Corrected sysconfig files

Removed unnecessary lines in sysconfig files

Signed-off-by: Matt Darfeuille <matdarf@gmail.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -24,6 +24,9 @@
 
 VERSION=xxx #The Build script inserts the actual version
 
+PRODUCT=shorewall-core
+Product="Shorewall Core"
+ 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
@@ -100,6 +103,9 @@ require()
     eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 
+#
+# Change to the directory containing this script
+#
 cd "$(dirname $0)"
 
 #
@@ -340,8 +346,10 @@ fi
 mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}
 
-mkdir -p ${DESTDIR}${MANDIR}
-chmod 755 ${DESTDIR}${MANDIR}
+if [ -n "${MANDIR}" ]; then
+    mkdir -p ${DESTDIR}${MANDIR}
+    chmod 755 ${DESTDIR}${MANDIR}
+fi
 
 if [ -n "${INITFILE}" ]; then
     mkdir -p ${DESTDIR}${INITDIR}

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=40609
+SHOREWALL_CAPVERSION=50004
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -2593,6 +2593,7 @@ determine_capabilities() {
     TARPIT_TARGET=
     IFACE_MATCH=
     TCPMSS_TARGET=
+    WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2616,6 +2617,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
+    if qt $g_tool --wait -t filter -L INPUT -n -v; then
+	WAIT_OPTION=Yes
+	tool="$tool --wait"
+    fi
+
     chain=fooX$$
 
     if [ -n "$NAT_ENABLED" ]; then
@@ -3074,8 +3080,10 @@ report_capabilities_unsorted() {
 
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
+	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
+	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3185,6 +3193,7 @@ report_capabilities_unsorted1() {
     report_capability1 TARPIT_TARGET
     report_capability1 IFACE_MATCH
     report_capability1 TCPMSS_TARGET
+    report_capability1 WAIT_OPTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3263,9 +3272,11 @@ show_interfaces() {
     local printed
 
     for f in ${VARDIR}/*.status; do
-	interface=$(basename $f)
-	echo "   Interface ${interface%.status} is $(interface_status $f)"
-	printed=Yes
+	if [ -f $f ]; then
+	    interface=$(basename $f)
+	    echo "   Interface ${interface%.status} is $(interface_status $f)"
+	    printed=Yes
+	fi
     done
 
     [ -n "$printed" ] && echo

Shorewall-core/shorewallrc.openwrt

@@ -3,24 +3,21 @@
 #
 # Input: host=openwrt
 #
-HOST=openwrt
-PREFIX=/usr                             
-SHAREDIR=${PREFIX}/share                
-LIBEXECDIR=${PREFIX}/share              
-PERLLIBDIR=${PREFIX}/share/shorewall    
-CONFDIR=/etc                            
-SBINDIR=/sbin                           
-MANDIR=${PREFIX}/man                    
-INITDIR=/etc/init.d                     
-INITSOURCE=init.openwrt.sh
-INITFILE=$PRODUCT                       
-AUXINITSOURCE=
-AUXINITFILE=
-SERVICEDIR=                             
-SERVICEFILE=                            
-SYSCONFFILE=default.openwrt
-SYSCONFDIR=${CONFDIR}/sysconfig
-SPARSE=                                 
-ANNOTATED=                              
-VARLIB=/lib
-VARDIR=${VARLIB}/$PRODUCT               
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=                                 #Directory where manpages are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.openwrt.sh              #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SYSCONFDIR=${CONFDIR}/sysconfig         #Directory where SysV init parameter files are installed
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/lib                             #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/uninstall.sh

@@ -27,7 +27,9 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx #The Build script inserts the actual version
-
+PRODUCT="shorewall-core"
+Product="Shorewall Core"
+ 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
@@ -66,6 +68,11 @@ remove_file() # $1 = file to restore
     fi
 }
 
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 #
 # Read the RC file
 #

Shorewall-init/init.openwrt.sh

@@ -0,0 +1,131 @@
+#!/bin/sh /etc/rc.common
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#
+#     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall-init.
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+
+# arg1 of init script is arg2 when rc.common is sourced
+
+case "$action" in
+  start|stop|boot)
+      if [ "$(id -u)" != "0" ]
+      then
+	  echo "You must be root to start, stop or restart \"Shorewall \"."
+	  exit 1
+      fi
+
+      # check if shorewall-init is configured or not
+      if [ -f "/etc/sysconfig/shorewall-init" ]
+      then
+	  . /etc/sysconfig/shorewall-init
+	  if [ -z "$PRODUCTS" ]
+	  then
+	      exit 0
+	  fi
+      else
+	  exit 0
+      fi
+
+      ;;
+  enable|disable|enabled)
+      # Openwrt related
+      # start and stop runlevel variable
+      START=19
+      STOP=91
+      ;;
+  *)
+      echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+      exit 1
+esac
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . ${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    else
+	return 0
+    fi
+}
+
+# Initialize the firewall
+start () {
+    local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+}
+
+boot () {
+    start
+}
+
+# Clear the firewall
+stop () {
+    local PRODUCT
+    local STATEDIR
+
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
+	fi
+    done
+
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	fi
+    fi
+}
+

Shorewall-init/install.sh

@@ -28,6 +28,8 @@
 #
 
 VERSION=xxx #The Build script inserts the actual version.
+PRODUCT=shorewall-init
+Product="Shorewall Init"
 
 usage() # $1 = exit status
 {
@@ -71,39 +73,50 @@ mywhich() {
     return 2
 }
 
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
     echo
     echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
 
