Handle another issue with ADD_SNAT_ALIASES=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -268,7 +268,6 @@ our %EXPORT_TAGS = (
 				       mark_firewall6_not_started
 				       interface_address
 				       get_interface_address
-				       used_address_variable
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
@@ -5778,12 +5777,12 @@ sub have_ipset_rules() {
     $ipset_rules;
 }
 
-sub get_interface_address( $ );
+sub get_interface_address( $;$ );
 
 sub get_interface_gateway ( $;$$ );
 
-sub record_runtime_address( $$;$ ) {
+sub record_runtime_address( $$;$$ ) {
-    my ( $addrtype, $interface, $protect ) = @_;
+    my ( $addrtype, $interface, $protect, $provider ) = @_;
 
     if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5797,9 +5796,9 @@ sub record_runtime_address( $$;$ ) {
     my $addr;
 
     if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface );
+	$addr = get_interface_address( $interface, $provider );
     } else {
-	$addr = get_interface_gateway( $interface, $protect );
+	$addr = get_interface_gateway( $interface, $protect, $provider );
     }
 
     $addr . ' ';
@@ -6796,8 +6795,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $ ) {
+sub get_interface_address ( $;$ ) {
-    my ( $logical ) = $_[0];
+    my ( $logical, $provider ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
@@ -6807,11 +6806,9 @@ sub get_interface_address ( $ ) {
 
     $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
 
-    "\$$variable";
+    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
-}
 
-sub used_address_variable( $ ) {
+    "\$$variable";
-    defined $interfaceaddr{$_[0]}
 }
 
 #

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -472,7 +472,7 @@ sub validate_portpair1( $$ ) {
 
     fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
     $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
 
     my @ports = split /-/, $portpair, 2;
@@ -483,9 +483,10 @@ sub validate_portpair1( $$ ) {
 
     if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
     } else {
 	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
     }
 
     fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless

Shorewall/Perl/Shorewall/Nat.pm

@@ -76,7 +76,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
     #
     $pre_nat = 1 if $interfacelist =~ s/^\+//;
 
-    $savelist = $interfacelist;
     #
     # Check for INLINE
     #
@@ -86,6 +85,8 @@ sub process_one_masq1( $$$$$$$$$$$$ )
     } else {
 	$inlinematches = get_inline_matches(0);
     }
+
+    $savelist = $interfacelist;
     #
     # Handle early matches
     #
@@ -231,7 +232,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';
 
-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
 
 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -279,14 +280,20 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
+				my ($ipaddr, $rest) = split ':', $addr, 2;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
+
-				$addrlist .= "--to-source $addr ";
+				if ( supplied $rest ) {
+				    validate_portpair1( $proto, $rest );
+				    $addrlist .= "--to-source $addr ";
+				} else {
+				    $addrlist .= "--to-source $ipaddr";
+				}
+
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -398,7 +405,11 @@ sub process_one_masq1( $$$$$$$$$$$$ )
     if ( $snat ) {
 	$target =~ s/ .*//;
 	$target .= '+' if $pre_nat;
-	$target .= '(' . $addresses . ')' if $addresses ne '-' && $addresses ne 'NONAT';
+
+	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
+	    $addresses =~ s/^://;
+	    $target .= '(' . $addresses . ')';
+	}
 
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#

Shorewall/Perl/Shorewall/Providers.pm

@@ -799,7 +799,7 @@ sub add_a_provider( $$ ) {
 	}
 
 	if ( $gateway ) {
-	    $address = get_interface_address $interface unless $address;
+	    $address = get_interface_address( $interface, 1 ) unless $address;
 
 	    emit( qq([ -z "$address" ] && return\n) );
 
@@ -925,7 +925,7 @@ CEOF
     }
 
     if ( $gateway ) {
-	$address = get_interface_address $interface unless $address;
+	$address = get_interface_address( $interface, 1 ) unless $address;
 
 	if ( $hostroute ) {
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
@@ -1038,7 +1038,7 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
-	if ( used_address_variable( $interface ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    emit( '',
 		  'if [ -n "$g_forcereload" ]; then',
 		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
@@ -1059,7 +1059,7 @@ CEOF
 
 	emit "fi\n";
 
