Correct typo (syntax error!)

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -949,7 +949,7 @@ show_events() {
 	for file in /proc/net/xt_recent/*; do
 	    base=$(basename $file)
 
-	    if [ $base != %CURRENTTIME ]; then
+	    if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
 		echo $base
 		show_event $base
 		echo
@@ -1161,6 +1161,11 @@ show_macros() {
     done
 }
 
+show_a_macro() {
+    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
+    cat ${directory}/macro.$1
+}
+
 #
 # Show Command Executor
 #
@@ -1441,8 +1446,7 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				    eval show_a_macro $2 $g_pager
-				    cat ${directory}/macro.$2
 				    return
 				fi
 			    done
@@ -3992,24 +3996,26 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
-    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+    if [ -z "$g_nopager" ]; then
+	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
-    if [ -n "$PAGER" -a -t 1 ]; then
+	if [ -n "$PAGER" -a -t 1 ]; then
-	case $PAGER in
+	    case $PAGER in
-	    /*)
+		/*)
-		g_pager="$PAGER"
+		    g_pager="$PAGER"
-		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
+		    ;;
-	    *)
+		*)
-		g_pager=$(mywhich $PAGER 2> /dev/null)
+		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
+		    ;;
-	esac
+	    esac
 
-	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	g_pager="| $g_pager"
+	    g_pager="| $g_pager"
-     fi
+	fi
+    fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -4357,6 +4363,7 @@ shorewall_cli() {
     g_loopback=
     g_compiled=
     g_pager=
+    g_nopager=
     g_blacklistipset=
     g_disconnect=
 
@@ -4453,6 +4460,11 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
+			p*)
+			    g_nopager=Yes
+			    option=${option#p}
+			    ;;
+
 			-)
 			    finished=1
 			    option=

Shorewall/Perl/Shorewall/Config.pm

@@ -133,6 +133,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_line
 				       split_line1
 				       split_line2
+				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -174,6 +175,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -564,6 +566,7 @@ our $usedcaller;
 our $inline_matches;
 
 our $currentline;            # Current config file line image
+our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -2442,6 +2445,25 @@ sub split_line2( $$;$$$ ) {
     @line;
 }
 
+#
+# Same as above, only it splits the raw current line
+#
+sub split_rawline2( $$;$$$ ) {
+    my $savecurrentline = $currentline;
+
+    $currentline = $rawcurrentline;
+    #
+    # Delete trailing comment
+    #
+    $currentline =~ s/\s*#.*//;
+
+    my @result = &split_line2( @_ );
+
+    $currentline = $savecurrentline;
+
+    @result;
+}
+
 sub split_line1( $$;$$ ) {
     &split_line2( @_, undef );
 }
@@ -3026,9 +3048,9 @@ sub process_compiler_directive( $$$$ ) {
 
     if ( $directive_callback ) {
         $directive_callback->( $keyword, $line ) 
-    } else {
-        $omitting;
     }
+
+    $omitting;
 }
 
 #
@@ -3736,6 +3758,7 @@ sub read_a_line($) {
 
 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
+		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }
 
@@ -3790,6 +3813,10 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
+	    # Save Raw Image
+	    #
+	    $rawcurrentline = $currentline;
+	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3818,7 +3845,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -472,7 +472,7 @@ sub validate_portpair1( $$ ) {
 
     fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
     $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
 
     my @ports = split /-/, $portpair, 2;
@@ -483,9 +483,10 @@ sub validate_portpair1( $$ ) {
 
     if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
     } else {
 	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
     }
 
     fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless

Shorewall/Perl/Shorewall/Misc.pm

@@ -216,6 +216,7 @@ sub convert_blacklist() {
     my $audit       = $disposition =~ /^A_/;
     my $target      = $disposition;
     my $orig_target = $target;
+    my $warnings    = 0;
     my @rules;
 
     if ( @$zones || @$zones1 ) {
@@ -237,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry "Converting $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
+		split_rawline2( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+				{ networks => 0, proto => 1, port => 2, options => 3 },
+				{},
+				4,
+		);
 
