Correct 'show macros'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -365,6 +365,12 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
+# Install the CLI
+#
+install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -380,6 +386,31 @@ for f in lib.* ; do
     echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 
+if [ $SHAREDIR != /usr/share ]; then
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
+fi
+
+#
+# Install the Man Pages
+#
+if [ -n "$MANDIR" ]; then
+    cd manpages
+
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
+
+    for f in *.8; do
+	gzip -9c $f > $f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    done
+
+    cd ..
+
+    echo "Man Pages Installed"
+fi
+
 #
 # Symbolically link 'functions' to lib.base
 #

Shorewall-core/lib.base

@@ -20,412 +20,22 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library contains the code common to all Shorewall components except the
+# This library is a compatibility wrapper around lib.core.
-# generated scripts.
 #
 
-SHOREWALL_LIBVERSION=40509
+if [ -z "$PRODUCT" ]; then
-
-[ -n "${g_program:=shorewall}" ]
-
-if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} != /usr/share
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_sharedir="$SHAREDIR"/$g_program
+    g_basedir=${SHAREDIR}/shorewall
-    g_confdir="$CONFDIR"/$g_program
+
-    g_readrc=1
+    if [ -z "$SHOREWALL_LIBVERSION" ]; then
+	. ${g_basedir}/lib.core
+    fi
+
+    set_default_product
+
+    setup_product_environment
 fi
-
-g_basedir=${SHAREDIR}/shorewall
-
-case $g_program in
-    shorewall)
-	g_product="Shorewall"
-	g_family=4
-	g_tool=iptables
-	g_lite=
-	;;
-    shorewall6)
-	g_product="Shorewall6"
-	g_family=6
-	g_tool=ip6tables
-	g_lite=
-	;;
-    shorewall-lite)
-	g_product="Shorewall Lite"
-	g_family=4
-	g_tool=iptables
-	g_lite=Yes
-	;;
-    shorewall6-lite)
-	g_product="Shorewall6 Lite"
-	g_family=6
-	g_tool=ip6tables
-	g_lite=Yes
-	;;
-esac
-
-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/$g_program
-elif [ -z "${VARDIR}" ]; then
-    VARDIR="${VARLIB}/${PRODUCT}"
-fi
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}

Shorewall-core/lib.cli

@@ -25,22 +25,18 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50004
+SHOREWALL_CAPVERSION=50100
 
-[ -n "${g_program:=shorewall}" ]
+if [ -z "$g_basedir" ]; then
-
-if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} <> /usr/share
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_sharedir="$SHAREDIR"/$g_program
+    g_basedir=${SHAREDIR}/shorewall
-    g_confdir="$CONFDIR"/$g_program
-    g_readrc=1
 fi
 
-. ${SHAREDIR}/shorewall/lib.base
+. ${g_basedir}/lib.core
 
 #
 # Issue an error message and die
@@ -395,13 +391,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
 
-	    $g_ring_bell
+	    printf '\a'
 
 	    packet_log 40
 
 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $g_echo_n 'Enter any character to continue: '
+		printf 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -949,7 +945,7 @@ show_events() {
 	for file in /proc/net/xt_recent/*; do
 	    base=$(basename $file)
 
-	    if [ $base != %CURRENTTIME ]; then
+	    if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
 		echo $base
 		show_event $base
 		echo
@@ -1011,13 +1007,6 @@ show_raw() {
     $g_tool -t raw -L $g_ipt_options | $output_filter
 }
 
-show_rawpost() {
-    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
-    echo
-    show_reset
-    $g_tool -t rawpost -L $g_ipt_options | $output_filter
-}
-
 show_mangle() {
     echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
     echo
@@ -1161,6 +1150,43 @@ show_macros() {
     done
 }
 
+show_a_macro() {
+    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
+    cat ${directory}/macro.$1
+}
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
+show_ipsec() {
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+}
+
+show_ipsec_command() {
+    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
+    show_ipsec
+}
+
 #
 # Show Command Executor
 #
@@ -1181,10 +1207,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 10 ]; then
+	    if [ ${#macro} -gt 5 ]; then
-		echo "   $macro  ${foo#\#}"
+		printf "  $macro\t${foo#\#}\n"
 	    else
-		$g_echo_e "   $macro  \t${foo#\#}"
+		printf "  $macro\t\t${foo#\#}\n"
 	    fi
 	fi
     }
@@ -1231,7 +1257,7 @@ show_command() {
 			    [ $# -eq 1 ] && missing_option_value -t
 
 			    case $2 in
-				mangle|nat|filter|raw|rawpost)
+				mangle|nat|filter|raw)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -1285,10 +1311,6 @@ show_command() {
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
-	rawpost)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_rawpost $g_pager
-	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
@@ -1356,14 +1378,14 @@ show_command() {
 		echo "LIBEXEC=${LIBEXECDIR}"
 		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is /var/lib/$g_program"
+		echo "Default VARDIR is /var/lib/$PRODUCT"
 		echo "LIBEXEC is ${LIBEXECDIR}"
 		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
 	chain)
@@ -1426,8 +1448,12 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
+	ipsec)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_ipsec_command $g_pager
+	    ;;
 	*)
-	    case "$g_program" in
+	    case "$PRODUCT" in
 		*-lite)
 		    ;;
 	    	*)
@@ -1441,8 +1467,7 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				    eval show_a_macro $2 $g_pager
-				    cat ${directory}/macro.$2
 				    return
 				fi
 			    done
@@ -1674,11 +1699,6 @@ do_dump_command() {
 	$g_tool -t raw -L $g_ipt_options
     fi
 
-    if qt $g_tool -t rawpost -L -n; then
-	heading "Rawpost Table"
-	$g_tool -t rawpost -L $g_ipt_options
-    fi
-
     local count
     local max
 
@@ -1729,12 +1749,7 @@ do_dump_command() {
     heading "Events"
     show_events
 
-    if qt mywhich setkey; then
+    show_ipsec
-	heading "PFKEY SPD"
-	setkey -DP
-	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
-    fi
 
     heading "/proc"
     show_proc /proc/version
@@ -1805,6 +1820,7 @@ dump_command() {
 restore_command() {
     local finished
     finished=0
+    local result
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1869,8 +1885,11 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."
 
 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
+	result=$?
 
 	[ -n "$g_nolock" ] || mutex_off
+
+	exit $result
     else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -1930,15 +1949,6 @@ read_yesno_with_timeout() {
     fi
 }
 
-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2739,7 +2749,6 @@ determine_capabilities() {
     CONNMARK_MATCH=
     XCONNMARK_MATCH=
     RAW_TABLE=
-    RAWPOST_TABLE=
     IPP2P_MATCH=
     OLD_IPP2P_MATCH=
     LENGTH_MATCH=
@@ -2795,6 +2804,8 @@ determine_capabilities() {
     IFACE_MATCH=
     TCPMSS_TARGET=
     WAIT_OPTION=
+    CPU_FANOUT=
+    NETMAP_TARGET=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2829,8 +2840,10 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
 	    else
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -2990,7 +3003,6 @@ determine_capabilities() {
     fi
 
     qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
-    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
 
     if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -F $chain
@@ -3092,7 +3104,12 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
     fi
-    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+
+    if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
+	NFQUEUE_TARGET=Yes
+	qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
+    fi
+
     qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
 
     #
@@ -3211,7 +3228,6 @@ report_capabilities_unsorted() {
     report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
     [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
     report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
-    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
     report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
     [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
     report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3290,6 +3306,8 @@ report_capabilities_unsorted() {
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
     report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
+    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
+    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3339,7 +3357,6 @@ report_capabilities_unsorted1() {
     report_capability1 CONNMARK_MATCH
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
-    report_capability1 RAWPOST_TABLE
     report_capability1 IPP2P_MATCH
     report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
@@ -3395,6 +3412,8 @@ report_capabilities_unsorted1() {
     report_capability1 IFACE_MATCH
     report_capability1 TCPMSS_TARGET
     report_capability1 WAIT_OPTION
+    report_capability1 CPU_FANOUT
+    report_capability1 NETMAP_TARGET
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3866,7 +3885,7 @@ get_config() {
 
     ensure_config_path
 
-    config=$(find_file ${g_program}.conf)
+    config=$(find_file ${PRODUCT}.conf)
 
     if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -3992,6 +4011,7 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    if [ -z "$g_nopager" ]; then
 	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
 	if [ -n "$PAGER" -a -t 1 ]; then
@@ -4010,6 +4030,7 @@ get_config() {
 
 	    g_pager="| $g_pager"
 	fi
+    fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -4285,8 +4306,9 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
     fi
 
+    echo "   [ show | list | ls ] ipsec"
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw"
     ecko "   [ show | list | ls ] macro <macro>"
     ecko "   [ show | list | ls ] macros"
     echo "   [ show | list | ls ] nfacct"
@@ -4315,7 +4337,7 @@ usage() # $1 = exit status
 #
 # This is the main entry point into the CLI. It directly handles all commands supported
 # by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
+# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones
 # here if that lib is loaded below.
 #
 shorewall_cli() {
@@ -4357,13 +4379,16 @@ shorewall_cli() {
     g_loopback=
     g_compiled=
     g_pager=
+    g_nopager=
     g_blacklistipset=
     g_disconnect=
 
     VERBOSE=
     VERBOSITY=1
-
+    #
-    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
+    # Set the default product based on the Shorewall packages installed
+    #
+    set_default_product
 
     finished=0
 
@@ -4453,6 +4478,34 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
+			p*)
+			    g_nopager=Yes
+			    option=${option#p}
+			    ;;
+			6*)
+			    if [ "$PRODUCT" = shorewall ]; then
+				PRODUCT=shorewall6
+			    elif [ "$PRODUCT" = shorewall-lite ]; then
+				PRODUCT=shorewall6-lite
+			    fi
+			    option=${option#6}
+			    ;;
+			4*)
+			    if [ "$PRODUCT" = shorewall6 ]; then
+				PRODUCT=shorewall
+			    elif [ "$PRODUCT" = shorewall6-lite ]; then
+				PRODUCT=shorewall-lite
+			    fi
+			    option=${option#4}
+			    ;;
+			l*)
+			    if [ "$PRODUCT" = shorewall ]; then
+				PRODUCT=shorewall-lite
+			    elif [ "$PRODUCT" = shorewall6 ]; then
+				PRODUCT=shorewall6-lite
+			    fi
+			    option=${option#l}
+			    ;;
 			-)
 			    finished=1
 			    option=
@@ -4474,12 +4527,16 @@ shorewall_cli() {
 	usage 1
     fi
 
+    setup_product_environment 1
+
+   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
+
     PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
     MUTEX_TIMEOUT=
 
     [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
 
-    [ -n "${VARDIR:=/var/lib/$g_program}" ]
+    [ -n "${VARDIR:=/var/lib/$PRODUCT}" ]
 
     g_firewall=${VARDIR}/firewall
 
@@ -4494,26 +4551,6 @@ shorewall_cli() {
 
     banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
 
-    case $(echo -e) in
-	-e*)
-	    g_ring_bell="echo \a"
-	    g_echo_e="echo"
-	    ;;
-	*)
-	    g_ring_bell="echo -e \a"
-	    g_echo_e="echo -e"
-	    ;;
-    esac
-
-    case $(echo -n "Testing") in
-	-n*)
-	    g_echo_n=
-	    ;;
-	*)
-	    g_echo_n=-n
-	    ;;
-    esac
-
     COMMAND=$1
 
     case "$COMMAND" in

Shorewall-core/lib.core

@@ -0,0 +1,440 @@
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+#
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
+#
+
+SHOREWALL_LIBVERSION=50100
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
+    g_basedir=${SHAREDIR}/shorewall
+
+    g_sharedir="$SHAREDIR"/$PRODUCT
+    g_confdir="$CONFDIR"/$PRODUCT
+
+    case $PRODUCT in
+	shorewall)
+	    g_product="Shorewall"
+	    g_family=4
+	    g_tool=iptables
+	    g_lite=
+	    ;;
+	shorewall6)
+	    g_product="Shorewall6"
+	    g_family=6
+	    g_tool=ip6tables
+	    g_lite=
+	    ;;
+	shorewall-lite)
+	    g_product="Shorewall Lite"
+	    g_family=4
+	    g_tool=iptables
+	    g_lite=Yes
+	    ;;
+	shorewall6-lite)
+	    g_product="Shorewall6 Lite"
+	    g_family=6
+	    g_tool=ip6tables
+	    g_lite=Yes
+	    ;;
+	*)
+	    fatal_error "Unknown PRODUCT ($PRODUCT)"
+	    ;;
+    esac
+
+    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
+    #
+    # We need to do this again, now that we have the correct product
+    #
+    [ -n "$1" ] && . ${g_basedir}/shorewallrc
+
+    if [ -z "${VARLIB}" ]; then
+	VARLIB=${VARDIR}
+	VARDIR=${VARLIB}/${PRODUCT}
+    elif [ -z "${VARDIR}" ]; then
+	VARDIR="${VARLIB}/${PRODUCT}"
+    fi
+}
+
+set_default_product() {
+    case $(basename $0) in
+	shorewall6)
+	    PRODUCT=shorewall6
+	    ;;
+	shorewall4)
+	    PRODUCT=shorewall
+	    ;;
+	shorewall-lite)
+	    PRODUCT=shorewall-lite
+	    ;;
+	shorewall6-lite)
+	    PRODUCT=shorewall6-lite
+	    ;;
+	*)
+	    if [ -f ${g_basedir}/version ]; then
+		PRODUCT=shorewall
+	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+		PRODUCT=shorewall-lite
+	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
+		PRODUCT=shorewall6-lite
+	    else
+		fatal_error "No Shorewall firewall product is installed"
+	    fi
+	    ;;
+    esac
+}
+
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    l=$(( $last + 1 ))
+
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}

