Support the DROP command in the mangle file

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -91,6 +91,8 @@ for p in $@; do
     fi
 done
 
+cd $(dirname $0)
+
 vendor=${params[HOST]}
 
 if [ -z "$vendor" ]; then
@@ -102,7 +104,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
+		vendor=debian
 		;;
 	    opensuse)
 		vendor=suse
@@ -122,7 +124,6 @@ if [ -z "$vendor" ]; then
 	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
-
 	cygwin*|CYGWIN*)
 	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
@@ -130,7 +131,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian.sysvinit
+		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -152,25 +153,32 @@ if [ -z "$vendor" ]; then
 	    fi
 	    ;;
     esac
-
     vendor=${params[HOST]}
-elif [ $vendor = linux ]; then
-    rcfile=shorewallrc.default;
 else
-    rcfile=shorewallrc.$vendor
+    if [ $vendor = linux ]; then
+	rcfile=shorewallrc.default;
+    elif [ $vendor = debian -a -f /etc/debian_version ]; then
+	ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+    else
+	rcfile=shorewallrc.$vendor
+    fi
+
     if [ ! -f $rcfile ]; then
 	echo "ERROR: $vendor is not a recognized host type" >&2
 	exit 1
     elif [ $vendor = default ]; then
 	params[HOST]=linux
 	vendor=linux
+    elif [[ $vendor == debian.* ]]; then
+	params[HOST]=debian
+	vendor=debian
     fi
 fi
 
 if [ $vendor = linux ]; then
     echo "INFO: Creating a generic Linux installation - " `date`;
 else
-    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
+    echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
 fi
 
 echo
@@ -183,6 +191,7 @@ done
 
 echo '#'                                                                 > shorewallrc
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
 
 if [ $# -gt 0 ]; then

Shorewall-core/configure.pl

@@ -52,6 +52,9 @@ for ( @ARGV ) {
     $params{$pn} = $pv;
 }
 
+use File::Basename;
+chdir dirname($0);
+
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
@@ -81,16 +84,39 @@ unless ( defined $vendor ) {
 }
 
 if ( defined $vendor ) {
-    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
+    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
+	if ( -l '/sbin/init' ) {
+	    if ( readlink('/sbin/init') =~ /systemd/ ) {
+		$rcfilename = 'shorewallrc.debian.systemd';
+	    } else {
+		$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
+    } else {
+	$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
+    }
+
     unless ( -f $rcfilename ) {
 	die qq("ERROR: $vendor" is not a recognized host type);
     } elsif ( $vendor eq 'default' ) {
 	$params{HOST} = $vendor = 'linux';
+    } elsif ( $vendor =~ /^debian\./ ) {
+	$params{HOST} = $vendor = 'debian';
     }
 } else {
     if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian.sysvinit';
+	if ( -l '/sbin/init' ) {
+	    if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
+		$rcfilename = 'shorewallrc.debian.systemd';
+	    } else {
+		$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
     } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -147,7 +173,8 @@ my $outfile;
 
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 
-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+print $outfile "# rc file: $rcfilename\n#\n";
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 

Shorewall-core/lib.cli

@@ -1052,11 +1052,13 @@ show_command() {
 		conntrack -f ipv6 -L $@ | show_connections_filter
 	    else
 		[ $# -gt 1 ] && usage 1
-		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-		echo
-		grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
+		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+		    echo
+		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+		fi
 	    fi
 	    ;;
 	nat)
@@ -1624,7 +1626,7 @@ do_dump_command() {
 
     echo
 
-    ss -${g_family}tunap
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"

Shorewall-core/lib.common

@@ -316,6 +316,7 @@ reload_kernel_modules() {
     local moduleloader
     moduleloader=modprobe
     local uname
+    local extras
 
     if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -323,9 +324,25 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
 
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
+    if [ -n "$MODULESDIR" ]; then
+	case "$MODULESDIR" in
+	    +*)
+		extras="$MODULESDIR"
+		extras=${extras#+}
+		MODULESDIR=
+		;;
+	esac
+    fi
+
+    if [ -z "$MODULESDIR" ]; then
+	uname=$(uname -r)
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	if [ -n "$extras" ]; then
+	    for directory in $(split "$extras"); do
+		MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
+	    done
+	fi
+    fi
 
     [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -355,6 +372,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     local savemoduleinfo
     savemoduleinfo=${1:-Yes} # So old compiled scripts still work
     local uname
+    local extras
 
     if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -362,9 +380,25 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
 
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
+    if [ -n "$MODULESDIR" ]; then
+	case "$MODULESDIR" in
+	    +*)
+		extras="$MODULESDIR"
+		extras=${extras#+}
+		MODULESDIR=
+		;;
+	esac
+    fi
+
+    if [ -z "$MODULESDIR" ]; then
+	uname=$(uname -r)
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	if [ -n "$extras" ]; then
+	    for directory in $(split "$extras"); do
+		MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
+	    done
+	fi
+    fi
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"

Shorewall-init/install.sh

@@ -397,6 +397,7 @@ if [ $HOST = debian ]; then
 
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
 	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
     fi
 
     IFUPDOWN=ifupdown.debian.sh
@@ -490,7 +491,11 @@ esac
 if [ -z "$DESTDIR" ]; then
     if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
-	    if mywhich insserv; then
+	    if [ -n "$SERVICEDIR" ]; then
+		if systemctl enable ${PRODUCT}.service; then
+                    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -554,7 +559,7 @@ fi
 
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
 
-if [ -f ${DESTDIR}/etc/ppp ]; then
+if [ -d ${DESTDIR}/etc/ppp ]; then
     case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do

Shorewall-init/uninstall.sh

@@ -174,9 +174,13 @@ if [ -f "$INITSCRIPT" ]; then
     remove_file $INITSCRIPT
 fi
 
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    rm -f $SYSTEMD/shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
 fi
 
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
@@ -202,8 +206,10 @@ if [ -d ${CONFDIR}/ppp ]; then
     done
 
     for file in if-up.local if-down.local; do
-	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
-	    remove_file ${CONFDIR}/ppp/$FILE
+	if [ -f ${CONFDIR}/ppp/$file ]; then
+	    if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
+		remove_file ${CONFDIR}/ppp/$FILE
+	    fi
 	fi
     done
 fi

Shorewall-lite/uninstall.sh

@@ -153,7 +153,7 @@ if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: Shorewal Lite Version $VERSION is not installed"
+    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
     VERSION=""
 fi
 
@@ -195,9 +195,11 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-if [ -n "$SYSTEMD" ]; then
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall-lite.service
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi
 
 rm -f ${SBINDIR}/shorewall-lite

Shorewall/Perl/Shorewall/Chains.pm

@@ -6242,7 +6242,7 @@ sub log_rule_limit( $$$$$$$$ ) {
 		if ( $tag =~ /^,/ ) {
 		    ( $disposition = $tag ) =~ s/,//;
 		} elsif ( $tag =~ /,/ ) {
-		    ( $chain, $disposition ) = split ',', $tag;
+		    ( $chain, $disposition ) = split ',', $tag, 2;
 		} else { 
 		    $chain = $tag;
 		}
@@ -6336,7 +6336,7 @@ sub log_irule_limit( $$$$$$$@ ) {
 		if ( $tag =~ /^,/ ) {
 		    ( $disposition = $tag ) =~ s/,//;
 		} elsif ( $tag =~ /,/ ) {
-		    ( $chain, $disposition ) = split ',', $tag;
+		    ( $chain, $disposition ) = split ',', $tag, 2;
 		} else { 
 		    $chain = $tag;
 		}
@@ -7031,7 +7031,7 @@ sub isolate_source_interface( $ ) {
 	    $inets  = $2;
 	} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ||
 		  $source =~ /^(.+?):(!?\+.+)$/    ||
-		  $source =~ /^(.+?):(!?[&%].+)$/  ||
+		  $source =~ /^(.+?):(!?[&%~].+)$/ ||
 		  $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
 		) {
 	    $iiface = $1;

Shorewall/Perl/Shorewall/Config.pm

@@ -2245,7 +2245,7 @@ sub split_line2( $$;$$$ ) {
 
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
-	    my ( $column, $value ) = ( lc $1, $2 );
+	    my ( $column, $value ) = ( lc( $1 ), $2 );
 	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
 	    $column = $columnsref->{$column};
 	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;