 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -300,6 +311,8 @@ sub convert_blacklist() {
 	    }
 	}
 
+	directive_callback(0);
+
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -312,7 +325,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -394,7 +407,8 @@ sub convert_routestopped() {
     if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
-	my $seq  = 0;
+	my $seq      = 0;
+	my $warnings = 0;
 	my $date = compiletime;
 
 	my ( $stoppedrules, $fn1 );
@@ -406,7 +420,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -422,6 +436,13 @@ sub convert_routestopped() {
 EOF
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -436,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {
 
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
+		split_rawline2( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
+				{},
+				6,
+				0,
+		);
 
 	    my $interfaceref;
 
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 
 	    my $routeback = 0;
@@ -456,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';
 
 	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -501,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}
 
+	directive_callback(0);
+
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;

Shorewall/Perl/Shorewall/Nat.pm

@@ -60,12 +60,12 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $pre_nat;
-    my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
     my $destnets = '';
     my $baserule = '';
     my $inlinematches = '';
@@ -226,13 +226,13 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = $snat ? 'CONTINUE' : 'RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';
 
-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
 
 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -249,45 +249,49 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 			    #
 			    $target = 'SNAT ';
 
-			    unless ( $snat ) {
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
-				if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				#
+				# User-defined address variable
+				#
+				$conditional = conditional_rule( $chainref, $addr );
+				$addrlist .= '--to-source ' . "\$${1}${ports} ";
+			    } else {
+				if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				    #
-				    # User-defined address variable
+				    # Optional Interface -- rule is conditional
 				    #
-				    $conditional = conditional_rule( $chainref, $addr );
+				    $addr = get_interface_address $interface;
-				    $addrlist .= '--to-source ' . "\$${1}${ports} ";
 				} else {
-				    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				    #
-					#
+				    # Interface is not optional
-					# Optional Interface -- rule is conditional
+				    #
-					#
+				    $addr = record_runtime_address( $type, $interface );
-					$addr = get_interface_address $interface;
-				    } else {
-					#
-					# Interface is not optional
-					#
-					$addr = record_runtime_address( $type, $interface );
-				    }
-
-				    if ( $ports ) {
-					$addr =~ s/ $//;
-					$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
-				    }
-
-				    $addrlist .= '--to-source ' . $addr;
 				}
+
+				if ( $ports ) {
+				    $addr =~ s/ $//;
+				    $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
+				}
+
+				$addrlist .= '--to-source ' . $addr;
 			    }
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
+				my ($ipaddr, $rest) = split ':', $addr, 2;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
+
-				$addrlist .= "--to-source $addr ";
+				if ( supplied $rest ) {
+				    validate_portpair1( $proto, $rest );
+				    $addrlist .= "--to-source $addr ";
+				} else {
+				    $addrlist .= "--to-source $ipaddr";
+				}
+
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -356,39 +360,37 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	#
 	# And Generate the Rule(s)
 	#
-	unless ( $snat ) {
+	expand_rule( $chainref ,
-	    expand_rule( $chainref ,
+		     POSTROUTE_RESTRICT ,
-			 POSTROUTE_RESTRICT ,
+		     $prerule ,
-			 $prerule ,
+		     $baserule . $inlinematches . $rule ,
-			 $baserule . $inlinematches . $rule ,
+		     $networks ,
-			 $networks ,
+		     $destnets ,
-			 $destnets ,
+		     $origdest ,
-			 $origdest ,
+		     $target ,
-			 $target ,
+		     '' ,
-			 '' ,
+		     '' ,
-			 '' ,
+		     $exceptionrule ,
-			 $exceptionrule ,
+		     '' )
-			 '' )
+	    unless unreachable_warning( 0, $chainref );
-		unless unreachable_warning( 0, $chainref );
 
