Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Update FAQ and upgrade article
2016-02-03 10:56:44 -08:00 · 2016-02-03 10:56:19 -08:00 · 2016-02-03 10:55:50 -08:00 · 2016-02-03 10:43:10 -08:00 · 2016-02-02 14:57:47 -08:00 · 2016-01-31 09:29:24 -08:00
52 changed files with 1206 additions and 638 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -24,6 +24,9 @@

 VERSION=xxx #The Build script inserts the actual version

+PRODUCT=shorewall-core
+Product="Shorewall Core"
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
@@ -100,6 +103,9 @@ require()
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }

+#
+# Change to the directory containing this script
+#
 cd "$(dirname $0)"

 #
@@ -340,8 +346,10 @@ fi
 mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}

-mkdir -p ${DESTDIR}${MANDIR}
-chmod 755 ${DESTDIR}${MANDIR}
+if [ -n "${MANDIR}" ]; then
+    mkdir -p ${DESTDIR}${MANDIR}
+    chmod 755 ${DESTDIR}${MANDIR}
+fi

 if [ -n "${INITFILE}" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=40609
+SHOREWALL_CAPVERSION=50004

 [ -n "${g_program:=shorewall}" ]

@@ -2593,6 +2593,7 @@ determine_capabilities() {
    TARPIT_TARGET=
    IFACE_MATCH=
    TCPMSS_TARGET=
+    WAIT_OPTION=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2616,6 +2617,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

+    if qt $g_tool --wait -t filter -L INPUT -n -v; then
+	WAIT_OPTION=Yes
+	tool="$tool --wait"
+    fi
+
    chain=fooX$$

    if [ -n "$NAT_ENABLED" ]; then
@@ -3074,8 +3080,10 @@ report_capabilities_unsorted() {

    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
+	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
+	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
    fi

    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3185,6 +3193,7 @@ report_capabilities_unsorted1() {
    report_capability1 TARPIT_TARGET
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
+    report_capability1 WAIT_OPTION

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3263,9 +3272,11 @@ show_interfaces() {
    local printed

    for f in ${VARDIR}/*.status; do
-	interface=$(basename $f)
-	echo "   Interface ${interface%.status} is $(interface_status $f)"
-	printed=Yes
+	if [ -f $f ]; then
+	    interface=$(basename $f)
+	    echo "   Interface ${interface%.status} is $(interface_status $f)"
+	    printed=Yes
+	fi
    done

    [ -n "$printed" ] && echo
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -3,24 +3,21 @@
 #
 # Input: host=openwrt
 #
-HOST=openwrt
-PREFIX=/usr                             
-SHAREDIR=${PREFIX}/share                
-LIBEXECDIR=${PREFIX}/share              
-PERLLIBDIR=${PREFIX}/share/shorewall    
-CONFDIR=/etc                            
-SBINDIR=/sbin                           
-MANDIR=${PREFIX}/man                    
-INITDIR=/etc/init.d                     
-INITSOURCE=init.openwrt.sh
-INITFILE=$PRODUCT                       
-AUXINITSOURCE=
-AUXINITFILE=
-SERVICEDIR=                             
-SERVICEFILE=                            
-SYSCONFFILE=default.openwrt
-SYSCONFDIR=${CONFDIR}/sysconfig
-SPARSE=                                 
-ANNOTATED=                              
-VARLIB=/lib
-VARDIR=${VARLIB}/$PRODUCT               
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=                                 #Directory where manpages are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.openwrt.sh              #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SYSCONFDIR=${CONFDIR}/sysconfig         #Directory where SysV init parameter files are installed
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/lib                             #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -27,7 +27,9 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx #The Build script inserts the actual version
-
+PRODUCT="shorewall-core"
+Product="Shorewall Core"
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
@@ -66,6 +68,11 @@ remove_file() # $1 = file to restore
    fi
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 #
 # Read the RC file
 #
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -0,0 +1,131 @@
+#!/bin/sh /etc/rc.common
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#
+#     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall-init.
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+
+# arg1 of init script is arg2 when rc.common is sourced
+
+case "$action" in
+  start|stop|boot)
+      if [ "$(id -u)" != "0" ]
+      then
+	  echo "You must be root to start, stop or restart \"Shorewall \"."
+	  exit 1
+      fi
+
+      # check if shorewall-init is configured or not
+      if [ -f "/etc/sysconfig/shorewall-init" ]
+      then
+	  . /etc/sysconfig/shorewall-init
+	  if [ -z "$PRODUCTS" ]
+	  then
+	      exit 0
+	  fi
+      else
+	  exit 0
+      fi
+
+      ;;
+  enable|disable|enabled)
+      # Openwrt related
+      # start and stop runlevel variable
+      START=19
+      STOP=91
+      ;;
+  *)
+      echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+      exit 1
+esac
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . ${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    else
+	return 0
+    fi
+}
+
+# Initialize the firewall
+start () {
+    local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+}
+
+boot () {
+    start
+}
+
+# Clear the firewall
+stop () {
+    local PRODUCT
+    local STATEDIR
+
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
+	fi
+    done
+
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	fi
+    fi
+}
+
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -28,6 +28,8 @@
 #

 VERSION=xxx #The Build script inserts the actual version.
+PRODUCT=shorewall-init
+Product="Shorewall Init"

 usage() # $1 = exit status
 {
@@ -71,39 +73,50 @@ mywhich() {
    return 2
 }

-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }

+install_file() # $1 = source $2 = target $3 = mode
+{
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 0755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }

-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
+#
+# Change to the directory containing this script
+#
 cd "$(dirname $0)"

-PRODUCT=shorewall-init
-
 #
 # Parse the run line
 #
-T='-T'

 finished=0
 configure=1
@@ -230,6 +243,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ]; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -237,22 +252,24 @@ if [ -z "$BUILD" ]; then
    esac
 fi

-[ -n "$OWNER" ] || OWNER=$(id -un)
-[ -n "$GROUP" ] || GROUP=$(id -gn)
-
 case $BUILD in
    apple)
-	T=
-	;;
-    debian|gentoo|redhat|suse|slackware|archlinux)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	;;
+    cygwin*|CYGWIN*)
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+ 	;;
    *)
-	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
-	exit 1
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac

-OWNERSHIP="-o $OWNER -g $GROUP"
+[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"

 [ -n "$HOST" ] || HOST=$BUILD

@@ -277,6 +294,9 @@ case "$HOST" in
    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
+    openwrt)
+	echo "Installing Openwrt-specific configuration..."
+	;;
    linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
 	exit 1
@@ -290,12 +310,12 @@ esac
 [ -z "$TARGET" ] && TARGET=$HOST

 if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
+    if [ $(id -u) != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi

 echo "Installing Shorewall Init Version $VERSION"
@@ -311,7 +331,7 @@ fi

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi

 #
@@ -339,14 +359,14 @@ fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 755 ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
    fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
@@ -355,13 +375,13 @@ fi
 # Create /usr/share/shorewall-init if needed
 #
 mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init

 #
 # Install logrotate file
 #
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -369,7 +389,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
@@ -412,6 +432,9 @@ else
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
+	    elif [ $HOST = openwrt ]; then
+		# Not implemented on openwrt
+		/bin/true
 	    else
 		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
@@ -419,8 +442,8 @@ else
    fi

    if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-	run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-	echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
@@ -430,13 +453,15 @@ fi
 # Install the ifupdown script
 #

-cp $IFUPDOWN ifupdown
+if [ $HOST != openwrt ]; then
+    cp $IFUPDOWN ifupdown

-[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

-install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
@@ -489,7 +514,7 @@ case $HOST in
 esac

 if [ -z "$DESTDIR" ]; then
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
@@ -511,6 +536,13 @@ if [ -z "$DESTDIR" ]; then
 	    else
 		cant_autostart
 	    fi
+	elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+	    /etc/init.d/$PRODUCT enable
+	    if /etc/init.d/$PRODUCT enabled; then
+		echo "$Product will start automatically at boot"
+	    else
+		cant_autostart
+	    fi
 	elif [ $HOST = gentoo ]; then
 	    # On Gentoo, a service must be enabled manually by the user,
 	    # not by the installer
@@ -539,6 +571,13 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
+	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+		/etc/init.d/shorewall-inir enable
+		if /etc/init.d/shorewall-init enabled; then
+		    echo "Shorrewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
 	    else
 		cant_autostart
 	    fi
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -5,7 +5,8 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
-Before=network.target
+Before=network-pre.target
+Wants=network-pre.target

 [Service]
 Type=oneshot
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -1,20 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -27,6 +27,8 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-init
+Product="Shorewall Init"

 usage() # $1 = exit status
 {
@@ -75,6 +77,11 @@ remove_file() # $1 = file to restore
    fi
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1

@@ -162,7 +169,11 @@ INITSCRIPT=${CONFDIR}/init.d/shorewall-init

 if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
+	if [ $HOST = openwrt ]; then
+	    if /etc/init.d/shorewall-init enabled; then
+		/etc/init.d/shorewall-init disable
+	    fi
+	elif mywhich updaterc.d ; then
 	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
            insserv -r $INITSCRIPT
@@ -183,8 +194,13 @@ if [ -n "$SERVICEDIR" ]; then
    rm -f $SERVICEDIR/shorewall-init.service
 fi

-[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+if [ $HOST = openwrt ]; then
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+else
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+fi

 remove_file ${CONFDIR}/default/shorewall-init
 remove_file ${CONFDIR}/sysconfig/shorewall-init
@@ -198,8 +214,6 @@ remove_file ${CONFDIR}/network/if-post-down.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall

-[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
-
 if [ -d ${CONFDIR}/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	remove_file ${CONFDIR}/ppp/$directory/shorewall
--- a/Shorewall-lite/default.openwrt
+++ b/Shorewall-lite/default.openwrt
@@ -1,25 +0,0 @@
-# sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
-
-# startup option(default "-vvv")
-OPTIONS=
-
-# change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
-START=50
-
-# change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
-STOP=
-
-# option to pass when shorewall start is executed
-STARTOPTIONS=
-
-# option to pass when shorewall restart is executed
-RESTARTOPTIONS=
-
-# option to pass when shorewall reload is executed
-RELOADOPTIONS=
-
-# option to pass when shorewall stop is executed
-STOPOPTIONS=
-
-# option to pass when shorewall status is executed
-STATUSOPTIONS=
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -32,25 +32,24 @@
 #	   shorewall-lite start			  Starts the firewall
 #	   shorewall-lite restart		  Restarts the firewall
 #	   shorewall-lite reload		  Reload the firewall
-#						  (same as restart)
 #	   shorewall-lite stop			  Stops the firewall
 #	   shorewall-lite status		  Displays firewall status
 #