Shorewall/Perl/Shorewall/Rules.pm

@@ -2477,13 +2477,21 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    $actiontype |= HELPER;
 	} elsif ( $actiontype & SET ) {
 	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
+	    my ( $setname, $flags, $timeout, $rest ) = split ':', $param, 4;
 
-	    my ( $setname, $flags, $rest ) = split ':', $param, 3;
 	    fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
 	    $setname =~ s/^\+//;
 	    fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
-	    fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+
+	    if ( supplied $timeout ) {
+		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
+		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;
+
+		$action .= " --timeout $timeout";
+	    }
 	}
     }
     #

Shorewall/Perl/Shorewall/Tc.pm

@@ -452,6 +452,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	DROP       => {
+	    defaultchain   => 0,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    minparams      => 0,
+	    maxparams      => 0,
+	    function       => sub() {
+		$target = 'DROP';
+	    }
+	},
+
 	DSCP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,

Shorewall/configfiles/accounting

@@ -6,6 +6,5 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#################################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
-#							PORT(S)		PORT(S)	GROUP
+#####################################################################################################
+#ACTION		CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK	IPSEC

Shorewall/configfiles/actions

@@ -5,6 +5,8 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-########################################################################################
-#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
-#                        	v        a comment describing the action)
+# Place '# ' below the 'C' in COMMENT followed by a comment describing
+# the action.
+#
+###############################################################################
+#ACTION		OPTIONS		COMMENT

Shorewall/configfiles/arprules

@@ -3,6 +3,5 @@
 #
 # For information about entries in this file, type "man shorewall-arprules"
 #
-##############################################################################################################
-#ACTION				SOURCE				DEST				ARP
-#												OPCODE
+###############################################################################
+#ACTION		SOURCE			DEST			OPCODE

Shorewall/configfiles/blrules

@@ -6,6 +6,5 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
-#									PORT	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER

Shorewall/configfiles/conntrack

@@ -3,11 +3,10 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
-##############################################################################################################
 ?FORMAT 3
-##############################################################################################################
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
-#								PORT(S)		PORT(S)	GROUP
+######################################################################################################
+#ACTION			SOURCE		DEST		PROTO	DPORT		SPORT	USER	SWITCH
+
 ?if $AUTOHELPERS && __CT_TARGET
 
 ?if __AMANDA_HELPER

Shorewall/configfiles/ecn

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-ecn.html
 #
 ###############################################################################
-#INTERFACE	HOST(S)
+#INTERFACE	HOSTS

Shorewall/configfiles/hosts

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-hosts.html
 #
 ###############################################################################
-#ZONE	HOST(S)					OPTIONS
+#ZONE		HOSTS				OPTIONS

Shorewall/configfiles/interfaces

@@ -6,7 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
-###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS

Shorewall/configfiles/isusable

@@ -13,6 +13,7 @@
 # information.
 #
 ###############################################################################
+
 local status
 status=0
 

Shorewall/configfiles/maclist

@@ -6,4 +6,4 @@
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
 ###############################################################################
-#DISPOSITION	INTERFACE		MAC			IP ADDRESSES (Optional)
+#DISPOSITION	INTERFACE		MAC			ADDRESSES

Shorewall/configfiles/mangle

@@ -11,5 +11,4 @@
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
-#							PORT(S)	PORT(S)
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP

Shorewall/configfiles/masq

@@ -7,5 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###################################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL	PROBABILITY
-#											GROUP		DEST
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/configfiles/nat

@@ -6,5 +6,4 @@
 # For additional information, see http://shorewall.net/NAT.htm
 #
 ###############################################################################
-#EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL
-#						INTERFACES
+#EXTERNAL	INTERFACE	INTERNAL	ALLINTS		LOCAL

Shorewall/configfiles/netmap

@@ -6,6 +6,5 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-##############################################################################################
-#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
-#										PORT(S)	PORT(S)
+#############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DPORT	SPORT

Shorewall/configfiles/params

@@ -22,5 +22,3 @@
 #	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 ###############################################################################
-
-#LAST LINE -- DO NOT REMOVE

Shorewall/configfiles/policy

@@ -7,5 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
+#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT

Shorewall/configfiles/rules

@@ -6,9 +6,9 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
-#							PORT(S)	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED

Shorewall/configfiles/scfilter

@@ -8,4 +8,5 @@
 # information.
 #
 ###############################################################################
+
 cat -

Shorewall/configfiles/secmarks

@@ -3,6 +3,5 @@
 #
 # For information about entries in this file, type "man shorewall-secmarks"
 #
-############################################################################################################
-#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
-#				STATE						PORT(S)	PORT(S) GROUP
+############################################################################################
+#SECMARK	CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK

Shorewall/configfiles/start

@@ -8,4 +8,5 @@
 # information.
 #
 ###############################################################################
+
 return 0

Shorewall/configfiles/stoppedrules

@@ -10,5 +10,4 @@
 # information.
 #
 ###############################################################################
-#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
-#								PORT(S)	PORT(S)
+#ACTION		SOURCE			DEST		PROTO	DPORT	SPORT

Shorewall/configfiles/tcclasses

@@ -6,5 +6,4 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ###############################################################################
-#INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#				DMAX:UMAX
+#INTERFACE	MARK	RATE		CEIL		PRIO	OPTIONS

Shorewall/configfiles/tcdevices

@@ -6,5 +6,4 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ###############################################################################
-#NUMBER:	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS		REDIRECTED
-#INTERFACE							INTERFACES
+#INTERFACE	IN_BANDWITH	OUT_BANDWIDTH	OPTIONS		REDIRECT

Shorewall/configfiles/tcfilters

@@ -5,6 +5,5 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
-#CLASS							PORT(S)	PORT(S)
+######################################################################################
+#CLASS		SOURCE		DEST		PROTO	DPORT	SPORT	TOS	LENGTH

Shorewall/configfiles/tcinterfaces

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#INTERFACE	TYPE		IN-BANDWIDTH		OUT-BANDWIDTH
+#INTERFACE	TYPE		IN_BANDWIDTH		OUT_BANDWIDTH

Shorewall/configfiles/tcpri

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+#BAND	PROTO	PORT		ADDRESS		INTERFACE	HELPER

Shorewall/configfiles/tunnels

@@ -7,5 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY(S)			GATEWAY
-#								ZONE(S)
+#TYPE			ZONE		GATEWAY			GATEWAY_ZONE

Shorewall/configfiles/zones

@@ -7,6 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
+#ZONE		TYPE		OPTIONS		IN_OPTIONS	OUT_OPTIONS
+
+fw		firewall

Shorewall/manpages/shorewall-accounting.xml

@@ -403,13 +403,15 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
         role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
 
         <listitem>
+          <para>This column was formerly named DESTINATION.</para>
+
           <para>Packet Destination.</para>
 
           <para>Format same as <emphasis role="bold">SOURCE</emphasis>
@@ -418,7 +420,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
+        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">{any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
@@ -428,6 +430,8 @@
         role="bold">all</emphasis>}]}[,...]}</term>
 
         <listitem>
+          <para>This column was formerly named PROTOCOL</para>
+
           <para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
           <emphasis>protocol-number</emphasis>, <emphasis
           role="bold">ipp2p</emphasis>, <emphasis
@@ -440,8 +444,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
-        {<emphasis role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -460,12 +464,14 @@
           ("iptables -m ipp2p --help") without the leading "--". If no option
           is given in this column, <emphasis role="bold">ipp2p</emphasis> is
           assumed.</para>
+
+          <para>This column was formerly named DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
-        {<emphasis role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -482,20 +488,22 @@
           column, provided that the DEST PORT(S) column is non-empty. This
           causes the rule to match when either the source port or the
           destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          DPORT. Use of '=' requires multi-port match in your iptables and
+          kernel.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
 
         <listitem>
-          <para>This column may only be non-empty if the <emphasis
-          role="bold">CHAIN</emphasis> is <emphasis
+          <para>This column was formerly named USER/GROUP and may only be
+          non-empty if the <emphasis role="bold">CHAIN</emphasis> is <emphasis
           role="bold">OUTPUT</emphasis>.</para>
 