-	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
-	    if ( $add_snat_aliases ) {
+	if ( $add_snat_aliases ) {
-		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
+	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
-		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
+	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-		for my $address ( split_list $addresses, 'address' ) {
+	    for my $address ( split_list $addresses, 'address' ) {
-		    my ( $addrs, $port ) = split /:/, $address;
+		my ( $addrs, $port ) = split /:/, $address;
-		    next unless $addrs;
+		next unless $addrs;
-		    next if $addrs eq 'detect';
+		next if $addrs eq 'detect';
-		    for my $addr ( ip_range_explicit $addrs ) {
+		for my $addr ( ip_range_explicit $addrs ) {
-			unless ( $addresses_to_add{$addr} ) {
+		    unless ( $addresses_to_add{$addr} ) {
-			    $addresses_to_add{$addr} = 1;
+			$addresses_to_add{$addr} = 1;
-			    if ( defined $alias ) {
+			if ( defined $alias ) {
-				push @addresses_to_add, $addr, "$interface:$alias";
+			    push @addresses_to_add, $addr, "$interface:$alias";
-				$alias++;
+			    $alias++;
-			    } else {
+			} else {
-				push @addresses_to_add, $addr, $interface;
+			    push @addresses_to_add, $addr, $interface;
-			    }
 			}
 		    }
 		}
@@ -396,10 +398,93 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	}
     }
 
+    progress_message "   Masq record \"$currentline\" $done";
+
+}
+
+sub convert_one_masq1( $$$$$$$$$$$$ )
+{
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+
+    my $pre_nat;
+    my $destnets = '';
+    my $savelist;
+    #
+    # Leading '+'
+    #
+    $pre_nat = ( $interfacelist =~ s/^\+// );
+    #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+	$interfacelist = $1;
+    }
+
+    $savelist = $interfacelist;
+    #
+    # Parse the remaining part of the INTERFACE column
+    #
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
+	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
+    }
+    #
+    # If there is no source or destination then allow all addresses
+    #
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';
+
+    my $target;
+    #
+    # Parse the ADDRESSES column
+    #
+    if ( $addresses ne '-' ) {
+	my $saveaddresses = $addresses;
+	if ( $addresses ne 'random' ) {
+	    $addresses =~ s/:persistent$//;
+	    $addresses =~ s/:random$//;
+
+	    if ( $addresses eq 'detect' ) {
+		$target = 'SNAT';
+	    } elsif ( $addresses eq 'NONAT' ) {
+		$target = 'CONTINUE';
+	    } elsif ( $addresses ) {
+		if ( $addresses =~ /^:/ ) {
+		    $target = 'MASQUERADE';
+		} else {
+		    $target = 'SNAT';
+		}
+	    }
+	}
+
+	$addresses = $saveaddresses;
+    } else {
+	$target = 'MASQUERADE';
+    }
+
     if ( $snat ) {
-	$target =~ s/ .*//;
 	$target .= '+' if $pre_nat;
-	$target .= '(' . $addresses . ')' if $addresses ne '-' && $addresses ne 'NONAT';
+
+	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
+	    $addresses =~ s/^://;
+	    $target .= '(' . $addresses . ')';
+	}
 
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#
@@ -414,7 +499,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	print $snat "$line\n";
     }
 
-    progress_message "   Masq record \"$currentline\" $done";
+    progress_message "   Masq record \"$rawcurrentline\" Converted";
 
 }
 
@@ -422,17 +507,37 @@ sub process_one_masq( $ )
 {
     my ( $snat ) = @_;
 
-    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+    if ( $snat ) {
-	split_line2( 'masq file',
+	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+	    #
-		     {},    #Nopad
+	    # Line was not blank or all comment
-		     undef, #Columns
+	    #
-		     1 );   #Allow inline matches
+	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+		split_rawline2( 'masq file',
+				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+				{},    #Nopad
+				undef, #Columns
+				1 );   #Allow inline matches
 