+install_file() # $1 = source $2 = target $3 = mode
+{
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 0755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
 require() 
 {
     eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
+#
+# Change to the directory containing this script
+#
 cd "$(dirname $0)"
 
-PRODUCT=shorewall-init
-
 #
 # Parse the run line
 #
-T='-T'
 
 finished=0
 configure=1
@@ -230,6 +243,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ]; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -237,22 +252,24 @@ if [ -z "$BUILD" ]; then
     esac
 fi
 
-[ -n "$OWNER" ] || OWNER=$(id -un)
-[ -n "$GROUP" ] || GROUP=$(id -gn)
-
 case $BUILD in
     apple)
-	T=
-	;;
-    debian|gentoo|redhat|suse|slackware|archlinux)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	;;
+    cygwin*|CYGWIN*)
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+ 	;;
     *)
-	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
-	exit 1
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac
 
-OWNERSHIP="-o $OWNER -g $GROUP"
+[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"
 
 [ -n "$HOST" ] || HOST=$BUILD
 
@@ -277,6 +294,9 @@ case "$HOST" in
     suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
+    openwrt)
+	echo "Installing Openwrt-specific configuration..."
+	;;
     linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
 	exit 1
@@ -290,12 +310,12 @@ esac
 [ -z "$TARGET" ] && TARGET=$HOST
 
 if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
+    if [ $(id -u) != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi
 
 echo "Installing Shorewall Init Version $VERSION"
@@ -311,7 +331,7 @@ fi
 
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 
 #
@@ -339,14 +359,14 @@ fi
 if [ -n "$SERVICEDIR" ]; then
     mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
     if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 755 ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
     fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
     [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
     echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
@@ -355,13 +375,13 @@ fi
 # Create /usr/share/shorewall-init if needed
 #
 mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
 
 #
 # Install logrotate file
 #
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
     echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 
@@ -369,7 +389,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 
 #
 # Remove and create the symbolic link to the init script
@@ -412,6 +432,9 @@ else
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
+	    elif [ $HOST = openwrt ]; then
+		# Not implemented on openwrt
+		/bin/true
 	    else
 		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
@@ -419,8 +442,8 @@ else
     fi
 
     if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-	run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-	echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
     fi
 
     [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
@@ -430,13 +453,15 @@ fi
 # Install the ifupdown script
 #
 
-cp $IFUPDOWN ifupdown
+if [ $HOST != openwrt ]; then
+    cp $IFUPDOWN ifupdown
 
-[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 
-install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
     [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
@@ -489,7 +514,7 @@ case $HOST in
 esac
 
 if [ -z "$DESTDIR" ]; then
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
@@ -511,6 +536,13 @@ if [ -z "$DESTDIR" ]; then
 	    else
 		cant_autostart
 	    fi
+	elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+	    /etc/init.d/$PRODUCT enable
+	    if /etc/init.d/$PRODUCT enabled; then
+		echo "$Product will start automatically at boot"
+	    else
+		cant_autostart
+	    fi
 	elif [ $HOST = gentoo ]; then
 	    # On Gentoo, a service must be enabled manually by the user,
 	    # not by the installer
@@ -539,6 +571,13 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
+	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+		/etc/init.d/shorewall-inir enable
+		if /etc/init.d/shorewall-init enabled; then
+		    echo "Shorrewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
 	    else
 		cant_autostart
 	    fi

Shorewall-init/shorewall-init.service

@@ -5,7 +5,8 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
-Before=network.target
+Before=network-pre.target
+Wants=network-pre.target
 
 [Service]
 Type=oneshot

Shorewall-init/shorewall-init.service.214

@@ -1,20 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target

Shorewall-init/shorewall-init.service.214.debian

@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target

Shorewall-init/uninstall.sh

@@ -27,6 +27,8 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-init
+Product="Shorewall Init"
 
 usage() # $1 = exit status
 {
@@ -75,6 +77,11 @@ remove_file() # $1 = file to restore
     fi
 }
 
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1
 
@@ -162,7 +169,11 @@ INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 
 if [ -f "$INITSCRIPT" ]; then
     if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
+	if [ $HOST = openwrt ]; then
+	    if /etc/init.d/shorewall-init enabled; then
+		/etc/init.d/shorewall-init disable
+	    fi
+	elif mywhich updaterc.d ; then
 	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
             insserv -r $INITSCRIPT
@@ -183,8 +194,13 @@ if [ -n "$SERVICEDIR" ]; then
     rm -f $SERVICEDIR/shorewall-init.service
 fi
 
-[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+if [ $HOST = openwrt ]; then
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+else
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+fi
 
 remove_file ${CONFDIR}/default/shorewall-init
 remove_file ${CONFDIR}/sysconfig/shorewall-init
@@ -198,8 +214,6 @@ remove_file ${CONFDIR}/network/if-post-down.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
 
-[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
-
 if [ -d ${CONFDIR}/ppp ]; then
     for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	remove_file ${CONFDIR}/ppp/$directory/shorewall

Shorewall-lite/default.openwrt

@@ -1,25 +0,0 @@
-# sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
-
-# startup option(default "-vvv")
-OPTIONS=
-
-# change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
-START=50
-
-# change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
-STOP=
-
-# option to pass when shorewall start is executed
-STARTOPTIONS=
-
-# option to pass when shorewall restart is executed
-RESTARTOPTIONS=
-
-# option to pass when shorewall reload is executed
-RELOADOPTIONS=
-
-# option to pass when shorewall stop is executed
-STOPOPTIONS=
-
-# option to pass when shorewall status is executed
-STATUSOPTIONS=

