Allow compact IPv6 addresses in IP6TABLES() rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1161,6 +1161,11 @@ show_macros() {
     done
 }
 
+show_a_macro() {
+    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
+    cat ${directory}/macro.$1
+}
+
 #
 # Show Command Executor
 #
@@ -1441,8 +1446,7 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				    eval show_a_macro $2 $g_pager
-				    cat ${directory}/macro.$2
 				    return
 				fi
 			    done
@@ -1579,6 +1583,19 @@ show_status() {
 
 }
 
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+
 #
 # Dump Command Executor
 #
@@ -1729,12 +1746,10 @@ do_dump_command() {
     heading "Events"
     show_events
 
-    if qt mywhich setkey; then
     heading "PFKEY SPD"
-	setkey -DP
+    $IP -s xfrm policy | spd_filter
     heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
-    fi
 
     heading "/proc"
     show_proc /proc/version
@@ -1805,6 +1820,7 @@ dump_command() {
 restore_command() {
     local finished
     finished=0
+    local result
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1869,8 +1885,11 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."
 
 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
+	result=$?
 
 	[ -n "$g_nolock" ] || mutex_off
+
+	exit $result
     else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -3992,6 +4011,7 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    if [ -z "$g_nopager" ]; then
 	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
 	if [ -n "$PAGER" -a -t 1 ]; then
@@ -4010,6 +4030,7 @@ get_config() {
 
 	    g_pager="| $g_pager"
 	fi
+    fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -4357,6 +4378,7 @@ shorewall_cli() {
     g_loopback=
     g_compiled=
     g_pager=
+    g_nopager=
     g_blacklistipset=
     g_disconnect=
 
@@ -4453,6 +4475,11 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
+			p*)
+			    g_nopager=Yes
+			    option=${option#p}
+			    ;;
+
 			-)
 			    finished=1
 			    option=

Shorewall/Perl/Shorewall/Chains.pm

@@ -810,7 +810,6 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
-		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1196,9 +1195,16 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies '-m policy'
+    # Don't combine chains where each specifies
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
     #
-    return ! ( $ref1->{policy} && $ref2->{policy} );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
+	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
 
 #
@@ -1218,6 +1224,7 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
+	    $toref->{simple} = 0;
 	}
     }
 

Shorewall/Perl/Shorewall/Config.pm

@@ -133,6 +133,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_line
 				       split_line1
 				       split_line2
+				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -174,6 +175,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -564,6 +566,7 @@ our $usedcaller;
 our $inline_matches;
 
 our $currentline;            # Current config file line image
+our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -1997,6 +2000,21 @@ sub find_writable_file($) {
     "$config_path[0]$filename";
 }
 
+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2055,7 +2073,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
     my ($list, $type ) = @_;
 
-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
 
     my @list1 = split /:/, $list;
     my @list2;
@@ -2092,6 +2110,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2257,21 +2276,6 @@ sub split_columns( $ ) {
     @list2;
 }
 
-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();
 
 #
@@ -2442,6 +2446,25 @@ sub split_line2( $$;$$$ ) {
     @line;
 }
 
+#
+# Same as above, only it splits the raw current line
+#
+sub split_rawline2( $$;$$$ ) {
+    my $savecurrentline = $currentline;
+
+    $currentline = $rawcurrentline;
+    #
+    # Delete trailing comment
+    #
+    $currentline =~ s/\s*#.*//;
+
+    my @result = &split_line2( @_ );
+
+    $currentline = $savecurrentline;
+
+    @result;
+}
+
 sub split_line1( $$;$$ ) {
     &split_line2( @_, undef );
 }
@@ -3026,9 +3049,9 @@ sub process_compiler_directive( $$$$ ) {
 
     if ( $directive_callback ) {
         $directive_callback->( $keyword, $line ) 
-    } else {
-        $omitting;
     }
+
+    $omitting;
 }
 
 #
@@ -3736,6 +3759,7 @@ sub read_a_line($) {
 
 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
+		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }
 
@@ -3790,6 +3814,10 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
+	    # Save Raw Image
+	    #
+	    $rawcurrentline = $currentline;
+	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3818,7 +3846,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;

Shorewall/Perl/Shorewall/Misc.pm

@@ -216,6 +216,7 @@ sub convert_blacklist() {
     my $audit       = $disposition =~ /^A_/;
     my $target      = $disposition;
     my $orig_target = $target;
+    my $warnings    = 0;
     my @rules;
 
     if ( @$zones || @$zones1 ) {
@@ -237,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry "Converting $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
+		split_rawline2( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+				{ networks => 0, proto => 1, port => 2, options => 3 },
+				{},
+				4,
+		);
 
