Remove redundent test

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -949,7 +949,7 @@ show_events() {
 	for file in /proc/net/xt_recent/*; do
 	    base=$(basename $file)
 
-	    if [ $base != %CURRENTTIME ]; then
+	    if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
 		echo $base
 		show_event $base
 		echo
@@ -1161,6 +1161,11 @@ show_macros() {
     done
 }
 
+show_a_macro() {
+    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
+    cat ${directory}/macro.$1
+}
+
 #
 # Show Command Executor
 #
@@ -1441,8 +1446,7 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				    eval show_a_macro $2 $g_pager
-				    cat ${directory}/macro.$2
 				    return
 				fi
 			    done
@@ -1579,6 +1583,19 @@ show_status() {
 
 }
 
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+
 #
 # Dump Command Executor
 #
@@ -1729,12 +1746,10 @@ do_dump_command() {
     heading "Events"
     show_events
 
-    if qt mywhich setkey; then
     heading "PFKEY SPD"
-	setkey -DP
+    $IP -s xfrm policy | spd_filter
     heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
-    fi
 
     heading "/proc"
     show_proc /proc/version
@@ -1805,6 +1820,7 @@ dump_command() {
 restore_command() {
     local finished
     finished=0
+    local result
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1869,8 +1885,11 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."
 
 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
+	result=$?
 
 	[ -n "$g_nolock" ] || mutex_off
+
+	exit $result
     else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -3992,6 +4011,7 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    if [ -z "$g_nopager" ]; then
 	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
 	if [ -n "$PAGER" -a -t 1 ]; then
@@ -4010,6 +4030,7 @@ get_config() {
 
 	    g_pager="| $g_pager"
 	fi
+    fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -4357,6 +4378,7 @@ shorewall_cli() {
     g_loopback=
     g_compiled=
     g_pager=
+    g_nopager=
     g_blacklistipset=
     g_disconnect=
 
@@ -4453,6 +4475,11 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
+			p*)
+			    g_nopager=Yes
+			    option=${option#p}
+			    ;;
+
 			-)
 			    finished=1
 			    option=

Shorewall/Perl/Shorewall/Chains.pm

@@ -268,7 +268,6 @@ our %EXPORT_TAGS = (
 				       mark_firewall6_not_started
 				       interface_address
 				       get_interface_address
-				       used_address_variable
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
@@ -811,7 +810,6 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
-		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1197,9 +1195,16 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies '-m policy'
+    # Don't combine chains where each specifies
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
     #
-    return ! ( $ref1->{policy} && $ref2->{policy} );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
+	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
 
 #
@@ -1219,6 +1224,7 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
+	    $toref->{simple} = 0;
 	}
     }
 
@@ -5778,12 +5784,12 @@ sub have_ipset_rules() {
     $ipset_rules;
 }
 
-sub get_interface_address( $ );
+sub get_interface_address( $;$ );
 
 sub get_interface_gateway ( $;$$ );
 
-sub record_runtime_address( $$;$ ) {
+sub record_runtime_address( $$;$$ ) {
-    my ( $addrtype, $interface, $protect ) = @_;
+    my ( $addrtype, $interface, $protect, $provider ) = @_;
 
     if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5797,9 +5803,9 @@ sub record_runtime_address( $$;$ ) {
     my $addr;
 
     if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface );
+	$addr = get_interface_address( $interface, $provider );
     } else {
-	$addr = get_interface_gateway( $interface, $protect );
+	$addr = get_interface_gateway( $interface, $protect, $provider );
     }
 
     $addr . ' ';
@@ -6796,8 +6802,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $ ) {
+sub get_interface_address ( $;$ ) {
-    my ( $logical ) = $_[0];
+    my ( $logical, $provider ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
@@ -6807,11 +6813,9 @@ sub get_interface_address ( $ ) {
 
     $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
 
-    "\$$variable";
+    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
-}
 
-sub used_address_variable( $ ) {
+    "\$$variable";
-    defined $interfaceaddr{$_[0]}
 }
 
 #

Shorewall/Perl/Shorewall/Config.pm

@@ -133,6 +133,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_line
 				       split_line1
 				       split_line2
+				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -174,6 +175,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -564,6 +566,7 @@ our $usedcaller;
 our $inline_matches;
 
 our $currentline;            # Current config file line image
+our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -2442,6 +2445,25 @@ sub split_line2( $$;$$$ ) {
     @line;
 }
 