Shorewall-lite/init.openwrt.sh

@@ -32,25 +32,24 @@
 #	   shorewall-lite start			  Starts the firewall
 #	   shorewall-lite restart		  Restarts the firewall
 #	   shorewall-lite reload		  Reload the firewall
-#						  (same as restart)
 #	   shorewall-lite stop			  Stops the firewall
 #	   shorewall-lite status		  Displays firewall status
 #
 
 # description: Packet filtering firewall
 
-# openwrt stuph
-# start and stop runlevel variable
-#START=21
-#STOP=91
-# variable to display what the status command do when /etc/init.d/shorewall-lite is invoke without argument
+# Openwrt related
+# Start and stop runlevel variable
+START=50
+STOP=89
+# Displays the status command
 EXTRA_COMMANDS="status"
-EXTRA_HELP="Displays shorewall status"
+EXTRA_HELP=" status Displays firewall status"
 
 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS="-vvv"
+OPTIONS=
 
 #
 # The installer may alter this
@@ -61,38 +60,35 @@ if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
     . ${SYSCONFDIR}/shorewall-lite
 fi
 
-START=${START:-21}
-STOP=${STOP:-91}
-
 SHOREWALL_INIT_SCRIPT=1
 
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"
 
 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }
 
 boot() {
-local command="start"
-start
+	local command="start"
+	start
 }
 
 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }
 
 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RELOADOPTION:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }
 
 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STOPOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }
 
 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }

Shorewall-lite/shorewall-lite.service.214

@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target

Shorewall-lite/sysconfig

@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF

Shorewall-lite/uninstall.sh

@@ -28,6 +28,7 @@
 
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
+Product="Shorewall Lite"
 
 usage() # $1 = exit status
 {
@@ -205,14 +206,16 @@ fi
 rm -f ${SBINDIR}/shorewall-lite
 
 rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}/shorewall-lite
+rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
 rm -f  ${SYSCONFDIR}/shorewall-lite
 
-rm -f ${MANDIR}/man5/shorewall-lite*
-rm -f ${MANDIR}/man8/shorewall-lite*
+if [ -n "${MANDIR}" ]; then
+    rm -f ${MANDIR}/man5/shorewall-lite*
+    rm -f ${MANDIR}/man8/shorewall-lite*
+fi
 
 echo "Shorewall Lite Uninstalled"
 

Shorewall/Perl/Shorewall/Accounting.pm

@@ -291,7 +291,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 			    '' ,
 			    $target ,
 			    '' ,
-			    $disposition ,
+		            $disposition ,
+		            '' ,
 			    ''  );
 	    }
 	}
@@ -386,6 +387,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	$target ,
 	'' ,
 	$disposition ,
+	'' ,
 	'' ;
 
     if ( $rule2 || $jump ) {
@@ -414,7 +416,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    '' ,
 		    '' ,
 		    '' ,
-		    '' ,
+	            '' ,
+	            '' ,
 		    '' );
     }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -5753,8 +5753,6 @@ sub match_source_net( $;$\$ ) {
     }
 
     if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 
 	load_isocodes unless %isocodes;
@@ -5842,8 +5840,6 @@ sub imatch_source_net( $;$\$ ) {
     }
 
     if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 
 	load_isocodes unless %isocodes;
@@ -5928,8 +5924,6 @@ sub match_dest_net( $;$ ) {
     }
 
     if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 
 	load_isocodes unless %isocodes;
@@ -6011,8 +6005,6 @@ sub imatch_dest_net( $;$ ) {
     }
 
     if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 
 	load_isocodes unless %isocodes;
@@ -6215,7 +6207,7 @@ sub log_rule_limit( $$$$$$$$ ) {
 
     $matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' ';
 
-    unless ( $matches =~ /-m limit / ) {
+    unless ( $matches =~ /-m (?:limit|hashlimit) / ) {
 	$limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
 	$matches .= $limit if $limit;
     }
@@ -6562,6 +6554,8 @@ sub set_chain_variables() {
 	emit( 'g_tool=$IP6TABLES' );
     }
 
+    emit 'g_tool="$g_tool --wait"' if have_capability 'WAIT_OPTION';
+
     if ( $config{IP} ) {
 	emit( qq(IP="$config{IP}") ,
 	      '[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
@@ -7428,7 +7422,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
     my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7441,6 +7435,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
+	$usergenerated,# Rule came from the IP[6]TABLES target
 	$logname,      # Name of chain to name in log messages
        ) = @_;
 
@@ -7490,7 +7485,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	    $loglevel = validate_level( $loglevel );
 	    $logtag   = '' unless defined $logtag;
 	}
-    } elsif ( $disposition eq 'LOG' ) {
+    } elsif ( $disposition eq 'LOG' && ! $usergenerated ) {
 	fatal_error "LOG requires a level";
     }
     #
@@ -7605,9 +7600,9 @@ sub expand_rule( $$$$$$$$$$$;$ )
 
 		    my $cond3 = conditional_rule( $chainref, $dnet );
 
-		    if ( $loglevel eq '' ) {
+		    if ( $loglevel eq '' || $usergenerated ) {
 			#
-			# No logging -- add the target rule with matches to the rule chain
+			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref , 0, $matches );