Shorewall-core/shorewall

@@ -32,11 +32,8 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc
 
-g_program=$PRODUCT
+g_basedir=${SHAREDIR}/shorewall
-g_sharedir="$SHAREDIR"/shorewall
-g_confdir="$CONFDIR"/shorewall
-g_readrc=1
 
-. $g_sharedir/lib.cli
+. ${g_basedir}/lib.cli
 
 shorewall_cli $@

Shorewall-core/uninstall.sh

@@ -81,7 +81,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall-init/ifupdown.debian.sh

@@ -31,8 +31,10 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
     fi
 }

Shorewall-init/ifupdown.fedora.sh

@@ -33,9 +33,11 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ ! -x "$STATEDIR/firewall" ]; then
+    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
     fi
 }

Shorewall-init/ifupdown.suse.sh

@@ -31,8 +31,10 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
     fi
 }

Shorewall-init/init.debian.sh

@@ -73,8 +73,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
 	return 0
     fi
@@ -102,7 +104,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
@@ -123,7 +125,7 @@ shorewall_start () {
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 
-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "
 
       if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -140,7 +142,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.fedora.sh

@@ -44,8 +44,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
 	return 0
     fi
@@ -62,7 +64,7 @@ start () {
 	return 6 #Not configured
     fi
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -97,7 +99,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir

Shorewall-init/init.openwrt.sh

@@ -75,8 +75,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
 	return 0
     fi
@@ -87,7 +89,7 @@ start () {
     local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -112,7 +114,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.sh

@@ -81,7 +81,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.suse.sh

@@ -79,8 +79,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
 	return 0
     fi
@@ -91,7 +93,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -112,7 +114,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/install.sh

@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
     #
     if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+	file=~/.shorewallrc
      else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
     fi

Shorewall-init/shorewall-init

@@ -33,8 +33,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
 	return 0
     fi
@@ -62,7 +64,7 @@ shorewall_start () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -90,7 +92,7 @@ shorewall_stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/uninstall.sh

@@ -126,7 +126,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall-lite show vardir)
-SHAREDIR=/usr/share/shorewall-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall-lite/init.debian.sh

@@ -13,7 +13,7 @@
 
 . /lib/lsb/init-functions
 
-SRWL=/sbin/shorewall-lite
+SRWL='/sbin/shorewall -l'
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall Lite firewall\": "
+      printf "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall_stop () {
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall-lite/init.fedora.sh

@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
 
-prog="shorewall-lite"
+prog="shorewall -l"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall-lite/init.openwrt.sh

@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"
 
 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
 }
 
 boot() {
@@ -78,17 +78,17 @@ boot() {
 }
 
 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
 }
 
 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
 }
 
 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
 }
 
 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
 }

Shorewall-lite/install.sh

@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"
 
-if [ -f shorewall-lite ]; then
+if [ -f shorewall-lite.service ]; then
     PRODUCT=shorewall-lite
     Product="Shorewall Lite"
 else
@@ -331,7 +331,6 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
     fi
 
-    make_directory ${DESTDIR}${SBINDIR} 755
     make_directory ${DESTDIR}${INITDIR} 755
 
 else
@@ -362,9 +361,9 @@ else
 fi
 
 #
-# Check for ${SBINDIR}/$PRODUCT
+# Check for ${SHAREDIR}/$PRODUCT/version
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
     first_install=""
 else
     first_install="Yes"
@@ -372,17 +371,15 @@ fi
 
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
-install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 
-echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
-
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -433,15 +430,6 @@ elif [ $HOST = gentoo ]; then
     # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
     perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
-
-#
-# Install the  Makefile
-#
-install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-
 #
 # Install the default config path file
 #
@@ -498,7 +486,7 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
     cd manpages
 
-    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/
 
     for f in *.5; do
 	gzip -c $f > $f.gz
@@ -506,6 +494,8 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
+    mkdir -p ${DESTDIR}${MANDIR}/man8/
+
     for f in *.8; do
 	gzip -c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
@@ -540,6 +530,11 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
 
+#
+#  Creatae the symbolic link for the CLI
+#
+ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
+
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
@@ -555,7 +550,6 @@ fi
 
 if [ ${SHAREDIR} != /usr/share ]; then
     eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi
 
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then

Shorewall-lite/shorecap

@@ -45,19 +45,20 @@
 #    require Shorewall to be installed.
 
 
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_sharedir="$SHAREDIR"/shorewall-lite
+g_basedir=${SHAREDIR}/shorewall
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
 
 . ${SHAREDIR}/shorewall/lib.cli
-. /usr/share/shorewall-lite/configpath
+
+setup_product_environment
+
+. ${SHAREDIR}/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 

Shorewall-lite/shorewall-lite

@@ -1,42 +0,0 @@
-#!/bin/sh
-#
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
-#         Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
-#
-################################################################################################
-PRODUCT=shorewall-lite
-
-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
-
-shorewall_cli $@

Shorewall-lite/uninstall.sh

@@ -125,7 +125,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/Makefile
-#
-# Reload Shorewall if config files are updated.
-
-SWBIN	?= /sbin/shorewall -q
-CONFDIR	?= /etc/shorewall
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall/Perl/Shorewall/Chains.pm

@@ -120,7 +120,6 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
-		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
-				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -268,7 +266,6 @@ our %EXPORT_TAGS = (
 				       mark_firewall6_not_started
 				       interface_address
 				       get_interface_address
-				       used_address_variable
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
@@ -419,7 +416,6 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
-our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -760,13 +756,11 @@ sub initialize( $$$ ) {
     ( $family, my $hard, $export ) = @_;
 
     %chain_table = ( raw    =>  {},
-		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );
 
     $raw_table     = $chain_table{raw};
-    $rawpost_table = $chain_table{rawpost};
     $nat_table     = $chain_table{nat};
     $mangle_table  = $chain_table{mangle};
     $filter_table  = $chain_table{filter};
@@ -811,7 +805,6 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
-		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1197,9 +1190,16 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies '-m policy'
+    # Don't combine chains where each specifies
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
     #
-    return ! ( $ref1->{policy} && $ref2->{policy} );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
+	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
 
 #
@@ -1219,6 +1219,7 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
+	    $toref->{simple} = 0;
 	}
     }
 
@@ -2720,24 +2721,6 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
-
-	if ( $config{CHAIN_SCRIPTS} ) {
-	    unless ( $chain eq 'accounting' ) {
-		my $file = find_file $chain;
-
-		if ( -f $file ) {
-		    progress_message "Running $file...";
-
-		    my ( $level, $tag ) = ( '', '' );
-
-		    unless ( my $return = eval `cat $file` ) {
-			fatal_error "Couldn't parse $file: $@" if $@;
-			fatal_error "Couldn't do $file: $!"    unless defined $return;
-			fatal_error "Couldn't run $file"       unless $return;
-		    }
-		}
-	    }
-	}
     }
 
     $chainref;
@@ -2776,14 +2759,6 @@ sub ensure_raw_chain($) {
     $chainref;
 }
 
-sub ensure_rawpost_chain($) {
-    my $chain = $_[0];
-
-    my $chainref = ensure_chain 'rawpost', $chain;
-    $chainref->{referenced} = 1;
-    $chainref;
-}
-
 #
 # Add a builtin chain
 #
@@ -2982,8 +2957,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3046,8 +3019,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3351,7 +3322,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw rawpost mangle nat filter/ ) {
+    for my $table ( qw/raw mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;
 
@@ -3601,7 +3572,7 @@ sub optimize_level4( $$ ) {
     if ( my $chains  = @chains ) {
 	$passes++;
 
-	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";
 
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -4270,7 +4241,6 @@ sub valid_tables() {
     my @table_list;
 
     push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
-    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
     push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
     push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
     push @table_list, 'filter'; #MUST BE LAST!!!
@@ -5778,12 +5748,12 @@ sub have_ipset_rules() {
     $ipset_rules;
 }
 
-sub get_interface_address( $ );
+sub get_interface_address( $;$ );
 
 sub get_interface_gateway ( $;$$ );
 
-sub record_runtime_address( $$;$ ) {
+sub record_runtime_address( $$;$$ ) {
-    my ( $addrtype, $interface, $protect ) = @_;
+    my ( $addrtype, $interface, $protect, $provider ) = @_;
 
     if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5797,9 +5767,9 @@ sub record_runtime_address( $$;$ ) {
     my $addr;
 
     if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface );
+	$addr = get_interface_address( $interface, $provider );
     } else {
-	$addr = get_interface_gateway( $interface, $protect );
+	$addr = get_interface_gateway( $interface, $protect, $provider );
     }
 
     $addr . ' ';
@@ -6796,8 +6766,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $ ) {
+sub get_interface_address ( $;$ ) {
-    my ( $logical ) = $_[0];
+    my ( $logical, $provider ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
@@ -6807,11 +6777,9 @@ sub get_interface_address ( $ ) {
 
     $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
 
-    "\$$variable";
+    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
-}
 
-sub used_address_variable( $ ) {
+    "\$$variable";
-    defined $interfaceaddr{$_[0]}
 }
 
 #
@@ -7622,7 +7590,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$$;$ )
+sub expand_rule1( $$$$$$$$$$$$;$ )
 {
     my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7639,8 +7607,6 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
        ) = @_;
 
-    return if $chainref->{complete};
-
     my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
        ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
     my  $chain = $actparams{chain} || $chainref->{name};
@@ -7875,6 +7841,78 @@ sub expand_rule( $$$$$$$$$$$$;$ )
     $diface;
 }
 
+sub expand_rule( $$$$$$$$$$$$;$$$ )
+{
+    my ($chainref ,    # Chain
+	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
+	$prerule,      # Matches that go at the front of the rule
+	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
+	$source,       # SOURCE
+	$dest,         # DEST
+	$origdest,     # ORIGINAL DEST
+	$target,       # Target ('-j' part of the rule - may be empty)
+	$loglevel ,    # Log level (and tag)
+	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
+	$exceptionrule,# Caller's matches used in exclusion case
+	$usergenerated,# Rule came from the IP[6]TABLES target
+	$logname,      # Name of chain to name in log messages
+	$device,       # TC Device Name
+	$classid,      # TC Class Id
+       ) = @_;
+
+    return if $chainref->{complete};
+
+    my ( @source, @dest );
+
+    $source = '' unless defined $source;
+    $dest   = '' unless defined $dest;
+
+    if ( $source =~ /\(.+\)/ ) {
+	@source = split_list3( $source, 'SOURCE' );
+    } else {
+	@source = ( $source );
+    }
+
+    if ( $dest =~ /\(.+\)/ ) {
+	@dest = split_list3( $dest, 'DEST' );
+    } else {
+	@dest = ( $dest );
+    }
+
+    for $source ( @source ) {
+	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
+	    $source = join( ':', $1, $2 );
+	} elsif ( $source =~ /^\((.+)\)$/ ) {
+	    $source = $1;
+	}
+
+	for $dest ( @dest ) {
+	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
+		$dest = join( ':', $1, $2 );
+	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
+		$dest = $1;
+	    }
+
+	    if ( ( my $result = expand_rule1( $chainref ,
+					      $restriction ,
+					      $prerule ,
+					      $rule ,
+					      $source ,
+					      $dest ,
+					      $origdest ,
+					      $target ,
+					      $loglevel ,
+					      $disposition ,
+					      $exceptionrule ,
+					      $usergenerated ,
+					      $logname ,
+		   ) ) && $device ) {
+		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
+	    }
+	}
+    }
+}
+
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
@@ -8883,7 +8921,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
 
 	    $chains{$table} = {} unless $chains{$table};
 
@@ -8912,7 +8950,7 @@ sub create_chainlist_reload($) {
 
 	enter_cat_mode;
 
-	for $table ( qw(raw rawpost nat mangle filter) ) {
+	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 
 	    next unless $tableref;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -701,7 +701,7 @@ sub compiler {
     #
     # Allow user to load Perl modules
     #
-    run_user_exit1 'compile';
+    run_user_exit 'compile';
     #
     # Create a temp file to hold the script
     #

Shorewall/Perl/Shorewall/Config.pm

@@ -130,9 +130,11 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
+				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
+				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -153,8 +155,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
-				       run_user_exit1
-				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -174,6 +174,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -388,7 +389,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
-		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -411,6 +411,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                  TCPMSS_TARGET   => 'TCPMSS Target',
                  WAIT_OPTION     => 'iptables --wait option',
+                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
+                 NETMAP_TARGET   => 'NETMAP Target',
 
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -564,6 +566,7 @@ our $usedcaller;
 our $inline_matches;
 
 our $currentline;            # Current config file line image
+our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -640,6 +643,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
+		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -745,7 +749,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.9-Beta2",
-		    CAPVERSION              => 50004 ,
+		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -887,7 +891,6 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
-	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -977,7 +980,6 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
-	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1033,6 +1035,8 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
+	       CPU_FANOUT => undef,
+	       NETMAP_TARGET => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1997,6 +2001,21 @@ sub find_writable_file($) {
     "$config_path[0]$filename";
 }
 
+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2055,7 +2074,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
     my ($list, $type ) = @_;
 
-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
 
     my @list1 = split /:/, $list;
     my @list2;
@@ -2092,6 +2111,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2257,21 +2277,6 @@ sub split_columns( $ ) {
     @list2;
 }
 
