More snat documentation changes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -266,10 +266,13 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
+				       interface_address
 				       get_interface_address
+				       used_address_variable
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
+				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -5777,7 +5780,7 @@ sub have_ipset_rules() {
 
 sub get_interface_address( $ );
 
-sub get_interface_gateway ( $;$ );
+sub get_interface_gateway ( $;$$ );
 
 sub record_runtime_address( $$;$ ) {
     my ( $addrtype, $interface, $protect ) = @_;
@@ -5821,12 +5824,18 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
+
+		    if ( $variable =~ /^\$/ ) {
 			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+			incr_cmd_level $chainref;
+		    } else {
+			return 0;
+		    }
 		}
 
-		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6801,6 +6810,10 @@ sub get_interface_address ( $ ) {
     "\$$variable";
 }
 
+sub used_address_variable( $ ) {
+    defined $interfaceaddr{$_[0]}
+}
+
 #
 # Returns the name of the shell variable holding the broadcast addresses of the passed interface
 #
@@ -6858,14 +6871,21 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$ ) {
+sub get_interface_gateway ( $;$$ ) {
-    my ( $logical, $protect ) = @_;
+    my ( $logical, $protect, $provider ) = @_;
 
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
+    my $gateway  = get_interface_option( $interface, 'gateway' );
 
     $global_variables |= ALL_COMMANDS;
 
+    if ( $gateway ) {
+	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
+	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
+	return $gateway if $gateway ne 'detect';
+    }
+
     if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
     } else {
@@ -6873,6 +6893,8 @@ sub get_interface_gateway ( $;$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
     }
 
+    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
+
     $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -804,33 +804,8 @@ sub compiler {
     # Validate the TC files so that the providers will know what interfaces have TC
     #
     my $tcinterfaces = process_tc;
-    #
+
-    # Generate a function to bring up each provider
-    #
     process_providers( $tcinterfaces );
-    #
-    # [Re-]establish Routing
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }
 
     $have_arptables = process_arprules if $family == F_IPV4;
 
@@ -841,11 +816,7 @@ sub compiler {
     #
     process_tos;
     #
-    # ECN
+    # Setup Masquerade/SNAT
-    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    #
-    # Setup Masquerading/SNAT
     #
     setup_snat( $update );
     #
@@ -889,6 +860,37 @@ sub compiler {
     #
     setup_accounting if $config{ACCOUNTING};
 
+    enable_script;
+    #
+    # Generate a function to bring up each provider
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }
+    #
+    # ECN
+    #
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+
+    disable_script;
+
     if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix

Shorewall/Perl/Shorewall/Misc.pm

@@ -2740,6 +2740,9 @@ EOF
     pop_indent;
 
     emit '
+    rm -f ${VARDIR}/*.address
+    rm -f ${VARDIR}/*.gateway
+
     run_stopped_exit';
 
     my @ipsets = all_ipsets;

Shorewall/Perl/Shorewall/Nat.pm

@@ -76,7 +76,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
     #
     $pre_nat = 1 if $interfacelist =~ s/^\+//;
 
-    $savelist = $interfacelist;
     #
     # Check for INLINE
     #
@@ -86,6 +85,8 @@ sub process_one_masq1( $$$$$$$$$$$$ )
     } else {
 	$inlinematches = get_inline_matches(0);
     }
+
+    $savelist = $interfacelist;
     #
     # Handle early matches
     #
@@ -225,7 +226,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = 'RETURN';
+		    $target = $snat ? 'CONTINUE' : 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
@@ -397,9 +398,8 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 
     if ( $snat ) {
 	$target =~ s/ .*//;
-	$target = 'CONTINUE' if $target eq 'RETURN';
 	$target .= '+' if $pre_nat;
-	$target .= '(' . $addresses . ')' if $addresses ne '-';
+	$target .= '(' . $addresses . ')' if $addresses ne '-' && $addresses ne 'NONAT';
 
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#

Shorewall/Perl/Shorewall/Providers.pm

@@ -472,12 +472,14 @@ sub process_a_provider( $ ) {
 
     if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway $interface;
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
+	set_interface_option( $interface, 'gateway', 'detect' );
     } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
+	set_interface_option( $interface, 'gateway', 'none' );
     } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -491,12 +493,15 @@ sub process_a_provider( $ ) {
 	}
 
 	$gatewaycase = 'specified';
+	set_interface_option( $interface, 'gateway', $gateway );
     } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
+	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
     }
 
+
     my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 
     if ( $pseudo ) {	
@@ -725,9 +730,9 @@ sub emit_started_message( $$$$$ ) {
     my ( $spaces, $level, $pseudo, $name, $number ) = @_;
 
     if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
     } else {
-	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
     }
 }
 