           <para>When this column is non-empty, the rule applies only if the

Shorewall/manpages/shorewall-arprules.xml

@@ -273,7 +273,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
+        <term>OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
 
         <listitem>
           <para>Optional. Describes the type of frame. Possible

Shorewall/manpages/shorewall-conntrack.xml

@@ -424,7 +424,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST PORT(S) (dport) - port-number/service-name-list</term>
+        <term>DPORT - port-number/service-name-list</term>
 
         <listitem>
           <para>A comma-separated list of port numbers and/or service names
@@ -432,11 +432,13 @@
           ranges of the form
           <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
           if your kernel and iptables include port range support.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
+        <term>SPORT - port-number/service-name-list</term>
 
         <listitem>
           <para>A comma-separated list of port numbers and/or service names
@@ -446,22 +448,24 @@
           if your kernel and iptables include port range support.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT. Use of '='
+          requires multi-port match in your iptables and kernel.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>USER/GROUP (user) ‒
+        <term>USER ‒
         [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
 
         <listitem>
-          <para>May only be specified if the SOURCE
-          <replaceable>zone</replaceable> is $FW. Specifies the effective user
-          id and or group id of the process sending the traffic.</para>
+          <para>This column was formerly named USER/GROUP and may only be
+          specified if the SOURCE <replaceable>zone</replaceable> is $FW.
+          Specifies the effective user id and or group id of the process
+          sending the traffic.</para>
         </listitem>
       </varlistentry>
 
@@ -520,8 +524,7 @@
 
     <para>Example 1:</para>
 
-    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
-#                                                                                   PORT(S)           PORT(S)
+    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
 
     <para>Example 2 (Shorewall 4.5.10 or later):</para>
@@ -529,14 +532,12 @@ CT:helper:ftp(expevents=new)  fw                -                  tcp
     <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
 
     <programlisting>FORMAT 2
-#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
-#                                                                                   PORT(S)           PORT(S)
+#ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>
 
     <para>or<programlisting>FORMAT 3
-#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
-#                                                                                   PORT(S)           PORT(S)
+#ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>

Shorewall/manpages/shorewall-exclusion.xml

@@ -76,8 +76,7 @@ z2              net           REJECT</programlisting>
 
         <para>/etc/shorewall/rules:</para>
 
-        <programlisting>#ACTION         SOURCE        DEST        PROTO         DEST
-#                                                       PORT(S)
+        <programlisting>#ACTION         SOURCE        DEST        PROTO         DPORT
 ACCEPT          all!z2        net         tcp           22</programlisting>
 
         <para>In this case, SSH connections from <emphasis

Shorewall/manpages/shorewall-ipsets.xml

@@ -57,7 +57,7 @@
       <option>dst</option>. Example: myset[src,dst].</member>
     </simplelist>
 
-    <para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
+    <para>In a SOURCE or SPORT column, the following pairs are
     equivalent:</para>
 
     <itemizedlist>
@@ -66,7 +66,7 @@
       </listitem>
     </itemizedlist>
 
-    <para>In a DEST or DEST PORT(S) column, the following pairs are
+    <para>In a DEST or DPORT column, the following pairs are
     equivalent:</para>
 
     <itemizedlist>

Shorewall/manpages/shorewall-mangle.xml

@@ -570,8 +570,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                 that problem. SAME may be used in the PREROUTING and OUTPUT
                 chains. When used in PREROUTING, it causes matching
                 connections from an individual local system to all use the
-                same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
+                same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DPORT
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                 If a host in 192.168.1.0/24 attempts a connection on TCP port
                 80 or 443 and it has sent a packet on either of those ports in
@@ -581,8 +580,7 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
 
                 <para>When used in the OUTPUT chain, it causes all matching
                 connections to an individual remote system to all use the same
-                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
+                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DPORT
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
                 optional <replaceable>timeout</replaceable> parameter was
                 added in Shorewall 4.6.7 and specifies a number of seconds .
@@ -835,7 +833,7 @@ Normal-Service       =&gt; 0x00</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - {<emphasis
+        <term><emphasis role="bold">DPORT</emphasis>- {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
@@ -863,12 +861,13 @@ Normal-Service       =&gt; 0x00</programlisting>
           <replaceable>ipset</replaceable> name can be specified in this
           column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly named DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
-        {<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
@@ -882,16 +881,17 @@ Normal-Service       =&gt; 0x00</programlisting>
           the following fields is supplied.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DEST PORTS(S). Use of
+          '=' requires multi-port match in your iptables and kernel.</para>
 
           <para>Beginning with Shorewall 4.6.0, an
           <replaceable>ipset</replaceable> name can be specified in this
           column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
@@ -1097,8 +1097,7 @@ Normal-Service       =&gt; 0x00</programlisting>
           by the named helper module.</para>
 
           <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#                                                PORT(S)
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   DPORT      SPORT   USER TEST LENGTH TOS CONNBYTES HELPER
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
         </listitem>
       </varlistentry>
@@ -1287,8 +1286,7 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <para>We assume packet/connection mark 0 means unclassified.</para>
 
-          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                       PORT(S)
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
        MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
        MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
        RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
@@ -1313,8 +1311,7 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <programlisting>/etc/shorewall/tcrules:
 
-       #ACTION            SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                                    PORT(S)
+       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
        CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
 
 /etc/shorewall/masq:

Shorewall/manpages/shorewall-masq.xml

@@ -249,7 +249,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">PORT</emphasis> (Optional) -
         {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
         <listitem>
@@ -429,13 +429,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
 
         <listitem>
+          <para>This column was formerly labelled USER/GROUP.</para>
+
           <para>Only locally-generated connections will match if this column
           is non-empty.</para>
 
@@ -538,8 +539,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
-        [<emphasis
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
@@ -550,6 +550,8 @@
           original destination address matches one of the listed addresses. It
           is useful for specifying that SNAT should occur only for connections
           that were acted on by a DNAT when they entered the firewall.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
         </listitem>
       </varlistentry>
 
@@ -639,7 +641,7 @@
           172.20.1.0/29 to be sent from eth0 with source IP address
           206.124.146.176.</para>
 
-          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   PORT(S)
+          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
         eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
         eth0         172.20.1.0/29    206.124.146.176</programlisting>
 
@@ -672,8 +674,7 @@
 
           <programlisting>/etc/shorewall/tcrules:
 
-       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                           PORT(S)
+       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
        1-3:CF    192.168.1.0/24 eth0 ; state=NEW
 
 /etc/shorewall/masq:

Shorewall/manpages/shorewall-nat.xml

@@ -106,15 +106,16 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
-        [<emphasis role="bold">Yes</emphasis>|<emphasis
-        role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
           <para>If Yes or yes, NAT will be effective from all hosts. If No or
           no (or left empty) then NAT will be effective only through the
           interface named in the <emphasis role="bold">INTERFACE</emphasis>
           column.</para>
+
+          <para>This column was formerly labelled ALL INTERFACES.</para>
         </listitem>
       </varlistentry>
 
@@ -160,8 +161,7 @@ smc     eth0:10.1.10.0/24</programlisting>
 
     <para><filename>/etc/shorewall/nat</filename>:</para>
 
-    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
-#                                               INTERFACES
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALLINTS         LOCAL
 10.1.10.100     eth0            172.20.1.100
 </programlisting>
 
@@ -170,8 +170,7 @@ smc     eth0:10.1.10.0/24</programlisting>
 
     <para><filename>/etc/shorewall/rules</filename>:</para>
 
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
-#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED

Shorewall/manpages/shorewall-nesting.xml

@@ -82,7 +82,7 @@
 
     <para>Partial <filename>/etc/shorewall/rules</filename>:</para>
 
-    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
+    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DPORT
         ...
         DNAT      sam       loc:192.168.1.3 tcp      ssh
         DNAT      net       loc:192.168.1.5 tcp      www
@@ -100,7 +100,7 @@
     Because of the way that Netfilter is constructed, this requires two rules
     as follows:</para>
 
-    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
+    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DPORT
         ...
         ACCEPT+   sam       $FW             tcp      ssh
         DNAT      net       loc:192.168.1.3 tcp      ssh
@@ -143,8 +143,7 @@
     </itemizedlist>
 