-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();
 
 #
@@ -2442,6 +2447,25 @@ sub split_line2( $$;$$$ ) {
     @line;
 }
 
+#
+# Same as above, only it splits the raw current line
+#
+sub split_rawline2( $$;$$$ ) {
+    my $savecurrentline = $currentline;
+
+    $currentline = $rawcurrentline;
+    #
+    # Delete trailing comment
+    #
+    $currentline =~ s/\s*#.*//;
+
+    my @result = &split_line2( @_ );
+
+    $currentline = $savecurrentline;
+
+    @result;
+}
+
 sub split_line1( $$;$$ ) {
     &split_line2( @_, undef );
 }
@@ -3026,9 +3050,9 @@ sub process_compiler_directive( $$$$ ) {
 
     if ( $directive_callback ) {
         $directive_callback->( $keyword, $line ) 
-    } else {
-        $omitting;
     }
+
+    $omitting;
 }
 
 #
@@ -3736,6 +3760,7 @@ sub read_a_line($) {
 
 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
+		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }
 
@@ -3790,6 +3815,10 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
+	    # Save Raw Image
+	    #
+	    $rawcurrentline = $currentline;
+	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3818,7 +3847,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
@@ -4290,6 +4319,22 @@ sub Masquerade_Tgt() {
     $result;
 }
 
+sub Netmap_Target() {
+    have_capability( 'NAT_ENABLED' ) || return '';
+
+    my $result = '';
+    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
+
+    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
+	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
+	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
+	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
+
+    }
+
+    $result;
+}
+
 sub Udpliteredirect() {
     have_capability( 'NAT_ENABLED' ) || return '';
 
@@ -4488,10 +4533,6 @@ sub Raw_Table() {
     qt1( "$iptables $iptablesw -t raw -L -n" );
 }
 
-sub Rawpost_Table() {
-    qt1( "$iptables $iptablesw -t rawpost -L -n" );
-}
-
 sub Old_IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
@@ -4819,6 +4860,10 @@ sub Tcpmss_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }
 
+sub Cpu_Fanout() {
+    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AMANDA_HELPER => \&Amanda_Helper,
@@ -4835,6 +4880,7 @@ our %detect_capability =
       CONNMARK => \&Connmark,
       CONNMARK_MATCH => \&Connmark_Match,
       CONNTRACK_MATCH => \&Conntrack_Match,
+      CPU_FANOUT => \&Cpu_Fanout,
       CT_TARGET => \&Ct_Target,
       DSCP_MATCH => \&Dscp_Match,
       DSCP_TARGET => \&Dscp_Target,
@@ -4878,6 +4924,7 @@ our %detect_capability =
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
+      NETMAP_TARGET => \&Netmap_Target,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
       NFACCT_MATCH => \&NFAcct_Match,
       NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4893,7 +4940,6 @@ our %detect_capability =
       POLICY_MATCH => \&Policy_Match,
       PPTP_HELPER => \&PPTP_Helper,
       RAW_TABLE => \&Raw_Table,
-      RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
@@ -5021,7 +5067,6 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5062,6 +5107,8 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
+	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
+	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5235,6 +5282,8 @@ sub update_config_file( $ ) {
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
     update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
+    update_default( 'LOGLIMIT',       '' );
 
     my $fn;
 
@@ -6183,7 +6232,6 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'AUTOCOMMENT'                , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';
 
     if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6700,32 +6748,7 @@ sub append_file( $;$$ ) {
     $result;
 }
 
-#
-# Run a Perl extension script
-#
 sub run_user_exit( $ ) {
-    my $chainref = $_[0];
-    my $file = find_file $chainref->{name};
-
-    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
-	progress_message2 "Running $file...";
-
-	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
-
-	unless (my $return = eval $command ) {
-	    fatal_error "Couldn't parse $file: $@" if $@;
-
-	    unless ( defined $return ) {
-		fatal_error "Couldn't do $file: $!" if $!;
-		fatal_error "Couldn't do $file";
-	    }
-
-	    fatal_error "$file returned a false value";
-	}
-    }
-}
-
-sub run_user_exit1( $ ) {
     my $file = find_file $_[0];
 
     if ( -f $file ) {
@@ -6757,37 +6780,6 @@ sub run_user_exit1( $ ) {
     }
 }
 
-sub run_user_exit2( $$ ) {
-    my ($file, $chainref) = ( find_file $_[0], $_[1] );
-
-    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
-	progress_message2 "Running $file...";
-	#
-	# File may be empty -- in which case eval would fail
-	#
-	push_open $file;
-
-	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-	    close_file;
-	    pop_open;
-
-	    unless (my $return = eval `cat $file` ) {
-		fatal_error "Couldn't parse $file: $@" if $@;
-
-		unless ( defined $return ) {
-		    fatal_error "Couldn't do $file: $!" if $!;
-		    fatal_error "Couldn't do $file";
-		}
-
-		fatal_error "$file returned a false value";
-	    }
-	}
-
-	pop_open;
-
-    }
-}
-
 #
 # Generate the aux config file for Shorewall Lite
 #
@@ -6814,7 +6806,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -472,7 +472,7 @@ sub validate_portpair1( $$ ) {
 
     fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
     $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
 
     my @ports = split /-/, $portpair, 2;
@@ -483,9 +483,10 @@ sub validate_portpair1( $$ ) {
 
     if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
     } else {
 	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
     }
 
     fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless

Shorewall/Perl/Shorewall/Misc.pm

@@ -216,6 +216,7 @@ sub convert_blacklist() {
     my $audit       = $disposition =~ /^A_/;
     my $target      = $disposition;
     my $orig_target = $target;
+    my $warnings    = 0;
     my @rules;
 
     if ( @$zones || @$zones1 ) {
@@ -237,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry "Converting $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
+		split_rawline2( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+				{ networks => 0, proto => 1, port => 2, options => 3 },
+				{},
+				4,
+		);
 
 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -300,6 +311,8 @@ sub convert_blacklist() {
 	    }
 	}
 
+	directive_callback(0);
+
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -312,7 +325,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -395,6 +408,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
 	my $seq      = 0;
+	my $warnings = 0;
 	my $date = compiletime;
 
 	my ( $stoppedrules, $fn1 );
@@ -406,7 +420,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -422,6 +436,13 @@ sub convert_routestopped() {
 EOF
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -436,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {
 
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
+		split_rawline2( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
+				{},
+				6,
+				0,
+		);
 
 	    my $interfaceref;
 
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 
 	    my $routeback = 0;
@@ -456,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';
 
 	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -501,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}
 
+	directive_callback(0);
+
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -1004,7 +1028,7 @@ sub add_common_rules ( $ ) {
 	    );
     }
 	    
-    run_user_exit1 'initdone';
+    run_user_exit 'initdone';
 
     if ( $upgrade ) {
 	convert_blacklist;
@@ -1430,8 +1454,6 @@ sub setup_mac_lists( $ ) {
 		}
 	    }
 
-	    run_user_exit2( 'maclog', $chainref );
-
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1657,12 +1679,6 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 
-	if ( have_capability 'RAWPOST_TABLE' ) {
-	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
-	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
-	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
-	}
-
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
     }
     #

Shorewall/Perl/Shorewall/Nat.pm

@@ -60,12 +60,12 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $pre_nat;
-    my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
     my $destnets = '';
     my $baserule = '';
     my $inlinematches = '';
@@ -226,13 +226,13 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = $snat ? 'CONTINUE' : 'RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';
 
-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
 
 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -249,7 +249,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 			    #
 			    $target = 'SNAT ';
 
-			    unless ( $snat ) {
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -276,18 +275,23 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 
 				$addrlist .= '--to-source ' . $addr;
 			    }
-			    }
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
+				my ($ipaddr, $rest) = split ':', $addr, 2;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
+
+				if ( supplied $rest ) {
+				    validate_portpair1( $proto, $rest );
 				    $addrlist .= "--to-source $addr ";
+				} else {
+				    $addrlist .= "--to-source $ipaddr";
+				}
+
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -356,7 +360,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	#
 	# And Generate the Rule(s)
 	#
-	unless ( $snat ) {
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
 		     $prerule ,
@@ -394,12 +397,94 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	    }
 	}
     }
+
+    progress_message "   Masq record \"$currentline\" $done";
+
+}
+
+sub convert_one_masq1( $$$$$$$$$$$$ )
+{
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+
+    my $pre_nat;
+    my $destnets = '';
+    my $savelist;
+    #
+    # Leading '+'
+    #
+    $pre_nat = ( $interfacelist =~ s/^\+// );
+    #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+	$interfacelist = $1;
+    }
+
+    $savelist = $interfacelist;
+    #
+    # Parse the remaining part of the INTERFACE column
+    #
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
+	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
+    }
+    #
+    # If there is no source or destination then allow all addresses
+    #
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';
+
+    my $target;
+    #
+    # Parse the ADDRESSES column
+    #
+    if ( $addresses ne '-' ) {
+	my $saveaddresses = $addresses;
+	if ( $addresses ne 'random' ) {
+	    $addresses =~ s/:persistent$//;
+	    $addresses =~ s/:random$//;
+
+	    if ( $addresses eq 'detect' ) {
+		$target = 'SNAT';
+	    } elsif ( $addresses eq 'NONAT' ) {
+		$target = 'CONTINUE';
+	    } elsif ( $addresses ) {
+		if ( $addresses =~ /^:/ ) {
+		    $target = 'MASQUERADE';
+		} else {
+		    $target = 'SNAT';
+		}
+	    }
+	}
+
+	$addresses = $saveaddresses;
+    } else {
+	$target = 'MASQUERADE';
     }
 
     if ( $snat ) {
-	$target =~ s/ .*//;
 	$target .= '+' if $pre_nat;
-	$target .= '(' . $addresses . ')' if $addresses ne '-' && $addresses ne 'NONAT';
+
+	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
+	    $addresses =~ s/^://;
+	    $target .= '(' . $addresses . ')';
+	}
 
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#
@@ -414,7 +499,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	print $snat "$line\n";
     }
 
-    progress_message "   Masq record \"$currentline\" $done";
+    progress_message "   Masq record \"$rawcurrentline\" Converted";
 
 }
 
@@ -422,6 +507,25 @@ sub process_one_masq( $ )
 {
     my ( $snat ) = @_;
 
+    if ( $snat ) {
+	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+	    #
+	    # Line was not blank or all comment
+	    #
+	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+		split_rawline2( 'masq file',
+				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+				{},    #Nopad
+				undef, #Columns
+				1 );   #Allow inline matches
+
+	    if ( $interfacelist ne '-' ) { 
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+		}
+	    }
+	}
+    } else {
 	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'masq file',
 			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
@@ -432,7 +536,8 @@ sub process_one_masq( $ )
 	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
 
 	for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	}
     }
 }
 
@@ -487,7 +592,19 @@ sub convert_masq() {
 
 	my $have_masq_rules;
 
-	directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    process_one_masq( $snat) if $snat;
+		} else {
+		    print $snat "$_[1]\n"; 0;
+		}
+	    }
+	    );
 
 	first_entry(
 	    sub {
@@ -500,7 +617,18 @@ sub convert_masq() {
 	    }
 	    );
 
-	process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
+	while ( read_a_line( NORMAL_READ ) ) {
+	    #
+	    # Process the file normally
+	    #
+	    process_one_masq(0);
+	    #
+	    # Now Convert it
+	    #
+	    process_one_masq($snat);
+
+	    $have_masq_rules++;
+	}
 
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";
@@ -662,7 +790,6 @@ sub setup_netmap() {
 
 		my @rule = do_iproto( $proto, $dport, $sport );
 
-		unless ( $type =~ /:/ ) {
 		my @rulein;
 		my @ruleout;
 
@@ -677,7 +804,7 @@ sub setup_netmap() {
 		    $interface = $interfaceref->{name};
 		}
 
-		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
 
 		if ( $type eq 'DNAT' ) {
 		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
@@ -693,57 +820,9 @@ sub setup_netmap() {
 				       $net1 ,
 				       @ruleout ,
 				       imatch_dest_net( $net3 ) );
-		    } else {
-			fatal_error "Invalid type ($type)";
-		    }
-		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
-		    my ( $target , $chain ) = ( $1, $2 );
-		    my $table = 'raw';
-		    my @match;
-
-		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
-
-		    $net2 = validate_net $net2, 0;
-
-		    unless ( $interfaceref->{root} ) {
-			@match = imatch_dest_dev(  $interface );
-			$interface = $interfaceref->{name};
-		    }
-
-		    if ( $chain eq 'P' ) {
-			$chain = prerouting_chain $interface;
-			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
-		    } elsif ( $chain eq 'O' ) {
-			$chain = output_chain $interface;
-		    } else {
-			$chain = postrouting_chain $interface;
-			$table = 'rawpost';
-		    }
-
-		    my $chainref = ensure_chain( $table, $chain );
-
-
-		    if ( $target eq 'DNAT' ) {
-			dest_iexclusion( $chainref ,
-					 j => 'RAWDNAT' ,
-					 "--to-dest $net2" ,
-					 $net1 ,
-					 imatch_source_net( $net3 ) ,
-					 @rule ,
-					 @match
-				       );
-		    } else {
-			source_iexclusion( $chainref ,
-					   j  => 'RAWSNAT' ,
-					   "--to-source $net2" ,
-					   $net1 ,
-					   imatch_dest_net( $net3 ) ,
-					   @rule ,
-					   @match );
-		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid TYPE ($type)";
+		    fatal_error "Invalid type ($type)";
 		}
 
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";