@@ -1033,6 +1038,16 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
+	if ( used_address_variable( $interface ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    emit( '',
+		  'if [ -n "$g_forcereload" ]; then',
+		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
+		  '    COMMAND=reload',
+		  '    detect_configuration',
+		  '    define_firewall',
+		  'fi' );
+	}
+
 	pop_indent;
 
 	unless ( $pseudo ) {
@@ -1043,6 +1058,17 @@ CEOF
 	}
 
 	emit "fi\n";
+
+	if ( used_address_variable( $interface ) ) {
+	    my $variable = interface_address( $interface );
+
+	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	}
+
+	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    my $variable = interface_gateway( $interface );
+	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	}
     } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
     }
@@ -1067,6 +1093,17 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
+
+
+	if ( used_address_variable( $interface ) ) {
+	    my $variable = interface_address( $interface );
+	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
+	}
+
+	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    my $variable = interface_gateway( $interface );
+	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
+	}
     } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -2139,6 +2176,7 @@ sub handle_optional_interfaces( $ ) {
 		}
 
 		push_indent;
+
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
@@ -2151,6 +2189,28 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 
+		if ( used_address_variable( $interface ) ) {
+		    my $variable = interface_address( $interface );
+
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
+		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+		    my $variable = interface_gateway( $interface );
+
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
 		pop_indent;
 
 		emit( "fi\n" );
@@ -2161,6 +2221,7 @@ sub handle_optional_interfaces( $ ) {
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
+		my $variable    = interface_address( $interface );
 
 		if ( $wildcards ) {
 		    emit( "$case)" );
@@ -2181,6 +2242,15 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );
 
+		if ( used_address_variable( $interface ) ) {
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );

Shorewall/Perl/Shorewall/Rules.pm

@@ -5357,11 +5357,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     my $interfaces;
     my $normalized_action;
 
-    if ( $action =~ /^MASQUERADE(\+)?\((.+)\)$/ ) {
+    if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
 	$actiontype = $builtin_target{$action = $target};
 	$pre_nat    = $1;
-	$addresses  = $2;
+	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
     } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
@@ -5382,19 +5382,19 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	$pre_nat = ( $target =~ s/\+$// );
 
-	$actiontype = $targets{$target};
+	$actiontype = ( $targets{$target} || 0 );
 
 	fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
     }
 
     if ( $inchain = defined $chainref ) {
 	( $inaction, undef, $interfaces, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 5 if $chainref->{action};
+	fatal_error q('+' is not allowed within an action body) if $pre_nat;
     }
     #
     # Next, parse the DEST column
     #
     if ( $inaction ) {
-	fatal_error q('*' is not allowed within an action body) if $pre_nat;
 	$destnets = $dest;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
@@ -5755,11 +5755,10 @@ sub setup_snat( $ ) # Convert masq->snat if true
     convert_masq() if $_[0];
 
     if ( $fn = open_file( 'masq', 1, 1 ) ) {
-
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-
 	process_one_masq(0) while read_a_line( NORMAL_READ );
     } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	process_snat while read_a_line( NORMAL_READ );
     }
 }

Shorewall/Perl/Shorewall/Zones.pm

@@ -95,7 +95,6 @@ our @EXPORT = ( qw( NOTHING
                     get_interface_origin
 		    interface_has_option
 		    set_interface_option
-		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -195,7 +194,6 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
-#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>

Shorewall/Perl/prog.footer

@@ -128,6 +128,7 @@ g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
+g_forcereload=
 
 initialize
 

Shorewall/manpages/shorewall.conf.xml

@@ -1087,10 +1087,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
           set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          pair of semicolons (";;"). If alternate input is also specified in
+          Beginning with 5.0.0, you may simply preface your text with a pair
-          the rule, it should appear before the semicolons and may be
+          of semicolons (";;"). If alternate input is also specified in the
-          separated from normal column input by a single semicolon.</para>
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -920,13 +920,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
         <listitem>
           <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5),
           a semicolon separates column-oriented specifications on the left
           from <ulink url="/configuration_file_basics.htm#Pairs">alternative
           specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
           specified, the specifications on the right are interpreted as if
           INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="shorewall6-masq.html">shorewall6-masq(5)</ulink> and
+          <ulink url="shorewall-masq.html">shorewall6-masq(5)</ulink> and
           <ulink url="shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
           which also support INLINE. If not specified or if specified as the
           empty value, the value 'No' is assumed for backward
@@ -934,10 +934,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
           set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          pair of semicolons (";;"). If alternate input is also specified in
+          Beginning with 5.0.0, you may simply preface your text with a pair
-          the rule, it should appear before the semicolons and may be
+          of semicolons (";;"). If alternate input is also specified in the
-          separated from normal column input by a single semicolon.</para>
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
         </listitem>
       </varlistentry>
 

docs/configuration_file_basics.xml

@@ -1655,11 +1655,17 @@ SSH(ACCEPT)    net:$MYIP      $FW
     <title>Address Variables</title>
 