+#
+# Same as above, only it splits the raw current line
+#
+sub split_rawline2( $$;$$$ ) {
+    my $savecurrentline = $currentline;
+
+    $currentline = $rawcurrentline;
+    #
+    # Delete trailing comment
+    #
+    $currentline =~ s/\s*#.*//;
+
+    my @result = &split_line2( @_ );
+
+    $currentline = $savecurrentline;
+
+    @result;
+}
+
 sub split_line1( $$;$$ ) {
     &split_line2( @_, undef );
 }
@@ -3026,9 +3048,9 @@ sub process_compiler_directive( $$$$ ) {
 
     if ( $directive_callback ) {
         $directive_callback->( $keyword, $line ) 
-    } else {
-        $omitting;
     }
+
+    $omitting;
 }
 
 #
@@ -3736,6 +3758,7 @@ sub read_a_line($) {
 
 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
+		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }
 
@@ -3790,6 +3813,10 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
+	    # Save Raw Image
+	    #
+	    $rawcurrentline = $currentline;
+	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3818,7 +3845,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -472,7 +472,7 @@ sub validate_portpair1( $$ ) {
 
     fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
     $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
 
     my @ports = split /-/, $portpair, 2;
@@ -483,9 +483,10 @@ sub validate_portpair1( $$ ) {
 
     if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
     } else {
 	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
     }
 
     fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless

Shorewall/Perl/Shorewall/Misc.pm

@@ -216,6 +216,7 @@ sub convert_blacklist() {
     my $audit       = $disposition =~ /^A_/;
     my $target      = $disposition;
     my $orig_target = $target;
+    my $warnings    = 0;
     my @rules;
 
     if ( @$zones || @$zones1 ) {
@@ -237,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry "Converting $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
+		split_rawline2( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+				{ networks => 0, proto => 1, port => 2, options => 3 },
+				{},
+				4,
+		);
 
 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -300,6 +311,8 @@ sub convert_blacklist() {
 	    }
 	}
 
+	directive_callback(0);
+
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -312,7 +325,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -395,6 +408,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
 	my $seq      = 0;
+	my $warnings = 0;
 	my $date = compiletime;
 
 	my ( $stoppedrules, $fn1 );
@@ -406,7 +420,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -422,6 +436,13 @@ sub convert_routestopped() {
 EOF
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -436,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {
 
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
+		split_rawline2( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
+				{},
+				6,
+				0,
+		);
 
 	    my $interfaceref;
 
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 
 	    my $routeback = 0;
@@ -456,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';
 
 	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -501,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}
 
+	directive_callback(0);
+
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;

Shorewall/Perl/Shorewall/Nat.pm

@@ -60,12 +60,12 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $pre_nat;
-    my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
     my $destnets = '';
     my $baserule = '';
     my $inlinematches = '';
@@ -226,13 +226,13 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = $snat ? 'CONTINUE' : 'RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';
 
-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
 
 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -249,7 +249,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 			    #
 			    $target = 'SNAT ';
 
-			    unless ( $snat ) {
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -276,18 +275,23 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 
 				$addrlist .= '--to-source ' . $addr;
 			    }
-			    }
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
+				my ($ipaddr, $rest) = split ':', $addr, 2;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
+
+				if ( supplied $rest ) {
+				    validate_portpair1( $proto, $rest );
 				    $addrlist .= "--to-source $addr ";
+				} else {
+				    $addrlist .= "--to-source $ipaddr";
+				}
+
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -356,7 +360,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	#
 	# And Generate the Rule(s)
 	#
-	unless ( $snat ) {
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
 		     $prerule ,
@@ -394,12 +397,94 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	    }
 	}
     }
+
+    progress_message "   Masq record \"$currentline\" $done";
+
+}
+
+sub convert_one_masq1( $$$$$$$$$$$$ )
+{
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+
+    my $pre_nat;
+    my $destnets = '';
+    my $savelist;
+    #
+    # Leading '+'
+    #
+    $pre_nat = ( $interfacelist =~ s/^\+// );
+    #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+	$interfacelist = $1;
+    }
+
+    $savelist = $interfacelist;
+    #
+    # Parse the remaining part of the INTERFACE column
+    #
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
+	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
+    }
+    #
+    # If there is no source or destination then allow all addresses
+    #
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';
+
+    my $target;
+    #
+    # Parse the ADDRESSES column
+    #
+    if ( $addresses ne '-' ) {
+	my $saveaddresses = $addresses;
+	if ( $addresses ne 'random' ) {
+	    $addresses =~ s/:persistent$//;
+	    $addresses =~ s/:random$//;
+
+	    if ( $addresses eq 'detect' ) {
+		$target = 'SNAT';
+	    } elsif ( $addresses eq 'NONAT' ) {
+		$target = 'CONTINUE';
+	    } elsif ( $addresses ) {
+		if ( $addresses =~ /^:/ ) {
+		    $target = 'MASQUERADE';
+		} else {
+		    $target = 'SNAT';
+		}
+	    }
+	}
+
+	$addresses = $saveaddresses;
+    } else {
+	$target = 'MASQUERADE';
     }
 