-	if ( used_address_variable( $interface ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 
 	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
@@ -1095,7 +1095,7 @@ CEOF
 	}
 
 
-	if ( used_address_variable( $interface ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
 	}
@@ -1242,7 +1242,7 @@ sub add_an_rtrule1( $$$$$ ) {
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
     } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address '&', $source;
+	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -2189,7 +2189,7 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 
-		if ( used_address_variable( $interface ) ) {
+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    my $variable = interface_address( $interface );
 
 		    emit( '',
@@ -2242,7 +2242,7 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );
 
-		if ( used_address_variable( $interface ) ) {
+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",

Shorewall/Perl/Shorewall/Rules.pm

@@ -5363,6 +5363,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
 	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
+	$add_snat_aliases = '';
     } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
 	$addresses  = $2;
@@ -5377,6 +5378,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
     } elsif ( $action eq 'MASQUERADE' ) {
 	$actiontype = $builtin_target{$target = 'MASQUERADE'};
+	$add_snat_aliases = '';
     } else {
 	( $target , $params ) = get_target_param1( $action );
 
@@ -5389,12 +5391,12 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
     if ( $inchain = defined $chainref ) {
 	( $inaction, undef, $interfaces, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 5 if $chainref->{action};
+	fatal_error q('+' is not allowed within an action body) if $pre_nat;
     }
     #
     # Next, parse the DEST column
     #
     if ( $inaction ) {
-	fatal_error q('*' is not allowed within an action body) if $pre_nat;
 	$destnets = $dest;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
@@ -5455,6 +5457,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
  
 	my $rule = '';
 	my $saveaddresses = $addresses;
+	my $savetarget    = $target;
+	my $savebaserule  = $baserule;
 	my $interface = $fullinterface;
 
 	$interface =~ s/:.*//;   #interface name may include 'alias'
@@ -5505,10 +5509,12 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		    $detectaddress = 1;
 		}
 	    } else {
+		fatal_error "SNAT rules must spacify a new source address and/or new source ports" unless supplied $addresses;
+
 		my $addrlist = '';
 		my @addrs = split_list $addresses, 'address';
 
-		fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		fatal_error "Only one SNAT address may be specified" if @addrs > 1;
 
 		for my $addr ( @addrs ) {
 		    if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -5551,20 +5557,27 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			}
 		    } elsif ( $family == F_IPV4 ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    my ($ipaddr, $rest) = split ':', $addr;
+			    my ($ipaddr, $rest) = split ':', $addr, 2;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
 			    }
-			    validate_portpair1( $proto, $rest ) if supplied $rest;
+
-			    $addrlist .= " --to-source $addr";
+			    if ( supplied $rest ) {
+				validate_portpair1( $proto, $rest );
+				$addrlist .= " --to-source $addr";
+			    } else {
+				$addrlist .= " --to-source $ipaddr";
+			    }
+
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
 			    my $ports = $addr;
 			    $ports =~ s/^://;
+			    fatal_error "Missing Address or Port[-range] ($addr)" unless supplied $ports && $ports ne '-';
 			    validate_portpair1( $proto, $ports );
-			    $addrlist .= " --to-ports $ports";
+			    $addrlist .= " --to-source :$ports";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    } else {
@@ -5614,6 +5627,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( supplied $addresses ) {
 		validate_portpair1($proto, $addresses );
 		$target .= " --to-ports $addresses";
+		$exceptionrule = do_proto( $proto, '', '' );
 	    }
 	}
 	#
@@ -5699,7 +5713,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
-	    if ( $add_snat_aliases ) {
+	    if ( $add_snat_aliases && $addresses ) {
 		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 		for my $address ( split_list $addresses, 'address' ) {
@@ -5722,6 +5736,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	}
 