 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -300,6 +311,8 @@ sub convert_blacklist() {
 	    }
 	}
 
+	directive_callback(0);
+
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -312,7 +325,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -395,6 +408,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
 	my $seq      = 0;
+	my $warnings = 0;
 	my $date = compiletime;
 
 	my ( $stoppedrules, $fn1 );
@@ -406,7 +420,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -422,6 +436,13 @@ sub convert_routestopped() {
 EOF
 	}
 
+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -436,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {
 
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
+		split_rawline2( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
+				{},
+				6,
+				0,
+		);
 
 	    my $interfaceref;
 
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 
 	    my $routeback = 0;
@@ -456,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';
 
 	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -501,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}
 
+	directive_callback(0);
+
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;

Shorewall/Perl/Shorewall/Nat.pm

@@ -60,12 +60,12 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $pre_nat;
-    my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
     my $destnets = '';
     my $baserule = '';
     my $inlinematches = '';
@@ -226,7 +226,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = $snat ? 'CONTINUE' : 'RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
@@ -249,7 +249,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 			    #
 			    $target = 'SNAT ';
 
-			    unless ( $snat ) {
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -276,7 +275,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 
 				$addrlist .= '--to-source ' . $addr;
 			    }
-			    }
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
@@ -362,7 +360,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	#
 	# And Generate the Rule(s)
 	#
-	unless ( $snat ) {
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
 		     $prerule ,
@@ -400,10 +397,88 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	    }
 	}
     }
+
+    progress_message "   Masq record \"$currentline\" $done";
+
+}
+
+sub convert_one_masq1( $$$$$$$$$$$$ )
+{
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+
+    my $pre_nat;
+    my $destnets = '';
+    my $savelist;
+    #
+    # Leading '+'
+    #
+    $pre_nat = ( $interfacelist =~ s/^\+// );
+    #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+	$interfacelist = $1;
+    }
+
+    $savelist = $interfacelist;
+    #
+    # Parse the remaining part of the INTERFACE column
+    #
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
+	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
+    }
+    #
+    # If there is no source or destination then allow all addresses
+    #
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';
+
+    my $target;
+    #
+    # Parse the ADDRESSES column
+    #
+    if ( $addresses ne '-' ) {
+	my $saveaddresses = $addresses;
+	if ( $addresses ne 'random' ) {
+	    $addresses =~ s/:persistent$//;
+	    $addresses =~ s/:random$//;
+
+	    if ( $addresses eq 'detect' ) {
+		$target = 'SNAT';
+	    } elsif ( $addresses eq 'NONAT' ) {
+		$target = 'CONTINUE';
+	    } elsif ( $addresses ) {
+		if ( $addresses =~ /^:/ ) {
+		    $target = 'MASQUERADE';
+		} else {
+		    $target = 'SNAT';
+		}
+	    }
+	}
+
+	$addresses = $saveaddresses;
+    } else {
+	$target = 'MASQUERADE';
     }
 
     if ( $snat ) {
-	$target =~ s/ .*//;
 	$target .= '+' if $pre_nat;
 
 	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
@@ -424,7 +499,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	print $snat "$line\n";
     }
 
-    progress_message "   Masq record \"$currentline\" $done";
+    progress_message "   Masq record \"$rawcurrentline\" Converted";
 
 }
 
@@ -432,6 +507,25 @@ sub process_one_masq( $ )
 {
     my ( $snat ) = @_;
 
+    if ( $snat ) {
+	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+	    #
+	    # Line was not blank or all comment
+	    #
+	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+		split_rawline2( 'masq file',
+				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+				{},    #Nopad
+				undef, #Columns
+				1 );   #Allow inline matches
+
+	    if ( $interfacelist ne '-' ) { 
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+		}
+	    }
+	}
+    } else {
 	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'masq file',
 			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
@@ -442,7 +536,8 @@ sub process_one_masq( $ )
 	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
 
 	for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	}
     }
 }
 
@@ -497,7 +592,19 @@ sub convert_masq() {
 
 	my $have_masq_rules;
 