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+	    if ( $interfacelist ne '-' ) { 
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+		}
+	    }
+	}
+    } else {
+	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'masq file',
+			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 {},    #Nopad
+			 undef, #Columns
+			 1 );   #Allow inline matches
 
-    for my $proto ( split_list $protos, 'Protocol' ) {
+	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-	process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+
+	for my $proto ( split_list $protos, 'Protocol' ) {
+	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	}
     }
 }
 
@@ -487,7 +592,19 @@ sub convert_masq() {
 
 	my $have_masq_rules;
 
-	directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    process_one_masq( $snat) if $snat;
+		} else {
+		    print $snat "$_[1]\n"; 0;
+		}
+	    }
+	    );
 
 	first_entry(
 	    sub {
@@ -500,7 +617,18 @@ sub convert_masq() {
 	    }
 	    );
 
-	process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
+	while ( read_a_line( NORMAL_READ ) ) {
+	    #
+	    # Process the file normally
+	    #
+	    process_one_masq(0);
+	    #
+	    # Now Convert it
+	    #
+	    process_one_masq($snat);
+
+	    $have_masq_rules++;
+	}
 
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";

Shorewall/Perl/Shorewall/Providers.pm

@@ -220,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
     } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
+	       '                fe80:*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
     }
 
     emit ( '            ;;',
@@ -291,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
     } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
+		'                        fe80:*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $id \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
     }
 
     emit (  '                    ;;',
@@ -1496,7 +1510,18 @@ sub finish_providers() {
 
     if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+
+	if ( $family == F_IPV4 ) {
+	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	} else {
+	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    '    else',
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    '    fi',
+		    '' );
+	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1549,7 +1574,13 @@ sub finish_providers() {
 
     if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+
+	if ( $family == F_IPV4 ) {
+	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+	} else {
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
+	}
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',

Shorewall/Perl/Shorewall/Rules.pm

@@ -5139,50 +5139,50 @@ sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
-			 { mark => 0,
+			    { mark => 0,
-			   action => 0,
+			      action => 0,
-			   source => 1,
+			      source => 1,
-			   dest => 2,
+			      dest => 2,
-			   proto => 3,
+			      proto => 3,
-			   dport => 4,
+			      dport => 4,
-			   sport => 5,
+			      sport => 5,
-			   user => 6,
+			      user => 6,
-			   test => 7,
+			      test => 7,
-			   length => 8,
+			      length => 8,
-			   tos => 9,
+			      tos => 9,
-			   connbytes => 10,
+			      connbytes => 10,
-			   helper => 11,
+			      helper => 11,
-			   probability => 12 , 
+			      probability => 12 , 
-			   scp => 13,
+			      scp => 13,
-			   state => 14 },
+			      state => 14 },
-			 {},
+			    {},
-			 15,
+			    15,
-	                 1 );
+			    1 );
 	$headers = '-';
     } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
-			 { mark => 0,
+			    { mark => 0,
-			   action => 0,
+			      action => 0,
-			   source => 1,
+			      source => 1,
-			   dest => 2,
+			      dest => 2,
-			   proto => 3,
+			      proto => 3,
-			   dport => 4,
+			      dport => 4,
-			   sport => 5,
+			      sport => 5,
-			   user => 6,
+			      user => 6,
-			   test => 7,
+			      test => 7,
-			   length => 8,
+			      length => 8,
-			   tos => 9,
+			      tos => 9,
-			   connbytes => 10,
+			      connbytes => 10,
-			   helper => 11,
+			      helper => 11,
-			   headers => 12,
+			      headers => 12,
-			   probability => 13,
+			      probability => 13,
-			   dscp => 14,
+			      dscp => 14,
-			   state => 15 },
+			      state => 15 },
-			 {},
+			    {},
-			 16,
+			    16,
-	                 1 );
+			    1 );
     }
 
     for my $proto (split_list( $protos, 'Protocol' ) ) {
@@ -5363,6 +5363,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
 	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
+	$add_snat_aliases = '';
     } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
 	$addresses  = $2;
@@ -5377,6 +5378,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$pre_nat    = $1;
     } elsif ( $action eq 'MASQUERADE' ) {
 	$actiontype = $builtin_target{$target = 'MASQUERADE'};
+	$add_snat_aliases = '';
     } else {
 	( $target , $params ) = get_target_param1( $action );
 