     <para>As a consequence, the following rules will have unexpected
-    behavior:<programlisting>        #ACTION     SOURCE               DEST      PROTO        DEST
-        #                                                       PORT(S)
+    behavior:<programlisting>        #ACTION     SOURCE               DEST      PROTO        DPORT
         ACCEPT      net                  dmz       tcp          80
         REDIRECT    loc                  3128      tcp          80</programlisting></para>
 
@@ -173,8 +172,7 @@
 
     <para>When using other Shorewall versions, another way is to rewrite the
     DNAT rule (assume that the local zone is entirely within
-    192.168.2.0/23):<programlisting>        #ACTION     SOURCE                 DEST      PROTO      DEST
-        #                                                       PORT(S)
+    192.168.2.0/23):<programlisting>        #ACTION     SOURCE                 DEST      PROTO      DPORT
         ACCEPT      net                    dmz       tcp        80
         REDIRECT    loc:192.168.2.0/23     3128      tcp        80</programlisting></para>
 

Shorewall/manpages/shorewall-netmap.xml

@@ -137,7 +137,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
+        <term><emphasis role="bold">DPORT</emphasis> -
         <emphasis>port-number-or-name-list</emphasis></term>
 
         <listitem>
@@ -160,11 +160,13 @@
           <para>An entry in this field requires that the PROTO column specify
           icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
           any of the following field is supplied.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
+        <term><emphasis role="bold">SPORT</emphasis> -
         <emphasis>port-number-or-name-list</emphasis></term>
 
         <listitem>
@@ -176,6 +178,8 @@
           <para>An entry in this field requires that the PROTO column specify
           tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
           the following fields is supplied.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall/manpages/shorewall-rules.xml

@@ -173,9 +173,9 @@
 
       <listitem>
         <para>The remaining columns specify characteristics of the packet
-        before rewriting. In particular, the ORIGINAL DEST column gives the
-        original destination IP address of the packet and the DEST PORT(S)
-        column give the original destination port(s).</para>
+        before rewriting. In particular, the ORIGDEST column gives the
+        original destination IP address of the packet and the DPORT column
+        give the original destination port(s).</para>
       </listitem>
     </itemizedlist>
 
@@ -241,7 +241,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>[:<replaceable>timeout</replaceable>])</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.12. Causes addresses and/or port
@@ -256,6 +256,12 @@
                 role="bold">dst</emphasis> respectively (see the -A command in
                 ipset (8)).</para>
 
+                <para>Beginning with Shorewall 5.0.3, an optional
+                <replaceable>timeout</replaceable> can be specified. This is
+                the number of seconds that the new entry in the ipset is to
+                remain valid and overrides any timeout specified when the
+                ipset was created.</para>
+
                 <para>ADD is non-terminating. Even if a packet matches the
                 rule, it is passed on to the next rule.</para>
               </listitem>
@@ -1201,8 +1207,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
-        {<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
@@ -1234,7 +1239,7 @@
 
           <para>If your kernel contains multi-port match support, then only a
           single Netfilter rule will be generated if in this list and the
-          <emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
+          <emphasis role="bold">SPORT</emphasis> list below:</para>
 
           <para>1. There are 15 or less ports listed.</para>
 
@@ -1245,12 +1250,13 @@
           <replaceable>ipset</replaceable> name can be specified in this
           column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
-        {<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
@@ -1260,11 +1266,10 @@
           names, port numbers or port ranges.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DEST PORTS(S). Use of
+          '=' requires multi-port match in your iptables and kernel.</para>
 
           <warning>
             <para>Unless you really understand IP, you should leave this
@@ -1274,12 +1279,12 @@
           </warning>
 
           <para>If you don't want to restrict client ports but need to specify
-          an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
-          column, then place "-" in this column.</para>
+          an <emphasis role="bold">ORIGDEST</emphasis> in the next column,
+          then place "-" in this column.</para>
 
           <para>If your kernel contains multi-port match support, then only a
           single Netfilter rule will be generated if in this list and the
-          <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
+          <emphasis role="bold">DPORT</emphasis> list above:</para>
 
           <para>1. There are 15 or less ports listed.</para>
 
@@ -1290,12 +1295,13 @@
           <replaceable>ipset</replaceable> name can be specified in this
           column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
-        [<emphasis
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
@@ -1344,11 +1350,13 @@
           url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
           for an example of using an entry in this column with a user-defined
           action rule.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
+        <term><emphasis role="bold">RATE</emphasis> -
         <replaceable>limit</replaceable></term>
 
         <listitem>
@@ -1413,11 +1421,13 @@
           enforce the per-source limit and the compiler will pick a unique
           name for the hash table that tracks the per-destination
           limit.</para>
+
+          <para>This column was formerly labelled RATE LIMIT.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>
 
@@ -1471,6 +1481,8 @@
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <para>This column was formerly labelled USER/GROUP.</para>
         </listitem>
       </varlistentry>
 
@@ -1626,6 +1638,8 @@
               <listitem>
                 <para>where <replaceable>dd</replaceable> is an ordinal day of
                 the month</para>
+
+                <para/>
               </listitem>
             </varlistentry>
 
@@ -1767,9 +1781,8 @@
         <listitem>
           <para>Accept SMTP requests from the DMZ to the internet</para>
 
-          <programlisting>         #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
-         #                               PORT    PORT(S) DEST
-         ACCEPT  dmz     net       tcp   smtp</programlisting>
+          <programlisting>         #ACTION SOURCE  DEST      PROTO      DPORT   SPORT   ORIGDEST
+         ACCEPT  dmz     net       tcp        smtp</programlisting>
         </listitem>
       </varlistentry>
 
@@ -1780,8 +1793,7 @@
           <para>Forward all ssh and http connection requests from the internet
           to local system 192.168.1.3</para>
 
-          <programlisting>        #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
-        #                                       PORT    PORT(S) DEST
+          <programlisting>        #ACTION SOURCE  DEST            PROTO   DPORT   SPORT   ORIGDEST
         DNAT    net     loc:192.168.1.3 tcp     ssh,http</programlisting>
         </listitem>
       </varlistentry>
@@ -1792,9 +1804,8 @@
         <listitem>
           <para>Forward all http connection requests from the internet to
           local system 192.168.1.3 with a limit of 3 per second and a maximum
-          burst of 10<programlisting>        #ACTION SOURCE DEST            PROTO  DEST  SOURCE  ORIGINAL RATE
-        #                                     PORT  PORT(S) DEST     LIMIT
-        DNAT    net    loc:192.168.1.3 tcp    http  -       -        3/sec:10</programlisting></para>
+          burst of 10<programlisting>        #ACTION SOURCE DEST             PROTO  DPORT SPORT   ORIGDEST RATE
+        DNAT    net    loc:192.168.1.3  tcp    http  -       -        3/sec:10</programlisting></para>
         </listitem>
       </varlistentry>
 
@@ -1806,8 +1817,7 @@
           port 3128 on the firewall (Squid running on the firewall system)
           except when the destination address is 192.168.2.2</para>
 
-          <programlisting>        #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
-        #                               PORT    PORT(S) DEST
+          <programlisting>        #ACTION  SOURCE DEST      PROTO DPORT   SPORT   ORIGDEST
         REDIRECT loc    3128      tcp   www      -      !192.168.2.2</programlisting>
         </listitem>
       </varlistentry>
@@ -1819,8 +1829,7 @@
           <para>All http requests from the internet to address 130.252.100.69
           are to be forwarded to 192.168.1.3</para>
 
-          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
-        #                                       PORT    PORT(S) DEST
+          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
         DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69</programlisting>
         </listitem>
       </varlistentry>
@@ -1832,10 +1841,9 @@
           <para>You want to accept SSH connections to your firewall only from
           internet IP addresses 130.252.100.69 and 130.252.100.70</para>
 
-          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
-        #                                       PORT    PORT(S) DEST
-        ACCEPT   net:130.252.100.69,130.252.100.70 $FW \
-                                        tcp     22</programlisting>
+          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
+        ACCEPT   net:130.252.100.69,130.252.100.70 \
+                        $FW             tcp     22</programlisting>
         </listitem>
       </varlistentry>
 