-	directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    process_one_masq( $snat) if $snat;
+		} else {
+		    print $snat "$_[1]\n"; 0;
+		}
+	    }
+	    );
 
 	first_entry(
 	    sub {
@@ -510,7 +617,18 @@ sub convert_masq() {
 	    }
 	    );
 
-	process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
+	while ( read_a_line( NORMAL_READ ) ) {
+	    #
+	    # Process the file normally
+	    #
+	    process_one_masq(0);
+	    #
+	    # Now Convert it
+	    #
+	    process_one_masq($snat);
+
+	    $have_masq_rules++;
+	}
 
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";

Shorewall/Perl/Shorewall/Providers.pm

@@ -220,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
     } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
+	       '                fe80:*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
     }
 
     emit ( '            ;;',
@@ -291,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
     } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
+		'                        fe80:*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $id \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
     }
 
     emit (  '                    ;;',
@@ -1496,7 +1510,18 @@ sub finish_providers() {
 
     if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
+
+	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	} else {
+	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    '    else',
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    '    fi',
+		    '' );
+	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1549,7 +1574,13 @@ sub finish_providers() {
 
     if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
+
+	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+	} else {
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
+	}
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',

Shorewall/Perl/Shorewall/Raw.pm

@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
 
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;

Shorewall/Perl/Shorewall/Rules.pm

@@ -638,7 +638,8 @@ sub process_a_policy1($$$$$$$) {
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    $intrazone  = $clientwild && $1;
+
+    $intrazone  ||= $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
@@ -763,26 +764,29 @@ sub process_a_policy() {
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
-    my $intrazone;
+    my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $intrazone = $clients =~ /.*,.*\+$/) {
+    if ( $clientlist = ( $clients =~ /,/ ) ) {
-	$clients =~ s/\+$//;
+	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $servers =~ /.*,.*\+$/ ) {
+    if ( $serverlist = ( $servers =~ /,/ ) ) {
-	$servers =~ s/\+$//;
+	$intrazone ||= ( $servers =~ s/\+$// );
-	$intrazone = 1;
     }	
 
     fatal_error 'SOURCE must be specified' if $clients eq '-';
     fatal_error 'DEST must be specified'   if $servers eq '-';
     fatal_error 'POLICY must be specified' if $policy  eq '-';
 
+    if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
 	    for my $server ( split_list( $servers, 'zone' ) ) {
-	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
+    } else {
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+    }
 }
 
 #
@@ -2911,7 +2915,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2924,7 +2928,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -4495,7 +4499,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4511,7 +4515,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -5139,7 +5143,7 @@ sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
 			    { mark => 0,
 			      action => 0,
 			      source => 1,
@@ -5162,7 +5166,7 @@ sub process_tc_rule( ) {
 	$headers = '-';
     } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
 			    { mark => 0,
 			      action => 0,
 			      source => 1,

Shorewall/Perl/Shorewall/Tc.pm

@@ -2150,41 +2150,14 @@ sub process_secmark_rule() {
     }
 }
 
-
+sub convert_one_tos( $ ) {
-sub convert_tos($$) {
+    my ( $mangle ) = @_;
-    my ( $mangle, $fn1 ) = @_;
-
-    my $have_tos = 0;
-
-    sub unlink_tos( $ ) {
-	my $fn = shift;
-
-	if ( unlink $fn ) {
-	    warning_message "Empty tos file ($fn) removed";
-	} else {
-	    warning_message "Unable to remove empty tos file $fn: $!";
-	}
-    }
-
-    if ( my $fn = open_file 'tos' ) {
-	first_entry(
-		    sub {
-			my $date = compiletime;
-			progress_message2 "Converting $fn...";
-			print( $mangle
-			       "#\n" ,
-			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
-			       "#\n" );
-		    }
-		   );
-
-	while ( read_a_line( NORMAL_READ ) ) {
-
-	    $have_tos = 1;
 
     my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
+	split_rawline2( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
+			undef,
+			7 );
 
     my $chain_designator = 'P';
 
@@ -2219,8 +2192,62 @@ sub convert_tos($$) {
     $mark   = '-' unless supplied $mark;
 
     print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+}
 
+
+sub convert_tos($$) {
+    my ( $mangle, $fn1 ) = @_;
+
+    my $have_tos = 0;
+
+    sub unlink_tos( $ ) {
+	my $fn = shift;
+
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
 	}
+    }
+
+    if ( my $fn = open_file 'tos' ) {
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+			print $mangle "$_[1]\n";
+		    } else {
+			convert_one_tos( $mangle );
+			$have_tos = 1;
+		    }
+		} else {
+		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+		}
+	    }
+	    );
+
+	first_entry(
+		    sub {
+			my $date = compiletime;
+			progress_message2 "Converting $fn...";
+			print( $mangle
+			       "#\n" ,
+			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    convert_one_tos( $mangle );
+	    $have_tos = 1;
+	}
+
+	directive_callback(0);
 