     <caution>
-      <para>If you use address variables that refer to an optional interface,
+      <para>Prior to Shorewall 5.0.14, if you use address variables that refer
-      the <command>enable</command> command will not change/insert the rules
+      to an optional interface, the <command>enable</command> command will not
-      that use the variable. Therefore, to be completely safe, if you use such
+      change/insert the rules that use the variable. Therefore, to be
-      address variables then you must follow an <command>enable</command>
+      completely safe, if you use such address variables then you must follow
-      command with a <command>reload</command> command.</para>
+      a successful <command>enable</command> command with a
+      <command>reload</command> command.</para>
+
+      <para>Beginning with Shorewall 5.0.14, if a Shorewall-defined address
+      variable's value has changed since the Netfilter ruleset was
+      instantiated, then a successful <command>enable</command> command will
+      automatically reload the ruleset.</para>
     </caution>
 
     <para>Given that shell variables are expanded at compile time, there is no
@@ -1891,9 +1897,8 @@ SSH(ACCEPT)    net:$MYIP      $FW
       </varlistentry>
     </variablelist>
 
-    <para>If there is no gateway out of the named interface, the nil IP
+    <para>If there is no gateway out of the named interface, rules containing
-    address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
+    the intefaces's run-time gateway variable are omitted.</para>
-    rule will match no packets (or all packets if used with exclusion).</para>
   </section>
 
   <section id="ActionVariables">

docs/shorewall_logging.xml

@@ -13,14 +13,20 @@
 
         <surname>Eastep</surname>
       </author>
+
+      <author>
+        <surname>Bill Shirley</surname>
+      </author>
     </authorgroup>
 
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001 - 2015</year>
+      <year>2001 - 2016</year>
 
       <holder>Thomas M. Eastep</holder>
+
+      <holder>Bill Shirley</holder>
     </copyright>
 
     <legalnotice>
@@ -463,9 +469,32 @@ sync=1</programlisting>
       <para>By setting the LOGTAGONLY option to Yes in <ulink
       url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
       url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
-      disposition ('DROP' in the above example) will be omitted. See the
+      disposition ('DROP' in the above example) will be omitted. Consider the
-      shorewall[6].conf man page for further information about how
+      following rule:</para>
-      LOGTAGONLY=Yes can be used.</para>
+
+      <programlisting>#ACTION                                    SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+      <para>This rule generates the following warning at compile time:</para>
+
+      <simplelist>
+        <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p
+        " /etc/shorewall/rules (line 212)</member>
+      </simplelist>
+
+      <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
+      ".</para>
+
+      <para>Now consider this similar rule:</para>
+
+      <programlisting>#ACTION                                              SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+      <para>With LOGTAGONLY=Yes, no warning is generated and the prefix
+      becomes "Shorewall:IPv6:tunneling:"</para>
+
+      <para>See the shorewall[6].conf man page for further information about
+      how LOGTAGONLY=Yes can be used.</para>
     </section>
 