Shorewall/Perl/Shorewall/Config.pm

@@ -185,6 +185,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_aliases
 
 				       %actparms
+
+                                       PARMSMODIFIED
+                                       USEDCALLER
 				       
 		                       F_IPV4
 		                       F_IPV6
@@ -396,6 +399,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
                  TCPMSS_TARGET   => 'TCPMSS Target',
+                 WAIT_OPTION     => 'iptables --wait option',
 
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -545,6 +549,7 @@ our %compiler_params;
 #
 our %actparms;
 our $parmsmodified;
+our $usedcaller;
 our $inline_matches;
 
 our $currentline;            # Current config file line image
@@ -595,6 +600,9 @@ use constant { MIN_VERBOSITY => -1,
 	       F_IPV6 => 6,
 	     };
 
+use constant { PARMSMODIFIED => 1,
+               USEDCALLER    => 2 };
+
 our %validlevels;            # Valid log levels.
 
 #
@@ -714,7 +722,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.1",
-		    CAPVERSION              => 40609 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -989,6 +997,7 @@ sub initialize( $;$$) {
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
+	       WAIT_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1043,6 +1052,7 @@ sub initialize( $;$$) {
 
     %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
     $parmsmodified = 0;
+    $usedcaller    = 0;
 
     %helpers_enabled = (
 			amanda       => 1,
@@ -2212,7 +2222,10 @@ sub split_line2( $$;$$$ ) {
 	$pairs = '';
     }
 
-    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    unless ( $currline =~ /^\s*IP6?TABLES\(.*\)/ ) {
+	fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    }
+
     fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 
     my @line = split_columns( $columns );
@@ -2497,7 +2510,7 @@ sub evaluate_expression( $$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparms{$var} : $chain;
-	    $parmsmodified ||= $var eq 'caller';
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2634,7 +2647,7 @@ sub process_compiler_directive( $$$$ ) {
 		      my $val = $actparms{$var} = evaluate_expression ( $expression,
 									$filename,
 									$linenumber );
-		      $parmsmodified = 1;
+		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
@@ -3169,11 +3182,13 @@ sub push_action_params( $$$$$$ ) {
     my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
     my @parms = ( undef , split_list3( $parms , 'parameter' ) );
 
-    $actparms{modified} = $parmsmodified;
+    $actparms{modified}   = $parmsmodified;
+    $actparms{usedcaller} = $usedcaller;
 
     my %oldparms = %actparms;
 
     $parmsmodified = 0;
+    $usedcaller    = 0;
 
     %actparms = ();
 
@@ -3199,13 +3214,16 @@ sub push_action_params( $$$$$$ ) {
 
 #
 # Pop the action parameters using the passed hash reference
-# Return true of the popped parameters were modified
+# Return:
+#   1 if the popped parameters were modified
+#   2 if the action used @CALLER
 #
 sub pop_action_params( $ ) {
     my $oldparms       = shift;
     %actparms          = %$oldparms;
-    my $return         = $parmsmodified;
-    ( $parmsmodified ) = delete $actparms{modified};
+    my $return         = $parmsmodified | $usedcaller;
+    ( $parmsmodified ) = delete $actparms{modified}   || 0;
+    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
     $return;
 }
 
@@ -3300,6 +3318,7 @@ sub expand_variables( \$ ) {
 	    $val = $variables{$var};
 	} elsif ( exists $actparms{$var} ) { 
 	    $val = $actparms{$var};
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
 	}
@@ -3318,6 +3337,7 @@ sub expand_variables( \$ ) {
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparms{$var} : $actparms{chain};
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
@@ -3963,7 +3983,7 @@ sub Udpliteredirect() {
 
 sub Mangle_Enabled() {
     if ( qt1( "$iptables $iptablesw -t mangle -L -n" ) ) {
-	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
+	system( "$iptables $iptablesw -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
     }
 }
 
@@ -4605,7 +4625,8 @@ sub determine_capabilities() {
 
     my $pid     = $$;
 
-    $capabilities{CAPVERSION} = $globals{CAPVERSION};
+    $capabilities{CAPVERSION}  = $globals{CAPVERSION};
+    $capabilities{WAIT_OPTION} = $iptablesw;
 
     determine_kernelversion;
 
@@ -5083,6 +5104,8 @@ sub read_capabilities() {
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
 
+    $iptablesw = '-w' if $capabilities{WAIT_OPTION};
+
 }
 
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -614,7 +614,8 @@ sub process_stoppedrules() {
 				 $target,
 				 '',
 				 $disposition,
-				 do_proto( $proto, '-', '-' ) );
+				 do_proto( $proto, '-', '-' ),
+				 '');
 		}
 	    } else {
 		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";

Shorewall/Perl/Shorewall/Nat.pm

@@ -345,7 +345,8 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule )
+		     $exceptionrule ,
+		     '' )
 	    unless unreachable_warning( 0, $chainref );
 
 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
@@ -795,7 +796,8 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 		  $target ,
 		  $loglevel ,
 		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '',
+		  $serverport ? do_proto( $proto, '', '' ) : '' ,
+		  '' ,
 		)
 	unless unreachable_warning( $wildcard, $chainref );
 
@@ -867,6 +869,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
+			 '',
 			 dnat_chain( $sourcezone  ) )
 		unless unreachable_warning( $wildcard, $chn );
 
@@ -888,6 +891,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
+		 '',
 	       )
 	unless unreachable_warning( $wildcard, $nonat_chain );
 }