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
@@ -2337,7 +2364,24 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 
-		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
+		directive_callback(
+		    sub ()
+		    {
+			if ( $_[0] eq 'OMITTED' ) {
+			    #
+			    # Convert the raw rule
+			    #
+			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+				print $mangle "$_[1]\n";
+			    } else {
+				process_tc_rule;
+				$have_tcrules++;
+			    }
+			} else {
+			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+			}
+		    }
+		    );
 
 		first_entry(
 			    sub {

Shorewall/Perl/compiler.pl

@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/lib.cli-std

@@ -318,6 +318,7 @@ get_config() {
 
     [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
 
+    if [ -z "$g_nopager" ]; then
 	if [ -n "$PAGER" -a -t 1 ]; then
 	    case $PAGER in
 		/*)
@@ -334,6 +335,7 @@ get_config() {
 
 	    g_pager="| $g_pager"
 	fi
+    fi
 
     if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -1233,7 +1235,7 @@ safe_commands() {
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe -r restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi

Shorewall/manpages/shorewall-snat.xml

@@ -171,7 +171,7 @@
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
         [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall.xml

@@ -2602,8 +2602,10 @@
               </listitem>
 
               <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
+                <para>With the exception of the
-                file.</para>
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
               </listitem>
 
               <listitem>
@@ -2611,6 +2613,26 @@
                 tab character; there is no attempt made to otherwise align the
                 columns.</para>
               </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning: </para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
             </orderedlist>
           </important>
 

Shorewall/uninstall.sh

@@ -28,6 +28,7 @@
 
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
+Product=Shorewall
 
 usage() # $1 = exit status
 {

Shorewall6/Macros/macro.mDNSbi

@@ -0,0 +1,14 @@
+#
+# Shorewall6 -- /usr/share/shorewall6/macro.mDNSbi
+#
+# This macro handles bidirectional multicast DNS traffic.
+#
+###############################################################################
+#ACTION SOURCE  DEST                    PROTO   DPORT   SPORT
+
+PARAM   -       [ff02::fb]              udp     5353
+PARAM   -       -                       udp     1024:   5353
+PARAM   -       [ff02::fb]              2
+PARAM   DEST    SOURCE:[ff02::fb]       udp     5353
+PARAM   DEST    SOURCE                  udp     1024:   5353
+PARAM   DEST    SOURCE:[ff02::fb]       2

Shorewall6/manpages/shorewall6-actions.xml

@@ -131,6 +131,18 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>logjump</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. Performs the same function as
+                <option>nolog</option> (below), with the addition that the
+                jump to the actions chain is logged if a log level is
+                specified on the action invocation. For inline actions, this
+                option is identical to <option>nolog</option>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>mangle</option></term>
 
@@ -143,6 +155,20 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>nat</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Specifies that this action is
+                to be used in <ulink
+                url="shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>noinline</option></term>
 

Shorewall6/manpages/shorewall6-snat.xml

@@ -170,7 +170,7 @@
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
         [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to SNAT; one or more host or

Shorewall6/manpages/shorewall6.xml

@@ -2480,8 +2480,10 @@
               </listitem>
 
               <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
+                <para>With the exception of the
-                file.</para>
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
               </listitem>
 
               <listitem>
@@ -2489,6 +2491,26 @@
                 tab character; there is no attempt made to otherwise align the
                 columns.</para>
               </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning:</para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
             </orderedlist>
           </important>
 

docs/PacketMarking.xml

@@ -44,7 +44,7 @@
   </caution>
 
   <important>
-    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall
     4.6.0. /etc/shorwall/tcrules is still supported but its use is
     deprecated.</para>
   </important>

docs/QOSExample.xml

@@ -76,7 +76,11 @@
     <para>The shell variables set in the OpenWRT script are set in the
     Shorewall params file:</para>
 
-    <programlisting>DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
+    <programlisting># local network
+
+MYNET=192.168.0.0/24
+
+DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
 UPLOAD=7000 # set xx% of real upload speed
 
 # multiports = up to 15 ports