@@ -5455,6 +5457,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
  
 	my $rule = '';
 	my $saveaddresses = $addresses;
+	my $savetarget    = $target;
+	my $savebaserule  = $baserule;
 	my $interface = $fullinterface;
 
 	$interface =~ s/:.*//;   #interface name may include 'alias'
@@ -5505,10 +5509,12 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		    $detectaddress = 1;
 		}
 	    } else {
+		fatal_error "SNAT rules must spacify a new source address and/or new source ports" unless supplied $addresses;
+
 		my $addrlist = '';
 		my @addrs = split_list $addresses, 'address';
 
-		fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		fatal_error "Only one SNAT address may be specified" if @addrs > 1;
 
 		for my $addr ( @addrs ) {
 		    if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -5551,20 +5557,27 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			}
 		    } elsif ( $family == F_IPV4 ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    my ($ipaddr, $rest) = split ':', $addr;
+			    my ($ipaddr, $rest) = split ':', $addr, 2;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
 			    }
-			    validate_portpair1( $proto, $rest ) if supplied $rest;
+
-			    $addrlist .= " --to-source $addr";
+			    if ( supplied $rest ) {
+				validate_portpair1( $proto, $rest );
+				$addrlist .= " --to-source $addr";
+			    } else {
+				$addrlist .= " --to-source $ipaddr";
+			    }
+
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
 			    my $ports = $addr;
 			    $ports =~ s/^://;
+			    fatal_error "Missing Address or Port[-range] ($addr)" unless supplied $ports && $ports ne '-';
 			    validate_portpair1( $proto, $ports );
-			    $addrlist .= " --to-ports $ports";
+			    $addrlist .= " --to-source :$ports";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    } else {
@@ -5614,6 +5627,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( supplied $addresses ) {
 		validate_portpair1($proto, $addresses );
 		$target .= " --to-ports $addresses";
+		$exceptionrule = do_proto( $proto, '', '' );
 	    }
 	}
 	#
@@ -5699,7 +5713,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
-	    if ( $add_snat_aliases ) {
+	    if ( $add_snat_aliases && $addresses ) {
 		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 		for my $address ( split_list $addresses, 'address' ) {
@@ -5722,6 +5736,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	}
 
 	$addresses = $saveaddresses;
+	$target    = $savetarget;
+	$baserule  = $savebaserule;
     }
 
     progress_message "   Snat record \"$currentline\" $done"

Shorewall/Perl/Shorewall/Tc.pm

@@ -2150,6 +2150,50 @@ sub process_secmark_rule() {
     }
 }
 
+sub convert_one_tos( $ ) {
+    my ( $mangle ) = @_;
+
+    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+	split_rawline2( 'tos file entry',
+			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
+			undef,
+			7 );
+
+    my $chain_designator = 'P';
+
+    decode_tos($tos, 1);
+
+    my ( $srczone , $source , $remainder );
+
+    if ( $family == F_IPV4 ) {
+	( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+	fatal_error 'Invalid SOURCE' if defined $remainder;
+    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+	$srczone = $1;
+	$source  = $2;
+    } else {
+	$srczone = $src;
+    }
+
+    if ( $srczone eq firewall_zone ) {
+	$chain_designator = 'O';
+	$src         = $source || '-';
+    } else {
+	$src =~ s/^all:?//;
+    }
+
+    $dst =~ s/^all:?//;
+
+    $src    = '-' unless supplied $src;
+    $dst    = '-' unless supplied $dst;
+    $proto  = '-' unless supplied $proto;
+    $ports  = '-' unless supplied $ports;
+    $sports = '-' unless supplied $sports;
+    $mark   = '-' unless supplied $mark;
+
+    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+}
+
 