@@ -1847,8 +1855,7 @@
           firewall on port 2222 and you want to forward them to local system
           192.168.1.3, port 22</para>
 
-          <programlisting>        #ACTION  SOURCE DEST                PROTO   DEST    SOURCE  ORIGINAL
-        #                                           PORT    PORT(S) DEST
+          <programlisting>        #ACTION  SOURCE DEST                PROTO   DPORT   SPORT   ORIGDEST
         DNAT     net    loc:192.168.1.3:22  tcp     2222</programlisting>
         </listitem>
       </varlistentry>
@@ -1860,8 +1867,7 @@
           <para>You want to redirect connection requests to port 80 randomly
           to the port range 81-90.</para>
 
-          <programlisting>        #ACTION  SOURCE DEST                PROTO DEST    SOURCE  ORIGINAL
-        #                                         PORT    PORT(S) DEST
+          <programlisting>        #ACTION  SOURCE DEST                PROTO DPORT   SPORT   ORIGDEST
         REDIRECT net    $FW::81-90:random   tcp   www</programlisting>
         </listitem>
       </varlistentry>
@@ -1897,8 +1903,7 @@
 
           <para>rules:</para>
 
-          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST
-        #                                                  PORT(S)
+          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DPORT
         REDIRECT    loc             3128       tcp         80                                                   </programlisting>
 
           <simpara>Note that it would have been tempting to simply define the
@@ -1926,8 +1931,7 @@
           <para>Add the tuple (source IP, dest port, dest IP) of an incoming
           SSH connection to the ipset S:</para>
 
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
         ADD(+S:dst,src,dst)           net              fw             tcp         22</programlisting>
         </listitem>
       </varlistentry>
@@ -1939,8 +1943,7 @@
           <para>You wish to limit SSH connections from remote systems to 1/min
           with a burst of three (to allow for limited retry):</para>
 
-          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST         SOURCE    ORIGINAL         RATE
-        #                                                  PORT(S)      PORT(S)   DEST             LIMIT
+          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DPORT        SPORT     ORIGDEST         RATE
         SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3</programlisting>
         </listitem>
       </varlistentry>
@@ -1952,8 +1955,7 @@
           <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
           is on.</para>
 
-          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
-        #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
         DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
         </listitem>
       </varlistentry>
@@ -1965,8 +1967,7 @@
           <para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
           and <emphasis>Satellite Provider</emphasis> address ranges:</para>
 
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
         DROP                          net:^A1,A2       fw             tcp         25</programlisting>
         </listitem>
       </varlistentry>
@@ -1978,8 +1979,7 @@
           <para>You want to generate your own rule involving iptables targets
           and matches not supported by Shorewall.</para>
 
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
         INLINE                        $FW              net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
 
           <para>The above will generate the following iptables-restore

Shorewall/manpages/shorewall-secmarks.xml

@@ -93,7 +93,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CHAIN:STATE (chain) -
+        <term><emphasis role="bold">CHAIN -
         {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
 
         <listitem>
@@ -140,6 +140,8 @@
 
             <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
           </simplelist>
+
+          <para>This column was formerly labelled CHAIN:STATE.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -236,7 +238,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
@@ -259,12 +261,13 @@
           <para>This column is ignored if PROTOCOL = all but must be entered
           if any of the following field is supplied. In that case, it is
           suggested that this field contain "-"</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
-        [<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
@@ -272,6 +275,8 @@
           <para>Optional source port(s). If omitted, any source port is
           acceptable. Specified as a comma-separated list of port names, port
           numbers or port ranges.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
@@ -388,8 +393,7 @@
 
     <para><filename>/etc/shorewall/secmarks</filename>:</para>
 
-    <programlisting>#SECMARK                              CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
-#                                     STATE                                 PORT(S)    PORT(S)     GROUP
+    <programlisting>#SECMARK                              CHAIN      SOURCE  DEST       PROTO   DPORT      SPORT       USER      MARK       
 system_u:object_r:mysqld_packet_t:s0  I:N        lo      127.0.0.1  tcp     3306
 SAVE                                  I:N        lo      127.0.0.1  tcp     3306
 RESTORE                               I:ER</programlisting>

Shorewall/manpages/shorewall-stoppedrules.xml

@@ -112,7 +112,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> ‒
+        <term><emphasis role="bold">DPORT</emphasis> ‒
         <replaceable>service-name/port-number-list</replaceable></term>
 
         <listitem>
@@ -121,11 +121,13 @@
           include port ranges of the form
           <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
           if your kernel and iptables include port range support.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> ‒
+        <term><emphasis role="bold">SPORT</emphasis> ‒
         <replaceable>service-name/port-number-list</replaceable></term>
 
         <listitem>
@@ -136,11 +138,12 @@
           if your kernel and iptables include port range support.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DEST PORTS(S). Use of
+          '=' requires multi-port match in your iptables and kernel.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall/manpages/shorewall-tcfilters.xml

@@ -135,7 +135,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
@@ -143,16 +143,19 @@
           a <emphasis>port number</emphasis>; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s).</para>
+
+          <para>This column was previously labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
-        [<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
           <para>Optional source port.</para>
+
+          <para>This column was previously labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
@@ -292,8 +295,7 @@
           ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
           protocols.</para>
 
-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST
-       #                                        PORT
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT
 
        IPV4
 
@@ -314,8 +316,7 @@
           <para>Add two filters with priority 10 (Shorewall 4.5.8 or
           later).</para>
 
-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST            PRIORITY
-       #                                        PORT
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
 
        IPV4
 

Shorewall/manpages/shorewall.conf.xml

@@ -1625,11 +1625,11 @@ LOG:info:,bar                        net                    fw</programlisting>
         <listitem>
           <para>This parameter specifies the directory/directories where your
           kernel netfilter modules may be found. If you leave the variable
-          empty, Shorewall will supply the value "/lib/modules/`uname
-          -r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to
-          3.2.4 and "/lib/modules/`uname
-          -r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
-          -r`/kernel/net/ipv4/netfilter" in later versions.</para>
+          empty, Shorewall will supply the value
+          "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
+          where <emphasis role="bold">uname</emphasis> holds the output of
+          '<command>uname -r</command>' and <emphasis
+          role="bold">g_family</emphasis> holds '4'. </para>
         </listitem>
       </varlistentry>
 

Shorewall/uninstall.sh

@@ -168,8 +168,8 @@ fi
 
 rm -f ${SBINDIR}/shorewall
 
-if [ -L ${SHAREDIR}/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
+if [ -L ${SHAREDIR}/shorewall/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
@@ -188,17 +188,19 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall.service
+    rm -f $SERVICEDIR/shorewall.service
 fi
 
 rm -rf ${SHAREDIR}/shorewall/version
 rm -rf ${CONFDIR}/shorewall
 
 if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] || SYSCONFFILE=${PRODUCT};
-    rm -f ${SYSCONFDIR}/${SYSCONFFILE}
+    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
 fi
 
 rm -rf ${VARDIR}/shorewall

Shorewall6-lite/uninstall.sh

@@ -193,9 +193,11 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-if [ -n "$SYSTEMD" ]; then
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall6-lite.service
+    rm -f $SERVICEDIR/shorewall6-lite.service
 fi
 
 rm -f ${SBINDIR}/shorewall6-lite
@@ -205,7 +207,6 @@ rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 rm -f  ${SYSCONFDIR}/shorewall6-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
 
 rm -f ${MANDIR}/man5/shorewall6-lite*
 rm -f ${MANDIR}/man8/shorewall6-lite*

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=Off
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -160,7 +160,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=Off
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=On
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=On
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/configfiles/accounting

@@ -7,5 +7,4 @@
 # additional information about how to use this file.
 #
 ###############################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC	HEADERS
-#							PORT(S)		PORT(S)	GROUP
+#ACTION		CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK	IPSEC	HEADERS

Shorewall6/configfiles/actions

@@ -5,6 +5,8 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-########################################################################################
-#ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
-#                               v        a comment describing the action)
+# Place '# ' below the 'C' in COMMENT followed by a comment describing
+# the action.
+#
+###############################################################################
+#ACTION		OPTIONS		COMMENT

Shorewall6/configfiles/blrules

@@ -6,6 +6,5 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS	SWITCH
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER

Shorewall6/configfiles/conntrack

@@ -3,11 +3,10 @@
 #
 # For information about entries in this file, type "man shorewall6-conntrack"
 #
-##############################################################################################################
 ?FORMAT 3
-##############################################################################################################
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
-#								PORT(S)		PORT(S)	GROUP
+##############################################################################################
+#ACTION			SOURCE		DEST		PROTO	DPORT	SPORT	USER	SWITCH
+
 ?if $AUTOHELPERS && __CT_TARGET
 
 ?if __AMANDA_HELPER

Shorewall6/configfiles/hosts

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-hosts.html
 #
 ###############################################################################
-#ZONE	HOST(S)					OPTIONS
+#ZONE		HOSTS				OPTIONS

Shorewall6/configfiles/interfaces

@@ -6,7 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-interfaces.html
 #
-###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS

Shorewall6/configfiles/isusable

@@ -13,6 +13,7 @@
 # information.
 #
 ###############################################################################
+
 local status
 status=0
 

Shorewall6/configfiles/maclist

@@ -6,4 +6,4 @@
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
 ###############################################################################
-#DISPOSITION	INTERFACE		MAC			IP ADDRESSES (Optional)
+#DISPOSITION	INTERFACE		MAC			ADDRESSES

Shorewall6/configfiles/mangle

@@ -11,5 +11,4 @@
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
-#							PORT(S)	PORT(S)
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP

Shorewall6/configfiles/masq

@@ -6,6 +6,5 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-masq.html
 #
-########################################################################################################################
-#INTERFACE	SOURCE			ADDRESS			PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#												GROUP		DEST
+######################################################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH

Shorewall6/configfiles/nat

@@ -7,5 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-nat.html
 #
 ###############################################################################
-#EXTERNAL		INTERFACE		INTERNAL	ALL	LOCAL
-#						INTERFACES
+#EXTERNAL	INTERFACE	INTERNAL	ALLINTS		LOCAL

Shorewall6/configfiles/netmap

@@ -6,6 +6,5 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-##############################################################################################
-#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
-#										PORT(S)	PORT(S)
+#############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DPORT	SPORT

Shorewall6/configfiles/params

@@ -21,5 +21,3 @@
 #	net	eth0		-	dhcp,nosmurfs
 #
 ###############################################################################
-
-#LAST LINE -- DO NOT REMOVE

Shorewall6/configfiles/policy

@@ -7,5 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
+#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT

Shorewall6/configfiles/rules

@@ -6,9 +6,9 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
-#							PORT(S)	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED

Shorewall6/configfiles/scfilter

@@ -8,4 +8,5 @@
 # information.
 #
 ###############################################################################
+
 cat -

Shorewall6/configfiles/secmarks

@@ -3,6 +3,5 @@
 #
 # For information about entries in this file, type "man shorewall-secmarks"
 #
-############################################################################################################
-#SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
-#										PORT(S)	PORT(S)
+####################################################################################################
+#SECMARK		CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK

Shorewall6/configfiles/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=Off
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/configfiles/stoppedrules

@@ -11,5 +11,4 @@
 # information.
 #
 ###############################################################################
-#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
-#								PORT(S)	PORT(S)
+#ACTION		SOURCE			DEST		PROTO	DPORT	SPORT

Shorewall6/configfiles/tcclasses

@@ -6,4 +6,4 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ###############################################################################
-#INTERFACE:CLASS	MARK	RATE	CEIL	PRIORITY	OPTIONS
+#INTERFACE	MARK	RATE		CEIL		PRIO	OPTIONS

Shorewall6/configfiles/tcdevices

@@ -6,5 +6,4 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ###############################################################################
-#NUMBER:	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS		REDIRECTED
-#INTERFACE							INTERFACES
+#INTERFACE	IN_BANDWITH	OUT_BANDWIDTH	OPTIONS		REDIRECT

Shorewall6/configfiles/tcfilters

@@ -5,6 +5,5 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
-#CLASS							PORT(S)	PORT(S)
+######################################################################################
+#CLASS		SOURCE		DEST		PROTO	DPORT	SPORT	TOS	LENGTH

Shorewall6/configfiles/tcinterfaces

@@ -8,4 +8,4 @@
 # information.
 #
 ###############################################################################
-#INTERFACE		TYPE	IN-BANDWIDTH		OUT-INTERFACE
+#INTERFACE	TYPE		IN_BANDWIDTH		OUT_BANDWIDTH

Shorewall6/configfiles/tcpri

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+#BAND	PROTO	PORT		ADDRESS		INTERFACE	HELPER

Shorewall6/configfiles/tunnels

@@ -7,5 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY(S)			GATEWAY
-#								ZONE(S)
+#TYPE			ZONE		GATEWAY			GATEWAY_ZONE

Shorewall6/configfiles/zones

@@ -7,6 +7,6 @@
 # http://www.shorewall.net/manpages6/shorewall6-zones.html
 #
 ###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
+#ZONE		TYPE		OPTIONS		IN_OPTIONS	OUT_OPTIONS
+
+fw		firewall

Shorewall6/manpages/shorewall6-accounting.xml

@@ -349,7 +349,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
@@ -359,11 +359,13 @@
 
           <para>Format same as <emphasis role="bold">SOURCE</emphasis>
           column.</para>
+
+          <para>This column was formerly labelled DESTINATION.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
+        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
@@ -381,12 +383,14 @@
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>
+
+          <para>This column was formerly labelled PROTOCOL.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
-        {<emphasis role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -405,12 +409,14 @@
           ("ip6tables -m ipp2p --help") without the leading "--". If no option
           is given in this column, <emphasis role="bold">ipp2p</emphasis> is
           assumed.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
-        {<emphasis role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -424,16 +430,17 @@
           support.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT. Use of '='
+          requires multi-port match in your iptables and kernel.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
@@ -490,6 +497,8 @@
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <para>This column was formerly labelled USER/GROUP.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-blacklist.xml

@@ -1,217 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall6-blacklist</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>blacklist</refname>
-
-    <refpurpose>shorewall6 Blacklist file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall6/blacklist</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>The blacklist file is used to perform static blacklisting by source
-    address (IP or MAC), or by application. The use of this file is deprecated
-    in favor of <ulink
-    url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5),
-    and beginning with Shorewall 4.5.7, the blacklist file is no longer
-    installed. Existing blacklist files can be converted to a corresponding
-    blrules file using the <command>shorewall6 update -b</command>
-    command.</para>
-
-    <para>The columns in the file are as follows (where the column name is
-    followed by a different name in parentheses, the different name is used in
-    the alternate specification syntax).</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
-        role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
-
-        <listitem>
-          <para>Host address, network address, MAC address, IP address range
-          (if your kernel and ip6tables contain iprange match support) or
-          ipset name prefaced by "+" (if your kernel supports ipset match).
-          Exclusion (<ulink
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
-          is supported.</para>
-
-          <para>MAC addresses must be prefixed with "~" and use "-" as a
-          separator.</para>
-
-          <para>Example: ~00-A0-C9-15-39-78</para>
-
-          <para>A dash ("-") in this column means that any source address will
-          match. This is useful if you want to blacklist a particular
-          application using entries in the PROTOCOL and PORTS columns.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
-        role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
-
-        <listitem>
-          <para>Optional - if specified, must be a protocol number or a
-          protocol name from protocols(5).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis
-        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
-
-        <listitem>
-          <para>May only be specified if the protocol is TCP (6), UDP (17),
-          DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
-          destination port numbers or service names from services(5).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
-
-        <listitem>
-          <para>Optional - added in 4.4.12. If specified, indicates whether
-          traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
-          role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
-          ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
-          blacklisted. The default is <emphasis role="bold">src</emphasis>. If
-          the ADDRESS/SUBNET column is empty, then this column has no effect
-          on the generated rule.</para>
-
-          <note>
-            <para>In Shorewall 4.4.12, the keywords from and to were used in
-            place of src and dst respectively. Blacklisting was still
-            restricted to traffic <emphasis>arriving</emphasis> on an
-            interface that has the 'blacklist' option set. So to block traffic
-            from your local network to an internet host, you had to specify
-            <option>blacklist</option> on your internal interface in <ulink
-            url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
-            (5).</para>
-          </note>
-
-          <note>
-            <para>Beginning with Shorewall 4.4.13, entries are applied based
-            on the <emphasis role="bold">blacklist</emphasis> setting in
-            <ulink
-            url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5):</para>
-
-            <orderedlist>
-              <listitem>
-                <para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
-                from this zone is passed against the entries in this file that
-                have the <emphasis role="bold">src</emphasis> option
-                (specified or defaulted).</para>
-              </listitem>
-
-              <listitem>
-                <para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
-                Traffic to this zone is passed against the entries in this
-                file that have the <emphasis role="bold">dst</emphasis>
-                option.</para>
-              </listitem>
-            </orderedlist>
-          </note>
-
-          <para>In Shorewall 4.4.20, the <emphasis
-          role="bold">whitelist</emphasis> option was added. When <emphasis
-          role="bold">whitelist</emphasis> is specified, packets/connections
-          that match the entry are not matched against the remaining entries
-          in the file.</para>
-
-          <para>The <emphasis role="bold">audit</emphasis> option was also
-          added in 4.4.20 and causes packets matching the entry to be audited.
-          The <emphasis role="bold">audit</emphasis> option may not be
-          specified in whitelist entries and require AUDIT_TARGET support in
-          the kernel and ip6tables.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>When a packet arrives on an interface that has the <emphasis
-    role="bold">blacklist</emphasis> option specified in <ulink
-    url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5),
-    its source IP address and MAC address is checked against this file and
-    disposed of according to the <emphasis
-    role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
-    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
-    <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
-    role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
-    are supplied, only packets matching the protocol (and one of the ports if
-    <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Example</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>Example 1:</term>
-
-        <listitem>
-          <para>To block DNS queries from address
-          fe80::2a0:ccff:fedb:31c4:</para>
-
-          <programlisting>        #ADDRESS/SUBNET            PROTOCOL        PORT
-        fe80::2a0:ccff:fedb:31c4/  udp             53</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 2:</term>
-
-        <listitem>
-          <para>To block some of the nuisance applications:</para>
-
-          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
-        -                       udp             1024:1033,1434
-        -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall6/blacklist</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para><ulink
-    url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
-
-    <para><ulink
-    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-rtrules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
-  </refsect1>
-</refentry>