     if ( $snat ) {
-	$target =~ s/ .*//;
 	$target .= '+' if $pre_nat;
-	$target .= '(' . $addresses . ')' if $addresses ne '-' && $addresses ne 'NONAT';
+
+	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
+	    $addresses =~ s/^://;
+	    $target .= '(' . $addresses . ')';
+	}
 
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#
@@ -414,7 +499,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	print $snat "$line\n";
     }
 
-    progress_message "   Masq record \"$currentline\" $done";
+    progress_message "   Masq record \"$rawcurrentline\" Converted";
 
 }
 
@@ -422,6 +507,25 @@ sub process_one_masq( $ )
 {
     my ( $snat ) = @_;
 
+    if ( $snat ) {
+	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+	    #
+	    # Line was not blank or all comment
+	    #
+	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+		split_rawline2( 'masq file',
+				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+				{},    #Nopad
+				undef, #Columns
+				1 );   #Allow inline matches
+
+	    if ( $interfacelist ne '-' ) { 
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+		}
+	    }
+	}
+    } else {
 	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'masq file',
 			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
@@ -432,7 +536,8 @@ sub process_one_masq( $ )
 	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
 
 	for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	}
     }
 }
 
@@ -487,7 +592,19 @@ sub convert_masq() {
 
 	my $have_masq_rules;
 
-	directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    process_one_masq( $snat) if $snat;
+		} else {
+		    print $snat "$_[1]\n"; 0;
+		}
+	    }
+	    );
 
 	first_entry(
 	    sub {
@@ -500,7 +617,18 @@ sub convert_masq() {
 	    }
 	    );
 
-	process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
+	while ( read_a_line( NORMAL_READ ) ) {
+	    #
+	    # Process the file normally
+	    #
+	    process_one_masq(0);
+	    #
+	    # Now Convert it
+	    #
+	    process_one_masq($snat);
+
+	    $have_masq_rules++;
+	}
 
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";

Shorewall/Perl/Shorewall/Providers.pm

@@ -220,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
     } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
+	       '                fe80:*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
     }
 
     emit ( '            ;;',
@@ -291,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
     } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
+		'                        fe80:*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $id \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
     }
 
     emit (  '                    ;;',
@@ -799,7 +813,7 @@ sub add_a_provider( $$ ) {
 	}
 
 	if ( $gateway ) {
-	    $address = get_interface_address $interface unless $address;
+	    $address = get_interface_address( $interface, 1 ) unless $address;
 
 	    emit( qq([ -z "$address" ] && return\n) );
 
@@ -925,7 +939,7 @@ CEOF
     }
 
     if ( $gateway ) {
-	$address = get_interface_address $interface unless $address;
+	$address = get_interface_address( $interface, 1 ) unless $address;
 
 	if ( $hostroute ) {
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
@@ -1038,7 +1052,7 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
-	if ( used_address_variable( $interface ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    emit( '',
 		  'if [ -n "$g_forcereload" ]; then',
 		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
@@ -1059,7 +1073,7 @@ CEOF
 
 	emit "fi\n";
 
-	if ( used_address_variable( $interface ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 
 	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
@@ -1095,7 +1109,7 @@ CEOF
 	}
 
 
-	if ( used_address_variable( $interface ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
 	}
@@ -1242,7 +1256,7 @@ sub add_an_rtrule1( $$$$$ ) {
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
     } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address '&', $source;
+	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1496,7 +1510,18 @@ sub finish_providers() {
 
     if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
+
+	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	} else {
+	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    '    else',
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    '    fi',
+		    '' );
+	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1549,7 +1574,13 @@ sub finish_providers() {
 
     if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
+
+	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+	} else {
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
+	}
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -2189,7 +2220,7 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 
-		if ( used_address_variable( $interface ) ) {
+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    my $variable = interface_address( $interface );
 
 		    emit( '',
@@ -2242,7 +2273,7 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );
 