 # description: Packet filtering firewall

-# openwrt stuph
-# start and stop runlevel variable
-#START=21
-#STOP=91
-# variable to display what the status command do when /etc/init.d/shorewall-lite is invoke without argument
+# Openwrt related
+# Start and stop runlevel variable
+START=50
+STOP=89
+# Displays the status command
 EXTRA_COMMANDS="status"
-EXTRA_HELP="Displays shorewall status"
+EXTRA_HELP=" status Displays firewall status"

 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS="-vvv"
+OPTIONS=

 #
 # The installer may alter this
@@ -61,38 +60,35 @@ if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
    . ${SYSCONFDIR}/shorewall-lite
 fi

-START=${START:-21}
-STOP=${STOP:-91}
-
 SHOREWALL_INIT_SCRIPT=1

 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }

 boot() {
-local command="start"
-start
+	local command="start"
+	start
 }

 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RELOADOPTION:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STOPOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-lite/sysconfig
+++ b/Shorewall-lite/sysconfig
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -28,6 +28,7 @@

 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
+Product="Shorewall Lite"

 usage() # $1 = exit status
 {
@@ -205,14 +206,16 @@ fi
 rm -f ${SBINDIR}/shorewall-lite

 rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}/shorewall-lite
+rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
 rm -f  ${SYSCONFDIR}/shorewall-lite

-rm -f ${MANDIR}/man5/shorewall-lite*
-rm -f ${MANDIR}/man8/shorewall-lite*
+if [ -n "${MANDIR}" ]; then
+    rm -f ${MANDIR}/man5/shorewall-lite*
+    rm -f ${MANDIR}/man8/shorewall-lite*
+fi

 echo "Shorewall Lite Uninstalled"

--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -291,7 +291,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 			    '' ,
 			    $target ,
 			    '' ,
-			    $disposition ,
+		            $disposition ,
+		            '' ,
 			    ''  );
 	    }
 	}
@@ -386,6 +387,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	$target ,
 	'' ,
 	$disposition ,
+	'' ,
 	'' ;

    if ( $rule2 || $jump ) {
@@ -414,7 +416,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    '' ,
 		    '' ,
 		    '' ,
-		    '' ,
+	            '' ,
+	            '' ,
 		    '' );
    }

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -47,6 +47,7 @@ our @EXPORT = ( qw(
 		    add_irule
 		    add_jump
 		    add_ijump
+		    add_ijump_extended
 		    insert_rule
 		    insert_irule
 		    clone_irule
@@ -622,9 +623,12 @@ our %ipset_exists;
 #                       Omitted, if target is ''.
 #         target     => Rule target, if jump is 'j' or 'g'.
 #         targetopts => Target options. Only included if non-empty
+#         matches    => List of matches in the rule
 #         <option>   => iptables/ip6tables -A options (e.g., i => eth0)
 #         <match>    => iptables match. Value may be a scalar or array.
 #                       if an array, multiple "-m <match>"s will be generated
+#         <origin>   => configuration file and line number that generated the rule
+#                       May be empty.
 #    }
 #
 # The following constants and hash are used to classify keys in a rule hash
@@ -642,6 +646,7 @@ use constant { UNIQUE      => 1,

 our %opttype = ( rule          => CONTROL,
 		 cmd           => CONTROL,
+		 origin        => CONTROL,

 		 dhcp          => CONTROL,

@@ -917,7 +922,7 @@ sub set_rule_option( $$$ ) {

 sub transform_rule( $;\$ ) {
    my ( $input, $completeref ) = @_;
-    my $ruleref  = { mode => CAT_MODE, matches => [], target => '' };
+    my $ruleref  = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo( '' ) };
    my $simple   = 1;
    my $target   = '';
    my $jump     = '';
@@ -1241,6 +1246,23 @@ sub add_commands ( $$;@ ) {
    $chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE );
 }

+#
+# Set the comment member of an irule
+#
+sub set_irule_comment( $$ ) {
+    my ( $chainref, $ruleref ) = @_;
+
+    our $rule_comments;
+
+    $ruleref->{origin} ||= $chainref->{origin};
+
+    if ( $rule_comments ) {
+	$ruleref->{comment} = $ruleref->{origin} || $comment;
+    } else {
+	$ruleref->{comment} = $comment;
+    }
+}
+
 #
 # Transform the passed rule and add it to the end of the passed chain's rule list.
 #
@@ -1252,7 +1274,8 @@ sub push_rule( $$ ) {
    my $complete = 0;
    my $ruleref  = transform_rule( $_[1], $complete );

-    $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
+    set_irule_comment( $chainref, $ruleref );
+
    $ruleref->{mode}    = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};

    push @{$chainref->{rules}}, $ruleref;
@@ -1473,7 +1496,7 @@ sub create_irule( $$$;@ ) {

    ( $target, my $targetopts ) = split ' ', $target, 2;

-    my $ruleref       = { matches => [] };
+    my $ruleref = { matches => [] , origin => shortlineinfo( $chainref->{origin} ) };

    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;

@@ -1486,7 +1509,7 @@ sub create_irule( $$$;@ ) {
 	$ruleref->{target} = '';
    }

-    $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment;
+    set_irule_comment( $chainref, $ruleref );

    $iprangematch = 0;

@@ -1642,7 +1665,7 @@ sub insert_rule1($$$)

    my $ruleref = transform_rule( $rule );

-    $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
+    set_irule_comment( $chainref, $ruleref );

    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
    $ruleref->{mode} = CAT_MODE;
@@ -1668,7 +1691,7 @@ sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;

    my $rulesref = $chainref->{rules};
-    my $ruleref  = {};
+    my $ruleref  = { origin => shortlineinfo( $chainref->{origin} ) };

    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;

@@ -1684,8 +1707,7 @@ sub insert_irule( $$$$;@ ) {
 	$chainref->{optflags} |= push_matches( $ruleref, @matches );
    }

-    
-    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
+    set_irule_comment( $chainref, $ruleref );

    if ( $number >= @$rulesref ) {
 	#
@@ -2300,6 +2322,7 @@ sub new_chain($$)
 		     references     => {},
 		     filtered       => 0,
 		     optflags       => 0,
+		     origin         => shortlineinfo( '' ),
 		   };

    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2388,12 +2411,12 @@ sub add_expanded_jump( $$$$ ) {
    add_reference( $chainref, $toref ) while --$splitcount > 0;
 }

-sub add_ijump_internal( $$$$;@ ) {
-    my ( $fromref, $jump, $to, $expandports, @matches ) = @_;
+sub add_ijump_internal( $$$$$;@ ) {
+    my ( $fromref, $jump, $to, $expandports, $origin, @matches ) = @_;

    return $dummyrule if $fromref->{complete};

-    our $splitcount;
+    our ( $splitcount, $file_comments, $rule_comments );

    my $toref;
    my $ruleref;
@@ -2410,6 +2433,7 @@ sub add_ijump_internal( $$$$;@ ) {
 	my ( $target ) = split ' ', $to;
 	$toref = $chain_table{$fromref->{table}}{$target};
 	fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
+	$origin ||= $fromref->{origin} if $file_comments || $rule_comments;
    }

    #
@@ -2419,6 +2443,7 @@ sub add_ijump_internal( $$$$;@ ) {
 	$toref->{referenced} = 1;
 	add_reference $fromref, $toref;
 	$jump = 'j' unless have_capability 'GOTO_TARGET';
+	$origin ||= $toref->{origin} if $file_comments || $rule_comments;
 	$ruleref = create_irule ($fromref, $jump => $to, @matches );
    } else {
 	$ruleref = create_irule( $fromref, 'j' => $to, @matches );
@@ -2428,12 +2453,19 @@ sub add_ijump_internal( $$$$;@ ) {
 	$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
    }

+    $ruleref->{origin} = $origin if $origin;
+
    $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
 }

 sub add_ijump( $$$;@ ) {
    my ( $fromref, $jump, $to, @matches ) = @_;
-    add_ijump_internal( $fromref, $jump, $to, 0, @matches );
+    add_ijump_internal( $fromref, $jump, $to, 0, '', @matches );
+}
+
+sub add_ijump_extended( $$$$;@ ) {
+    my ( $fromref, $jump, $to, $origin, @matches ) = @_;
+    add_ijump_internal( $fromref, $jump, $to, 0, $origin, @matches );
 }

 sub insert_ijump( $$$$;@ ) {
@@ -2727,7 +2759,7 @@ sub ensure_manual_chain($) {
    $chainref;
 }

-sub log_irule_limit( $$$$$$$@ );
+sub log_irule_limit( $$$$$$$$@ );

 sub ensure_blacklog_chain( $$$$$ ) {
    my ( $target, $disposition, $level, $tag, $audit ) = @_;
@@ -2738,7 +2770,7 @@ sub ensure_blacklog_chain( $$$$$ ) {
 	$target =~ s/A_//;
 	$target = 'reject' if $target eq 'REJECT';

-	log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' );
+	log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add', '' );

 	add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
 	add_ijump( $logchainref, g => $target );
@@ -2753,7 +2785,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
    unless ( $filter_table->{A_blacklog} ) {
 	my $logchainref = new_manual_chain 'A_blacklog';

-	log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
+	log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' , '' );

 	add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );

@@ -2967,6 +2999,9 @@ sub initialize_chain_table($) {
    $globals{iLOGLIMIT} =
 	( $ruleref->{hashlimit} ? [ hashlimit => $ruleref->{hashlimit} ] :
 	  $ruleref->{limit}     ? [ limit     => $ruleref->{limit}     ] : [] );
+
+    our $file_comments = $config{TRACK_RULES} eq 'File';
+    our $rule_comments = $config{TRACK_RULES} eq 'Yes';
 }

 #
@@ -3694,10 +3729,12 @@ sub get_multi_sports( $ ) {
 }

 #
-# Return an array of keys for the passed rule. 'dport' and 'comment' are omitted;
+# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
 #
 sub get_keys( $ ) {
-    sort grep $_ ne 'dport' && $_ ne 'comment',  keys %{$_[0]};
+    my %skip = ( dport => 1, comment => 1, origin => 1 );
+
+    sort grep ! $skip{$_},  keys %{$_[0]};
 }