Shorewall/Perl/Shorewall/Raw.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_conntrack );
 our @EXPORT_OK = qw( handle_helper_rule );
-our $VERSION = '4.6_10';
+our $VERSION = 'MODULEVERSION';
 
 our %valid_ctevent = ( new        => 1,
 		       related    => 1,
@@ -98,6 +98,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	$action = join( ":" , 'LOG', $action );
     }
 
+    my $usergenerated;
+
     if ( $action eq 'NOTRACK' ) {
 	#
 	# A patch that deimplements the NOTRACK target has been posted on the
@@ -204,7 +206,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		 $action ,
 		 $level || '' ,
 		 $disposition ,
-		 $exception_rule );
+		 $exception_rule ,
+		 $usergenerated && ! $level );
 
     progress_message "  Conntrack rule \"$currentline\" $done";
 }
@@ -247,6 +250,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '',
 			 'CT' ,
+			 '' ,
 			 '' );
 	} else {
 	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
@@ -261,6 +265,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '' ,
 			 'CT' ,
+			 '' ,
 			 '' );
 	}
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -79,6 +79,10 @@ use constant { NULL_SECTION          => 0x00,
 	       NEW_SECTION           => 0x40,
 	       DEFAULTACTION_SECTION => 0x80 };
 #
+# Number of elements in the action tuple
+#
+use constant { ACTION_TUPLE_ELEMENTS => 5 };
+#
 # Section => name function 
 #
 our %section_functions = ( ALL_SECTION ,        \&rules_chain,
@@ -424,6 +428,7 @@ sub print_policy($$$$) {
 sub use_policy_action( $$ );
 sub normalize_action( $$$ );
 sub normalize_action_name( $ );
+sub normalize_single_action( $ );
 
 sub process_default_action( $$$$ ) {
     my ( $originalpolicy, $policy, $default, $level ) = @_;
@@ -441,7 +446,7 @@ sub process_default_action( $$$$ ) {
 	if ( "\L$default" eq 'none' ) {
 	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
 		if ( $default_option ) {
-		    fatal_error "Invalid setting (originalpolicy) for $policy";
+		    fatal_error "Invalid setting ($originalpolicy) for $policy";
 		} else {
 		    fatal_error "Invalid policy ($originalpolicy)";
 		}
@@ -560,7 +565,7 @@ sub process_a_policy() {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $default, $level, $remainder ) = split( /:/, $originalpolicy, 4 );
+    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -944,7 +949,7 @@ sub complete_standard_chain ( $$$$ ) {
 	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
 	$stdchainref->{origin} = $policychainref->{origin};
     } elsif ( $defaultaction !~ /:/ ) {
-	$defaultaction = join(":", $defaultaction, 'none', '', '' );
+	$defaultaction = normalize_single_action( $defaultaction );
     }
 
 
@@ -1169,14 +1174,15 @@ sub finish_section ( $ ) {
 #
 # Create a normalized action name from the passed pieces.
 #
-# Internally, action invocations are uniquely identified by a 4-tuple that
-# includes the action name, log level, log tag and params. The pieces of the tuple
-# are separated by ":".
+# Internally, action invocations are uniquely identified by a 5-tuple that
+# includes the action name, log level, log tag, calling chain and params.
+# The pieces of the tuple are separated by ":".
 #
 sub normalize_action( $$$ ) {
     my $action = shift;
     my $level  = shift;
     my $param  = shift;
+    my $caller = '';     #We assume that the function doesn't use @CALLER
 
     ( $level, my $tag ) = split ':', $level;
 
@@ -1185,13 +1191,23 @@ sub normalize_action( $$$ ) {
     $param = ''     unless defined $param;
     $param = ''     if $param eq '-';
 
-    join( ':', $action, $level, $tag, $param );
+    join( ':', $action, $level, $tag, $caller, $param );
+}
+
+#
+# Add the actual caller into an existing normalised name
+#
+sub insert_caller($$) {
+    my ( $normalized, $caller ) = @_;
+
+    my ( $action, $level, $tag, undef, $param ) = split /:/, $normalized;
+
+    join( ':', $action, $level, $tag, $caller, $param );
 }
 
 #
 # Accepts a rule target and returns a normalized tuple
 #
-
 sub normalize_action_name( $ ) {
     my $target = shift;
     my ( $action, $loglevel) = split_action $target;
@@ -1199,11 +1215,18 @@ sub normalize_action_name( $ ) {
     normalize_action( $action, $loglevel, '' );
 }
 
+#
+# Create an action tuple from a single target name
+#
+sub normalize_single_action( $ ) {
+    join(":", $_[0], 'none', '', '', '' );
+}
+
 #
 # Produce a recognizable target from a normalized action
 #
 sub external_name( $ ) {
-    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;
+    my ( $target, $level, $tag, undef, $params ) = split /:/, shift, ACTION_TUPLE_ELEMENTS;
 
     $target  = join( '', $target, '(', $params , ')' ) if $params;
     $target .= ":$level" if $level && $level ne 'none';
@@ -1333,7 +1356,7 @@ sub createsimpleactionchain( $ ) {
 sub createactionchain( $ ) {
     my $normalized = shift;
 
-    my ( $target, $level, $tag, $param ) = split /:/, $normalized, 4;
+    my ( $target, $level, $tag, $caller, $param ) = split /:/, $normalized, ACTION_TUPLE_ELEMENTS;
 
     assert( defined $param );
 