 sub convert_tos($$) {
     my ( $mangle, $fn1 ) = @_;
@@ -2167,6 +2211,25 @@ sub convert_tos($$) {
     }
 
     if ( my $fn = open_file 'tos' ) {
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+			print $mangle "$_[1]\n";
+		    } else {
+			convert_one_tos( $mangle );
+			$have_tos = 1;
+		    }
+		} else {
+		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+		}
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -2180,48 +2243,12 @@ sub convert_tos($$) {
 
 	while ( read_a_line( NORMAL_READ ) ) {
 
+	    convert_one_tos( $mangle );
 	    $have_tos = 1;
-
-	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
-
-	    my $chain_designator = 'P';
-
-	    decode_tos($tos, 1);
-
-	    my ( $srczone , $source , $remainder );
-
-	    if ( $family == F_IPV4 ) {
-		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
-		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
-		$srczone = $1;
-		$source  = $2;
-	    } else {
-		$srczone = $src;
-	    }
-
-	    if ( $srczone eq firewall_zone ) {
-		$chain_designator = 'O';
-		$src         = $source || '-';
-	    } else {
-		$src =~ s/^all:?//;
-	    }
-
-	    $dst =~ s/^all:?//;
-
-	    $src    = '-' unless supplied $src;
-	    $dst    = '-' unless supplied $dst;
-	    $proto  = '-' unless supplied $proto;
-	    $ports  = '-' unless supplied $ports;
-	    $sports = '-' unless supplied $sports;
-	    $mark   = '-' unless supplied $mark;
-
-	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
-
 	}
 
+	directive_callback(0);
+
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
@@ -2337,7 +2364,24 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 
-		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
+		directive_callback(
+		    sub ()
+		    {
+			if ( $_[0] eq 'OMITTED' ) {
+			    #
+			    # Convert the raw rule
+			    #
+			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+				print $mangle "$_[1]\n";
+			    } else {
+				process_tc_rule;
+				$have_tcrules++;
+			    }
+			} else {
+			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+			}
+		    }
+		    );
 
 		first_entry(
 			    sub {

Shorewall/Perl/compiler.pl

@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Samples/three-interfaces/snat

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #
-MASQUERADE	10.0.0.0/8,\
+MASQUERADE		10.0.0.0/8,\
-		169.254.0.0/16,\
+			169.254.0.0/16,\
-		172.16.0.0/12,\
+			172.16.0.0/12,\
-		192.168.0.0/16	eth0
+			192.168.0.0/16		eth0

Shorewall/Samples/two-interfaces/snat

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #
-MASQUERADE	10.0.0.0/8,\
+MASQUERADE		10.0.0.0/8,\
-		169.254.0.0/16,\
+			169.254.0.0/16,\
-		172.16.0.0/12,\
+			172.16.0.0/12,\
-		192.168.0.0/16	eth0
+			92.168.0.0/16		eth0

Shorewall/configfiles/snat

@@ -1,8 +1,9 @@
 #
-# Shorewall SNAT/Masquerade File
+# Shorewall -- /etc/shorewall/snat
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+###########################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/install.sh

@@ -703,7 +703,7 @@ run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/con
 run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-    run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
     echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
 fi
 

Shorewall/lib.cli-std

@@ -318,21 +318,23 @@ get_config() {
 
     [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
-    if [ -n "$PAGER" -a -t 1 ]; then
+    if [ -z "$g_nopager" ]; then
-	case $PAGER in
+	if [ -n "$PAGER" -a -t 1 ]; then
-	    /*)
+	    case $PAGER in
-		g_pager="$PAGER"
+		/*)
-		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		    g_pager="$PAGER"
-		;;
+		    [ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
-	    *)
+		    ;;
-		g_pager=$(mywhich $PAGER 2> /dev/null)
+		*)
-		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		;;
+		    [ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
-	esac
+		    ;;
+	    esac
 