 #
@@ -3731,6 +3768,8 @@ sub combine_dports {
 		my $comment      = $baseref->{comment} || '';
 		my $lastcomment  = $comment;
 		my $multi_sports = get_multi_sports( $baseref );
+		my $origin       = $baseref->{origin} || '';
+		my $lastorigin   = $origin;

 	      RULE:

@@ -3744,6 +3783,7 @@ sub combine_dports {
 			# We have a candidate
 			#
 			my $comment2 = $ruleref->{comment} || '';
+			my $origin2  = $ruleref->{origin}  || '';

 			last if $comment2 ne $lastcomment && length( $comment ) + length( $comment2 ) > 253;

@@ -3784,6 +3824,25 @@ sub combine_dports {
 			    $lastcomment = $comment2;
 			}

+			if ( $origin2 ) {
+			    if ( $origin ) {
+				$origin .= ", $origin2" unless $origin2 eq $lastorigin;
+			    } else {
+				$origin = 'Others and ';
+				$origin .= $origin2;
+			    }
+
+			    $lastorigin = $origin2;
+			} else {
+			    if ( $origin ) {
+				unless ( ( $origin2 = ' and others' ) eq $lastorigin ) {
+				    $origin .= $origin2;
+				}
+			    }
+
+			    $lastorigin = $origin2;
+			}
+
 			push @ports, split ',', $ports2;

 			trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
@@ -3817,6 +3876,7 @@ sub combine_dports {
 		    }

 		    $baseref->{comment} = $comment if $comment;
+		    $baseref->{origin}  = $origin  if $origin;

 		    trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
 		}
@@ -3855,6 +3915,7 @@ sub delete_duplicates {
    my $lastrule  = @_;
    my $baseref   = pop;
    my $ruleref;
+    my %skip = ( comment => 1, origin => 1 );

    while ( @_ ) {
 	my $docheck;
@@ -3862,7 +3923,7 @@ sub delete_duplicates {

 	if ( $baseref->{mode} == CAT_MODE ) {
 	    my $ports1;
-	    my @keys1    = sort( grep $_ ne 'comment', keys( %$baseref ) );
+	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
 		
@@ -3874,7 +3935,7 @@ sub delete_duplicates {

 		    last unless $ruleref->{mode} == CAT_MODE;

-		    my @keys2 = sort(grep $_ ne 'comment', keys( %$ruleref ) );
+		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );

 		    next unless @keys1 == @keys2 ;

@@ -3946,10 +4007,12 @@ sub get_conntrack( $ ) {
 }

 #
-# Return an array of keys for the passed rule. 'conntrack' and 'comment' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment' & origin are omitted;
 #
 sub get_keys1( $ ) {
-    sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment',  keys %{$_[0]};
+    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
+
+    sort grep ! $skip{$_},  keys %{$_[0]};
 }

 #
@@ -4235,7 +4298,8 @@ sub logchain( $$$$$$ ) {
 		       $disposition ,
 		       [] ,
 		       $logtag,
-		       'add' );
+		       'add',
+	               '' );
 	add_jump( $logchainref, $target, 0, $exceptionrule );
    }

@@ -5753,8 +5817,6 @@ sub match_source_net( $;$\$ ) {
    }

    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';

 	load_isocodes unless %isocodes;
@@ -5842,8 +5904,6 @@ sub imatch_source_net( $;$\$ ) {
    }

    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';

 	load_isocodes unless %isocodes;
@@ -5928,8 +5988,6 @@ sub match_dest_net( $;$ ) {
    }

    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';

 	load_isocodes unless %isocodes;
@@ -6011,8 +6069,6 @@ sub imatch_dest_net( $;$ ) {
    }

    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
-	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
-
 	require_capability 'GEOIP_MATCH', 'A country-code', '';

 	load_isocodes unless %isocodes;
@@ -6202,20 +6258,22 @@ sub do_ipsec($$) {
 #
 # Generate a log message
 #
-sub log_rule_limit( $$$$$$$$ ) {
-    my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_;
+sub log_rule_limit( $$$$$$$$;$ ) {
+    my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;

    my $prefix = '';
-    my $chain       = get_action_chain_name  || $chn;
-    my $disposition = get_action_disposition || $dispo;
+    my $chain            = get_action_chain_name  || $chn;
+    my $disposition      = get_action_disposition || $dispo;
+    my $original_matches = $matches;
+    my $ruleref;

    $level = validate_level $level; # Do this here again because this function can be called directly from user exits.

-    return 1 if $level eq '';
+    return $dummyrule if $level eq '';

    $matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' ';

-    unless ( $matches =~ /-m limit / ) {
+    unless ( $matches =~ /-m (?:limit|hashlimit) / ) {
 	$limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
 	$matches .= $limit if $limit;
    }
@@ -6289,19 +6347,24 @@ sub log_rule_limit( $$$$$$$$ ) {
    }

    if ( $command eq 'add' ) {
-	add_rule ( $chainref, $matches . $prefix , 1 );
+	$ruleref = add_rule ( $chainref, $matches . $prefix , $original_matches );
    } else {
-	insert_rule1 ( $chainref , 0 , $matches . $prefix );
+	$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
    }
+
+    $ruleref->{origin} = $origin if reftype( $ruleref ) && $origin;
+
+    $ruleref;
 }

-sub log_irule_limit( $$$$$$$@ ) {
-    my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, @matches ) = @_;
+sub log_irule_limit( $$$$$$$$@ ) {
+    my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $origin, @matches ) = @_;

    my $prefix = '';
    my %matches;
    my $chain       = get_action_chain_name  || $chn;
    my $disposition = get_action_disposition || $dispo;
+    my $original_matches = @matches;

    $level = validate_level $level; # Do this here again because this function can be called directly from user exits.

@@ -6383,7 +6446,7 @@ sub log_irule_limit( $$$$$$$@ ) {
    }

    if ( $command eq 'add' ) {
-	add_ijump_internal ( $chainref, j => $prefix , 1, @matches );
+	add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches );
    } else {
 	insert_ijump ( $chainref, j => $prefix, 0 , @matches );
    }
@@ -6398,7 +6461,7 @@ sub log_rule( $$$$ ) {
 sub log_irule( $$$;@ ) {
    my ( $level, $chainref, $disposition, @matches ) = @_;

-    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches;
+    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }

 #
@@ -6562,6 +6625,8 @@ sub set_chain_variables() {
 	emit( 'g_tool=$IP6TABLES' );
    }

+    emit 'g_tool="$g_tool --wait"' if have_capability 'WAIT_OPTION';
+
    if ( $config{IP} ) {
 	emit( qq(IP="$config{IP}") ,
 	      '[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
@@ -7406,7 +7471,8 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 			 $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 			 [] ,
 			 $logtag ,
-			 'add' )
+			 'add' ,
+			 '' )
 	    if $loglevel;
 	#
 	# Generate Final Rule
@@ -7428,7 +7494,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7441,6 +7507,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
+	$usergenerated,# Rule came from the IP[6]TABLES target
 	$logname,      # Name of chain to name in log messages
       ) = @_;

@@ -7490,7 +7557,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	    $loglevel = validate_level( $loglevel );
 	    $logtag   = '' unless defined $logtag;
 	}
-    } elsif ( $disposition eq 'LOG' ) {
+    } elsif ( $disposition eq 'LOG' && ! $usergenerated ) {
 	fatal_error "LOG requires a level";
    }
    #
@@ -7605,9 +7672,9 @@ sub expand_rule( $$$$$$$$$$$;$ )

 		    my $cond3 = conditional_rule( $chainref, $dnet );

-		    if ( $loglevel eq '' ) {
+		    if ( $loglevel eq '' || $usergenerated ) {
 			#
-			# No logging -- add the target rule with matches to the rule chain
+			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref , 0, $matches );
@@ -7780,9 +7847,10 @@ sub add_interface_options( $ ) {
 		    } else {
 			for my $interface ( @input_interfaces ) {
 			    $chain1ref = $input_chains{$interface};
-			    add_ijump ( $chainref ,
-					j => $chain1ref->{name},
-					@input_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
+			    add_ijump_extended ( $chainref ,
+						 j => $chain1ref->{name},
+						 interface_origin( $interface ) ,
+						 @input_interfaces > 1 ? imatch_source_dev( $interface ) : () );
 			}
 		    }
 		} else {
@@ -7795,7 +7863,10 @@ sub add_interface_options( $ ) {
 		    } else {
 			for my $interface ( @forward_interfaces ) {
 			    $chain1ref = $forward_chains{$interface};
-			    add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if  @{$chain1ref->{rules}};
+			    add_ijump_extended( $chainref ,
+						j => $chain1ref->{name},
+						interface_origin( $interface ) ,
+						@forward_interfaces > 1 ? imatch_source_dev( $interface ) : () );
 			}
 		    }
 		}
@@ -7884,6 +7955,8 @@ sub enter_cmd_mode() {
 sub emitr( $$ ) {
    my ( $chainref, $ruleref ) = @_;

+    our $file_comments;
+
    assert( $chainref );

    if ( $ruleref ) {
@@ -7892,6 +7965,11 @@ sub emitr( $$ ) {
 	    # A rule
 	    #
 	    enter_cat_mode unless $mode == CAT_MODE;
+
+	    if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
+		emit_unindented '# ' . $origin;
+	    }
+
 	    emit_unindented format_rule( $chainref, $ruleref );
 	} else {
 	    #
@@ -7902,6 +7980,9 @@ sub emitr( $$ ) {
 	    if ( exists $ruleref->{cmd} ) {
 		emit join( '', '    ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
 	    } else {
+		if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
+		    emit join( '', '    ' x $ruleref->{cmdlevel} , '# ' , $origin );
+		}
 		#
 		# Must preserve quotes in the rule
 		#
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -174,6 +174,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $comment

 				       %config
+				       %origin
 				       %globals
 				       %config_files
 				       %shorewallrc
@@ -185,6 +186,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_aliases

 				       %actparms
+
+                                       PARMSMODIFIED
+                                       USEDCALLER
 				       
 		                       F_IPV4
 		                       F_IPV6
@@ -294,6 +298,10 @@ our %globals;
 #
 our %config;
 #
+# Linenumber in shorewall[6].conf where each option was specified
+#
+our %origin;
+#
 # Entries in shorewall.conf that have been renamed
 #
 our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST_LOG_LEVEL' );
@@ -396,6 +404,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
+                 WAIT_OPTION     => 'iptables --wait option',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -545,6 +554,7 @@ our %compiler_params;
 #
 our %actparms;
 our $parmsmodified;
+our $usedcaller;
 our $inline_matches;

 our $currentline;            # Current config file line image
@@ -595,6 +605,9 @@ use constant { MIN_VERBOSITY => -1,
 	       F_IPV6 => 6,
 	     };

+use constant { PARMSMODIFIED => 1,
+               USEDCALLER    => 2 };
+
 our %validlevels;            # Valid log levels.