Shorewall/Perl/Shorewall/Providers.pm

@@ -220,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
     } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
+	       '                fe80:*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
     }
 
     emit ( '            ;;',
@@ -291,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
     } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
+		'                        fe80:*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $id \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
     }
 
     emit (  '                    ;;',
@@ -799,7 +813,7 @@ sub add_a_provider( $$ ) {
 	}
 
 	if ( $gateway ) {
-	    $address = get_interface_address $interface unless $address;
+	    $address = get_interface_address( $interface, 1 ) unless $address;
 
 	    emit( qq([ -z "$address" ] && return\n) );
 
@@ -925,7 +939,7 @@ CEOF
     }
 
     if ( $gateway ) {
-	$address = get_interface_address $interface unless $address;
+	$address = get_interface_address( $interface, 1 ) unless $address;
 
 	if ( $hostroute ) {
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
@@ -1038,7 +1052,7 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
-	if ( used_address_variable( $interface ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    emit( '',
 		  'if [ -n "$g_forcereload" ]; then',
 		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
@@ -1059,7 +1073,7 @@ CEOF
 
 	emit "fi\n";
 
-	if ( used_address_variable( $interface ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 
 	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
@@ -1095,7 +1109,7 @@ CEOF
 	}
 
 
-	if ( used_address_variable( $interface ) ) {
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
 	}
@@ -1242,7 +1256,7 @@ sub add_an_rtrule1( $$$$$ ) {
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
     } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address '&', $source;
+	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1496,7 +1510,18 @@ sub finish_providers() {
 
     if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
+
+	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	} else {
+	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    '    else',
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    '    fi',
+		    '' );
+	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1549,7 +1574,13 @@ sub finish_providers() {
 
     if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
+
+	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+	} else {
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
+	}
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -2189,7 +2220,7 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 
-		if ( used_address_variable( $interface ) ) {
+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    my $variable = interface_address( $interface );
 
 		    emit( '',
@@ -2242,7 +2273,7 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );
 
-		if ( used_address_variable( $interface ) ) {
+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",

Shorewall/Perl/Shorewall/Raw.pm

@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
 
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;

Shorewall/Perl/Shorewall/Rules.pm

@@ -574,7 +574,7 @@ sub process_default_action( $$$$ ) {
 #
 sub handle_nfqueue( $$ ) {
     my ($params, $allow_bypass ) = @_;
-    my ( $action, $bypass );
+    my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
     require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
@@ -600,6 +600,7 @@ sub handle_nfqueue( $$ ) {
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
 
 	    if ( supplied $queue2 ) {
+		$fanout    = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
 		$queuenum2 = numeric_value( $queue2 );
 
 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -621,7 +622,8 @@ sub handle_nfqueue( $$ ) {
     }
 
     if ( supplied $queue2 ) {
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
+	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
     } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
     }
@@ -638,7 +640,8 @@ sub process_a_policy1($$$$$$$) {
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    $intrazone  = $clientwild && $1;
+
+    $intrazone  ||= $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
@@ -763,26 +766,29 @@ sub process_a_policy() {
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
-    my $intrazone;
+    my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $intrazone = $clients =~ /.*,.*\+$/) {
+    if ( $clientlist = ( $clients =~ /,/ ) ) {
-	$clients =~ s/\+$//;
+	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $servers =~ /.*,.*\+$/ ) {
+    if ( $serverlist = ( $servers =~ /,/ ) ) {
-	$servers =~ s/\+$//;
+	$intrazone ||= ( $servers =~ s/\+$// );
-	$intrazone = 1;
     }	
 
     fatal_error 'SOURCE must be specified' if $clients eq '-';
     fatal_error 'DEST must be specified'   if $servers eq '-';
     fatal_error 'POLICY must be specified' if $policy  eq '-';
 
+    if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
 	    for my $server ( split_list( $servers, 'zone' ) ) {
-	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
+    } else {
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+    }
 }
 
 #
@@ -1027,7 +1033,6 @@ sub complete_policy_chains() {
 	    }
 
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
-		run_user_exit $chainref;
 		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
@@ -1038,7 +1043,6 @@ sub complete_policy_chains() {
 	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
 
 	    if ( $chainref->{referenced} ) {
-		run_user_exit $chainref;
 		complete_policy_chain $chainref, $zone, $zone1;
 	    }
 	}
@@ -1057,8 +1061,6 @@ sub complete_policy_chains() {
 sub complete_standard_chain ( $$$$ ) {
     my ( $stdchainref, $zone, $zone2, $default ) = @_;
 
-    run_user_exit $stdchainref;
-
     my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
@@ -1316,8 +1318,18 @@ sub normalize_action( $$$ ) {
     # Note: SNAT actions store the current interface's name in the tag
     #
     $tag   = ''     unless defined $tag;
-    $param = ''     unless defined $param;
+
+    if ( defined( $param ) ) {
+	#
+	# Normalize the parameters by removing trailing omitted
+	# parameters
+	#
+	1 while $param =~ s/,-$//;
+
 	$param = '' if $param eq '-';
+    } else {
+	$param = '';
+    }
 
     join( ':', $action, $level, $tag, $caller, $param );
 }
@@ -1419,27 +1431,6 @@ sub createlogactionchain( $$$$$$ ) {
 
     $chainref->{action} = $normalized;
 
-    if ( $config{CHAIN_SCRIPTS} ) {
-	unless ( $targets{$action} & BUILTIN ) {
-
-	    set_optflags( $chainref, DONT_OPTIMIZE );
-
-	    my $file = find_file $chain;
-
-	    if ( -f $file ) {
-		progress_message "Running $file...";
-
-		my @params = split /,/, $param;
-
-		unless ( my $return = eval `cat $file` ) {
-		    fatal_error "Couldn't parse $file: $@" if $@;
-		    fatal_error "Couldn't do $file: $!"    unless defined $return;
-		    fatal_error "Couldn't run $file";
-		}
-	    }
-	}
-    }
-
     $chainref;
 }
 
@@ -1455,27 +1446,6 @@ sub createsimpleactionchain( $$ ) {
 
     $chainref->{action} = $normalized;
 
-    if ( $config{CHAIN_SCRIPTS} ) {
-	unless ( $targets{$action} & BUILTIN ) {
-
-	    set_optflags( $chainref, DONT_OPTIMIZE );
-
-	    my $file = find_file $action;
-
-	    if ( -f $file ) {
-		progress_message "Running $file...";
-
-		my ( $level, $tag ) = ( '', '' );
-
-		unless ( my $return = eval `cat $file` ) {
-		    fatal_error "Couldn't parse $file: $@" if $@;
-		    fatal_error "Couldn't do $file: $!"    unless defined $return;
-		    fatal_error "Couldn't run $file";
-		}
-	    }
-	}
-    }
-
     $chainref;
 }
 
@@ -1873,7 +1843,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
 
@@ -1980,10 +1950,10 @@ sub process_action(\$\$$) {
 		}
 	    }
 	} elsif ( $type & MANGLE_TABLE ) {
-	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
 
 	    if ( $family == F_IPV4 ) {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
 		    split_line2( 'mangle file',
 				 { mark => 0,
 				   action => 0,
@@ -2002,13 +1972,14 @@ sub process_action(\$\$$) {
 				   scp => 13,
 				   state => 14,
 				   time => 15,
+				   switch => 16,
 				 },
 				 {},
-				 16,
+				 17,
 				 1 );
 		$headers = '-';
 	    } else {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
 		    split_line2( 'action file',
 				 { mark => 0,
 				   action => 0,
@@ -2028,9 +1999,10 @@ sub process_action(\$\$$) {
 				   dscp => 14,
 				   state => 15,
 				   time => 16,
+				   switch => 17,
 				 },
 				 {},
-				 17,
+				 18,
 				 1 );
 	    }
 
@@ -2059,7 +2031,8 @@ sub process_action(\$\$$) {
 				      $probability ,
 				      $dscp ,
 				      $state,
-				      $time );
+				      $time,
+				      $conditional );
 		set_inline_matches( $matches );
 	    }
 	} else {
@@ -2113,6 +2086,12 @@ sub process_action(\$\$$) {
 
     pop_open;
 
+    unless ( @{$chainref->{rules}} ) {
+	my $file = find_file( $action );
+
+	fatal_error "File action.${action} is empty and file $action exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes" if -f $file;
+    }
+
     #
     # Pop the action parameters
     #
@@ -2748,6 +2727,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
     $usergenerated = $actiontype & IPTABLES;
+    #
+    # For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
+    #
 
     if ( $actiontype == MACRO ) {
 	#
@@ -2911,7 +2893,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2924,7 +2906,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -3777,22 +3759,8 @@ sub build_zone_list( $$$\$\$ ) {
 #
 # Process a Record in the rules file
 #
-sub process_raw_rule ( ) {
+sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) = @_;
-	= split_line2( 'rules file',
-		       \%rulecolumns,
-		       $rule_commands,
-		       undef, #Columns
-		       1 );   #Allow inline matches
-
-
-    fatal_error 'ACTION must be specified' if $target eq '-';
-    #
-    # Section Names are optional so once we get to an actual rule, we need to be sure that
-    # we close off any missing sections.
-    #
-    next_section if $section != $next_section;
-
     if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
 	progress_message "Rule \"$currentline\" ignored.";
 	return 1;
@@ -3858,6 +3826,48 @@ sub process_raw_rule ( ) {
     progress_message qq(   Rule "$thisline" $done);
 }
 
+sub process_raw_rule ( ) {
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
+	= split_line2( 'rules file',
+		       \%rulecolumns,
+		       $rule_commands,
+		       undef, #Columns
+		       1 );   #Allow inline matches
+
+
+    fatal_error 'ACTION must be specified' if $target eq '-';
+    #
+    # Section Names are optional so once we get to an actual rule, we need to be sure that
+    # we close off any missing sections.
+    #
+    next_section if $section != $next_section;
+
+    my ( @source, @dest );
+
+    if ( $source =~ /:\(.+\)/ ) {
+	@source = split_list3( $source, 'SOURCE' );
+    } else {
+	@source = ( $source );
+    }
+
+    if ( $dest =~ /:\(.+\)/ ) {
+	@dest = split_list3( $dest, 'DEST' );
+    } else {
+	@dest = ( $dest );
+    }
+
+    for $source ( @source ) {
+	$source = join(':', $1, $2 ) if $source =~ /^(.+?):\((.+)\)$/;
+
+	for $dest ( @dest ) {
+	    $dest = join( ':', $1, $2 ) if $dest =~  /^(.+?):\((.+)\)$/;
+
+	    process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
+	}
+    }
+}
+
+
 sub intrazone_allowed( $$ ) {
     my ( $zone, $zoneref ) = @_;
 
@@ -3962,8 +3972,8 @@ sub process_rules() {
     $section = $next_section = DEFAULTACTION_SECTION;
 }
 
-sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
+    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ) = @_;
 
     my $oldparms   = push_action_params( $inline,
 					 $chainref,
@@ -3982,9 +3992,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
     my $save_comment = push_comment;
 
     while ( read_a_line( NORMAL_READ ) ) {
-	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime );
+	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime, $mconditional );
 	if ( $family == F_IPV4 ) {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4003,13 +4013,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 			       scp => 13,
 			       state => 14,
 			       time => 15,
+			       switch => 16,
 			     },
 			     {},
-			     16,
+			     17,
 			     1 );
 	    $headers = $mheaders = '-';
 	} else {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4029,9 +4040,10 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 			       dscp => 14,
 			       state => 15,
 			       time => 16,
+			       switch => 17,
 			     },
 			     {},
-			     17,
+			     18,
 			     1 );
 	}
 
@@ -4064,7 +4076,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 				  merge_macro_column( $mprobability ,   $probability ),
 				  merge_macro_column( $mdscp ,          $dscp ),
 				  merge_macro_column( $mstate,          $state ),
-				  merge_macro_column( $mtime,           $time ) );
+				  merge_macro_column( $mtime,           $time ),
+				  merge_macro_column( $mconditional,    $conditional ),
+		);
 	}
 
 	progress_message "   Rule \"$currentline\" $done";
@@ -4091,8 +4105,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 # appended to that chain. The chain with be the action's chain unless the action
 # is inlined, in which case it will be the chain which invoked the action.
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
-    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time) = @_;
+    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $condition) = @_;
 
     my %designators = (
 	P => PREROUTING,
@@ -4202,6 +4216,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
+			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
 			     $source ,
@@ -4495,7 +4510,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4511,7 +4526,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4797,7 +4812,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 				   $probability ,
 				   $dscp ,
 				   $state,
-				   $time );
+				   $time,
+				   $condition );
 	    $done = 1;
 	}
     };
@@ -4934,7 +4950,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	$restriction |= $chainref->{restriction};
 