@@ -1689,11 +1712,15 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 #
 # Populate an action invocation chain. As new action tuples are encountered,
 # the function will be called recursively by process_rule().
+# 
+# Note that the first two parameters are passed by reference and may be
+# modified by this function.
 #
-sub process_action($$) {
-    my ( $chainref, $caller ) = @_;
-    my $wholeaction = $chainref->{action};
-    my ( $action, $level, $tag, $param ) = split /:/, $wholeaction, 4;
+sub process_action(\$\$$) {
+    my ( $wholeactionref, $chainrefref, $caller ) = @_;
+    my $wholeaction = ${$wholeactionref};
+    my $chainref    = ${$chainrefref};
+    my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
 
     if ( $targets{$action} & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1771,10 +1798,48 @@ sub process_action($$) {
 
     #
     # Pop the action parameters
-    # Caller should delete record of this chain if the action parameters
-    # were modified (and this function returns true
     #
-    pop_action_params( $oldparms );
+    if ( ( my $result = pop_action_params( $oldparms ) ) & PARMSMODIFIED ) {
+	#
+	# The action modified its parameters -- delete it from %usedactions
+	#
+	delete $usedactions{$wholeaction};
+    } elsif ( $result & USEDCALLER ) {
+	#
+	# The chain uses @CALLER but doesn't modify the action parameters.
+	# We need to see if this caller has already invoked this action
+	#
+	my $renormalized_action = insert_caller( $wholeaction, $caller );
+	my $chain1ref           = $usedactions{$renormalized_action};
+
+	if ( $chain1ref ) {
+	    #
+	    # It has -- use the prior chain
+	    #
+	    ${$chainrefref} = $chain1ref;
+	    #
+	    # We leave the new chain in place but delete it from %usedactions below
+	    # The optimizer will drop it from the final ruleset.
+	    #
+	} else {
+	    #
+	    # This is the first time that the current chain has invoked this action
+	    #
+	    $usedactions{$renormalized_action} = $chainref;
+	    #
+	    # Update the action member
+	    #
+	    $chainref->{action} = $renormalized_action;
+	}
+	#
+	# Delete the usedactions entry with the original normalized key
+	#
+	delete $usedactions{$wholeaction};
+	#
+	# New normalized target
+	#
+	${$wholeactionref} = $renormalized_action;
+    }
 }
 
 #
@@ -1907,11 +1972,14 @@ sub process_actions() {
 # Create a policy action if it doesn't already exist
 #
 sub use_policy_action( $$ ) {
-    my $ref = use_action( $_[0] );
+    my ( $normalized_target, $caller ) = @_;
+
+    my $ref = use_action( $normalized_target );
+
     if ( $ref ) {
-	delete $usedactions{$ref->{action}} if process_action( $ref, $_[1] );
+	process_action( $normalized_target, $ref, $caller );
     } else {
-	$ref = $usedactions{$_[0]};
+	$ref = $usedactions{$normalized_target};
     }
 
     $ref;
@@ -2264,6 +2332,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $matches     = $rule;
     my $raw_matches = '';
     my $exceptionrule = '';
+    my $usergenerated;
 
     if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2287,6 +2356,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
+    $usergenerated = $actiontype & IPTABLES;
+
     if ( $actiontype == MACRO ) {
 	#
 	# process_macro() will call process_rule() recursively for each rule in the macro body
@@ -2333,15 +2404,16 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$param = $param eq '' ? 'drop' : $param;
 	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
 	$actiontype = STANDARD;
-    } elsif ( $actiontype & NFLOG ) {
-	validate_level( $action );
-	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
-	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
-	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
-	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+    } elsif ( ! $usergenerated ) {
+	if ( $actiontype & NFLOG ) {
+	    validate_level( $action );
+	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
+	    $action   = 'LOG';
+	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+	}
     }
-
     #
     # We can now dispense with the postfix character
     #
@@ -2657,7 +2729,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle actions
     #
-    my $delete_action;
+    my $actionchain; #Name of the action chain
 
     if ( $actiontype & ACTION ) {
 	#
@@ -2673,18 +2745,29 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    #
 	    my $savestatematch = $statematch;
 	    $statematch        = '';
-
-	    $delete_action = process_action( $ref, $chain );
+	    #
+	    # process_action may modify both $normalized_target and $ref!!!
+	    #
+	    process_action( $normalized_target, $ref, $chain );
+	    #
+	    # Capture the name of the action chain
+	    #
+	    $actionchain = $ref->{name};
 	    #
 	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #
 	    #    - Refresh $actiontype
 	    #    - Create the associated nat and/or table chain if appropriate.
 	    #
-	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
-	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
+	    ensure_chain( 'nat', $actionchain ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
+	    ensure_chain( 'raw', $actionchain ) if ( $actiontype & HELPER );
 
 	    $statematch = $savestatematch;
+	} else {
+	    #
+	    # We've seen this tuple before
+	    #
+	    $actionchain = $usedactions{$normalized_target}->{name};
 	}
 
 	$action = $basictarget; # Remove params, if any, from $action.
@@ -2804,7 +2887,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			    $ports,
 			    $sports,
 			    $sourceref,
-			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+			    ( $actiontype & ACTION ) ? $actionchain : '',
 			    $inchain ? $chain : '' ,
 			    $user ,
 			    $rule ,
@@ -2826,7 +2909,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 				     $proto,
 				     $ports,
 				     $origdest,
-				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+				     ( $actiontype & ACTION ) ? $actionchain : '',
 				     $action,
 				     $sourceref,
 				     $inaction ? $chain : '',
@@ -2883,7 +2966,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     unless ( $actiontype & NATONLY ) {
 
 	if ( $actiontype & ACTION ) {
-	    $action = $usedactions{$normalized_target}{name};
+	    $action = $actionchain;
 	    $loglevel = '';
 	}
 