-		if ( used_address_variable( $interface ) ) {
+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",

Shorewall/Perl/Shorewall/Rules.pm

@@ -638,7 +638,8 @@ sub process_a_policy1($$$$$$$) {
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    $intrazone  = $clientwild && $1;
+
+    $intrazone  ||= $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
@@ -763,26 +764,29 @@ sub process_a_policy() {
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
-    my $intrazone;
+    my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $intrazone = $clients =~ /.*,.*\+$/) {
+    if ( $clientlist = ( $clients =~ /,/ ) ) {
-	$clients =~ s/\+$//;
+	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $servers =~ /.*,.*\+$/ ) {
+    if ( $serverlist = ( $servers =~ /,/ ) ) {
-	$servers =~ s/\+$//;
+	$intrazone ||= ( $servers =~ s/\+$// );
-	$intrazone = 1;
     }	
 
     fatal_error 'SOURCE must be specified' if $clients eq '-';
     fatal_error 'DEST must be specified'   if $servers eq '-';
     fatal_error 'POLICY must be specified' if $policy  eq '-';
 
+    if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
 	    for my $server ( split_list( $servers, 'zone' ) ) {
-	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
+    } else {
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+    }
 }
 
 #
@@ -5139,7 +5143,7 @@ sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
 			    { mark => 0,
 			      action => 0,
 			      source => 1,
@@ -5162,7 +5166,7 @@ sub process_tc_rule( ) {
 	$headers = '-';
     } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
 			    { mark => 0,
 			      action => 0,
 			      source => 1,
@@ -5363,6 +5367,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
 	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
+	$add_snat_aliases = '';
     } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
 	$addresses  = $2;
@@ -5377,6 +5382,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
     } elsif ( $action eq 'MASQUERADE' ) {
 	$actiontype = $builtin_target{$target = 'MASQUERADE'};
+	$add_snat_aliases = '';
     } else {
 	( $target , $params ) = get_target_param1( $action );
 
@@ -5455,6 +5461,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
  
 	my $rule = '';
 	my $saveaddresses = $addresses;
+	my $savetarget    = $target;
+	my $savebaserule  = $baserule;
 	my $interface = $fullinterface;
 
 	$interface =~ s/:.*//;   #interface name may include 'alias'
@@ -5505,10 +5513,12 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		    $detectaddress = 1;
 		}
 	    } else {
+		fatal_error "SNAT rules must spacify a new source address and/or new source ports" unless supplied $addresses;
+
 		my $addrlist = '';
 		my @addrs = split_list $addresses, 'address';
 
-		fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		fatal_error "Only one SNAT address may be specified" if @addrs > 1;
 
 		for my $addr ( @addrs ) {
 		    if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -5551,20 +5561,27 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			}
 		    } elsif ( $family == F_IPV4 ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    my ($ipaddr, $rest) = split ':', $addr;
+			    my ($ipaddr, $rest) = split ':', $addr, 2;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
 			    }
-			    validate_portpair1( $proto, $rest ) if supplied $rest;
+
+			    if ( supplied $rest ) {
+				validate_portpair1( $proto, $rest );
 				$addrlist .= " --to-source $addr";
+			    } else {
+				$addrlist .= " --to-source $ipaddr";
+			    }
+
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
 			    my $ports = $addr;
 			    $ports =~ s/^://;
+			    fatal_error "Missing Address or Port[-range] ($addr)" unless supplied $ports && $ports ne '-';
 			    validate_portpair1( $proto, $ports );
-			    $addrlist .= " --to-ports $ports";
+			    $addrlist .= " --to-source :$ports";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    } else {
@@ -5614,6 +5631,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( supplied $addresses ) {
 		validate_portpair1($proto, $addresses );
 		$target .= " --to-ports $addresses";
+		$exceptionrule = do_proto( $proto, '', '' );
 	    }
 	}
 	#
@@ -5699,7 +5717,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
-	    if ( $add_snat_aliases ) {
+	    if ( $add_snat_aliases && $addresses ) {
 		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 		for my $address ( split_list $addresses, 'address' ) {
@@ -5722,6 +5740,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	}
 