 	$addresses = $saveaddresses;
+	$target    = $savetarget;
+	$baserule  = $savebaserule;
     }
 
     progress_message "   Snat record \"$currentline\" $done"
@@ -5755,11 +5771,10 @@ sub setup_snat( $ ) # Convert masq->snat if true
     convert_masq() if $_[0];
 
     if ( $fn = open_file( 'masq', 1, 1 ) ) {
-
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-
 	process_one_masq(0) while read_a_line( NORMAL_READ );
     } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	process_snat while read_a_line( NORMAL_READ );
     }
 }

Shorewall/Samples/three-interfaces/snat

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #
-MASQUERADE	10.0.0.0/8,\
+MASQUERADE		10.0.0.0/8,\
-		169.254.0.0/16,\
+			169.254.0.0/16,\
-		172.16.0.0/12,\
+			172.16.0.0/12,\
-		192.168.0.0/16	eth0
+			192.168.0.0/16		eth0

Shorewall/Samples/two-interfaces/snat

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #
-MASQUERADE	10.0.0.0/8,\
+MASQUERADE		10.0.0.0/8,\
-		169.254.0.0/16,\
+			169.254.0.0/16,\
-		172.16.0.0/12,\
+			172.16.0.0/12,\
-		192.168.0.0/16	eth0
+		1	92.168.0.0/16		eth0

Shorewall/configfiles/snat

@@ -1,8 +1,9 @@
 #
-# Shorewall SNAT/Masquerade File
+# Shorewall -- /etc/shorewall/snat
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+###########################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/install.sh

@@ -703,7 +703,7 @@ run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/con
 run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-    run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
     echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
 fi
 

Shorewall/manpages/shorewall-masq.xml

@@ -164,7 +164,7 @@
       <varlistentry>
         <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
         role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis

Shorewall/manpages/shorewall-snat.xml

@@ -75,7 +75,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>|</term>

Shorewall/manpages/shorewall.conf.xml

@@ -1087,10 +1087,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
           set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          pair of semicolons (";;"). If alternate input is also specified in
+          Beginning with 5.0.0, you may simply preface your text with a pair
-          the rule, it should appear before the semicolons and may be
+          of semicolons (";;"). If alternate input is also specified in the
-          separated from normal column input by a single semicolon.</para>
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
         </listitem>
       </varlistentry>
 

Shorewall6/configfiles/snat

@@ -1,8 +1,9 @@
 #
-# Shorewall6 SNAT/Masquerade File
+# Shorewall6 -- /etc/shorewall6/snat
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See http://shorewall.net/manpages6/shorewall6-snat.html for more information
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+###########################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall6/manpages/shorewall6-masq.xml

@@ -125,7 +125,7 @@
       <varlistentry>
         <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
         role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis

Shorewall6/manpages/shorewall6-snat.xml

@@ -75,7 +75,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>|</term>

Shorewall6/manpages/shorewall6.conf.xml

@@ -920,13 +920,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
         <listitem>
           <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5),
           a semicolon separates column-oriented specifications on the left
           from <ulink url="/configuration_file_basics.htm#Pairs">alternative
           specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
           specified, the specifications on the right are interpreted as if
           INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="shorewall6-masq.html">shorewall6-masq(5)</ulink> and
+          <ulink url="shorewall-masq.html">shorewall6-masq(5)</ulink> and
           <ulink url="shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
           which also support INLINE. If not specified or if specified as the
           empty value, the value 'No' is assumed for backward
@@ -934,10 +934,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
           set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          pair of semicolons (";;"). If alternate input is also specified in
+          Beginning with 5.0.0, you may simply preface your text with a pair
-          the rule, it should appear before the semicolons and may be
+          of semicolons (";;"). If alternate input is also specified in the
-          separated from normal column input by a single semicolon.</para>
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
         </listitem>
       </varlistentry>
 

docs/Anatomy.xml

@@ -106,8 +106,17 @@
     url="Install.htm#idp8774904608">configure scripts included with Shorewall
     Core</ulink>.</para>
 
