                <simplelist>
-                  <member>Suppose that the source IP address is 192.168.4.3 =
-                  0xc0a80403; then</member>
-
-                  <member>0xc0a80403 &gt;&gt; 0 = 0xc0a80403</member>
-
-                  <member>0xc0a80403 LAND 0xFF = 0x03</member>
-
-                  <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
-                  1:103</member>
-                </simplelist>
-              </blockquote>
-
-              <para>It is important to realize that, while class IDs are
-              composed of a <replaceable>major</replaceable> and a
-              <replaceable>minor</replaceable> value, the set of values must
-              be unique. That is, the same numeric value cannot be used as
-              both a <replaceable>major</replaceable> and a
-              <replaceable>minor</replaceable> number for the same interface
-              unless class nesting occurs (which is not currently possible
-              with Shorewall). You should keep this in mind when deciding how
-              to map IP addresses to class IDs.</para>
-
-              <para>For example, suppose that your internal network is
-              192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
-              Your first notion might be to use IPMARK(src,0xFF,0x10000) so as
-              to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
-              class ID since the <replaceable>major</replaceable> and
-              <replaceable>minor</replaceable> classes are equal. So you might
-              chose instent to use IPMARK(src,0xFF,0x10100) as in the example
-              above so that all of your <replaceable>minor</replaceable>
-              classes will have a value &gt; 256.</para>
+                <listitem>
+                  <para><emphasis>address</emphasis> - a local (to the
+                  firewall) IP address on which the proxy server is listening.
+                  If omitted, the IP address of the interface on which the
+                  request arrives.</para>
+                </listitem>
+              </itemizedlist>
             </listitem>
           </orderedlist>
         </listitem>