 	$addresses = $saveaddresses;
+	$target    = $savetarget;
+	$baserule  = $savebaserule;
     }
 
     progress_message "   Snat record \"$currentline\" $done"

Shorewall/Perl/Shorewall/Tc.pm

@@ -2150,41 +2150,14 @@ sub process_secmark_rule() {
     }
 }
 
-
+sub convert_one_tos( $ ) {
-sub convert_tos($$) {
+    my ( $mangle ) = @_;
-    my ( $mangle, $fn1 ) = @_;
-
-    my $have_tos = 0;
-
-    sub unlink_tos( $ ) {
-	my $fn = shift;
-
-	if ( unlink $fn ) {
-	    warning_message "Empty tos file ($fn) removed";
-	} else {
-	    warning_message "Unable to remove empty tos file $fn: $!";
-	}
-    }
-
-    if ( my $fn = open_file 'tos' ) {
-	first_entry(
-		    sub {
-			my $date = compiletime;
-			progress_message2 "Converting $fn...";
-			print( $mangle
-			       "#\n" ,
-			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
-			       "#\n" );
-		    }
-		   );
-
-	while ( read_a_line( NORMAL_READ ) ) {
-
-	    $have_tos = 1;
 
     my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
+	split_rawline2( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
+			undef,
+			7 );
 
     my $chain_designator = 'P';
 
@@ -2219,8 +2192,62 @@ sub convert_tos($$) {
     $mark   = '-' unless supplied $mark;
 
     print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+}
 
+
+sub convert_tos($$) {
+    my ( $mangle, $fn1 ) = @_;
+
+    my $have_tos = 0;
+
+    sub unlink_tos( $ ) {
+	my $fn = shift;
+
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
 	}
+    }
+
+    if ( my $fn = open_file 'tos' ) {
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+			print $mangle "$_[1]\n";
+		    } else {
+			convert_one_tos( $mangle );
+			$have_tos = 1;
+		    }
+		} else {
+		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+		}
+	    }
+	    );
+
+	first_entry(
+		    sub {
+			my $date = compiletime;
+			progress_message2 "Converting $fn...";
+			print( $mangle
+			       "#\n" ,
+			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    convert_one_tos( $mangle );
+	    $have_tos = 1;
+	}
+
+	directive_callback(0);
 
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
@@ -2337,7 +2364,24 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 
-		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
+		directive_callback(
+		    sub ()
+		    {
+			if ( $_[0] eq 'OMITTED' ) {
+			    #
+			    # Convert the raw rule
+			    #
+			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+				print $mangle "$_[1]\n";
+			    } else {
+				process_tc_rule;
+				$have_tcrules++;
+			    }
+			} else {
+			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+			}
+		    }
+		    );
 
 		first_entry(
 			    sub {

Shorewall/Perl/compiler.pl

@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Samples/three-interfaces/snat

@@ -10,7 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016

Shorewall/Samples/two-interfaces/snat

@@ -10,7 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
@@ -18,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-		192.168.0.0/16	eth0
+			92.168.0.0/16		eth0

Shorewall/configfiles/snat

@@ -1,8 +1,9 @@
 #
-# Shorewall SNAT/Masquerade File
+# Shorewall -- /etc/shorewall/snat
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###################################################################################################################
+#
+###########################################################################################################################################
 #ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/install.sh

@@ -703,7 +703,7 @@ run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/con
 run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-    run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
     echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
 fi
 

Shorewall/lib.cli-std

@@ -318,6 +318,7 @@ get_config() {
 
     [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
+    if [ -z "$g_nopager" ]; then
 	if [ -n "$PAGER" -a -t 1 ]; then
 	    case $PAGER in
 		/*)
@@ -334,6 +335,7 @@ get_config() {
 
 	    g_pager="| $g_pager"
 	fi
+    fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl

Shorewall/manpages/shorewall-masq.xml

@@ -164,7 +164,7 @@
       <varlistentry>
         <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
         role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis

Shorewall/manpages/shorewall-snat.xml

@@ -75,7 +75,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>|</term>
@@ -171,7 +171,7 @@
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
         [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall.xml

@@ -2602,8 +2602,10 @@
               </listitem>
 
               <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
+                <para>With the exception of the
-                file.</para>
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
               </listitem>
 
               <listitem>
@@ -2611,6 +2613,26 @@
                 tab character; there is no attempt made to otherwise align the
                 columns.</para>
               </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning: </para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
             </orderedlist>
           </important>
 