-	if ( ( my $result = expand_rule( $chainref ,
+	expand_rule( $chainref ,
 		     $restriction,
 		     $prerule,
 		     do_proto( $proto, $ports, $sports) . $matches .
@@ -4949,6 +4965,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		     do_dscp( $dscp ) .
 		     state_match( $state ) .
 		     do_time( $time ) .
+		     do_condition( $condition, $chainref->{name} ) .
 		     ( $ttl ? "-t $ttl " : '' ) .
 		     $raw_matches ,
 		     $source ,
@@ -4958,13 +4975,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		     '' ,
 		     $target ,
 		     $exceptionrule ,
-					 $usergenerated ) )
+		     $usergenerated ,
-	     && $device ) {
+		     '' , # Log Name
-	    #
+		     $device ,
-	    # expand_rule() returns destination device if any
+		     $params
-	    #
+	    );
-	    fatal_error "Class Id $params is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
-	}
     }
 
     progress_message "  Mangle Rule \"$currentline\" $done";
@@ -5139,7 +5154,7 @@ sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
 			    { mark => 0,
 			      action => 0,
 			      source => 1,
@@ -5162,7 +5177,7 @@ sub process_tc_rule( ) {
 	$headers = '-';
     } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
 			    { mark => 0,
 			      action => 0,
 			      source => 1,
@@ -5192,9 +5207,9 @@ sub process_tc_rule( ) {
 
 sub process_mangle_rule( $ ) {
     my ( $chainref ) = @_;
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5213,13 +5228,14 @@ sub process_mangle_rule( $ ) {
 			   scp => 13,
 			   state => 14,
 			   time => 15,
+			   switch => 16,
 			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5239,14 +5255,15 @@ sub process_mangle_rule( $ ) {
 			   dscp => 14,
 			   state => 15,
 			   time => 16,
+			   switch => 17,
 			 },
 			 {},
-			 17,
+			 18,
 	                 1 );
     }
 
     for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
     }
 }
 
@@ -5363,6 +5380,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
 	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
+	$add_snat_aliases = '';
     } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
 	$addresses  = $2;
@@ -5377,6 +5395,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
     } elsif ( $action eq 'MASQUERADE' ) {
 	$actiontype = $builtin_target{$target = 'MASQUERADE'};
+	$add_snat_aliases = '';
     } else {
 	( $target , $params ) = get_target_param1( $action );
 
@@ -5455,6 +5474,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
  
 	my $rule = '';
 	my $saveaddresses = $addresses;
+	my $savetarget    = $target;
+	my $savebaserule  = $baserule;
 	my $interface = $fullinterface;
 
 	$interface =~ s/:.*//;   #interface name may include 'alias'
@@ -5505,10 +5526,12 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		    $detectaddress = 1;
 		}
 	    } else {
+		fatal_error "SNAT rules must spacify a new source address and/or new source ports" unless supplied $addresses;
+
 		my $addrlist = '';
 		my @addrs = split_list $addresses, 'address';
 
-		fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		fatal_error "Only one SNAT address may be specified" if @addrs > 1;
 
 		for my $addr ( @addrs ) {
 		    if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -5551,20 +5574,27 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			}
 		    } elsif ( $family == F_IPV4 ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    my ($ipaddr, $rest) = split ':', $addr;
+			    my ($ipaddr, $rest) = split ':', $addr, 2;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
 			    }
-			    validate_portpair1( $proto, $rest ) if supplied $rest;
+
+			    if ( supplied $rest ) {
+				validate_portpair1( $proto, $rest );
 				$addrlist .= " --to-source $addr";
+			    } else {
+				$addrlist .= " --to-source $ipaddr";
+			    }
+
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
 			    my $ports = $addr;
 			    $ports =~ s/^://;
+			    fatal_error "Missing Address or Port[-range] ($addr)" unless supplied $ports && $ports ne '-';
 			    validate_portpair1( $proto, $ports );
-			    $addrlist .= " --to-ports $ports";
+			    $addrlist .= " --to-source :$ports";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    } else {
@@ -5614,6 +5644,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( supplied $addresses ) {
 		validate_portpair1($proto, $addresses );
 		$target .= " --to-ports $addresses";
+		$exceptionrule = do_proto( $proto, '', '' );
 	    }
 	}
 	#
@@ -5699,7 +5730,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
-	    if ( $add_snat_aliases ) {
+	    if ( $add_snat_aliases && $addresses ) {
 		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 		for my $address ( split_list $addresses, 'address' ) {
@@ -5722,6 +5753,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	}
 
 	$addresses = $saveaddresses;
+	$target    = $savetarget;
+	$baserule  = $savebaserule;
     }
 
     progress_message "   Snat record \"$currentline\" $done"

Shorewall/Perl/Shorewall/Tc.pm

@@ -42,7 +42,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( process_tc_rule initialize );
+our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
 
 our %flow_keys = ( 'src'            => 1,
@@ -2150,41 +2150,14 @@ sub process_secmark_rule() {
     }
 }
 
-
+sub convert_one_tos( $ ) {
-sub convert_tos($$) {
+    my ( $mangle ) = @_;
-    my ( $mangle, $fn1 ) = @_;
-
-    my $have_tos = 0;
-
-    sub unlink_tos( $ ) {
-	my $fn = shift;
-
-	if ( unlink $fn ) {
-	    warning_message "Empty tos file ($fn) removed";
-	} else {
-	    warning_message "Unable to remove empty tos file $fn: $!";
-	}
-    }
-
-    if ( my $fn = open_file 'tos' ) {
-	first_entry(
-		    sub {
-			my $date = compiletime;
-			progress_message2 "Converting $fn...";
-			print( $mangle
-			       "#\n" ,
-			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
-			       "#\n" );
-		    }
-		   );
-
-	while ( read_a_line( NORMAL_READ ) ) {
-
-	    $have_tos = 1;
 
     my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
+	split_rawline2( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
+			undef,
+			7 );
 
     my $chain_designator = 'P';
 
@@ -2219,8 +2192,62 @@ sub convert_tos($$) {
     $mark   = '-' unless supplied $mark;
 
     print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+}
 
+
+sub convert_tos($$) {
+    my ( $mangle, $fn1 ) = @_;
+
+    my $have_tos = 0;
+
+    sub unlink_tos( $ ) {
+	my $fn = shift;
+
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
 	}
+    }
+
+    if ( my $fn = open_file 'tos' ) {
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+			print $mangle "$_[1]\n";
+		    } else {
+			convert_one_tos( $mangle );
+			$have_tos = 1;
+		    }
+		} else {
+		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+		}
+	    }
+	    );
+
+	first_entry(
+		    sub {
+			my $date = compiletime;
+			progress_message2 "Converting $fn...";
+			print( $mangle
+			       "#\n" ,
+			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    convert_one_tos( $mangle );
+	    $have_tos = 1;
+	}
+
+	directive_callback(0);
 
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
@@ -2250,9 +2277,10 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );
 
+	if ( $family == F_IPV4 ) {
 	    print $mangle <<'EOF';
 #
-# Shorewall version 4 - Mangle File
+# Shorewall -- /etc/shorewall/mangle
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2262,13 +2290,31 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-####################################################################################################################################################
+##############################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
-#                                                       PORT(S) PORT(S)
 EOF
+	} else {
+	    print $mangle <<'EOF';
+#
+# Shorewall6 -- /etc/shorewall6/mangle
+#
+# For information about entries in this file, type "man shorewall6-mangle"
+#
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+#
+######################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
+EOF
+
 	}
 
 	return ( $mangle, $fn1 );
+    }
 }
 
 #
@@ -2337,7 +2383,24 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 
-		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
+		directive_callback(
+		    sub ()
+		    {
+			if ( $_[0] eq 'OMITTED' ) {
+			    #
+			    # Convert the raw rule
+			    #
+			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+				print $mangle "$_[1]\n";
+			    } else {
+				process_tc_rule;
+				$have_tcrules++;
+			    }
+			} else {
+			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+			}
+		    }
+		    );
 
 		first_entry(
 			    sub {

Shorewall/Perl/compiler.pl

@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Perl/getparams

@@ -38,12 +38,11 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_program=$PRODUCT
+g_basedir=${SHAREDIR}/shorewall
-g_sharedir="$SHAREDIR/shorewall"
-g_confdir="$CONFDIR/$PRODUCT"
-g_readrc=1
 
-. $g_sharedir/lib.cli
+. $g_basedir/lib.cli
+
+setup_product_environment
 
 CONFIG_PATH="$2"
 

Shorewall/Perl/lib.runtime

@@ -526,13 +526,6 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
     done
 
-    qt1 $g_tool -t rawpost -F
-    qt1 $g_tool -t rawpost    -X
-
-    for chain in POSTROUTING; do
-	qt1 $g_tool -t rawpost -P $chain ACCEPT
-    done
-
     qt1 $g_tool -t nat    -F
     qt1 $g_tool -t nat    -X
 
@@ -582,9 +575,6 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
 	    '*'mangle)
 		table=mangle
 		;;

Shorewall/Perl/prog.footer

@@ -130,6 +130,8 @@ g_docker=
 g_dockernetwork=
 g_forcereload=
 
+[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
+
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then

Shorewall/Samples/Universal/shorewall.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -47,11 +47,11 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 
 MACLIST_LOG_LEVEL=info
 
@@ -75,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -144,8 +144,6 @@ BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=No
-
 CLAMPMSS=No
 
 CLEAR_TC=Yes
@@ -293,5 +291,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall/Samples/one-interface/shorewall.conf

@@ -58,11 +58,11 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 
 MACLIST_LOG_LEVEL=info
 
@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -155,8 +155,6 @@ BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=No
-
 CLAMPMSS=No
 
 CLEAR_TC=Yes
@@ -304,5 +302,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -55,11 +55,11 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 
 MACLIST_LOG_LEVEL=info
 
@@ -83,7 +83,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -152,8 +152,6 @@ BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=No
-
 CLAMPMSS=Yes
 
 CLEAR_TC=Yes
@@ -301,5 +299,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall/Samples/three-interfaces/snat

@@ -10,7 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -58,11 +58,11 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 
 MACLIST_LOG_LEVEL=info
 
@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -155,8 +155,6 @@ BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=No
-
 CLAMPMSS=Yes
 
 CLEAR_TC=Yes
@@ -304,5 +302,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall/Samples/two-interfaces/snat

@@ -10,7 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
@@ -18,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-		192.168.0.0/16	eth0
+			92.168.0.0/16		eth0

Shorewall/configfiles/mangle

@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-####################################################################################################################################################
+##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH

Shorewall/configfiles/shorewall.conf

@@ -47,11 +47,11 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 
 MACLIST_LOG_LEVEL=info
 
@@ -138,14 +138,12 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=Yes
-
 CLAMPMSS=No
 
 CLEAR_TC=Yes
@@ -184,7 +182,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=On
+IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=No
 
@@ -210,7 +208,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=0
+OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 

Shorewall/configfiles/snat

@@ -1,8 +1,9 @@
 #
-# Shorewall SNAT/Masquerade File
+# Shorewall -- /etc/shorewall/snat
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###################################################################################################################
+#
+###########################################################################################################################################
 #ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall firewall\": "
+      printf "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall firewall\" rules: "
+      printf "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,21 +109,21 @@ shorewall_stop () {
 
 # reload the firewall
 shorewall_reload () {
-  echo -n "Reloading \"Shorewall firewall\": "
+  printf "Reloading \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
 }
 
 reload() {
-    echo -n $"Reloading Shorewall: "
+    printf $"Reloading Shorewall: "
     $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall/install.sh

@@ -103,7 +103,7 @@ require()
 
 cd "$(dirname $0)"
 
-if [ -f shorewall ]; then
+if [ -f shorewall.service ]; then
     PRODUCT=shorewall
     Product=Shorewall
 else
@@ -175,7 +175,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else
@@ -381,9 +380,9 @@ fi
 echo "Installing $Product Version $VERSION"
 
 #
-# Check for /sbin/$PRODUCT
+# Check for /usr/share/$PRODUCT/version
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
     first_install=""
 else
     first_install="Yes"
@@ -394,10 +393,6 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
     exit 1
 fi
 
-install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
-echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
-
 #
 # Install the Firewall Script
 #
@@ -703,7 +698,7 @@ run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/con
 run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-    run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
     echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
 fi
 
@@ -1047,18 +1042,11 @@ fi
 
 cd ..
 