@@ -2909,12 +2992,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule )
+		     $exceptionrule ,
+		     $usergenerated && ! $loglevel )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
     }
 
-    delete $usedactions{$normalized_target} if $delete_action;
-
     return 1;
 }
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -227,6 +227,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
     our $designator;
     our $ttl            = 0;
     my $fw              = firewall_zone;
+    my $usergenerated;
 
     sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
@@ -290,7 +291,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 			     "$target $option " . join( '/', in_hex( $markval ) , $mask ) ,
 			     '',
 			     $target ,
-			     $exceptionrule );
+			     $exceptionrule ,
+			     ''  );
 	    }
 
 	    $done = 1;
@@ -452,6 +454,37 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	DIVERTHA   => {
+	    defaultchain   => REALPREROUTING,
+	    allowedchains  => PREROUTING | REALPREROUTING,
+	    minparams      => 0,
+	    maxparams      => 0,
+	    function       => sub () {
+		fatal_error 'DIVERTHA is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
+		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
+
+		unless ( $divertref ) {
+		    $divertref = new_chain( 'mangle', 'divert' );
+		    add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
+		    add_ijump( $divertref , j => 'ACCEPT' );
+		}
+
+		$target = 'divert';
+
+		$matches = '-m socket ';
+	    },
+	},
+
+	DROP       => {
+	    defaultchain   => 0,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    minparams      => 0,
+	    maxparams      => 0,
+	    function       => sub() {
+		$target = 'DROP';
+	    }
+	},
+
 	DSCP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -524,7 +557,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target = $params;
+		$target        = $params;
+		$usergenerated = 1;
 	    },
 	},
 
@@ -539,7 +573,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target = $params;
+		$target        = $params;
+		$usergenerated = 1;
 	    },
 	},
 
@@ -850,7 +885,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 $target,
 					 '' ,
 					 $target ,
-					 $exceptionrule ) )
+					 $exceptionrule ,
+					 $usergenerated ) )
 	     && $device ) {
 	    #
 	    # expand_rule() returns destination device if any
@@ -2918,7 +2954,9 @@ sub process_traffic_shaping() {
 
 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
 
-			while ( my ( $option, $type ) = each %validredoptions ) {
+			for my $option ( sort keys %validredoptions ) {
+			    my $type = $validredoptions{$option};
+
 			    if ( my $value = $redopts->{$option} ) {
 				if ( $type == RED_NONE ) {
 				    $options = join( ' ', $options, $option ) if $value;
@@ -2935,7 +2973,9 @@ sub process_traffic_shaping() {
 
 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
 
-			while ( my ( $option, $type ) = each %validcodeloptions ) {
+			for my $option ( sort keys %validcodeloptions ) {
+			    my $type = $validcodeloptions{$option};
+
 			    if ( my $value = $codelopts->{$option} ) {
 				if ( $type == CODEL_NONE ) {
 				    $options = join( ' ', $options, $option );
@@ -3118,6 +3158,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
 		 $target ,
 		 '' ,
 		 $disposition,
+		 '' ,
 		 '' );
 
     progress_message "Secmarks rule \"$currentline\" $done";

Shorewall/install.sh

@@ -322,6 +322,9 @@ if [ $PRODUCT = shorewall ]; then
 		exit 1;
 	    fi
 
+	    cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
+	    cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
+
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
@@ -332,6 +335,9 @@ if [ $PRODUCT = shorewall ]; then
 	DIGEST=SHA
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
+		cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
+		cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
+
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
@@ -1115,6 +1121,10 @@ if [ -d Perl ]; then
 	install_file $f ${DESTDIR}${PERLLIBDIR}/$f 0644
 	echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIBDIR}/$f"
     done
+
+    [ -f Perl/Shorewall/Chains.pm.bak ] && mv Perl/Shorewall/Chains.pm.bak Perl/Shorewall/Chains.pm
+    [ -f Perl/Shorewall/Config.pm.bak ] && mv Perl/Shorewall/Config.pm.bak Perl/Shorewall/Config.pm
+
     #
     # Install the program skeleton files
     #

Shorewall/manpages/shorewall-mangle.xml

@@ -271,6 +271,26 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">DIVERTHA</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.4. To setup the HAProxy
+                configuration described at <ulink
+                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
+                place this entry in <ulink
+                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
+
+                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
+TProxy   1        -       -          lo        -               tproxy</programlisting>
+
+                <para>and use this DIVERTHA entry:</para>
+
+                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
+DIVERTHA        -               -               tcp</programlisting>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">DROP</emphasis></term>
 

Shorewall/shorewall.service.214

@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall
-StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
-ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
-
-[Install]
-WantedBy=basic.target

Shorewall/sysconfig

@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF

Shorewall/uninstall.sh

@@ -80,6 +80,11 @@ remove_file() # $1 = file to restore
     fi
 }
 
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1
 

Shorewall6-lite/default.openwrt

@@ -1,25 +0,0 @@
-# sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
-
-# startup option(default "-vvv")
-OPTIONS=
-
-# change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
-START=50
-
-# change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
-STOP=
-
-# option to pass when shorewall start is executed
-STARTOPTIONS=
-
-# option to pass when shorewall restart is executed
-RESTARTOPTIONS=
-
-# option to pass when shorewall reload is executed
-RELOADOPTIONS=
-
-# option to pass when shorewall stop is executed
-STOPOPTIONS=
-
-# option to pass when shorewall status is executed
-STATUSOPTIONS=