Shorewall/uninstall.sh

@@ -28,6 +28,7 @@
 
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
+Product=Shorewall
 
 usage() # $1 = exit status
 {

Shorewall6/Macros/macro.mDNSbi

@@ -0,0 +1,14 @@
+#
+# Shorewall6 -- /usr/share/shorewall6/macro.mDNSbi
+#
+# This macro handles bidirectional multicast DNS traffic.
+#
+###############################################################################
+#ACTION SOURCE  DEST                    PROTO   DPORT   SPORT
+
+PARAM   -       [ff02::fb]              udp     5353
+PARAM   -       -                       udp     1024:   5353
+PARAM   -       [ff02::fb]              2
+PARAM   DEST    SOURCE:[ff02::fb]       udp     5353
+PARAM   DEST    SOURCE                  udp     1024:   5353
+PARAM   DEST    SOURCE:[ff02::fb]       2

Shorewall6/configfiles/snat

@@ -1,8 +1,9 @@
 #
-# Shorewall6 SNAT/Masquerade File
+# Shorewall6 -- /etc/shorewall6/snat
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See http://shorewall.net/manpages6/shorewall6-snat.html for more information
-###################################################################################################################
+#
+###########################################################################################################################################
 #ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall6/manpages/shorewall6-actions.xml

@@ -131,6 +131,18 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>logjump</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. Performs the same function as
+                <option>nolog</option> (below), with the addition that the
+                jump to the actions chain is logged if a log level is
+                specified on the action invocation. For inline actions, this
+                option is identical to <option>nolog</option>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>mangle</option></term>
 
@@ -143,6 +155,20 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>nat</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Specifies that this action is
+                to be used in <ulink
+                url="shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>noinline</option></term>
 

Shorewall6/manpages/shorewall6-masq.xml

@@ -125,7 +125,7 @@
       <varlistentry>
         <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
         role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis

Shorewall6/manpages/shorewall6-snat.xml

@@ -75,7 +75,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>|</term>
@@ -170,7 +170,7 @@
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
         [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to SNAT; one or more host or

Shorewall6/manpages/shorewall6.xml

@@ -2480,8 +2480,10 @@
               </listitem>
 
               <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
+                <para>With the exception of the
-                file.</para>
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
               </listitem>
 
               <listitem>
@@ -2489,6 +2491,26 @@
                 tab character; there is no attempt made to otherwise align the
                 columns.</para>
               </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning:</para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
             </orderedlist>
           </important>
 

docs/Anatomy.xml

@@ -106,8 +106,17 @@
     url="Install.htm#idp8774904608">configure scripts included with Shorewall
     Core</ulink>.</para>
 
+    <important>
+      <para>Since Shorewall 4.5.2, each of these directories is now
+      relocatable using the <ulink url="Install.htm#idp8774904608">configure
+      scripts included with Shorewall Core</ulink>. These scripts set shell
+      variables in the shorewallrc file which is normally installed in
+      /usr/share/shorewall/. The name of the variable is included in
+      parentheses in the section headings below.</para>
+    </important>
+
     <section id="sbin">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall</filename> shell program is used to
       interact with Shorewall. See <ulink
@@ -115,7 +124,7 @@
     </section>
 
     <section id="share-shorewall">
-      <title>/usr/share/shorewall</title>
+      <title>/usr/share/shorewall (${SHAREDIR}/shorewall)</title>
 
       <para>The bulk of Shorewall is installed here.</para>
 
@@ -220,22 +229,28 @@
     </section>
 
     <section id="shorewall">
-      <title>/etc/shorewall</title>
+      <title>/etc/shorewall (${CONFDIR}/shorewall)</title>
 
       <para>This is where the modifiable IPv4 configuration files are
       installed.</para>
     </section>
 
     <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
     </section>
 
     <section id="var">
-      <title>/var/lib/shorewall</title>
+      <title>/var/lib/shorewall (${VARLIB}/shorewall)</title>
 
       <para>Shorewall doesn't install any files in this directory but rather
       uses the directory for storing state information. This directory may be
@@ -332,7 +347,7 @@
     <para>Shorewall6 installs its files in a number of directories:</para>
 
     <section id="sbin6">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall6</filename> shell program is used to
       interact with Shorewall6. See <ulink
@@ -340,7 +355,7 @@
     </section>
 