-#
-# Install the  Makefiles
-#
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
-
-if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-fi
 #
 # Install the Action files
 #
+cd Actions
+
 for f in action.* ; do
     case $f in
 	*.deprecated)
@@ -1071,8 +1059,10 @@ for f in action.* ; do
 	    ;;
     esac
 done
-
+#
-cd Macros
+# Now the Macros
+#
+cd ../Macros
 
 for f in macro.* ; do
     case $f in
@@ -1104,7 +1094,10 @@ if [ $PRODUCT = shorewall6 ]; then
     # Symbolically link 'functions' to lib.base
     #
     ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
-    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    #
+    # And create a sybolic link for the CLI
+    #
+    ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
 fi
 
 if [ -d Perl ]; then
@@ -1179,7 +1172,7 @@ if [ -n "$MANDIR" ]; then
 
 cd manpages
 
-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
 
 for f in *.5; do
     gzip -9c $f > $f.gz
@@ -1187,6 +1180,8 @@ for f in *.5; do
     echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
 
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
+
 for f in *.8; do
     gzip -9c $f > $f.gz
     run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz

Shorewall/lib.cli-std

@@ -48,10 +48,10 @@ get_config() {
     fi
 
     if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file $g_program.conf)
+	config=$(find_file ${PRODUCT}.conf)
     else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	config="$g_shorewalldir/$g_program.conf"
+	config="$g_shorewalldir/$PRODUCT.conf"
     fi
 
     if [ -f $config ]; then
@@ -155,7 +155,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
+		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
@@ -318,6 +318,7 @@ get_config() {
 
     [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
+    if [ -z "$g_nopager" ]; then
 	if [ -n "$PAGER" -a -t 1 ]; then
 	    case $PAGER in
 		/*)
@@ -334,6 +335,7 @@ get_config() {
 
 	    g_pager="| $g_pager"
 	fi
+    fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -395,8 +397,8 @@ compiler() {
     pc=${LIBEXECDIR}/shorewall/compiler.pl
 
     if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
 	fi
     fi
     #
@@ -1227,13 +1229,13 @@ safe_commands() {
 
     if run_it ${VARDIR}/.$command $g_debugging $command; then
 
-	echo -n "Do you want to accept the new firewall configuration? [y/n] "
+	printf "Do you want to accept the new firewall configuration? [y/n] "
 
 	if read_yesno_with_timeout $timeout ; then
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe -r restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
@@ -1417,6 +1419,7 @@ remote_reload_command() # $* = original arguments less the command.
     sharedir=${SHAREDIR}
     local litedir
     local exitstatus
+    local program
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1493,12 +1496,17 @@ remote_reload_command() # $* = original arguments less the command.
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
+	litedir="${VARDIR}-lite"
 	. $sharedir/shorewall/shorewallrc
     else
-	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
+	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2
+	sbindir="$SBINDIR"
+	confdir="$CONFDIR"
+	libexec="$LIBEXECDIR"
+	litedir="${VARDIR}-lite"
     fi
 
-    if [ -f $g_shorewalldir/${g_program}.conf ]; then
+    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
 	fi
@@ -1514,7 +1522,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	fi
     else
-	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
+	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
     fi
 
     if [ -z "$getcaps" ]; then
@@ -1539,12 +1547,14 @@ remote_reload_command() # $* = original arguments less the command.
 
     g_export=Yes
 
-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    program=$sbindir/${PRODUCT}-lite
+    #
+    # Handle nonstandard remote VARDIR
+    #
+    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"
 
-    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
-
     g_file="$g_shorewalldir/firewall"
 
     exitstatus=0
@@ -1555,30 +1565,29 @@ remote_reload_command() # $* = original arguments less the command.
 	    save=$(find_file save);
 
 	    if [ -f $save ]; then
-		progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
+		progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/"
-		rcp_command $save ${confdir}/shorewall-lite/
+		rcp_command $save ${confdir}/$PRODUCT/
 		exitstatus=$?
 	    fi
 
 	    if [ $exitstatus -eq 0 ]; then
-
 		progress_message3 "Copy complete"
 
 		if [ $COMMAND = remote-reload ]; then
-		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
+		    if rsh_command "$program $g_debugging $verbose $timestamp reload"; then
 			progress_message3 "System $system reloaded"
 		    else
 			exitstatus=$?
 			savit=
 		    fi
 		elif [ $COMMAND = remote-restart ]; then
-		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
+		    if rsh_command "$program $g_debugging $verbose $timestamp restart"; then
 			progress_message3 "System $system restarted"
 		    else
 			exitstatus=$?
 			saveit=
 		    fi
-		elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
+		elif rsh_command "$program $g_debugging $verbose $timestamp start"; then
 		    progress_message3 "System $system started"
 		else
 		    exitstatus=$?
@@ -1586,7 +1595,7 @@ remote_reload_command() # $* = original arguments less the command.
 		fi
 
 		if [ -n "$saveit" ]; then
-		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
+		    if rsh_command "$program $g_debugging $verbose $timestamp save"; then
 			progress_message3 "Configuration on system $system saved"
 		    else
 			exitstatus=$?
@@ -1651,7 +1660,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "Invalid command syntax (\"man $g_program\" for help)"
+	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
 	    ;;
     esac
 

Shorewall/manpages/shorewall-conntrack.xml

@@ -380,7 +380,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE (format 3) ‒
+        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
         {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
 
         <listitem>
@@ -394,7 +394,91 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST ‒
+        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
+        later) -
+        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
+
+        <listitem>
+          <para>where <replaceable>source-spec</replaceable> is one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Where interface is the logical name of an interface
+                defined in <ulink
+                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> may be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A MAC address in Shorewall format (preceded by a
+                    tilde ("~") and using dash ("-") as a separator.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The name of an ipset preceded by a plus sign ("+").
+                    See <ulink
+                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para><replaceable>exclusion</replaceable> is described in
+                <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>This form combines the preceding two and requires that
+                both the incoming interace and source address match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>See <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
+                (5)</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple
+          <replaceable>source-spec</replaceable>s separated by commas may be
+          specified provided that the following alternative forms are
+          used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DEST (Prior to Shorewall 5.1.0) ‒
         {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
 
         <listitem>
@@ -406,6 +490,89 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
+        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+
+        <listitem>
+          <para>where <replaceable>dest-spec</replaceable> is one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Where interface is the logical name of an interface
+                defined in <ulink
+                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> may be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A MAC address in Shorewall format (preceded by a
+                    tilde ("~") and using dash ("-") as a separator.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The name of an ipset preceded by a plus sign ("+").
+                    See <ulink
+                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para><replaceable>exclusion</replaceable> is described in
+                <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>This form combines the preceding two and requires that
+                both the outgoing interace and destination address
+                match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>See <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
+                (5)</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple source-specs
+          separated by commas may be specified provided that the following
+          alternative forms are used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>PROTO ‒
         <replaceable>protocol-name-or-number</replaceable>[,...]</term>

Shorewall/manpages/shorewall-interfaces.xml

@@ -774,7 +774,7 @@ loc     eth2            -</programlisting>
                 iptables and kernel. It provides a more efficient alternative
                 to the <option>sfilter</option> option below. It performs a
                 function similar to <option>routefilter</option> (see above)
-                but works with Multi-ISP configurations that do now use
+                but works with Multi-ISP configurations that do not use
                 balanced routes.</para>
               </listitem>
             </varlistentry>

Shorewall/manpages/shorewall-mangle.xml

@@ -775,98 +775,253 @@ Normal-Service       =&gt; 0x00</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        <term><emphasis role="bold">SOURCE -
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
-        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
-        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
-          <para>May be:</para>
+          <para>where <replaceable>source-spec</replaceable> is one of:</para>
 
-          <orderedlist>
+          <variablelist>
-            <listitem>
+            <varlistentry>
-              <para>An interface name - matches traffic entering the firewall
+              <term><replaceable>interface</replaceable></term>
-              on the specified interface. May not be used in classify rules or
-              in rules using the :T chain qualifier.</para>
-            </listitem>
 
               <listitem>
-              <para>A comma-separated list of host or network IP addresses or
+                <para>where <replaceable>interface</replaceable> is the
-              MAC addresses. <emphasis role="bold">This form will not match
+                logical name of an interface defined in <ulink
-              traffic that originates on the firewall itself unless either
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+                Matches packets entering the firewall from the named
-              the ACTION column.</emphasis></para>
+                interface. May not be used in CLASSIFY rules or in rules using
-
-              <para>Examples:<simplelist>
-                  <member>0.0.0.0/0</member>
-                </simplelist></para>
-
-              <para><simplelist>
-                  <member>192.168.1.0/24, 172.20.4.0/24</member>
-                </simplelist></para>
-            </listitem>
-
-            <listitem>
-              <para>An interface name followed by a colon (":") followed by a
-              comma-separated list of host or network IP addresses or MAC
-              addresses. May not be used in classify rules or in rules using
                 the :T chain qualifier.</para>
               </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
 
               <listitem>
-              <para>$FW optionally followed by a colon (":") and a
+                <para>where <replaceable>address</replaceable> is:</para>
-              comma-separated list of host or network IP addresses. Matches
+
-              packets originating on the firewall. May not be used with a
+                <blockquote>
-              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+                  <para>A host or network IP address.</para>
+
+                  <para>The name of an ipset preceded by a plus sign
+                  ("+").</para>
+
+                  <para>A MAC address in Shorewall format (preceded by a tilde
+                  ("~") and using dash ("-") as a separator (e.g.,
+                  ~00-A0-C9-15-39-78).</para>
+                </blockquote>
+
+                <para>Matches traffic whose source IP address matches one of
+                the listed addresses and that does not match an address listed
+                in the <replaceable>exclusion</replaceable> (see <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+
+                <para><emphasis role="bold">This form will not match traffic
+                that originates on the firewall itself unless either
+                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
+                in the ACTION column.</emphasis></para>
               </listitem>
-          </orderedlist>
+            </varlistentry>
 
-          <para>MAC addresses must be prefixed with "~" and use "-" as a
+            <varlistentry>
-          separator.</para>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
 
-          <para>Example: ~00-A0-C9-15-39-78</para>
+              <listitem>
+                <para>This form combines the preceding two forms and matches
+                when both the incoming interface and source IP address
+                match.</para>
+              </listitem>
+            </varlistentry>
 
-          <para>You may exclude certain hosts from the set already defined
+            <varlistentry>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches packets arriving through the named
+                <replaceable>interface</replaceable> and whose source IP
+                address does not match any of the addresses in the
+                <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$FW</term>
+
+              <listitem>
+                <para>Matches packets originating on the firewall system. May
+                not be used with a chain qualifier (:P, :F, etc.) in the
+                ACTION column.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> is as above
+                (MAC addresses are not permitted). Matches packets originating
+                on the firewall and whose source IP address matches one of the
+                listed addresses and does not match any address listed in the
+                <replaceable>exclusion</replaceable>. May not be used with a
+                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$FW:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>Matches traffic originating on the firewall, provided
+                that the source IP address does not match any address listed
+                in the <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple
+          <replaceable>source_spec</replaceable>s, separated by commas, may be
+          given provided that the following alternative forms are used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+
+            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST -
+        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+
+        <listitem>
+          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>where <replaceable>interface</replaceable> is the
+                logical name of an interface defined in <ulink
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+                Matches packets leaving the firewall through the named
+                interface. May not be used in the PREROUTING chain (:P in the
+                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
+                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
+                (5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> is:</para>
+
+                <blockquote>
+                  <para>A host or network IP address.</para>
+
+                  <para>The name of an ipset preceded by a plus sign
+                  ("+").</para>
+
+                  <para>A MAC address in Shorewall format (preceded by a tilde
+                  ("~") and using dash ("-") as a separator (e.g.,
+                  ~00-A0-C9-15-39-78).</para>
+                </blockquote>
+
+                <para>Matches traffic whose destination IP address matches one
+                of the listed addresses and that does not match an address
+                listed in the <replaceable>exclusion</replaceable> (see <ulink
                 url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
               <listitem>
-          <para>May be:</para>
+                <para>This form combines the preceding two forms and matches
-
+                when both the outgoing interface and destination IP address
-          <orderedlist>
+                match. May not be used in the PREROUTING chain (:P in the mark
-            <listitem>
+                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-              <para>An interface name. May not be used in the PREROUTING chain
+                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
-              (:P in the mark column or no chain qualifier and
+                (5)).</para>
-              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
-              interface name may be optionally followed by a colon (":") and
-              an IP address list.</para>
               </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
 
               <listitem>
-              <para>A comma-separated list of host or network IP addresses.
+                <para>This form matches packets leaving through the named
-              The list may include ip address ranges if your kernel and
+                <replaceable>interface</replaceable> and whose destination IP
-              iptables include iprange support.</para>
+                address does not match any of the addresses in the
+                <replaceable>exclusion</replaceable>. May not be used in the
+                PREROUTING chain (:P in the mark column or no chain qualifier
+                and MARK_IN_FORWARD_CHAIN=No in <ulink
+                url="manpages/shorewall.conf">shorewall.conf</ulink>
+                (5)).</para>
               </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$FW</term>
 
               <listitem>
-              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+                <para>Matches packets originating on the firewall system. May
-              itself or qualified by an address list. This causes marking to
+                not be used with a chain qualifier (:P, :F, etc.) in the
-              occur in the INPUT chain.</para>
+                ACTION column.</para>
               </listitem>
-          </orderedlist>
+            </varlistentry>
 
-          <para>You may exclude certain hosts from the set already defined
+            <varlistentry>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> is as above
+                (MAC addresses are not permitted). Matches packets destined
+                for the firewall and whose destination IP address matches one
+                of the listed addresses and does not match any address listed
+                in the <replaceable>exclusion</replaceable>. May not be used
+                with a chain qualifier (:P, :F, etc.) in the ACTION
+                column.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$FW:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>Matches traffic destined for the firewall, provided that
+                the destination IP address does not match any address listed
+                in the <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple
+          <replaceable>dest_spec</replaceable>s, separated by commas, may be
+          given provided that the following alternative forms are used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+
+            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
         </listitem>
       </varlistentry>
 
@@ -1332,6 +1487,53 @@ Normal-Service       =&gt; 0x00</programlisting>
           </variablelist>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-masq.xml

@@ -164,7 +164,7 @@
       <varlistentry>
         <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
         role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis

Shorewall/manpages/shorewall-netmap.xml

@@ -41,38 +41,18 @@
       <varlistentry>
         <term><emphasis role="bold">TYPE</emphasis> - <emphasis
         role="bold">{DNAT</emphasis>|<emphasis
-        role="bold">SNAT}[:{P|O|T}</emphasis>]</term>
+        role="bold">SNAT}</emphasis></term>
 
         <listitem>
-          <para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
+          <para>Must be DNAT or SNAT</para>
-          optionally followed by :P, :O or :T to perform <firstterm>stateless
-          NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
-          support</firstterm> in your kernel and iptables (see the output of
-          <command>shorewall show capabilities</command>).</para>
 
-          <para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
+          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
-          NET1 has its destination address rewritten to the corresponding
+          its destination address rewritten to the corresponding address in
-          address in NET2.</para>
+          NET2.</para>
 