Shorewall6/manpages/shorewall6-conntrack.xml

@@ -414,7 +414,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST PORT(S) (dport) -
+        <term>DPORT -
         {-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
 
         <listitem>
@@ -427,11 +427,13 @@
           <para>Beginning with Shorewall 4.6.0, an ipset name can be specified
           in this column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE PORT(S) (sport) -
+        <term>SPORT -
         {-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
 
         <listitem>
@@ -442,25 +444,28 @@
           if your kernel and iptables include port range support.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S).</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT.</para>
 
           <para>Beginning with Shorewall 4.6.0, an ipset name can be specified
           in this column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>USER/GROUP (user) ‒
+        <term>USER ‒
         [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
 
         <listitem>
           <para>May only be specified if the SOURCE
           <replaceable>zone</replaceable> is $FW. Specifies the effective user
           id and or group id of the process sending the traffic.</para>
+
+          <para>This column was formerly labelled USER/GROUP.</para>
         </listitem>
       </varlistentry>
 
@@ -523,8 +528,7 @@
     itself.</para>
 
     <programlisting>FORMAT 2
-#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
-#                                                                                   PORT(S)           PORT(S)
+#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
 
     <para>Example 2 (Shorewall 4.5.10 or later):</para>
@@ -532,15 +536,13 @@ CT:helper:ftp(expevents=new)  fw                -                  tcp
     <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
 
     <programlisting>FORMAT 2
-#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
-#                                                                                   PORT(S)           PORT(S)
+#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
 DROP                          all-:2001:1.2.3::4 -
 DROP                          all                2001:1.2.3::4
 </programlisting>
 
     <para>or<programlisting>FORMAT 3
-#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
-#                                                                                   PORT(S)           PORT(S)
+#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
 DROP:P                        2001:1.2.3::4      -
 DROP:PO                       -                  2001:1.2.3::4
 </programlisting></para>

Shorewall6/manpages/shorewall6-ipsets.xml

@@ -56,7 +56,7 @@
       <option>dst</option>. Example: myset[src,dst].</member>
     </simplelist>
 
-    <para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
+    <para>In a SOURCE or SPORT column, the following pairs are
     equivalent:</para>
 
     <itemizedlist>
@@ -65,7 +65,7 @@
       </listitem>
     </itemizedlist>
 
-    <para>In a DEST or DEST PORT(S) column, the following pairs are
+    <para>In a DEST or DPORT column, the following pairs are
     equivalent:</para>
 
     <itemizedlist>

Shorewall6/manpages/shorewall6-mangle.xml

@@ -593,8 +593,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                 that problem. SAME may be used in the PREROUTING and OUTPUT
                 chains. When used in PREROUTING, it causes matching
                 connections from an individual local system to all use the
-                same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
+                same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DPORT
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                 If a host in 192.168.1.0/24 attempts a connection on TCP port
                 80 or 443 and it has sent a packet on either of those ports in
@@ -604,8 +603,7 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
 
                 <para>When used in the OUTPUT chain, it causes all matching
                 connections to an individual remote system to all use the same
-                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
+                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DPORT
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
                 optional <replaceable>timeout</replaceable> parameter was
                 added in Shorewall 4.6.7 and specifies a number of seconds .
@@ -812,7 +810,7 @@ Normal-Service       =&gt; 0x00</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
@@ -835,12 +833,13 @@ Normal-Service       =&gt; 0x00</programlisting>
           <para>An entry in this field requires that the PROTO column specify
           icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
           any of the following field is supplied.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
-        [<emphasis
+        <term><emphasis role="bold">SPORT </emphasis>- [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
@@ -854,11 +853,12 @@ Normal-Service       =&gt; 0x00</programlisting>
           the following fields is supplied.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT. Use of '='
+          requires multi-port match in your iptables and kernel.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
@@ -1064,8 +1064,7 @@ Normal-Service       =&gt; 0x00</programlisting>
           by the named helper module.</para>
 
           <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#                                                PORT(S)
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   DPORT      SPORT   USER TEST LENGTH TOS CONNBYTES HELPER
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
         </listitem>
       </varlistentry>
@@ -1348,8 +1347,7 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <para>We assume packet/connection mark 0 means unclassified.</para>
 
-          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                       PORT(S)
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
        MARK(1):T  ::/0      ::/0         icmp    echo-request
        MARK(1):T  ::/0      ::/0         icmp    echo-reply
        RESTORE:T  ::/0      ::/0         all     -             -       -       0

Shorewall6/manpages/shorewall6-masq.xml

@@ -199,7 +199,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">DPORT</emphasis> (Optional) -
         {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
         <listitem>
@@ -379,8 +379,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
@@ -488,8 +487,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
-        [<emphasis
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
@@ -500,6 +498,8 @@
           the listed addresses. It is useful for specifying that SNAT should
           occur only for connections that were acted on by a DNAT when they
           entered the firewall.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-nat.xml

@@ -103,15 +103,16 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
-        [<emphasis role="bold">Yes</emphasis>|<emphasis
-        role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
           <para>If Yes or yes, NAT will be effective from all hosts. If No or
           no (or left empty) then NAT will be effective only through the
           interface named in the <emphasis role="bold">INTERFACE</emphasis>
           column.</para>
+
+          <para>This column was formerly labelled ALL INTERFACES.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-nesting.xml

@@ -82,7 +82,7 @@
 
     <para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
 
-    <programlisting>        #ACTION   SOURCE    DEST                  PROTO    DEST PORT(S)
+    <programlisting>        #ACTION   SOURCE    DEST                  PROTO    DPORT
         ...
         ACCEPT    sam       loc:2001:19f0:feee::3 tcp      ssh
         ACCEPT    net       loc:2001:19f0:feee::5 tcp      www

Shorewall6/manpages/shorewall6-netmap.xml

@@ -137,7 +137,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
+        <term><emphasis role="bold">DPORT</emphasis> -
         <emphasis>port-number-or-name-list</emphasis></term>
 