     <section id="share-shorewall6">
-      <title>/usr/share/shorewall6</title>
+      <title>/usr/share/shorewall6 (${SHAREDIR}/shorewall6)</title>
 
       <para>The bulk of Shorewall6 is installed here.</para>
 
@@ -417,14 +432,28 @@
     </section>
 
     <section id="etc-shorewall6">
-      <title>/etc/shorewall6</title>
+      <title>/etc/shorewall6 (${CONFDIR}/</title>
 
       <para>This is where the modifiable IPv6 configuration files are
       installed.</para>
     </section>
 
+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall6</filename> or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
     <section id="var-shorewall6">
-      <title>/var/lib/shorewall6</title>
+      <title>/var/lib/shorewall6 (${VARLIB}/shorewall6)</title>
 
       <para>Shorewall6 doesn't install any files in this directory but rather
       uses the directory for storing state information. This directory may be
@@ -514,7 +543,7 @@
     in the sub-sections that follow.</para>
 
     <section id="sbin-lite">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR_</title>
 
       <para>The <filename>/sbin/shorewall-lite</filename> shell program is
       used to interact with Shorewall lite. See <ulink
@@ -522,22 +551,28 @@
     </section>
 
     <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall-lite</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
     </section>
 
     <section id="shorewall-lite">
-      <title>/etc/shorewall-lite</title>
+      <title>/etc/shorewall-lite (${CONFDIR}/shorewall-lite)</title>
 
       <para>This is where the modifiable configuration files are
       installed.</para>
     </section>
 
     <section id="share-lite">
-      <title>/usr/share/shorewall-lite</title>
+      <title>/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)</title>
 
       <para>The bulk of Shorewall-lite is installed here.</para>
 
@@ -586,7 +621,7 @@
     </section>
 
     <section id="var-lite">
-      <title>/var/lib/shorewall-lite</title>
+      <title>/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)</title>
 
       <para>Shorewall-lite doesn't install any files in this directory but
       rather uses the directory for storing state information. This directory
@@ -719,15 +754,29 @@
       <filename>rc.firewall</filename>.</para>
     </section>
 
+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall</filename>6-lite or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
     <section id="etc-shorewall6-lite">
-      <title>/etc/shorewall6-lite</title>
+      <title>/etc/shorewall6-lite (${CONFDIR}/shorewall6-lite)</title>
 
       <para>This is where the modifiable configuration files are
       installed.</para>
     </section>
 
     <section id="share-lite6">
-      <title>/usr/share/shorewall6-lite</title>
+      <title>/usr/share/shorewall6-lite (${SHAREDIR}/shorewall6-lite)</title>
 
       <para>The bulk of Shorewall-lite is installed here.</para>
 
@@ -776,7 +825,7 @@
     </section>
 
     <section id="var-lite6">
-      <title>/var/lib/shorewall6-lite</title>
+      <title>/var/lib/shorewall6-lite (${VARLIB}/shorewall6-lite)</title>
 
       <para>Shorewall6-lite doesn't install any files in this directory but
       rather uses the directory for storing state information. This directory

docs/PacketMarking.xml

@@ -44,7 +44,7 @@
   </caution>
 
   <important>
-    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall
     4.6.0. /etc/shorwall/tcrules is still supported but its use is
     deprecated.</para>
   </important>

docs/QOSExample.xml

@@ -76,7 +76,11 @@
     <para>The shell variables set in the OpenWRT script are set in the
     Shorewall params file:</para>
 
-    <programlisting>DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
+    <programlisting># local network
+
+MYNET=192.168.0.0/24
+
+DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
 UPLOAD=7000 # set xx% of real upload speed
 
 # multiports = up to 15 ports

docs/bridge-Shorewall-perl.xml

@@ -102,12 +102,9 @@
       <listitem>
         <para>Your kernel must contain Netfilter physdev match support
         (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
-        Physdev match is standard in the 2.6 kernel series but must be patched
+        Physdev match is standard in the 2.6 and later kernel series but must
-        into the 2.4 kernels (see <ulink
+        be patched into the 2.4 kernels (see <ulink
-        url="http://bridge.sf.net">http://bridge.sf.net</ulink>). Bering and
+        url="http://bridge.sf.net">http://bridge.sf.net</ulink>).</para>
-        Bering uCLibc users must find and install ipt_physdev.o for their
-        distribution and add <quote>ipt_physdev</quote> to
-        /etc/modules.</para>
       </listitem>
 
       <listitem>