-          <para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
+          <para>If SNAT, traffic leaving INTERFACE with a source address in
-          address in NET1 has it's source address rewritten to the
+          NET1 has it's source address rewritten to the corresponding address
-          corresponding address in NET2.</para>
+          in NET2.</para>
-
-          <para>If DNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE and addressed to NET1 has its destination address
-          rewritten to the corresponding address in NET2.</para>
-
-          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
-          NET1 has its destination address rewritten to the corresponding
-          address in NET2.</para>
-
-          <para>If SNAT:P, traffic entering via INTERFACE with a destination
-          address in NET1 has it's source address rewritten to the
-          corresponding address in NET2.</para>
-
-          <para>If SNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE with a source address in NET1 has it's source address
-          rewritten to the corresponding address in NET2.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-rules.xml

@@ -629,7 +629,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
 
               <listitem>
                 <para>Queues the packet to a user-space application using the
@@ -648,12 +648,19 @@
                 systems: start multiple instances of the userspace program on
                 queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                 the same connection are put into the same nfqueue.</para>
+
+                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
+                followed by the letter 'c' to indicate that the CPU ID will be
+                used as an index to map packets to the queues. The idea is
+                that you can improve performance if there's a queue per CPU.
+                Requires the NFQUEUE CPU Fanout capability in your kernel and
+                iptables.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
@@ -900,108 +907,199 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> -
+        <term><emphasis role="bold">SOURCE -
-        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
-        role="bold">all</emphasis>|<emphasis
-        role="bold">any</emphasis>}[<emphasis
-        role="bold">+</emphasis>][<emphasis
-        role="bold">-</emphasis>]}<emphasis
-        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
-        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
 
         <listitem>
-          <para>Source hosts to which the rule applies. May be a
+          <para>Source hosts to which the rule applies.</para>
-          <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
-          <emphasis role="bold">$FW</emphasis> to indicate the firewall
-          itself, <emphasis role="bold">all</emphasis>, <emphasis
-          role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
-          <emphasis role="bold">all+-</emphasis> or <emphasis
-          role="bold">none</emphasis>.</para>
 
-          <para>Beginning with Shorewall 4.4.13, you may use a
+          <para><replaceable>source-spec</replaceable> is one of the
-          <replaceable>zone-list </replaceable>which consists of a
+          following:</para>
-          comma-separated list of zones declared in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
-          This <replaceable>zone-list</replaceable> may be optionally followed
-          by "+" to indicate that the rule is to apply to intra-zone traffic
-          as well as inter-zone traffic.</para>
 
-          <para>When <emphasis role="bold">none</emphasis> is used either in
+          <variablelist>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+            <varlistentry>
-          role="bold">DEST</emphasis> column, the rule is ignored.</para>
+              <term><emphasis
+              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
 
-          <para><emphasis role="bold">all</emphasis> means "All Zones",
+              <listitem>
-          including the firewall itself. <emphasis role="bold">all-</emphasis>
+                <para>The name of a zone defined in <ulink
-          means "All Zones, except the firewall itself". When <emphasis
+                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+                only the zone name is specified, the packet source may be any
-          used either in the <emphasis role="bold">SOURCE</emphasis> or
+                host in that zone.</para>
-          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
-          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
-          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
-          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
-          <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
 
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+                <para>zone may also be one of the following:</para>
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
-          <emphasis role="bold">any</emphasis>[<emphasis
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
-          specified, clients may be further restricted to a list of networks
-          and/or hosts by appending ":" and a comma-separated list of network
-          and/or host addresses. Hosts may be specified by IP or MAC address;
-          mac addresses must begin with "~" and must use "-" as a
-          separator.</para>
 
-          <para>The above restriction on <emphasis
+                <variablelist>
-          role="bold">all</emphasis>[<emphasis
+                  <varlistentry>
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
+                    <term>all[+][-]</term>
-          <emphasis role="bold">any</emphasis>[<emphasis
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
-          removed in Shorewall-4.4.13.</para>
 
-          <para><emphasis role="bold">any</emphasis> is equivalent to
+                    <listitem>
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
+                      <para><emphasis role="bold">all</emphasis>, without the
-          When there are nested zones, <emphasis role="bold">any</emphasis>
+                      "-" means "All Zones, including the firewall zone". If
-          only refers to top-level zones (those with no parent zones). Note
+                      the "-" is included, the firewall zone is omitted.
-          that <emphasis role="bold">any</emphasis> excludes all vserver
+                      Normally all omits intra-zone traffic, but intra-zone
-          zones, since those zones are nested within the firewall zone.
+                      traffic can be included specifying "+".</para>
-          Beginning with Shorewall 4.4.13, exclusion is supported with
+                    </listitem>
-          <emphasis role="bold">any</emphasis> -- see see <ulink
+                  </varlistentry>
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
 
-          <para>Hosts may also be specified as an IP address range using the
+                  <varlistentry>
-          syntax
+                    <term>any[+][-]</term>
-          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
-          This requires that your kernel and iptables contain iprange match
-          support. If your kernel and iptables have ipset match support then
-          you may give the name of an ipset prefaced by "+". The ipset name
-          may be optionally followed by a number from 1 to 6 enclosed in
-          square brackets ([]) to indicate the number of levels of source
-          bindings to be matched.</para>
 
-          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+                    <listitem>
-          firewall interface can be specified by an ampersand ('&amp;')
+                      <para><emphasis role="bold">any</emphasis> is equivalent
-          followed by the logical name of the interface as found in the
+                      to <emphasis role="bold">all</emphasis> when there are
-          INTERFACE column of <ulink
+                      no nested zones. When there are nested zones, <emphasis
+                      role="bold">any</emphasis> only refers to top-level
+                      zones (those with no parent zones). Note that <emphasis
+                      role="bold">any</emphasis> excludes all vserver zones,
+                      since those zones are nested within the firewall
+                      zone.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>none</term>
+
+                    <listitem>
+                      <para>When <emphasis role="bold">none</emphasis> is used
+                      either in the <emphasis role="bold">SOURCE</emphasis> or
+                      <emphasis role="bold">DEST</emphasis> column, the rule
+                      is ignored.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>Similar to with <emphasis role="bold">all</emphasis> and
+                <emphasis role="bold">any</emphasis>, intra-zone traffic is
+                normally excluded when multiple zones are listed. Intra-zone
+                traffic may be included by following the list with a plus sign
+                ("+").</para>
+
+                <para><emphasis role="bold">all</emphasis> and <emphasis
+                role="bold">any</emphasis> may be followed by an exclamation
+                point ("!") and a comma-separated list of zone names to be
+                omitted.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>When this form is used,
+                <replaceable>interface</replaceable> must be the name of an
+                interface associated with the named
+                <replaceable>zone</replaceable> in either <ulink
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+                or <ulink
+                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
+                packets from hosts in the <replaceable>zone</replaceable> that
+                arrive through the named interface will match the rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
+
+              <listitem>
+                <para>where address can be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address. A network address may
+                    be followed by exclusion (see <ulink
+                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>An address range, specified using the syntax
+                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>+<replaceable>ipset</replaceable> where
+                    <replaceable>ipset</replaceable> is the name of an ipset
+                    and must be preceded by a plus sign ("+").</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A MAC address in Shorewall format (preceded by a
+                    tilde ("~") and with the hex byte values separated by
+                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>^<replaceable>country-code</replaceable> where
+                    country-code is a two-character ISO-3661 country code
+                    preceded by a caret ("^").</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>^<replaceable>country-code-list</replaceable> where
+                    <replaceable>country-code-list</replaceable> is a
+                    comma-separated list of up to 15 ISO-3661 country codes
+                    enclosed in square brackets ("[...]").</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The primary IP address of a firewall interface can
+                    be specified by an ampersand ('&amp;') followed by the
+                    logical name of the interface as found in the INTERFACE
+                    column of <ulink
                     url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
                     (5).</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
 
-          <para>Beginning with Shorewall 4.5.4, A
+            <varlistentry>
-          <replaceable>countrycode-list</replaceable> may be specified. A
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-          countrycode-list is a comma-separated list of up to 15 two-character
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
-          preceded by a caret ('^'). When a single country code is given, the
-          square brackets may be omitted. A list of country codes supported by
-          Shorewall may be found at <ulink
-          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
-          Specifying a <replaceable>countrycode-list</replaceable> requires
-          <firstterm>GeoIP Match</firstterm> support in your iptables and
-          Kernel.</para>
 
-          <para>You may exclude certain hosts from the set already defined
+              <listitem>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+                <para>This form combines the preceding two and requires that
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                both the incoming interface and source address match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches if the host IP address does not match
+                any of the entries in the exclusion (see <ulink
+                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches packets from the named
+                <replaceable>zone</replaceable> entering through the specified
+                <replaceable>interface</replaceable> where the source address
+                does not match any entry in the
+                <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple
+          <replaceable>source-spec</replaceable>s may be listed, provided that
+          extended forms of the source-spec are used:</para>
+
+          <blockquote>
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
+
+            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
+
+            <para>zone:(interface:address[,...])</para>
+
+            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
 
           <para>Examples:</para>
 
@@ -1070,8 +1168,8 @@
               <term>$FW:&amp;eth0</term>
 
               <listitem>
-                <para>The primary IP address of eth0 in the firewall zone
+                <para>The primary IP address of eth0 in the firewall
-                (Shorewall 4.4.17 and later).</para>
+                zone.</para>
               </listitem>
             </varlistentry>
 
@@ -1092,92 +1190,259 @@
                 zone.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>net:^CN</term>
+
+              <listitem>
+                <para>China.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
+
+              <listitem>
+                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
+                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
+                in the dmz zone when the packet arrives through eth2 plus all
+                of the net zone.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> -
+        <term><emphasis role="bold">DEST -
-        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
-        role="bold">all</emphasis>|<emphasis
-        role="bold">any</emphasis>}[<emphasis
-        role="bold">+</emphasis>][<emphasis
-        role="bold">-</emphasis>]}<emphasis
-        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
-        role="bold">random</emphasis>]]</term>
 
         <listitem>
-          <para>Location of Server. May be a zone declared in <ulink
+          <para>Destination hosts to which the rule applies.</para>
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
-          $<emphasis role="bold">FW</emphasis> to indicate the firewall
-          itself, <emphasis role="bold">all</emphasis>. <emphasis
-          role="bold">all+</emphasis> or <emphasis
-          role="bold">none</emphasis>.</para>
 
-          <para>Beginning with Shorewall 4.4.13, you may use a
+          <para><replaceable>dest-spec</replaceable> is one of the
-          <replaceable>zone-list </replaceable>which consists of a
+          following:</para>
-          comma-separated list of zones declared in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
-          This <replaceable>zone-list</replaceable> may be optionally followed
-          by "+" to indicate that the rule is to apply to intra-zone traffic
-          as well as inter-zone traffic.</para>
 
-          <para>Beginning with Shorewall 4.5.4, A
+          <variablelist>
-          <replaceable>countrycode-list</replaceable> may be specified. A
+            <varlistentry>
-          countrycode-list is a comma-separated list of up to 15 two-character
+              <term><emphasis
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
+              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
-          preceded by a caret ('^'). When a single country code is given, the
-          square brackets may be omitted. A list of country codes supported by
-          Shorewall may be found at <ulink
-          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
-          Specifying a <replaceable>countrycode-list</replaceable> requires
-          <firstterm>GeoIP Match</firstterm> support in your iptables and
-          Kernel.</para>
 
-          <para>When <emphasis role="bold">none</emphasis> is used either in
+              <listitem>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+                <para>The name of a zone defined in <ulink
-          role="bold">DEST</emphasis> column, the rule is ignored.</para>
+                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
+                only the zone name is specified, the packet destination may be
+                any host in that zone.</para>
 
-          <para><emphasis role="bold">all</emphasis> means "All Zones",
+                <para>zone may also be one of the following:</para>
-          including the firewall itself. <emphasis role="bold">all-</emphasis>
-          means "All Zones, except the firewall itself". When <emphasis
-          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
-          used either in the <emphasis role="bold">SOURCE</emphasis> or
-          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
-          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
-          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
-          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
-          <ulink
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
 
-          <para><emphasis role="bold">any</emphasis> is equivalent to
+                <variablelist>
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
+                  <varlistentry>
-          When there are nested zones, <emphasis role="bold">any</emphasis>
+                    <term>all[+][-]</term>
-          only refers to top-level zones (those with no parent zones). Note
-          that <emphasis role="bold">any</emphasis> excludes all vserver
-          zones, since those zones are nested within the firewall zone.</para>
 
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+                    <listitem>
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+                      <para><emphasis role="bold">all</emphasis>, without the
-          <emphasis role="bold">any</emphasis>[<emphasis
+                      "-" means "All Zones, including the firewall zone". If
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+                      the "-" is included, the firewall zone is omitted.
-          specified, clients may be further restricted to a list of networks
+                      Normally all omits intra-zone traffic, but intra-zone
-          and/or hosts by appending ":" and a comma-separated list of network
+                      traffic can be included specifying "+".</para>
-          and/or host addresses. Hosts may be specified by IP or MAC address;
+                    </listitem>
-          mac addresses must begin with "~" and must use "-" as a
+                  </varlistentry>
-          separator.</para>
 
-          <para>When <emphasis role="bold">all</emphasis> is used either in
+                  <varlistentry>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+                    <term>any[+][-]</term>
-          role="bold">DEST</emphasis> column intra-zone traffic is not
-          affected. When <emphasis role="bold">all+</emphasis> is used,
-          intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
-          exclusion is supported -- see see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
 