 #
@@ -714,7 +727,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.1",
-		    CAPVERSION              => 40609 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -883,7 +896,10 @@ sub initialize( $;$$) {
 	  ZONE_BITS => undef,
 	);

-
+    #
+    # Line numbers in shorewall6.conf where options are specified
+    #
+    %origin = ();
    #
    # Valid log levels
    #
@@ -989,6 +1005,7 @@ sub initialize( $;$$) {
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
+	       WAIT_OPTION => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1043,6 +1060,7 @@ sub initialize( $;$$) {

    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
+    $usedcaller    = 0;

    %helpers_enabled = (
 			amanda       => 1,
@@ -1182,19 +1200,33 @@ sub currentlineinfo() {
    }
 }

+sub shortlineinfo2() {
+    if ( $currentfile ) {
+	join( ':', $currentfilename, $currentlinenumber );
+    } else {
+	''
+    }
+}
+
 sub shortlineinfo( $ ) {
-    if ( $config{TRACK_RULES} ) {
+    if ( my $track = $config{TRACK_RULES} ) {
 	if ( $currentfile ) {
-	    my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
-	    $comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
-	    $comment = '@@@ Filename Too Long @@@' if length $comment > 255;
-	    $comment;
+	    if ( $track eq 'Yes' ) {
+		my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
+		$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
+		$comment = '@@@ Filename Too Long @@@' if length $comment > 255;
+		$comment;
+	    } else {
+		join( ':', $currentfilename, $currentlinenumber );
+	    }
 	} else {
 	    #
 	    # Alternate lineinfo may have been passed
 	    #
 	    $_[0] || ''
 	}
+    } else {
+	'';
    }
 }

@@ -2212,7 +2244,10 @@ sub split_line2( $$;$$$ ) {
 	$pairs = '';
    }

-    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    unless ( $currline =~ /^\s*IP6?TABLES\(.*\)/ ) {
+	fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    }
+
    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;

    my @line = split_columns( $columns );
@@ -2497,7 +2532,7 @@ sub evaluate_expression( $$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparms{$var} : $chain;
-	    $parmsmodified ||= $var eq 'caller';
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2634,7 +2669,7 @@ sub process_compiler_directive( $$$$ ) {
 		      my $val = $actparms{$var} = evaluate_expression ( $expression,
 									$filename,
 									$linenumber );
-		      $parmsmodified = 1;
+		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
@@ -3169,11 +3204,13 @@ sub push_action_params( $$$$$$ ) {
    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
    my @parms = ( undef , split_list3( $parms , 'parameter' ) );

-    $actparms{modified} = $parmsmodified;
+    $actparms{modified}   = $parmsmodified;
+    $actparms{usedcaller} = $usedcaller;

    my %oldparms = %actparms;

    $parmsmodified = 0;
+    $usedcaller    = 0;

    %actparms = ();

@@ -3199,13 +3236,16 @@ sub push_action_params( $$$$$$ ) {

 #
 # Pop the action parameters using the passed hash reference
-# Return true of the popped parameters were modified
+# Return:
+#   1 if the popped parameters were modified
+#   2 if the action used @CALLER
 #
 sub pop_action_params( $ ) {
    my $oldparms       = shift;
    %actparms          = %$oldparms;
-    my $return         = $parmsmodified;
-    ( $parmsmodified ) = delete $actparms{modified};
+    my $return         = $parmsmodified | $usedcaller;
+    ( $parmsmodified ) = delete $actparms{modified}   || 0;
+    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
    $return;
 }

@@ -3300,6 +3340,7 @@ sub expand_variables( \$ ) {
 	    $val = $variables{$var};
 	} elsif ( exists $actparms{$var} ) { 
 	    $val = $actparms{$var};
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
 	}
@@ -3318,6 +3359,7 @@ sub expand_variables( \$ ) {
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparms{$var} : $actparms{chain};
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
@@ -3963,7 +4005,7 @@ sub Udpliteredirect() {

 sub Mangle_Enabled() {
    if ( qt1( "$iptables $iptablesw -t mangle -L -n" ) ) {
-	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
+	system( "$iptables $iptablesw -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
    }
 }

@@ -4605,7 +4647,8 @@ sub determine_capabilities() {

    my $pid     = $$;

-    $capabilities{CAPVERSION} = $globals{CAPVERSION};
+    $capabilities{CAPVERSION}  = $globals{CAPVERSION};
+    $capabilities{WAIT_OPTION} = $iptablesw;

    determine_kernelversion;

@@ -5016,6 +5059,8 @@ sub process_shorewall_conf( $$ ) {

 		    warning_message "Option $var=$val is deprecated"
 			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
+
+		    $origin{$var} = shortlineinfo2;
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@@ -5083,6 +5128,8 @@ sub read_capabilities() {

    $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};

+    $iptablesw = '-w' if $capabilities{WAIT_OPTION};
+
 }

 #
@@ -5788,7 +5835,25 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';
-    default_yes_no 'TRACK_RULES'                , '';
+
+    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
+	if ( lc( $val ) eq 'file' ) {
+	    $config{TRACK_RULES}  = 'File';
+	} else {
+	    default_yes_no 'TRACK_RULES'        , '';
+	}
+    } else {
+	$config{TRACK_RULES} = '';
+    }
+
+    %origin = () unless $config{TRACK_RULES} eq 'File';
+    #
+    # Ensure that all members of %origin have defined values
+    #
+    for ( keys %config ) {
+	$origin{$_} ||= '';
+    }
+	    
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -107,13 +107,15 @@ sub setup_ecn()
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;

-	    $interfaces{$interface} = 1;
+	    my $lineinfo = shortlineinfo( '' );
+
+	    $interfaces{$interface} ||= $lineinfo;

 	    $hosts = ALLIP if $hosts eq '-';

 	    for my $host( split_list $hosts, 'address' ) {
 		validate_host( $host , 1 );
-		push @hosts, [ $interface, $host ];
+		push @hosts, [ $interface, $lineinfo, $host ];
 	    }
 	}

@@ -125,12 +127,12 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );

-		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
-		add_ijump $mangle_table->{OUTPUT},       j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
+		add_ijump_extended $mangle_table->{POSTROUTING} , j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
+		add_ijump_extended $mangle_table->{OUTPUT},       j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface );
 	    }

 	    for my $host ( @hosts ) {
-		add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[1] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -614,7 +616,8 @@ sub process_stoppedrules() {
 				 $target,
 				 '',
 				 $disposition,
-				 do_proto( $proto, '-', '-' ) );
+				 do_proto( $proto, '-', '-' ),
+				 '');
 		}
 	    } else {
 		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
@@ -654,7 +657,7 @@ sub add_common_rules ( $ ) {
    setup_mss;

    if ( $config{FASTACCEPT} ) {
-	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
+	add_ijump_extended( $filter_table->{OUTPUT} , j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )
    }

    my $policy   = $config{SFILTER_DISPOSITION};
@@ -662,6 +665,7 @@ sub add_common_rules ( $ ) {
    $tag         = $config{SFILTER_LOG_TAG};
    my $audit    = $policy =~ s/^A_//;
    my @ipsec    = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
+    my $origin   = $origin{SFILTER_DISPOSITION};

    if ( $level || $audit ) {
 	#
@@ -676,11 +680,12 @@ sub add_common_rules ( $ ) {
 			$globals{LOGLIMIT},
 			$tag,
 			'add',
-			'' ) if $level ne '';
+			'',
+			$origin{SFILTER_LOG_LEVEL} ) if $level ne '';

-	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;

-	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );

 	$target = 'sfilter';
    } else {
@@ -696,11 +701,20 @@ sub add_common_rules ( $ ) {
 	$chainref = new_standard_chain 'sfilter1';

 	add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
-	log_rule $level , $chainref , $policy , '' if $level ne '';

-	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	log_rule_limit( $level,
+			$chainref,
+			$chainref->{name},
+			$policy,
+			$globals{LOGLIMIT},
+			$tag,
+			'add',
+			'' ,
+			$origin ) if $level ne '';

-	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
+
+	add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );

 	$target1 = 'sfilter1';
    } else {
@@ -720,13 +734,14 @@ sub add_common_rules ( $ ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {

 		my @filters = @{$interfaceref->{filter}};
+		my $origin  = $interfaceref->{origin};

 		$chainref = $filter_table->{forward_option_chain $interface};

 		if ( @filters ) {
-		    add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		    add_ijump_extended( $chainref , @ipsec ? 'j' : 'g' => $target1, $origin, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 		} elsif ( $interfaceref->{bridge} eq $interface ) {
-		    add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
+		    add_ijump_extended( $chainref , @ipsec ? 'j' : 'g' => $target1, $origin, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
 			unless( $config{ROUTE_FILTER} eq 'on' ||
 				$interfaceref->{options}{routeback} ||
 				$interfaceref->{options}{routefilter} ||
@@ -736,13 +751,13 @@ sub add_common_rules ( $ ) {

 		if ( @filters ) {
 		    $chainref = $filter_table->{input_option_chain $interface};
-		    add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		    add_ijump_extended( $chainref , g => $target, $origin, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 		}
 	    }

 	    for ( option_chains( $interface ) ) {
-		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
-		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
    }
@@ -763,6 +778,8 @@ sub add_common_rules ( $ ) {
 	$level    = $config{RPFILTER_LOG_LEVEL};
 	$tag      = $globals{RPFILTER_LOG_TAG};
 	$audit    = $policy =~ s/^A_//;
+	my $origin
+                  = $origin{RPFILTER_DISPOSITION};
 	
 	if ( $level || $audit ) {
 	    #
@@ -777,11 +794,12 @@ sub add_common_rules ( $ ) {
 			    $globals{LOGLIMIT},
 			    $tag,
 			    'add',
-			    '' ) if $level ne '';
+			    '',
+			    $origin{RPFILTER_LOG_LEVEL} );