     <section>
@@ -479,4 +508,72 @@ sync=1</programlisting>
       linkend="LogTags">above</link>.</para>
     </section>
   </section>
+
+  <section>
+    <title>Some Additional Thoughts on Logging (by Bill Shirley)</title>
+
+    <para>As a side note to the LOGTAGONLY example above, i recommend blocking
+    all tunneling because it bypasses the firewall rules:</para>
+
+    <programlisting>#ACTION                                              SOURCE          DEST           PROTO      DPORT
+?COMMENT tunneling
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41                   # who's using IPv6 tunneling
+REJECT(icmp-port-unreachable)                        loc             net            tcp,udp    teredo
+REJECT(icmp-port-unreachable)                        loc             net            tcp,udp    isakmp,ipsec-nat-t</programlisting>
+
+    <para>Here is an example of logging traffic only once:</para>
+
+    <para><filename>/etc/shorewall/init:</filename></para>
+
+    <programlisting>ipset -exist create IPv4 hash:ip timeout 86400
+ipset -exist create IPv4-port hash:ip,port timeout 14400</programlisting>
+
+    <para><filename>/etc/shorewall/rules</filename> (at the top):</para>
+
+    <programlisting>#ACTION             SOURCE                         DEST           PROTO
+?SECTION NEW
+# ------------------
+?COMMENT drop previously flagged
+DROP                net:+IPv4[src]                 fw
+DROP                net:+IPv4-port[src,dst]        fw</programlisting>
+
+    <para>After all the rules have been checked, at the bottom of
+    <filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting># =============================================================================
+# =============================== H@ck0rz =====================================
+# =============================================================================
+?COMMENT dont whack myself
+REJECT:notice           inet:$ME_NET           fw
+
+?COMMENT not public
+ADD(+IPv4-port:src,dst) net                     fw      tcp,udp  domain
+ADD(+IPv4-port:src,dst) net                     fw      tcp      ldap,ldaps
+ADD(+IPv4-port:src,dst) net                     fw      tcp,udp  ipp
+
+?COMMENT H@ck0rz
+ADD(+IPv4:src)          net                     fw      tcp      ssh
+ADD(+IPv4:src)          net                     fw      tcp      ftp,ftps,sftp,telnet,telnets,exec,login,shell,sunrpc
+ADD(+IPv4:src)          net                     fw      tcp,udp  ms-sql-s,ms-sql-m
+
+?COMMENT drop if added
+DROP:info:BAN,IPv4      net:+IPv4[src]          fw
+DROP:info:BAN,IPv4-port net:+IPv4-port[src,dst] fw</programlisting>
+
+    <para>One final note: I wanted less firewall messages in /var/log/messages
+    so I added to rsyslog.conf:</para>
+
+    <programlisting>#### RULES #### &lt;-- find this
+if $msg contains 'Shorewall' then {
+  action(type="omfile" file="/var/log/shorewall.log")
+#  if ($syslogfacility == 0 and $syslogseverity &gt;= 4) then stop    # warning
+#  if ($syslogfacility == 0 and $syslogseverity &gt;= 5) then stop    # notice
+  if ($syslogfacility == 0 and $syslogseverity &gt;= 6) then stop  # info
+}</programlisting>
+
+    <para> I log at 'notice' log level if I want the message in
+    <filename>/var/log/messages</filename> and everything goes to
+    <filename>/var/log/shorewall.log</filename>. Don't forget to add
+    /var/log/shorewall.log to logrotate. </para>
+  </section>
 </article>

docs/shorewall_setup_guide.xml

@@ -1373,8 +1373,9 @@ Destination    Gateway     Genmask         Flags MSS Window irtt Iface
 
           <member>SNAT is configured in Shorewall using the <filename><ulink
           url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
-          file (/etc/shorewall/snat when running Shorewall 5.0.14 or
+          file (<ulink
-          later):</member>
+          url="manpages/shorewall-snat.html">/etc/shorewall/snat</ulink> when
+          running Shorewall 5.0.14 or later):</member>
         </simplelist>
 
         <programlisting>#INTERFACE     SOURCE               ADDRESS

docs/three-interface.xml

@@ -194,6 +194,17 @@
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
+~#</programlisting>
+
+        <para>When running Shorewall 5.0.14 or later:</para>
+
+        <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
       </listitem>
 
@@ -667,14 +678,18 @@ root@lists:~# </programlisting>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
-    <para>If your external IP is static, you can enter it in the third column
+    <para>If your external <acronym>IP</acronym> is static then, if you are
-    in the <filename
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
+    third column in the <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename>
     entry if you like although your firewall will work fine if you leave that
-    column empty. Entering your static IP in column 3 makes processing
+    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
-    outgoing packets a little more efficient. When running Shorewall 5.0.14 or
+    column 3 (SNAT) makes the processing of outgoing packets a little more
-    later, the rule in /etc/shorewall/snat must be change from a MASQUERADE
+    efficient.</para>
-    rule to an SNAT rule.</para>
+
+    <para>When running Shorewall 5.0.14 or later, the rule in
+    /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
+    rule.</para>
 
     <programlisting>#ACTION                      SOURCE                DEST         PROTO      PORT
 <emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis>              ...</programlisting>

docs/two-interface.xml

@@ -172,6 +172,17 @@
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
+~#</programlisting>
+
+            <para>When running Shorewall 5.0.14 or later:</para>
+
+            <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
           </listitem>
 
@@ -618,13 +629,16 @@ root@lists:~# </programlisting>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
-    <para>If your external <acronym>IP</acronym> is static, you can enter it
+    <para>If your external <acronym>IP</acronym> is static then, if you are
-    in the third column in the <filename
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
+    third column in the <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename>
     entry if you like although your firewall will work fine if you leave that
     column empty (Masquerade). Entering your static <acronym>IP</acronym> in
     column 3 (SNAT) makes the processing of outgoing packets a little more
-    efficient. When running Shorewall 5.0.14 or later, the rule in
+    efficient.</para>
+
+    <para>When running Shorewall 5.0.14 or later, the rule in
     /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
     rule.</para>