+    <important>
+      <para>Since Shorewall 4.5.2, each of these directories is now
+      relocatable using the <ulink url="Install.htm#idp8774904608">configure
+      scripts included with Shorewall Core</ulink>. These scripts set shell
+      variables in the shorewallrc file which is normally installed in
+      /usr/share/shorewall/. The name of the variable is included in
+      parentheses in the section headings below.</para>
+    </important>
+
     <section id="sbin">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall</filename> shell program is used to
       interact with Shorewall. See <ulink
@@ -115,7 +124,7 @@
     </section>
 
     <section id="share-shorewall">
-      <title>/usr/share/shorewall</title>
+      <title>/usr/share/shorewall (${SHAREDIR}/shorewall)</title>
 
       <para>The bulk of Shorewall is installed here.</para>
 
@@ -220,22 +229,28 @@
     </section>
 
     <section id="shorewall">
-      <title>/etc/shorewall</title>
+      <title>/etc/shorewall (${CONFDIR}/shorewall)</title>
 
       <para>This is where the modifiable IPv4 configuration files are
       installed.</para>
     </section>
 
     <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
     </section>
 
     <section id="var">
-      <title>/var/lib/shorewall</title>
+      <title>/var/lib/shorewall (${VARLIB}/shorewall)</title>
 
       <para>Shorewall doesn't install any files in this directory but rather
       uses the directory for storing state information. This directory may be
@@ -332,7 +347,7 @@
     <para>Shorewall6 installs its files in a number of directories:</para>
 
     <section id="sbin6">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall6</filename> shell program is used to
       interact with Shorewall6. See <ulink
@@ -340,7 +355,7 @@
     </section>
 
     <section id="share-shorewall6">
-      <title>/usr/share/shorewall6</title>
+      <title>/usr/share/shorewall6 (${SHAREDIR}/shorewall6)</title>
 
       <para>The bulk of Shorewall6 is installed here.</para>
 
@@ -417,14 +432,28 @@
     </section>
 
     <section id="etc-shorewall6">
-      <title>/etc/shorewall6</title>
+      <title>/etc/shorewall6 (${CONFDIR}/</title>
 
       <para>This is where the modifiable IPv6 configuration files are
       installed.</para>
     </section>
 
+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall6</filename> or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
     <section id="var-shorewall6">
-      <title>/var/lib/shorewall6</title>
+      <title>/var/lib/shorewall6 (${VARLIB}/shorewall6)</title>
 
       <para>Shorewall6 doesn't install any files in this directory but rather
       uses the directory for storing state information. This directory may be
@@ -514,7 +543,7 @@
     in the sub-sections that follow.</para>
 
     <section id="sbin-lite">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR_</title>
 
       <para>The <filename>/sbin/shorewall-lite</filename> shell program is
       used to interact with Shorewall lite. See <ulink
@@ -522,22 +551,28 @@
     </section>
 
     <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall-lite</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
     </section>
 
     <section id="shorewall-lite">
-      <title>/etc/shorewall-lite</title>
+      <title>/etc/shorewall-lite (${CONFDIR}/shorewall-lite)</title>
 
       <para>This is where the modifiable configuration files are
       installed.</para>
     </section>
 
     <section id="share-lite">
-      <title>/usr/share/shorewall-lite</title>
+      <title>/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)</title>
 
       <para>The bulk of Shorewall-lite is installed here.</para>
 
@@ -586,7 +621,7 @@
     </section>
 
     <section id="var-lite">
-      <title>/var/lib/shorewall-lite</title>
+      <title>/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)</title>
 
       <para>Shorewall-lite doesn't install any files in this directory but
       rather uses the directory for storing state information. This directory
@@ -719,15 +754,29 @@
       <filename>rc.firewall</filename>.</para>
     </section>
 
+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall</filename>6-lite or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
     <section id="etc-shorewall6-lite">
-      <title>/etc/shorewall6-lite</title>
+      <title>/etc/shorewall6-lite (${CONFDIR}/shorewall6-lite)</title>
 
       <para>This is where the modifiable configuration files are
       installed.</para>
     </section>
 