         <listitem>
@@ -159,11 +159,13 @@
           <para>An entry in this field requires that the PROTO column specify
           icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
           any of the following field is supplied.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
+        <term><emphasis role="bold">SPORT</emphasis> -
         <emphasis>port-number-or-name-list</emphasis></term>
 
         <listitem>
@@ -174,6 +176,8 @@
           <para>An entry in this field requires that the PROTO column specify
           tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
           the following fields is supplied.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6-rules.xml

@@ -229,6 +229,12 @@
                 role="bold">dst</emphasis> respectively (see the -A command in
                 ipset (8)).</para>
 
+                <para>Beginning with Shorewall 5.0.3, an optional
+                <replaceable>timeout</replaceable> can be specified. This is
+                the number of seconds that the new entry in the ipset is to
+                remain valid and overrides any timeout specified when the
+                ipset was created.</para>
+
                 <para>ADD is non-terminating. Even if a packet matches the
                 rule, it is passed on to the next rule.</para>
               </listitem>
@@ -1111,8 +1117,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
-        {<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
@@ -1144,8 +1149,7 @@
 
           <para>If your kernel contains multi-port match support, then only a
           single Netfilter rule will be generated in this list and the
-          <emphasis role="bold">CLIENT PORT(S)</emphasis> list below
-          if:</para>
+          <emphasis role="bold">SPORT</emphasis> list below if:</para>
 
           <para>1. There are 15 or less ports listed.</para>
 
@@ -1156,12 +1160,13 @@
           <replaceable>ipset</replaceable> name can be specified in this
           column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
-        {<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
@@ -1171,11 +1176,10 @@
           numbers or port ranges.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT. Use of '='
+          requires multi-port match in your iptables and kernel.</para>
 
           <warning>
             <para>Unless you really understand IP, you should leave this
@@ -1189,7 +1193,7 @@
 
           <para>If your kernel contains multi-port match support, then only a
           single Netfilter rule will be generated if in this list and the
-          <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
+          <emphasis role="bold">DPORT</emphasis> list above:</para>
 
           <para>1. There are 15 or less ports listed.</para>
 
@@ -1199,21 +1203,25 @@
           <para>Beginning with Shorewall 4.6.0, an ipset name can be specified
           in this column. This is intended to be used with
           <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
-        [<emphasis role="bold">-</emphasis>]</term>
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>]</term>
 
         <listitem>
           <para>Included for compatibility with Shorewall. Enter '-' in this
           column if you need to specify one of the later columns.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
+        <term><emphasis role="bold">RATE</emphasis> -
         <replaceable>limit</replaceable></term>
 
         <listitem>
@@ -1278,11 +1286,13 @@
           enforce the per-source limit and the compiler will pick a unique
           name for the hash table that tracks the per-destination
           limit.</para>
+
+          <para>This column was formerly labelled RATE LIMIT.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number-or-range</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number-or-range</emphasis>]</term>
 
@@ -1336,6 +1346,8 @@
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <para>This column was formerly labelled USER/GROUP.</para>
         </listitem>
       </varlistentry>
 
@@ -1716,8 +1728,7 @@
         <listitem>
           <para>Accept SMTP requests from the DMZ to the internet</para>
 
-          <programlisting>         #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
-         #                               PORT    PORT(S) DEST
+          <programlisting>         #ACTION SOURCE  DEST PROTO      DPORT   SPORT   ORIGDEST
          ACCEPT  dmz     net       tcp   smtp</programlisting>
         </listitem>
       </varlistentry>
@@ -1730,8 +1741,7 @@
           internet IP addresses 2002:ce7c::92b4:1::2 and
           2002:ce7c::92b4:1::22</para>
 
-          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
-        #                                       PORT    PORT(S) DEST
+          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
         ACCEPT   net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
                         $FW              tcp     22</programlisting>
         </listitem>
@@ -1744,8 +1754,7 @@
           <para>You wish to limit SSH connections from remote systems to 1/min
           with a burst of three (to allow for limited retry):</para>
 
-          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST         SOURCE    ORIGINAL         RATE
-        #                                                  PORT(S)      PORT(S)   DEST             LIMIT
+          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DPORT        SPORT     ORIGDEST         RATE
         SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3</programlisting>
         </listitem>
       </varlistentry>
@@ -1757,8 +1766,7 @@
           <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
           is set.</para>
 
-          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
-        #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
         DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
         </listitem>
       </varlistentry>
@@ -1770,8 +1778,7 @@
           <para>Drop all email from IP addresses in the country whose ISO-3661
           country code is ZZ.</para>
 
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
         DROP                          net:^ZZ          fw             tcp         25</programlisting>
         </listitem>
       </varlistentry>
@@ -1783,8 +1790,7 @@
           <para>You want to generate your own rule involving ip6tables targets
           and matches not supported by Shorewall.</para>
 
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
         INLINE                        $FW              net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
 
           <para>The above will generate the following ip6tables-restore

Shorewall6/manpages/shorewall6-secmarks.xml

@@ -92,7 +92,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CHAIN:STATE (chain) -
+        <term><emphasis role="bold">CHAIN -
         {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
 
         <listitem>
@@ -139,6 +139,8 @@
 
             <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
           </simplelist>
+
+          <para>This column was formerly labelled CHAIN:STATE.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -229,7 +231,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
@@ -249,15 +251,14 @@
           If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
           assumed.</para>
 
-          <para>This column is ignored if PROTOCOL = all but must be entered
-          if any of the following field is supplied. In that case, it is
+          <para>This column is ignored if PROTO = all but must be entered if
+          any of the following field is supplied. In that case, it is
           suggested that this field contain "-"</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
-        [<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
@@ -267,11 +268,10 @@
           numbers or port ranges.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT. Use of '='
+          requires multi-port match in your iptables and kernel.</para>
         </listitem>
       </varlistentry>
 
@@ -318,6 +318,8 @@
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <para>This column was formerly labelled USER/GROUP.</para>
         </listitem>
       </varlistentry>
 
@@ -388,8 +390,7 @@
 
     <para><filename>/etc/shorewall6/secmarks</filename>:</para>
 
-    <programlisting>#SECMARK                              CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
-#                                     STATE                                 PORT(S)    PORT(S)     GROUP
+    <programlisting>#SECMARK                              CHAIN      SOURCE  DEST       PROTO   DPORT      SPORT       USER      MARK
 system_u:object_r:mysqld_packet_t:s0  I:N        lo      ::1        tcp     3306
 SAVE                                  I:N
 RESTORE                               I:ER</programlisting>

Shorewall6/manpages/shorewall6-stoppedrules.xml

@@ -112,7 +112,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST PORT(S) (dport) ‒
+        <term>DPORT ‒
         <replaceable>service-name/port-number-list</replaceable></term>
 
         <listitem>
@@ -121,11 +121,13 @@
           include port ranges of the form
           <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
           if your kernel and iptables include port range support.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE PORT(S) (sport) ‒
+        <term>SPORT ‒
         <replaceable>service-name/port-number-list</replaceable></term>
 
         <listitem>
@@ -136,11 +138,12 @@
           if your kernel and iptables include port range support.</para>
 
           <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DEST PORT(S) column is non-empty. This
-          causes the rule to match when either the source port or the
-          destination port in a packet matches one of the ports specified in
-          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          and kernel.</para>
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT. Use of '='
+          requires multi-port match in your iptables and kernel.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6-tcfilters.xml

@@ -131,7 +131,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
+        <term><emphasis role="bold">DPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
@@ -139,16 +139,19 @@
           a <emphasis>port number</emphasis>; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s).</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
-        [<emphasis
+        <term><emphasis role="bold">SPORT</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
           <para>Optional source port.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
         </listitem>
       </varlistentry>
 
@@ -286,8 +289,7 @@
           ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
           protocols.</para>
 
-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST
-       #                                        PORT
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT
 
        IPV4
 
@@ -308,8 +310,7 @@
           <para>Add two filters with priority 10 (Shorewall 4.5.8 or
           later).</para>
 
-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST            PRIORITY
-       #                                        PORT
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
 
        IPV6
 
@@ -338,6 +339,6 @@
     <para><ulink
     url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
 
-    <para></para>
+    <para/>
   </refsect1>
 </refentry>