Allow WHITELIST in IPv6

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -98,6 +98,7 @@ our %EXPORT_TAGS = (
 				       ACTION
 				       MACRO
 				       LOGRULE
+				       NFLOG
 				       NFQ
 				       CHAIN
 				       SET
@@ -357,6 +358,7 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       SET      => 2048,           #SET
 	       AUDIT    => 4096,           #A_ACCEPT, etc
 	       HELPER   => 8192,           #CT:helper
+	       NFLOG    => 16384,          #NFLOG or ULOG
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -2483,8 +2485,10 @@ sub initialize_chain_table($) {
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
 		    'WHITELIST'       => STANDARD,
@@ -2530,10 +2534,13 @@ sub initialize_chain_table($) {
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
+		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );
 
@@ -3059,6 +3066,8 @@ sub optimize_level8( $$$ ) {
 
     progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
 
+    %renamed = ();
+
     for my $chainref ( @chains ) {
 	my $digest = '';
 
@@ -3435,7 +3444,7 @@ sub valid_tables() {
     push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
     push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
     push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    push @table_list, 'filter';
+    push @table_list, 'filter'; #MUST BE LAST!!!
 
     @table_list;
 }
@@ -7363,7 +7372,7 @@ sub create_stop_load( $ ) {
 
     emit '';
 
-    emit(  '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',

Shorewall/Perl/Shorewall/Config.pm

@@ -3496,7 +3496,7 @@ sub GeoIP_Match() {
 }
 
 sub Checksum_Target() {
-    have_capability 'MANGLE_ENABLED' && qt1( "iptables -m mangle -A $sillyname -j CHECKSUM --checksum-fill" );
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" );
 }
 
 our %detect_capability =

Shorewall/Perl/Shorewall/Misc.pm

@@ -702,13 +702,11 @@ sub process_stoppedrules() {
 	    }
 
 	    if ( $source eq $fw ) {
-		$chainref = $tableref->{OUTPUT};
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 		$source = '';
 		$restriction = OUTPUT_RESTRICT;
-	    } 
-
-	    if ( $source =~ s/^($fw):// ) {
-		$chainref = $filter_table->{OUTPUT};
+	    } elsif ( $source =~ s/^($fw):// ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 		$restriction = OUTPUT_RESTRICT;
 	    }
 
@@ -717,9 +715,7 @@ sub process_stoppedrules() {
 		$chainref = $filter_table->{INPUT};
 		$dest = '';
 		$restriction = INPUT_RESTRICT;
-	    }
-
-	    if ( $dest =~ s/^($fw):// ) {
+	    } elsif ( $dest =~ s/^($fw):// ) {
 		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
 		$chainref = $filter_table->{INPUT};
 		$restriction = INPUT_RESTRICT;

Shorewall/Perl/Shorewall/Providers.pm

@@ -118,6 +118,7 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
     my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
@@ -149,10 +150,10 @@ sub setup_route_marking() {
 
 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}/$mask", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}/$mask", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -1073,6 +1073,7 @@ sub merge_levels ($$) {
     my $tag   = $supparts[2];
 
     if ( @supparts == 3 ) {
+	return $subordinate           if $target =~ /^(?:NFLOG|ULOG)\b/;
 	return "$target:none!:$tag"   if $level eq 'none!';
 	return "$target:$level:$tag"  if $level =~ /!$/;
 	return $subordinate           if $subparts >= 2;
@@ -1080,6 +1081,7 @@ sub merge_levels ($$) {
     }
 
     if ( @supparts == 2 ) {
+	return $subordinate           if $target =~ /^(?:NFLOG|ULOG)\b/;
 	return "$target:none!"        if $level eq 'none!';
 	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
     }
@@ -1714,16 +1716,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param;
     }
 
-    unless ( $actiontype ) {
-	if ( $action =~ /^NFLOG\(?/ ) {
-	    $basictarget = 'LOG';
-	    $actiontype  = $targets{LOG};
-	    fatal_error "Invalid NFLOG action($action:$loglevel)" if $loglevel;
-	    $loglevel    = supplied $param ? "NFLOG($param)" : 'NFLOG';
-	    $param       = '';
-	}
-    }
-
     fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
     if ( $actiontype == MACRO ) {
@@ -1768,6 +1760,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	fatal_error "$action rules require a set name parameter" unless $param;
     } elsif ( $actiontype & ACTION ) {
 	split_list $param, 'Action parameter';
+    } elsif ( $actiontype & NFLOG ) {
+	fatal_error "$basictarget does not allow a log level" if $loglevel;
+	validate_level( $action );
+	$loglevel = $action;
+	$action   = 'LOG';
     } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
     }
@@ -1823,7 +1820,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
     #
     my $log_action = $action;
 
-    unless ( $actiontype & ( ACTION | MACRO | NFQ | CHAIN ) ) {
+    unless ( $actiontype & ( ACTION | MACRO | NFLOG | NFQ | CHAIN ) ) {
 	my $bt = $basictarget;
 
 	$bt =~ s/[-+!]$//;

Shorewall/Perl/Shorewall/Tc.pm

@@ -2016,7 +2016,7 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
+		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }

Shorewall/lib.cli-std

@@ -1315,7 +1315,7 @@ try_command() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
 
 	if [ "$command" = "restart" ]; then

docs/MultiISP.xml

@@ -117,7 +117,7 @@
           ISP.</para>
         </footnote> as in the following diagram.</para>
 
-      <graphic align="center" fileref="images/TwoISPs.png" valign="middle"/>
+      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
 
       <itemizedlist>
         <listitem>
@@ -528,6 +528,14 @@
                   <para>Prior to Shorewall 4.4.24, the option is ignored with
                   a warning message if USE_DEFAULT_RT=Yes in
                   <filename>shorewall.conf</filename>.</para>
+
+                  <warning>
+                    <para>If you set this option on an interface, you must
+                    disable route filtering on the interface. Include
+                    'routefilter=0,logmartions=0' in the OPTIONS column of
+                    <ulink
+                    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
+                  </warning>
                 </listitem>
               </varlistentry>
             </variablelist>
@@ -2212,7 +2220,7 @@ exit 0
       on ursa that I will describe here</emphasis>.</para>
 
       <para>Below is a diagram of our network:<graphic align="center"
-      fileref="images/Network2008a.png"/></para>
+      fileref="images/Network2008a.png" /></para>
 
       <para>The local wired network in my office is connected to both gateways
       and uses the private (RFC 1918) network 172.20.1.0/24. The Comcast
@@ -2367,7 +2375,7 @@ wlan0                   192.168.0.0/24</programlisting><note>
 
     <para>The network is pictured in the following diagram:</para>
 
-    <graphic fileref="images/Network2012a.png"/>
+    <graphic fileref="images/Network2012a.png" />
 
     <section>
       <title>IPv4 Configuration</title>