-	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	g_pager="| $g_pager"
+	    g_pager="| $g_pager"
+	fi
     fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then

Shorewall/manpages/shorewall-masq.xml

@@ -164,7 +164,7 @@
       <varlistentry>
         <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
         role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis

Shorewall/manpages/shorewall-snat.xml

@@ -75,7 +75,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>|</term>

Shorewall/manpages/shorewall.xml

@@ -2602,8 +2602,10 @@
               </listitem>
 
               <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
+                <para>With the exception of the
-                file.</para>
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
               </listitem>
 
               <listitem>
@@ -2611,6 +2613,26 @@
                 tab character; there is no attempt made to otherwise align the
                 columns.</para>
               </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning: </para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
             </orderedlist>
           </important>
 

Shorewall6/configfiles/snat

@@ -1,8 +1,9 @@
 #
-# Shorewall6 SNAT/Masquerade File
+# Shorewall6 -- /etc/shorewall6/snat
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See http://shorewall.net/manpages6/shorewall6-snat.html for more information
-###################################################################################################################
+#
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+###########################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall6/manpages/shorewall6-masq.xml

@@ -125,7 +125,7 @@
       <varlistentry>
         <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
         role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis

Shorewall6/manpages/shorewall6-snat.xml

@@ -75,7 +75,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>|</term>

Shorewall6/manpages/shorewall6.xml

@@ -2480,8 +2480,10 @@
               </listitem>
 
               <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
+                <para>With the exception of the
-                file.</para>
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
               </listitem>
 
               <listitem>
@@ -2489,6 +2491,26 @@
                 tab character; there is no attempt made to otherwise align the
                 columns.</para>
               </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning:</para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
             </orderedlist>
           </important>
 

docs/Anatomy.xml

@@ -106,8 +106,17 @@
     url="Install.htm#idp8774904608">configure scripts included with Shorewall
     Core</ulink>.</para>
 
+    <important>
+      <para>Since Shorewall 4.5.2, each of these directories is now
+      relocatable using the <ulink url="Install.htm#idp8774904608">configure
+      scripts included with Shorewall Core</ulink>. These scripts set shell
+      variables in the shorewallrc file which is normally installed in
+      /usr/share/shorewall/. The name of the variable is included in
+      parentheses in the section headings below.</para>
+    </important>
+
     <section id="sbin">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall</filename> shell program is used to
       interact with Shorewall. See <ulink
@@ -115,7 +124,7 @@
     </section>
 
     <section id="share-shorewall">
-      <title>/usr/share/shorewall</title>
+      <title>/usr/share/shorewall (${SHAREDIR}/shorewall)</title>
 
       <para>The bulk of Shorewall is installed here.</para>
 
@@ -220,22 +229,28 @@
     </section>
 
     <section id="shorewall">
-      <title>/etc/shorewall</title>
+      <title>/etc/shorewall (${CONFDIR}/shorewall)</title>
 
       <para>This is where the modifiable IPv4 configuration files are
       installed.</para>
     </section>
 
     <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
     </section>
 
     <section id="var">
-      <title>/var/lib/shorewall</title>
+      <title>/var/lib/shorewall (${VARLIB}/shorewall)</title>
 
       <para>Shorewall doesn't install any files in this directory but rather
       uses the directory for storing state information. This directory may be
@@ -332,7 +347,7 @@
     <para>Shorewall6 installs its files in a number of directories:</para>
 
     <section id="sbin6">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall6</filename> shell program is used to
       interact with Shorewall6. See <ulink
@@ -340,7 +355,7 @@
     </section>
 
     <section id="share-shorewall6">
-      <title>/usr/share/shorewall6</title>
+      <title>/usr/share/shorewall6 (${SHAREDIR}/shorewall6)</title>
 