     <section id="share-lite6">
-      <title>/usr/share/shorewall6-lite</title>
+      <title>/usr/share/shorewall6-lite (${SHAREDIR}/shorewall6-lite)</title>
 
       <para>The bulk of Shorewall-lite is installed here.</para>
 
@@ -776,7 +825,7 @@
     </section>
 
     <section id="var-lite6">
-      <title>/var/lib/shorewall6-lite</title>
+      <title>/var/lib/shorewall6-lite (${VARLIB}/shorewall6-lite)</title>
 
       <para>Shorewall6-lite doesn't install any files in this directory but
       rather uses the directory for storing state information. This directory

docs/bridge-Shorewall-perl.xml

@@ -102,12 +102,9 @@
       <listitem>
         <para>Your kernel must contain Netfilter physdev match support
         (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
-        Physdev match is standard in the 2.6 kernel series but must be patched
+        Physdev match is standard in the 2.6 and later kernel series but must
-        into the 2.4 kernels (see <ulink
+        be patched into the 2.4 kernels (see <ulink
-        url="http://bridge.sf.net">http://bridge.sf.net</ulink>). Bering and
+        url="http://bridge.sf.net">http://bridge.sf.net</ulink>).</para>
-        Bering uCLibc users must find and install ipt_physdev.o for their
-        distribution and add <quote>ipt_physdev</quote> to
-        /etc/modules.</para>
       </listitem>
 
       <listitem>

docs/shorewall_setup_guide.xml

@@ -1373,8 +1373,9 @@ Destination    Gateway     Genmask         Flags MSS Window irtt Iface
 
           <member>SNAT is configured in Shorewall using the <filename><ulink
           url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
-          file (/etc/shorewall/snat when running Shorewall 5.0.14 or
+          file (<ulink
-          later):</member>
+          url="manpages/shorewall-snat.html">/etc/shorewall/snat</ulink> when
+          running Shorewall 5.0.14 or later):</member>
         </simplelist>
 
         <programlisting>#INTERFACE     SOURCE               ADDRESS

docs/three-interface.xml

@@ -194,6 +194,17 @@
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
+~#</programlisting>
+
+        <para>When running Shorewall 5.0.14 or later:</para>
+
+        <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
       </listitem>
 
@@ -667,14 +678,18 @@ root@lists:~# </programlisting>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
-    <para>If your external IP is static, you can enter it in the third column
+    <para>If your external <acronym>IP</acronym> is static then, if you are
-    in the <filename
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
+    third column in the <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename>
     entry if you like although your firewall will work fine if you leave that
-    column empty. Entering your static IP in column 3 makes processing
+    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
-    outgoing packets a little more efficient. When running Shorewall 5.0.14 or
+    column 3 (SNAT) makes the processing of outgoing packets a little more
-    later, the rule in /etc/shorewall/snat must be change from a MASQUERADE
+    efficient.</para>
-    rule to an SNAT rule.</para>
+
+    <para>When running Shorewall 5.0.14 or later, the rule in
+    /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
+    rule.</para>
 
     <programlisting>#ACTION                      SOURCE                DEST         PROTO      PORT
 <emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis>              ...</programlisting>

docs/two-interface.xml

@@ -172,6 +172,17 @@
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
+~#</programlisting>
+
+            <para>When running Shorewall 5.0.14 or later:</para>
+
+            <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
           </listitem>
 
@@ -618,13 +629,16 @@ root@lists:~# </programlisting>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
-    <para>If your external <acronym>IP</acronym> is static, you can enter it
+    <para>If your external <acronym>IP</acronym> is static then, if you are
-    in the third column in the <filename
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
+    third column in the <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename>
     entry if you like although your firewall will work fine if you leave that
     column empty (Masquerade). Entering your static <acronym>IP</acronym> in
     column 3 (SNAT) makes the processing of outgoing packets a little more
-    efficient. When running Shorewall 5.0.14 or later, the rule in
+    efficient.</para>
+
+    <para>When running Shorewall 5.0.14 or later, the rule in
     /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
     rule.</para>