-	    add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	    add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;

-	    add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	    add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );

 	    $target = 'rplog';
 	} else {
@@ -793,23 +811,25 @@ sub add_common_rules ( $ ) {
 	if ( $family == F_IPV4 ) {
 	    for $interface ( @$list ) {
 		if ( get_interface_option( $interface, 'dhcp' ) ) {
-		    add_ijump( $rpfilterref,
-			       j        => 'RETURN',
-			       s        => NILIPv4,
-			       p        => UDP,
-			       dport    => 67,
-			       sport    => 68
+		    add_ijump_extended( $rpfilterref,
+					j        => 'RETURN',
+					get_interface_origin( $interface ),
+					s        => NILIPv4,
+					p        => UDP,
+					dport    => 67,
+					sport    => 68
 			);
 		    last;
 		}
 	    }
 	}

-	add_ijump( $rpfilterref,
-		   j        => $target,
-		   rpfilter => '--validmark --invert',
-		   state_imatch 'NEW,RELATED,INVALID',
-		   @ipsec
+	add_ijump_extended( $rpfilterref,
+			    j        => $target,
+			    $origin,
+			    rpfilter => '--validmark --invert',
+			    state_imatch 'NEW,RELATED,INVALID',
+			    @ipsec
 	    );
    }
 	    
@@ -829,6 +849,7 @@ sub add_common_rules ( $ ) {
 	$chainref = new_standard_chain 'smurfs';

 	my $smurfdest = $config{SMURF_DISPOSITION};
+	my $origin    = $origin{SMURF_DISPOSITION};

 	if ( supplied $config{SMURF_LOG_LEVEL} ) {
 	    my $smurfref = new_chain( 'filter', 'smurflog' );
@@ -839,9 +860,12 @@ sub add_common_rules ( $ ) {
 			     'DROP',
 			     $globals{LOGILIMIT},
 			     $globals{SMURF_LOG_TAG},
-			     'add' );
-	    add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
-	    add_ijump( $smurfref, j => 'DROP' );
+			     'add',
+			     $origin{SMURF_LOG_LEVEL} );
+
+	    add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
+
+	    add_ijump_extended( $smurfref, j => 'DROP' , $origin );

 	    $smurfdest = 'smurflog';
 	} else {
@@ -855,7 +879,7 @@ sub add_common_rules ( $ ) {
 		add_ijump $chainref , j => 'RETURN', s => '::';
 	    }

-	    add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, addrtype => '--src-type BROADCAST' ) ;
 	} else {
 	    if ( $family == F_IPV4 ) {
 		add_commands $chainref, 'for address in $ALL_BCASTS; do';
@@ -864,15 +888,15 @@ sub add_common_rules ( $ ) {
 	    }

 	    incr_cmd_level $chainref;
-	    add_ijump( $chainref, g => $smurfdest, s => '$address' );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '$address' );
 	    decr_cmd_level $chainref;
 	    add_commands $chainref, 'done';
 	}

 	if ( $family == F_IPV4 ) {
-	    add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '224.0.0.0/4' );
 	} else {
-	    add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => IPv6_MULTICAST );
 	}

 	my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
@@ -880,11 +904,13 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
+	    my $net        = $hostref->[2];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
+	    my $origin     = $hostref->[5];

 	    for $chain ( option_chains $interface ) {
-		add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
+		add_ijump_extended( $filter_table->{$chain} , j => $target, $origin, @state, imatch_source_net( $net ), @policy );
 	    }
 	}
    }
@@ -937,21 +963,27 @@ sub add_common_rules ( $ ) {
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';

 	for $interface ( @$list ) {
-	    set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
+	    my $origin = get_interface_origin($interface);
+	    set_rule_option( add_ijump_extended( $filter_table->{$_} ,
+						 j => 'ACCEPT',
+						 $origin,
+						 p => "udp --dport $ports" ) ,
 			     'dhcp',
 			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );

-	    add_ijump( $filter_table->{forward_option_chain $interface} ,
-		       j => 'ACCEPT',
-		       p =>  "udp --dport $ports" ,
-		       imatch_dest_dev( $interface ) )
+	    add_ijump_extended( $filter_table->{forward_option_chain $interface} ,
+				j => 'ACCEPT',
+				$origin,
+				p =>  "udp --dport $ports" ,
+				imatch_dest_dev( $interface ) )
 		if get_interface_option( $interface, 'bridge' );

 	    unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) {
-		add_ijump( $filter_table->{input_chain( $interface ) } ,
-			   j => 'ACCEPT' ,
-			   p => "udp --dport $ports" ,
-			   s => NILIPv4 . '/' . VLSMv4 );
+		add_ijump_extended( $filter_table->{input_chain( $interface ) } ,
+				    j => 'ACCEPT' ,
+				    $origin ,
+				    p => "udp --dport $ports" ,
+				    s => NILIPv4 . '/' . VLSMv4 );
 	    }
 	}
    }
@@ -963,6 +995,7 @@ sub add_common_rules ( $ ) {
 	my $tag   = $globals{TCP_FLAGS_LOG_TAG};
 	my $disposition = $config{TCP_FLAGS_DISPOSITION};
 	my $audit = $disposition =~ /^A_/;
+	my $origin = $origin{TCP_FLAGS_DISPOSITION};

 	progress_message2 "$doing TCP Flags filtering...";

@@ -982,20 +1015,20 @@ sub add_common_rules ( $ ) {
 			    $globals{LOGLIMIT},
 			    $tag,
 			    'add',
-			    ''
-			  );
+			    '' ,
+			    $origin{TCP_FLAGS_LOG_LEVEL} );

 	    $globals{LOGPARMS} = $savelogparms;

 	    if ( $audit ) {
 		$disposition =~ s/^A_//;
-		add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
+		add_ijump_extended( $logflagsref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $disposition );
 	    }

 	    if ( $disposition eq 'REJECT' ) {
-		add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+		add_ijump_extended $logflagsref , j => 'REJECT', $origin, targetopts => '--reject-with tcp-reset', p => 6;
 	    } else {
-		add_ijump $logflagsref , j => $disposition;
+		add_ijump_extended $logflagsref , j => $disposition, $origin;
 	    }

 	    $disposition = 'logflags';
@@ -1017,9 +1050,10 @@ sub add_common_rules ( $ ) {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my $origin     = $hostref->[5];

 	    for $chain ( option_chains $interface ) {
-		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
+		add_ijump_extended( $filter_table->{$chain} , j => $target, $origin, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
 	    }
 	}
    }
@@ -1039,7 +1073,7 @@ sub add_common_rules ( $ ) {
 	    $announced = 1;

 	    for $interface ( @$list ) {
-		add_ijump $nat_table->{PREROUTING} , j => 'UPnP', imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
 	    }
 	}

@@ -1053,16 +1087,17 @@ sub add_common_rules ( $ ) {
 		my $base     = uc var_base get_physical $interface;
 		my $optional = interface_is_optional( $interface );
 		my $variable = get_interface_gateway( $interface, ! $optional );
+		my $origin   = get_interface_origin( $interface );

 		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );
-		    add_ijump( $chainref, j => 'ACCEPT', imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 		    decr_cmd_level( $chainref );
 		    add_commands( $chainref, 'fi' );
 		} else {
-		    add_ijump( $chainref, j => 'ACCEPT', imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 		}
 	    }
 	}
@@ -1190,6 +1225,7 @@ sub setup_mac_lists( $ ) {
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
+	    my $origin     = $hostref->[5];

 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

@@ -1197,11 +1233,11 @@ sub setup_mac_lists( $ ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );

 		for my $chain ( option_chains $interface ) {
-		    add_ijump $filter_table->{$chain} , j => $chainref, @source, @state, @policy;
+		    add_ijump_extended $filter_table->{$chain} , j => $chainref, $origin, @source, @state, @policy;
 		}
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
-		add_ijump $mangle_table->{PREROUTING}, j => $chainref, imatch_source_dev( $interface ), @source, @state, @policy;
+		add_ijump_extended $mangle_table->{PREROUTING}, j => $chainref, $origin, imatch_source_dev( $interface ), @source, @state, @policy;
 	    }
 	}
    } else {
@@ -1257,7 +1293,7 @@ sub setup_mac_lists( $ ) {

 	    run_user_exit2( 'maclog', $chainref );

-	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne '';
+	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
    }
@@ -1292,8 +1328,8 @@ sub rules_target( $$ ) {
 #
 # Generate rules for one destination zone
 #
-sub generate_dest_rules( $$$;@ ) {
-    my ( $chainref, $chain, $z2, @matches ) = @_;
+sub generate_dest_rules( $$$$;@ ) {
+    my ( $chainref, $chain, $z2, $origin, @matches ) = @_;

    my $z2ref            = find_zone( $z2 );
    my $type2            = $z2ref->{type};
@@ -1301,16 +1337,18 @@ sub generate_dest_rules( $$$;@ ) {
    if ( $type2 & VSERVER ) {
 	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
 	    my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
+	    my $origin    = $hostref->{origin};

 	    for my $net ( @{$hostref->{hosts}} ) {
-		add_ijump( $chainref,
-			   j => $exclusion ,
-			   imatch_dest_net ( $net ),
-			   @matches );
+		add_ijump_extended( $chainref,
+				    j => $exclusion ,
+				    $origin,
+				    imatch_dest_net ( $net ),
+				    @matches );
 	    }
 	}
    } else {
-	add_ijump( $chainref, j => $chain, @matches );
+	add_ijump_extended( $chainref, j => $chain, $origin, @matches );
    }
 }