       <para>The bulk of Shorewall6 is installed here.</para>
 
@@ -417,14 +432,28 @@
     </section>
 
     <section id="etc-shorewall6">
-      <title>/etc/shorewall6</title>
+      <title>/etc/shorewall6 (${CONFDIR}/</title>
 
       <para>This is where the modifiable IPv6 configuration files are
       installed.</para>
     </section>
 
+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall6</filename> or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
     <section id="var-shorewall6">
-      <title>/var/lib/shorewall6</title>
+      <title>/var/lib/shorewall6 (${VARLIB}/shorewall6)</title>
 
       <para>Shorewall6 doesn't install any files in this directory but rather
       uses the directory for storing state information. This directory may be
@@ -514,7 +543,7 @@
     in the sub-sections that follow.</para>
 
     <section id="sbin-lite">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR_</title>
 
       <para>The <filename>/sbin/shorewall-lite</filename> shell program is
       used to interact with Shorewall lite. See <ulink
@@ -522,22 +551,28 @@
     </section>
 
     <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall-lite</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
     </section>
 
     <section id="shorewall-lite">
-      <title>/etc/shorewall-lite</title>
+      <title>/etc/shorewall-lite (${CONFDIR}/shorewall-lite)</title>
 
       <para>This is where the modifiable configuration files are
       installed.</para>
     </section>
 
     <section id="share-lite">
-      <title>/usr/share/shorewall-lite</title>
+      <title>/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)</title>
 
       <para>The bulk of Shorewall-lite is installed here.</para>
 
@@ -586,7 +621,7 @@
     </section>
 
     <section id="var-lite">
-      <title>/var/lib/shorewall-lite</title>
+      <title>/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)</title>
 
       <para>Shorewall-lite doesn't install any files in this directory but
       rather uses the directory for storing state information. This directory
@@ -719,15 +754,29 @@
       <filename>rc.firewall</filename>.</para>
     </section>
 
+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall</filename>6-lite or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
     <section id="etc-shorewall6-lite">
-      <title>/etc/shorewall6-lite</title>
+      <title>/etc/shorewall6-lite (${CONFDIR}/shorewall6-lite)</title>
 
       <para>This is where the modifiable configuration files are
       installed.</para>
     </section>
 
     <section id="share-lite6">
-      <title>/usr/share/shorewall6-lite</title>
+      <title>/usr/share/shorewall6-lite (${SHAREDIR}/shorewall6-lite)</title>
 
       <para>The bulk of Shorewall-lite is installed here.</para>
 
@@ -776,7 +825,7 @@
     </section>
 
     <section id="var-lite6">
-      <title>/var/lib/shorewall6-lite</title>
+      <title>/var/lib/shorewall6-lite (${VARLIB}/shorewall6-lite)</title>
 
       <para>Shorewall6-lite doesn't install any files in this directory but
       rather uses the directory for storing state information. This directory

docs/PacketMarking.xml

@@ -44,7 +44,7 @@
   </caution>
 
   <important>
-    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall
     4.6.0. /etc/shorwall/tcrules is still supported but its use is
     deprecated.</para>
   </important>

docs/bridge-Shorewall-perl.xml

@@ -102,12 +102,9 @@
       <listitem>
         <para>Your kernel must contain Netfilter physdev match support
         (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
-        Physdev match is standard in the 2.6 kernel series but must be patched
+        Physdev match is standard in the 2.6 and later kernel series but must
-        into the 2.4 kernels (see <ulink
+        be patched into the 2.4 kernels (see <ulink
-        url="http://bridge.sf.net">http://bridge.sf.net</ulink>). Bering and
+        url="http://bridge.sf.net">http://bridge.sf.net</ulink>).</para>
-        Bering uCLibc users must find and install ipt_physdev.o for their
-        distribution and add <quote>ipt_physdev</quote> to
-        /etc/modules.</para>
       </listitem>
 
       <listitem>