Shorewall6-lite/init.openwrt.sh

@@ -39,18 +39,18 @@
 
 # description: Packet filtering firewall
 
-# openwrt stuph
-# start and stop runlevel variable
-#START=21
-#STOP=91
-# variable to display what the status command do when /etc/init.d/shorewall6-lite is invoke without argument
+# Openwrt related
+# Start and stop runlevel variable
+START=50
+STOP=89
+# Displays the status command
 EXTRA_COMMANDS="status"
-EXTRA_HELP="Displays shorewall status"
+EXTRA_HELP=" status Displays firewall status"
 
 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS="-vvv"
+OPTIONS=
 
 #
 # The installer may alter this
@@ -61,38 +61,35 @@ if [ -f ${SYSCONFDIR}/shorewall6-lite ]; then
     . ${SYSCONFDIR}/shorewall6-lite
 fi
 
-START=${START:-21}
-STOP=${STOP:-91}
-
 SHOREWALL_INIT_SCRIPT=1
 
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"
 
 start() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STARTOPTIONS
 }
 
 boot() {
-local command="start"
-start
+	local command="start"
+	start
 }
 
 restart() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
 }
 
 reload() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RELOADOPTION:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
 }
 
 stop() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STOPOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
 }
 
 status() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 }

Shorewall6-lite/shorewall6-lite.service.214

@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv6 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall6-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target

Shorewall6-lite/sysconfig

@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF

Shorewall6-lite/uninstall.sh

@@ -28,6 +28,7 @@
 
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall6-lite
+Product="Shorewall6 Lite"
 
 usage() # $1 = exit status
 {
@@ -76,6 +77,11 @@ remove_file() # $1 = file to restore
     fi
 }
 
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1
 
@@ -202,13 +208,15 @@ fi
 
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
-rm -rf ${VARDIR}/shorewall6-lite
+rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 rm -f  ${SYSCONFDIR}/shorewall6-lite
 
-rm -f ${MANDIR}/man5/shorewall6-lite*
-rm -f ${MANDIR}/man8/shorewall6-lite*
+if [ -n "${MANDIR}" ]; then
+    rm -f ${MANDIR}/man5/shorewall6-lite*
+    rm -f ${MANDIR}/man8/shorewall6-lite*
+fi
 
 echo "Shorewall6 Lite Uninstalled"

Shorewall6/manpages/shorewall6-mangle.xml

@@ -272,6 +272,26 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">DIVERTHA</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.4. To setup the HAProxy
+                configuration described at <ulink
+                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
+                place this entry in <ulink
+                url="manpages6/shorewall6-providers.html">shorewall6-providers(5)</ulink>:</para>
+
+                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
+TProxy   1        -       -          lo        -               tproxy</programlisting>
+
+                <para>and use this DIVERTHA entry:</para>
+
+                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
+DIVERTHA        -               -               tcp</programlisting>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">DROP</emphasis></term>
 

Shorewall6/shorewall6.service.214

@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv6 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall6
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
-ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS
-
-[Install]
-WantedBy=basic.target

Shorewall6/sysconfig

@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF

Shorewall6/uninstall.sh

@@ -28,6 +28,7 @@
 
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall6
+Product=Shorewall6
 
 usage() # $1 = exit status
 {
@@ -76,6 +77,11 @@ remove_file() # $1 = file to restore
     fi
 }
 
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1
 
@@ -200,7 +206,7 @@ fi
 
 rm -f ${SBINDIR}/shorewall6
 rm -rf ${CONFDIR}/shorewall6
-rm -rf ${VARDIR}/shorewall6
+rm -rf ${VARDIR}
 rm -rf ${LIBEXECDIR}/shorewall6
 rm -rf ${SHAREDIR}/shorewall6
 

docs/MultiISP.xml

@@ -1950,8 +1950,8 @@ ONBOOT=yes</programlisting>
       url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
       is available in the form of a PROBABILITY column in <ulink
       url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
-      url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
-      This feature requires the <firstterm>Statistic Match</firstterm>
+      url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>)
+      (5). This feature requires the <firstterm>Statistic Match</firstterm>
       capability in your iptables and kernel.</para>
 
       <para>This method works when there are multiple links to the same ISP
@@ -2219,7 +2219,7 @@ EOF
    #
    # Run LSM -- by default, it forks into the background
    #
-   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
+   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
 
         <para>eth0 has a dynamic IP address so I need to use the
@@ -2272,8 +2272,8 @@ defaults {
 
 include /etc/lsm/shorewall.conf</programlisting>
 
-        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and
-        later)<programlisting>#!/bin/sh
+        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
+        - note that this script must be executable by root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;

docs/dhcp.xml

@@ -72,9 +72,9 @@
 
       <listitem>
         <para>If you set 'ping-check' true in your
-        <filename>/etc/shorewall/dhcpd.conf</filename> file then you will want
-        to <ulink url="ping.html">accept 'ping'</ulink> from your firewall to
-        the zone(s) served by the firewall's DHCP server.</para>
+        <filename>/etc/dhcp/dhcpd.conf</filename> file then you will want to
+        <ulink url="ping.html">accept 'ping'</ulink> from your firewall to the
+        zone(s) served by the firewall's DHCP server.</para>
       </listitem>
     </itemizedlist>
   </section>