-          <para>The <replaceable>zone</replaceable> should be omitted in
+                    <listitem>
-          DNAT-, REDIRECT- and NONAT rules.</para>
+                      <para><emphasis role="bold">any</emphasis> is equivalent
+                      to <emphasis role="bold">all</emphasis> when there are
+                      no nested zones. When there are nested zones, <emphasis
+                      role="bold">any</emphasis> only refers to top-level
+                      zones (those with no parent zones). Note that <emphasis
+                      role="bold">any</emphasis> excludes all vserver zones,
+                      since those zones are nested within the firewall
+                      zone.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>none</term>
+
+                    <listitem>
+                      <para>When <emphasis role="bold">none</emphasis> is used
+                      either in the <emphasis role="bold">SOURCE</emphasis> or
+                      <emphasis role="bold">DEST</emphasis> column, the rule
+                      is ignored.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>Similar to with <emphasis role="bold">all</emphasis> and
+                <emphasis role="bold">any</emphasis>, intra-zone traffic is
+                normally excluded when multiple zones are listed. Intra-zone
+                traffic may be included by following the list with a plus sign
+                ("+").</para>
+
+                <para><emphasis role="bold">all</emphasis> and <emphasis
+                role="bold">any</emphasis> may be followed by an exclamation
+                point ("!") and a comma-separated list of zone names to be
+                omitted.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>When this form is used,
+                <replaceable>interface</replaceable> must be the name of an
+                interface associated with the named
+                <replaceable>zone</replaceable> in either <ulink
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+                or <ulink
+                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
+                packets to hosts in the <replaceable>zone</replaceable> that
+                are sent through the named interface will match the
+                rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
+
+              <listitem>
+                <para>where address can be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address. A network address may
+                    be followed by exclusion (see <ulink
+                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>An address range, specified using the syntax
+                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>+<replaceable>ipset</replaceable> where
+                    <replaceable>ipset</replaceable> is the name of an ipset
+                    and must be preceded by a plus sign ("+").</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>^<replaceable>country-code</replaceable> where
+                    country-code is a two-character ISO-3661 country code
+                    preceded by a caret ("^").</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>^<replaceable>country-code-list</replaceable> where
+                    <replaceable>country-code-list</replaceable> is a
+                    comma-separated list of up to 15 ISO-3661 country codes
+                    enclosed in square brackets ("[...]").</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The primary IP address of a firewall interface can
+                    be specified by an ampersand ('&amp;') followed by the
+                    logical name of the interface as found in the INTERFACE
+                    column of <ulink
+                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+                    (5).</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
+
+              <listitem>
+                <para>This form combines the preceding two and requires that
+                both the outgoing interface and destinationaddress
+                match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches if the host IP address does not match
+                any of the entries in the exclusion (see <ulink
+                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches packets to the named
+                <replaceable>zone</replaceable> leaving through the specified
+                <replaceable>interface</replaceable> where the destination
+                address does not match any entry in the
+                <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
+
+              <listitem>
+                <para>This form applies when the ACTION is DNAT[-] or
+                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
+                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
+                rules.</para>
+
+                <para><replaceable role="bold">server-IP</replaceable> is not
+                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
+                provided that <replaceable>port-or-port-range</replaceable> is
+                included.</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The IP address of the server to which the packet is
+                    to be sent.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A range of IP address with the low and high address
+                    separated by a dash (:"-"). Connections are distributed
+                    among the IP addresses in the range.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>If <replaceable>server-IP </replaceable>is omitted in a
+                DNAT[-] rule, only the destination port number is modified by
+                the rule.</para>
+
+                <para>port-or-port-range may be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>An integer port number in the range 1 -
+                    65535.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The name of a service from
+                    <filename>/etc/services</filename>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A port range with the low and high integer port
+                    numbers separated by a dash ("-"). Connections are
+                    distributed among the ports in the range.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>If <emphasis role="bold">random</emphasis> is specified,
+                port mapping will be randomized.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
 
           <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
           then either:<orderedlist numeration="loweralpha">
@@ -1194,82 +1459,134 @@
                 <para>the SOURCE <replaceable>zone</replaceable> must be an
                 ipv4 zone that is associated with only the same bridge.</para>
               </listitem>
-            </orderedlist></para>
+            </orderedlist>Beginning with Shorewall 5.1.0, multiple
+          <replaceable>dest-spec</replaceable>s may be listed, provided that
+          extended forms of the source-spec are used:</para>
 
-          <para>Except when <emphasis
+          <blockquote>
-          role="bold">{all|any}</emphasis>[<emphasis
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
-          role="bold">+]|[-</emphasis>] is specified, the server may be
-          further restricted to a particular network, host or interface by
-          appending ":" and the network, host or interface. See <emphasis
-          role="bold">SOURCE</emphasis> above.</para>
 
-          <para>You may exclude certain hosts from the set already defined
+            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
 
-          <para>Restriction: MAC addresses are not allowed (this is a
+            <para>zone:(interface:address[,...])</para>
-          Netfilter restriction).</para>
 
-          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-          you may specify a range of IP addresses using the syntax
-          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
-          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
-          role="bold">DNAT</emphasis> or <emphasis
-          role="bold">DNAT-</emphasis>, the connections will be assigned to
-          addresses in the range in a round-robin fashion.</para>
 
-          <para>If your kernel and iptables have ipset match support then you
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          may give the name of an ipset prefaced by "+". The ipset name may be
+          </blockquote>
-          optionally followed by a number from 1 to 6 enclosed in square
-          brackets ([]) to indicate the number of levels of destination
-          bindings to be matched. Only one of the <emphasis
-          role="bold">SOURCE</emphasis> and <emphasis
-          role="bold">DEST</emphasis> columns may specify an ipset
-          name.</para>
 
-          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          firewall interface can be specified by an ampersand ('&amp;')
+          permitted in DNAT[-] and REDIRECT[-] rules.</para>
-          followed by the logical name of the interface as found in the
-          INTERFACE column of <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-          (5).</para>
 
-          <para>The <replaceable>port</replaceable> that the server is
+          <para>Examples:</para>
-          listening on may be included and separated from the server's IP
-          address by ":". If omitted, the firewall will not modify the
-          destination port. A destination port may only be included if the
-          <emphasis role="bold">ACTION</emphasis> is <emphasis
-          role="bold">DNAT</emphasis> or <emphasis
-          role="bold">REDIRECT</emphasis>.</para>
 
           <variablelist>
             <varlistentry>
-              <term>Example:</term>
+              <term>dmz:192.168.2.2</term>
 
               <listitem>
-                <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
+                <para>Host 192.168.2.2 in the DMZ</para>
-                specifies a local server at IP address 192.168.1.3 and
+              </listitem>
-                listening on port 3128.</para>
+            </varlistentry>
+
+            <varlistentry>
+              <term>net:155.186.235.0/24</term>
+
+              <listitem>
+                <para>Subnet 155.186.235.0/24 on the Internet</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc:192.168.1.1,192.168.1.2</term>
+
+              <listitem>
+                <para>Hosts 192.168.1.1 and 192.168.1.2 in the local
+                zone.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>net:192.0.2.11-192.0.2.17</term>
+
+              <listitem>
+                <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>net:!192.0.2.11-192.0.2.17</term>
+
+              <listitem>
+                <para>All hosts in the net zone except for
+                192.0.2.11-192.0.2.17.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>net:155.186.235.0/24!155.186.235.16/28</term>
+
+              <listitem>
+                <para>Subnet 155.186.235.0/24 on the Internet except for
+                155.186.235.16/28</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$FW:&amp;eth0</term>
+
+              <listitem>
+                <para>The primary IP address of eth0 in the firewall
+                zone.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc,dmz</term>
+
+              <listitem>
+                <para>Both the <emphasis role="bold">loc</emphasis> and
+                <emphasis role="bold">dmz</emphasis> zones.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>all!dmz</term>
+
+              <listitem>
+                <para>All but the <emphasis role="bold">dmz</emphasis>
+                zone.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>net:^CN</term>
+
+              <listitem>
+                <para>China.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>dmz:192.168.10.4:25</term>
+
+              <listitem>
+                <para>Port 25 on server 192.168.10.4 in the dmz zone (DNAT
+                rule).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
+
+              <listitem>
+                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
+                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
+                in the dmz zone when the packet arrives through eth2 plus all
+                of the net zone.</para>
               </listitem>
             </varlistentry>
           </variablelist>
-
-          <para>The <emphasis>port</emphasis> may be specified as a service
-          name. You may specify a port range in the form
-          <emphasis>lowport-highport</emphasis> to cause connections to be
-          assigned to ports in the range in round-robin fashion. When a port
-          range is specified, <emphasis>lowport</emphasis> and
-          <emphasis>highport</emphasis> must be given as integers; service
-          names are not permitted. Additionally, the port range may be
-          optionally followed by <emphasis role="bold">:random</emphasis>
-          which causes assignment to ports in the list to be random.</para>
-
-          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
-          role="bold">REDIRECT</emphasis> or <emphasis
-          role="bold">REDIRECT-</emphasis>, this column needs only to contain
-          the port number on the firewall that the request should be
-          redirected to. That is equivalent to specifying
-          <option>$FW</option>::<replaceable>port</replaceable>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-snat.xml

@@ -75,7 +75,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>|</term>
@@ -171,7 +171,7 @@
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
         [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall.conf.xml

@@ -533,22 +533,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
-          PERL....END PERL in configuration files, the only way to execute a
-          chain-specific script was to create a script file with the same name
-          as the chain and place it in a directory on the CONFIG_PATH. That
-          facility has the drawback that the compiler will attempt to run a
-          non-script file just because it has the same name as a chain. To
-          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
-          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -2151,36 +2135,27 @@ LOG:info:,bar                        net                    fw</programlisting>
           <command>load</command> and <command>reload</command> commands.
           Beginning with release 3.9.5, you may define an alternative means
           for accessing the remote firewall system. In that release, two new
-          options were added to shorewall.conf:<simplelist>
+          options were added to shorewall.conf:</para>
+
+          <simplelist>
             <member>RSH_COMMAND</member>
 
             <member>RCP_COMMAND</member>
-            </simplelist>The default values for these are as
+          </simplelist>
-          follows:<simplelist>
-              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>
 
-              <member>RCP_COMMAND: scp ${files}
+          <para>The default values for these are as follows:</para>
-              ${root}@${system}:${destination}</member>
-            </simplelist>Shell variables that will be set when the commands
-          are invoked are as follows:<simplelist>
-              <member><replaceable>root</replaceable> - root user. Normally
-              <option>root</option> but may be overridden using the '-r'
-              option.</member>
 
-              <member><replaceable>system</replaceable> - The name/IP address
+          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-              of the remote firewall system.</member>
+RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
 
-              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+          <para>Shell variables that will be set when the commands are invoked
-              the command to be executed on the firewall system.</member>
+          are as follows:</para>
 
-              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-              space-separated list of files to be copied to the remote
+<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-              firewall system.</member>
+<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-
+<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
-              <member><replaceable>destination</replaceable> - The directory
+<replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
-              on the remote system that the files are to be copied
-              into.</member>
-            </simplelist></para>
         </listitem>
       </varlistentry>
 
@@ -2595,9 +2570,19 @@ INLINE          -       -       -       ;; -j REJECT
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
           stops. Creating and removing this file allows Shorewall to work with
-          your distribution's initscripts. For RedHat and OpenSuSE, this
+          your distribution's initscripts. For OpenSuSE, this should be set to
-          should be set to /var/lock/subsys/shorewall. For Debian, the value
+          /var/lock/subsys/shorewall (var/lock/subsys/shorewall-lite if
-          is /var/lock/shorewall and in LEAF it is /var/run/shorewall.</para>
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall (/run/lock/shorewall-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 

Shorewall/modules.essential

@@ -25,6 +25,8 @@ loadmodule ip_conntrack
 loadmodule nf_conntrack
 loadmodule nf_conntrack_ipv4
 loadmodule iptable_nat
+loadmodule nf_nat
+loadmodule nf_nat_ipv4
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp

Shorewall/modules.xtables

@@ -31,6 +31,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
+loadmodule xt_nat
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev

Shorewall/uninstall.sh

@@ -28,6 +28,7 @@
 
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
+Product=Shorewall
 
 usage() # $1 = exit status
 {
@@ -127,7 +128,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall6-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall6-lite show vardir)
-SHAREDIR=/usr/share/shorewall6-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall6-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall6-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall6-lite/init.debian.sh

@@ -13,7 +13,7 @@
 
 . /lib/lsb/init-functions
 
-SRWL=/sbin/shorewall6-lite
+SRWL='/sbin/shorewall6-lite -6'
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
 
@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall6_start () {
-  echo -n "Starting \"Shorewall6 Lite firewall\": "
+  printf "Starting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall6 Lite firewall\": "
+      printf "Stopping \"Shorewall6 Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall6 Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall6_stop () {
 
 # restart the firewall
 shorewall6_restart () {
-  echo -n "Restarting \"Shorewall6 Lite firewall\": "
+  printf "Restarting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall6_refresh () {
-  echo -n "Refreshing \"Shorewall6 Lite firewall\": "
+  printf "Refreshing \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall6-lite/init.fedora.sh

@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
 
-prog="shorewall6-lite"
+prog="shorewall -6l"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall6-lite/init.openwrt.sh

@@ -79,17 +79,17 @@ boot() {
 }
 
 restart() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RESTARTOPTIONS
 }
 
 reload() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RELOADOPTION
 }
 
 stop() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $STOPOPTIONS
 }
 
 status() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
 }

Shorewall6-lite/init.sh

@@ -76,13 +76,13 @@ command="$1"
 
 case "$command" in
     start)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
 	;;
     *)
 	usage

Shorewall6-lite/init.suse.sh

@@ -73,13 +73,13 @@ command="$1"
 
 case "$command" in
     start)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
 	;;
     *)
 	usage