@@ -1328,11 +1366,13 @@ sub generate_source_rules( $$$;@ ) {
 	for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 	    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 	    my $exclusion   = source_exclusion( $hostref->{exclusions}, $chain);
+	    my $origin      = $hostref->{origin};

 	    for my $net ( @{$hostref->{hosts}} ) {
 		generate_dest_rules( $outchainref,
 				     $exclusion,
 				     $z2,
+				     $origin,
 				     imatch_source_net( $net ),
 				     @matches ,
 				     @ipsec_match
@@ -1401,7 +1441,7 @@ sub handle_loopback_traffic() {
 		next if $z1 eq $z2 && ( $loopback || $unmanaged );

 		my $chain = rules_target( $z1, $z2 );
-		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
+		generate_dest_rules( $outchainref, $chain, $z2, '', @rule ) if $chain;
 	    }
 	    #
 	    # Handle conntrack 
@@ -1640,14 +1680,16 @@ sub handle_complex_zone( $$ ) {
 	    #
 	    for my $hostref ( @{$arrayref} ) {
 		my @ipsec_match = match_ipsec_in $zone , $hostref;
+		my $origin      = $hostref->{origin};
 		for my $net ( @{$hostref->{hosts}} ) {
-		    add_ijump(
-			      $sourcechainref,
-			      @{$zoneref->{parents}} ? 'j' : 'g' => source_exclusion( $hostref->{exclusions}, $frwd_ref ),
-			      @interfacematch ,
-			      imatch_source_net( $net ),
-			      @ipsec_match
-			     );
+		    add_ijump_extended(
+			$sourcechainref,
+			@{$zoneref->{parents}} ? 'j' : 'g' => source_exclusion( $hostref->{exclusions}, $frwd_ref ),
+			$origin,
+			@interfacematch ,
+			imatch_source_net( $net ),
+			@ipsec_match
+			);
 		}
 	    }
 	}
@@ -1702,8 +1744,8 @@ sub handle_nested_zone( $$ ) {
 #
 # Add output jump to the passed zone:interface:hostref:net
 #
-sub add_output_jumps( $$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, ) = @_;
+sub add_output_jumps( $$$$$$$$ ) {
+    my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, $origin ) = @_;

    our @vservers;
    our %output_jump_added;
@@ -1732,15 +1774,16 @@ sub add_output_jumps( $$$$$$$ ) {
 	    #
 	    # It is a bridge port zone -- use the bridges output chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ output_chain $bridge },
-		       j => $outputref ,
-		       imatch_dest_dev( $interface, 1 ) )
+	    add_ijump_extended( $filter_table->{ output_chain $bridge },
+				j => $outputref ,
+				$origin ,
+				imatch_dest_dev( $interface, 1 ) )
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{OUTPUT}, j => $outputref, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
+	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}

 	$use_output = 1;
@@ -1769,11 +1812,11 @@ sub add_output_jumps( $$$$$$$ ) {
    #
    #  Add the jump
    # 
-    add_ijump $outputref , j => $nextchain, @interfacematch, @dest, @ipsec_out_match;
+    add_ijump_extended $outputref , j => $nextchain, $origin, @interfacematch, @dest, @ipsec_out_match;
    #
    #  Add jump for broadcast
    #
-    add_ijump( $outputref , j => $nextchain, @interfacematch, d => '255.255.255.255' , @ipsec_out_match )
+    add_ijump_extended( $outputref , j => $nextchain, get_interface_origin( $interface ), @interfacematch, d => '255.255.255.255' , @ipsec_out_match )
 	if $family == F_IPV4 && $hostref->{options}{broadcast};
    #
    # Move the rules from the interface output chain if we didn't use it
@@ -1784,8 +1827,8 @@ sub add_output_jumps( $$$$$$$ ) {
 #
 # Add prerouting jumps from the passed zone:interface:hostref:net
 #
-sub add_prerouting_jumps( $$$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack ) = @_;
+sub add_prerouting_jumps( $$$$$$$$$ ) {
+    my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack , $origin ) = @_;

    my $dnatref         = $nat_table->{dnat_chain( $zone )};
    my $preroutingref   = $nat_table->{PREROUTING};
@@ -1800,11 +1843,12 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are DNAT/REDIRECT rules with this zone as the source.
 	# Add a jump from this source network to this zone's DNAT/REDIRECT chain
 	#
-	add_ijump( $preroutingref,
-		   j => source_exclusion( $exclusions, $dnatref),
-		   imatch_source_dev( $interface),
-		   @source,
-		   @ipsec_in_match );
+	add_ijump_extended( $preroutingref,
+			    j => source_exclusion( $exclusions, $dnatref),
+			    $origin, 
+			    imatch_source_dev( $interface),
+			    @source,
+			    @ipsec_in_match );

 	check_optimization( $dnatref ) if @source;
    }
@@ -1822,7 +1866,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
    #
    if ( $nested ) {
 	if ( $parenthasnat ) {
-	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	    add_ijump_extended $preroutingref, j => 'RETURN', $origin, imatch_source_dev( $interface), @source, @ipsec_in_match;
 	}
 	if ( $parenthasnotrack ) {
 	    my $rawref = $raw_table->{PREROUTING};
@@ -1834,8 +1878,8 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 #
 # Add input jump from the passed zone:interface:hostref:net
 #
-sub add_input_jumps( $$$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_;
+sub add_input_jumps( $$$$$$$$$ ) {
+    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) = @_;

    our @vservers;
    our %input_jump_added;
@@ -1864,15 +1908,16 @@ sub add_input_jumps( $$$$$$$$ ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ input_chain $bridge },
-		       j => $inputchainref ,
-		       imatch_source_dev($interface, 1) )
+	    add_ijump_extended( $filter_table->{ input_chain $bridge },
+				j => $inputchainref ,
+				$origin ,
+				imatch_source_dev($interface, 1) )
 		unless $input_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{INPUT}, j => $inputchainref, imatch_source_dev($interface) unless $input_jump_added{$interface}++;
+	    add_ijump_extended $filter_table->{INPUT}, j => $inputchainref, $origin, imatch_source_dev($interface) unless $input_jump_added{$interface}++;
 	}

 	$use_input = 1;
@@ -1883,7 +1928,7 @@ sub add_input_jumps( $$$$$$$$ ) {
 	    #
 	    for my $vzone ( @vservers ) {
 		my $target = rules_target( $zone, $vzone );
-		generate_dest_rules( $inputchainref, $target, $vzone, @source, @ipsec_in_match ) if $target;
+		generate_dest_rules( $inputchainref, $target, $vzone, $origin, @source, @ipsec_in_match ) if $target;
 	    }
 	}
    } elsif ( $isport ) {
@@ -1904,7 +1949,7 @@ sub add_input_jumps( $$$$$$$$ ) {
 	#
 	# Add the jump from the input chain to the rules chain
 	#
-	add_ijump $inputchainref, j => source_exclusion( $exclusions, $chain2 ), @interfacematch, @source, @ipsec_in_match;
+	add_ijump_extended $inputchainref, j => source_exclusion( $exclusions, $chain2 ), $origin, @interfacematch, @source, @ipsec_in_match;
 	move_rules( $interfacechainref , $chain2ref ) unless $use_input;
    }
 }
@@ -1912,8 +1957,8 @@ sub add_input_jumps( $$$$$$$$ ) {
 #
 # This function is called when there is forwarding and this net isn't IPSEC protected. It adds the jump for this net to the zone forwarding chain.
 #
-sub add_forward_jump( $$$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_;
+sub add_forward_jump( $$$$$$$$$ ) {
+    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) = @_;

    our %forward_jump_added;

@@ -1927,37 +1972,39 @@ sub add_forward_jump( $$$$$$$$ ) {
 	#
 	# We must use the interface forwarding chain -- add the jump from the interface forward chain to the zone forward chain.
 	#
-	add_ijump $forwardref , j => $ref, @source, @ipsec_in_match;
+	add_ijump_extended $forwardref , j => $ref, $origin, @source, @ipsec_in_match;

 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ forward_chain $bridge } ,
-		       j => $forwardref ,
-		       imatch_source_dev( $interface , 1 ) )
+	    add_ijump_extended( $filter_table->{ forward_chain $bridge } ,
+				j => $forwardref ,
+				$origin ,
+				imatch_source_dev( $interface , 1 ) )
 		unless $forward_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{FORWARD} , j => $forwardref, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
+	    add_ijump_extended $filter_table->{FORWARD} , j => $forwardref, $origin, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 	}
    } else {
 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ forward_chain $bridge } ,
-		       j => $ref ,
-		       imatch_source_dev( $interface, 1 ) ,
-		       @source,
-		       @ipsec_in_match );
+	    add_ijump_extended( $filter_table->{ forward_chain $bridge } ,
+				j => $ref ,
+				$origin ,
+				imatch_source_dev( $interface, 1 ) ,
+				@source,
+				@ipsec_in_match );
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{FORWARD} , j => $ref, imatch_source_dev( $interface ) , @source, @ipsec_in_match;
+	    add_ijump_extended $filter_table->{FORWARD} , j => $ref, $origin, imatch_source_dev( $interface ) , @source, @ipsec_in_match;
 	}

 	move_rules ( $forwardref , $frwd_ref );
@@ -2098,6 +2145,7 @@ sub generate_matrix() {

 		for my $hostref ( @{$typeref->{$interface}} ) {
 		    my $exclusions = $hostref->{exclusions};
+		    my $origin     = $hostref->{origin};

 		    for my $net ( @{$hostref->{hosts}} ) {
 			#
@@ -2107,7 +2155,7 @@ sub generate_matrix() {
 			    #
 			    # Policy from the firewall to this zone is not 'CONTINUE' and this isn't a bport zone
 			    #
-			    add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge );
+			    add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, $origin );
 			}

 			clearrule;
@@ -2116,15 +2164,15 @@ sub generate_matrix() {
 			    #
 			    # PREROUTING
 			    #
-			    add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack );
+			    add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack , $origin );
 			    #
 			    # INPUT
 			    #
-			    add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge );
+			    add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge , $origin );
 			    #
 			    # FORWARDING Jump for non-IPSEC host group
 			    #
-			    add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
+			    add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
 			}
 		    } # Subnet Loop
 		} # Hostref Loop
@@ -2176,8 +2224,9 @@ sub generate_matrix() {
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my @ipsec_out_match = match_ipsec_out $zone1 , $hostref;
 				my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
+				my $origin = $hostref->{origin};
 				for my $net ( @{$hostref->{hosts}} ) {
-				    add_ijump $frwd_ref, j => $dest_exclusion, imatch_dest_dev( $interface) , imatch_dest_net($net), @ipsec_out_match;
+				    add_ijump_extended $frwd_ref, j => $dest_exclusion, $origin, imatch_dest_dev( $interface) , imatch_dest_net($net), @ipsec_out_match;
 				}
 			    }
 			}
@@ -2219,17 +2268,19 @@ sub generate_matrix() {
 			 nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 			 filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );

+	my $origin = $origin{LOGALLNEW};
+
 	for my $table ( qw/mangle nat filter/ ) {
 	    for my $chain ( @{$builtins{$table}} ) {
-		log_rule_limit
-		    $config{LOGALLNEW} ,
-		    $chain_table{$table}{$chain} ,
-		    $table ,
-		    $chain ,
-		    '' ,
-		    '' ,
-		    'insert' ,
-		    state_match('NEW');
+		log_rule_limit( $config{LOGALLNEW} ,
+				$chain_table{$table}{$chain} ,
+				$table ,
+				$chain ,
+				'' ,
+				'' ,
+				'insert' ,
+				state_match('NEW') ,
+				$origin );
 	    }
 	}
    }
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -345,7 +345,8 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule )
+		     $exceptionrule ,
+		     '' )
 	    unless unreachable_warning( 0, $chainref );

 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
@@ -795,7 +796,8 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 		  $target ,
 		  $loglevel ,
 		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '',
+		  $serverport ? do_proto( $proto, '', '' ) : '' ,
+		  '' ,
 		)
 	unless unreachable_warning( $wildcard, $chainref );

@@ -867,6 +869,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
+			 '',
 			 dnat_chain( $sourcezone  ) )
 		unless unreachable_warning( $wildcard, $chn );

@@ -888,6 +891,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
+		 '',
 	       )
 	unless unreachable_warning( $wildcard, $nonat_chain );
 }
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -144,20 +144,21 @@ sub setup_route_marking() {
 	    my $interface = $providerref->{interface};
 	    my $physical  = $providerref->{physical};
 	    my $mark      = $providerref->{mark};
+	    my $origin    = $providerref->{origin};

 	    unless ( $marked_interfaces{$interface} ) {
-		add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
-		add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
-		add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
+		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
+		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
+		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 		$marked_interfaces{$interface} = 1;
 	    }

 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
+		add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}

@@ -650,7 +651,7 @@ sub process_a_provider( $ ) {

    $balance = $default_balance unless $balance;

-    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
+    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};

    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
@@ -699,6 +700,7 @@ sub process_a_provider( $ ) {
 			   persistent_routes => [],
 			   routedests        => {} ,
 			   persistent        => $persistent,
+			   origin            => shortlineinfo( '' ),
 			 };

    $provider_interfaces{$interface} = $table unless $shared;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_conntrack );
 our @EXPORT_OK = qw( handle_helper_rule );
-our $VERSION = '4.6_10';
+our $VERSION = 'MODULEVERSION';

 our %valid_ctevent = ( new        => 1,
 		       related    => 1,
@@ -98,6 +98,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	$action = join( ":" , 'LOG', $action );
    }

+    my $usergenerated;
+
    if ( $action eq 'NOTRACK' ) {
 	#
 	# A patch that deimplements the NOTRACK target has been posted on the
@@ -204,7 +206,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		 $action ,
 		 $level || '' ,
 		 $disposition ,
-		 $exception_rule );
+		 $exception_rule ,
+		 $usergenerated && ! $level );

    progress_message "  Conntrack rule \"$currentline\" $done";
 }
@@ -247,6 +250,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '',
 			 'CT' ,
+			 '' ,
 			 '' );
 	} else {
 	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
@@ -261,6 +265,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '' ,
 			 'CT' ,
+			 '' ,
 			 '' );
 	}
    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -79,6 +79,10 @@ use constant { NULL_SECTION          => 0x00,
 	       NEW_SECTION           => 0x40,
 	       DEFAULTACTION_SECTION => 0x80 };
 #
+# Number of elements in the action tuple
+#
+use constant { ACTION_TUPLE_ELEMENTS => 5 };
+#
 # Section => name function 
 #
 our %section_functions = ( ALL_SECTION ,        \&rules_chain,
@@ -424,6 +428,7 @@ sub print_policy($$$$) {
 sub use_policy_action( $$ );
 sub normalize_action( $$$ );
 sub normalize_action_name( $ );
+sub normalize_single_action( $ );

 sub process_default_action( $$$$ ) {
    my ( $originalpolicy, $policy, $default, $level ) = @_;
@@ -441,7 +446,7 @@ sub process_default_action( $$$$ ) {
 	if ( "\L$default" eq 'none' ) {
 	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
 		if ( $default_option ) {
-		    fatal_error "Invalid setting (originalpolicy) for $policy";
+		    fatal_error "Invalid setting ($originalpolicy) for $policy";
 		} else {
 		    fatal_error "Invalid policy ($originalpolicy)";
 		}
@@ -560,7 +565,7 @@ sub process_a_policy() {

    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;

-    my ( $policy, $default, $level, $remainder ) = split( /:/, $originalpolicy, 4 );
+    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );

    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;

@@ -944,7 +949,7 @@ sub complete_standard_chain ( $$$$ ) {
 	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
 	$stdchainref->{origin} = $policychainref->{origin};
    } elsif ( $defaultaction !~ /:/ ) {
-	$defaultaction = join(":", $defaultaction, 'none', '', '' );
+	$defaultaction = normalize_single_action( $defaultaction );
    }


@@ -970,7 +975,8 @@ sub setup_syn_flood_chains() {
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
-			    'add' )
+			    'add',
+			     ''  )
 		if $level ne '';
 	    add_ijump $synchainref, j => 'DROP';
 	}
@@ -1022,7 +1028,7 @@ sub finish_chain_section ($$$) {

    for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
 	if ( $state{$_} ) {
-	    my ( $char, $level, $tag, $target ) = @{$statetable{$_}};
+	    my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
 	    my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;

 	    if ( $twochains || $level || $target ne 'ACCEPT' ) {
@@ -1042,17 +1048,18 @@ sub finish_chain_section ($$$) {
 				    $globals{LOGLIMIT},
 				    $tag ,
 				    'add' ,
-				    '');
+				    '',
+				    $level_origin );

 		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;

-		    add_ijump( $chain2ref, g => $target ) if $target;
+		    add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;

 		    $target = $chain2ref->{name} unless $twochains;
 		}

 		if ( $twochains ) {
-		    add_ijump $chainref, g => $target if $target;
+		    add_ijump_extended $chainref, g => $target , $origin if $target;
 		    delete $state{$_};
 		    last;
 		}
@@ -1067,7 +1074,7 @@ sub finish_chain_section ($$$) {
 			delete $state{ESTABLISHED};
 		    }

-		    add_ijump( $chainref, j => $target, state_imatch $_ );
+		    add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
 		}

 		delete $state{$_};
@@ -1169,14 +1176,15 @@ sub finish_section ( $ ) {
 #
 # Create a normalized action name from the passed pieces.
 #
-# Internally, action invocations are uniquely identified by a 4-tuple that
-# includes the action name, log level, log tag and params. The pieces of the tuple
-# are separated by ":".
+# Internally, action invocations are uniquely identified by a 5-tuple that
+# includes the action name, log level, log tag, calling chain and params.
+# The pieces of the tuple are separated by ":".
 #
 sub normalize_action( $$$ ) {
    my $action = shift;
    my $level  = shift;
    my $param  = shift;
+    my $caller = '';     #We assume that the function doesn't use @CALLER

    ( $level, my $tag ) = split ':', $level;

@@ -1185,13 +1193,23 @@ sub normalize_action( $$$ ) {
    $param = ''     unless defined $param;
    $param = ''     if $param eq '-';

-    join( ':', $action, $level, $tag, $param );
+    join( ':', $action, $level, $tag, $caller, $param );
+}
+
+#
+# Add the actual caller into an existing normalised name
+#
+sub insert_caller($$) {
+    my ( $normalized, $caller ) = @_;
+
+    my ( $action, $level, $tag, undef, $param ) = split /:/, $normalized;
+
+    join( ':', $action, $level, $tag, $caller, $param );
 }

 #
 # Accepts a rule target and returns a normalized tuple
 #
-
 sub normalize_action_name( $ ) {
    my $target = shift;
    my ( $action, $loglevel) = split_action $target;
@@ -1199,11 +1217,18 @@ sub normalize_action_name( $ ) {
    normalize_action( $action, $loglevel, '' );
 }

+#
+# Create an action tuple from a single target name
+#
+sub normalize_single_action( $ ) {
+    join(":", $_[0], 'none', '', '', '' );
+}
+
 #
 # Produce a recognizable target from a normalized action
 #
 sub external_name( $ ) {
-    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;
+    my ( $target, $level, $tag, undef, $params ) = split /:/, shift, ACTION_TUPLE_ELEMENTS;

    $target  = join( '', $target, '(', $params , ')' ) if $params;
    $target .= ":$level" if $level && $level ne 'none';
@@ -1333,7 +1358,7 @@ sub createsimpleactionchain( $ ) {
 sub createactionchain( $ ) {
    my $normalized = shift;

-    my ( $target, $level, $tag, $param ) = split /:/, $normalized, 4;
+    my ( $target, $level, $tag, $caller, $param ) = split /:/, $normalized, ACTION_TUPLE_ELEMENTS;

    assert( defined $param );

@@ -1524,11 +1549,11 @@ sub dropBcast( $$$$ ) {

    if ( have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
-	    log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
+	    log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
 	    if ( $family == F_IPV4 ) {
-		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' );
+		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
 	    } else {
-		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST );
+		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
 	    }
 	}

@@ -1541,17 +1566,17 @@ sub dropBcast( $$$$ ) {
 	}

 	incr_cmd_level $chainref;
-	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }

    if ( $family == F_IPV4 ) {
-	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';
+	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
-	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
@@ -1563,8 +1588,8 @@ sub allowBcast( $$$$ ) {

    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
-	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
-	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' );
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
 	}

 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
@@ -1576,17 +1601,17 @@ sub allowBcast( $$$$ ) {
 	}

 	incr_cmd_level $chainref;
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }

    if ( $family == F_IPV4 ) {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
@@ -1596,7 +1621,7 @@ sub dropNotSyn ( $$$$ ) {

    my $target = require_audit( 'DROP', $audit );

-    log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
+    log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }

@@ -1611,7 +1636,7 @@ sub rejNotSyn ( $$$$ ) {
 	$target = require_audit( 'REJECT' , $audit );
    }

-    log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
+    log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }

@@ -1627,8 +1652,8 @@ sub allowinUPnP ( $$$$ ) {
    my $target = require_audit( 'ACCEPT', $audit );

    if ( $level ne '' ) {
-	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' );
-	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' );
+	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
+	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
    }

    add_ijump $chainref, j => $target, p => '17 --dport 1900';
@@ -1665,7 +1690,7 @@ sub Limit( $$$$ ) {

    if ( $level ne '' ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
-	log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' );
+	log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
 	add_ijump $xchainref, j => 'DROP';
 	add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
    } else {
@@ -1689,11 +1714,15 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 #
 # Populate an action invocation chain. As new action tuples are encountered,
 # the function will be called recursively by process_rule().
+# 
+# Note that the first two parameters are passed by reference and may be
+# modified by this function.
 #
-sub process_action($$) {
-    my ( $chainref, $caller ) = @_;
-    my $wholeaction = $chainref->{action};
-    my ( $action, $level, $tag, $param ) = split /:/, $wholeaction, 4;
+sub process_action(\$\$$) {
+    my ( $wholeactionref, $chainrefref, $caller ) = @_;
+    my $wholeaction = ${$wholeactionref};
+    my $chainref    = ${$chainrefref};
+    my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;

    if ( $targets{$action} & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1771,10 +1800,48 @@ sub process_action($$) {

    #
    # Pop the action parameters
-    # Caller should delete record of this chain if the action parameters
-    # were modified (and this function returns true
    #
-    pop_action_params( $oldparms );
+    if ( ( my $result = pop_action_params( $oldparms ) ) & PARMSMODIFIED ) {
+	#
+	# The action modified its parameters -- delete it from %usedactions
+	#
+	delete $usedactions{$wholeaction};
+    } elsif ( $result & USEDCALLER ) {
+	#
+	# The chain uses @CALLER but doesn't modify the action parameters.
+	# We need to see if this caller has already invoked this action
+	#
+	my $renormalized_action = insert_caller( $wholeaction, $caller );
+	my $chain1ref           = $usedactions{$renormalized_action};
+
+	if ( $chain1ref ) {
+	    #
+	    # It has -- use the prior chain
+	    #
+	    ${$chainrefref} = $chain1ref;
+	    #
+	    # We leave the new chain in place but delete it from %usedactions below
+	    # The optimizer will drop it from the final ruleset.
+	    #
+	} else {
+	    #
+	    # This is the first time that the current chain has invoked this action
+	    #
+	    $usedactions{$renormalized_action} = $chainref;
+	    #
+	    # Update the action member
+	    #
+	    $chainref->{action} = $renormalized_action;
+	}
+	#
+	# Delete the usedactions entry with the original normalized key
+	#
+	delete $usedactions{$wholeaction};
+	#
+	# New normalized target
+	#
+	${$wholeactionref} = $renormalized_action;
+    }
 }

 #
@@ -1907,11 +1974,14 @@ sub process_actions() {
 # Create a policy action if it doesn't already exist
 #
 sub use_policy_action( $$ ) {
-    my $ref = use_action( $_[0] );
+    my ( $normalized_target, $caller ) = @_;
+
+    my $ref = use_action( $normalized_target );
+
    if ( $ref ) {
-	delete $usedactions{$ref->{action}} if process_action( $ref, $_[1] );
+	process_action( $normalized_target, $ref, $caller );
    } else {
-	$ref = $usedactions{$_[0]};
+	$ref = $usedactions{$normalized_target};
    }

    $ref;
@@ -2264,6 +2334,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $matches     = $rule;
    my $raw_matches = '';
    my $exceptionrule = '';
+    my $usergenerated;

    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2287,6 +2358,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

    fatal_error "Unknown ACTION ($action)" unless $actiontype;

+    $usergenerated = $actiontype & IPTABLES;
+
    if ( $actiontype == MACRO ) {
 	#
 	# process_macro() will call process_rule() recursively for each rule in the macro body
@@ -2333,15 +2406,16 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$param = $param eq '' ? 'drop' : $param;
 	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
 	$actiontype = STANDARD;
-    } elsif ( $actiontype & NFLOG ) {
-	validate_level( $action );
-	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
-	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
-	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
-	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+    } elsif ( ! $usergenerated ) {
+	if ( $actiontype & NFLOG ) {
+	    validate_level( $action );
+	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
+	    $action   = 'LOG';
+	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+	}
    }
-
    #
    # We can now dispense with the postfix character
    #
@@ -2657,7 +2731,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Handle actions
    #
-    my $delete_action;
+    my $actionchain; #Name of the action chain

    if ( $actiontype & ACTION ) {
 	#
@@ -2673,18 +2747,29 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    #
 	    my $savestatematch = $statematch;
 	    $statematch        = '';
-
-	    $delete_action = process_action( $ref, $chain );
+	    #
+	    # process_action may modify both $normalized_target and $ref!!!
+	    #
+	    process_action( $normalized_target, $ref, $chain );
+	    #
+	    # Capture the name of the action chain
+	    #
+	    $actionchain = $ref->{name};
 	    #
 	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #
 	    #    - Refresh $actiontype
 	    #    - Create the associated nat and/or table chain if appropriate.
 	    #
-	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
-	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
+	    ensure_chain( 'nat', $actionchain ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
+	    ensure_chain( 'raw', $actionchain ) if ( $actiontype & HELPER );

 	    $statematch = $savestatematch;
+	} else {
+	    #
+	    # We've seen this tuple before
+	    #
+	    $actionchain = $usedactions{$normalized_target}->{name};
 	}

 	$action = $basictarget; # Remove params, if any, from $action.
@@ -2804,7 +2889,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			    $ports,
 			    $sports,
 			    $sourceref,
-			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+			    ( $actiontype & ACTION ) ? $actionchain : '',
 			    $inchain ? $chain : '' ,
 			    $user ,
 			    $rule ,
@@ -2826,7 +2911,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 				     $proto,
 				     $ports,
 				     $origdest,
-				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+				     ( $actiontype & ACTION ) ? $actionchain : '',
 				     $action,
 				     $sourceref,
 				     $inaction ? $chain : '',
@@ -2883,7 +2968,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    unless ( $actiontype & NATONLY ) {

 	if ( $actiontype & ACTION ) {
-	    $action = $usedactions{$normalized_target}{name};
+	    $action = $actionchain;
 	    $loglevel = '';
 	}

@@ -2909,12 +2994,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule )
+		     $exceptionrule ,
+		     $usergenerated && ! $loglevel )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }

-    delete $usedactions{$normalized_target} if $delete_action;
-
    return 1;
 }

@@ -3371,9 +3455,9 @@ sub process_rules() {
    # Populate the state table
    #
    %statetable          = ( ESTABLISHED => [ '^', '',                           '',                          'ACCEPT' ] ,
-			     RELATED     => [ '+', $config{RELATED_LOG_LEVEL},   $globals{RELATED_LOG_TAG},   $globals{RELATED_TARGET}  ] ,
-			     INVALID     => [ '_', $config{INVALID_LOG_LEVEL},   $globals{INVALID_LOG_TAG},   $globals{INVALID_TARGET} ] ,
-			     UNTRACKED   => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} ] ,
+			     RELATED     => [ '+', $config{RELATED_LOG_LEVEL},   $globals{RELATED_LOG_TAG},   $globals{RELATED_TARGET}   , $origin{RELATED_DISPOSITION}   , $origin{RELATED_LOG_LEVEL} ] ,
+			     INVALID     => [ '_', $config{INVALID_LOG_LEVEL},   $globals{INVALID_LOG_TAG},   $globals{INVALID_TARGET}   , $origin{INVALID_DISPOSITION}   , $origin{INVALID_LOG_LEVEL} ] ,
+			     UNTRACKED   => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} , $origin{UNTRACKED_DISPOSITION} , $origin{UNTRACKED_LOG_LEVEL} ] ,
 			   );
    %section_states = ( BLACKLIST_SECTION ,  $globals{BLACKLIST_STATES},
 			ESTABLISHED_SECTION, 'ESTABLISHED',
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -227,6 +227,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    our $designator;
    our $ttl            = 0;
    my $fw              = firewall_zone;
+    my $usergenerated;

    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
@@ -290,7 +291,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 			     "$target $option " . join( '/', in_hex( $markval ) , $mask ) ,
 			     '',
 			     $target ,
-			     $exceptionrule );
+			     $exceptionrule ,
+			     ''  );
 	    }

 	    $done = 1;
@@ -452,6 +454,27 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},

+	DIVERTHA   => {
+	    defaultchain   => REALPREROUTING,
+	    allowedchains  => PREROUTING | REALPREROUTING,
+	    minparams      => 0,
+	    maxparams      => 0,
+	    function       => sub () {
+		fatal_error 'DIVERTHA is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
+		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
+
+		unless ( $divertref ) {
+		    $divertref = new_chain( 'mangle', 'divert' );
+		    add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
+		    add_ijump( $divertref , j => 'ACCEPT' );
+		}
+
+		$target = 'divert';
+
+		$matches = '-m socket ';
+	    },
+	},
+
 	DROP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -534,7 +557,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target = $params;
+		$target        = $params;
+		$usergenerated = 1;
 	    },
 	},

@@ -549,7 +573,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target = $params;
+		$target        = $params;
+		$usergenerated = 1;
 	    },
 	},

@@ -860,7 +885,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 $target,
 					 '' ,
 					 $target ,
-					 $exceptionrule ) )
+					 $exceptionrule ,
+					 $usergenerated ) )
 	     && $device ) {
 	    #
 	    # expand_rule() returns destination device if any
@@ -2928,7 +2954,9 @@ sub process_traffic_shaping() {

 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );

-			while ( my ( $option, $type ) = each %validredoptions ) {
+			for my $option ( sort keys %validredoptions ) {
+			    my $type = $validredoptions{$option};
+
 			    if ( my $value = $redopts->{$option} ) {
 				if ( $type == RED_NONE ) {
 				    $options = join( ' ', $options, $option ) if $value;
@@ -2945,7 +2973,9 @@ sub process_traffic_shaping() {

 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );

-			while ( my ( $option, $type ) = each %validcodeloptions ) {
+			for my $option ( sort keys %validcodeloptions ) {
+			    my $type = $validcodeloptions{$option};
+
 			    if ( my $value = $codelopts->{$option} ) {
 				if ( $type == CODEL_NONE ) {
 				    $options = join( ' ', $options, $option );
@@ -3128,6 +3158,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
 		 $target ,
 		 '' ,
 		 $disposition,
+		 '' ,
 		 '' );

    progress_message "Secmarks rule \"$currentline\" $done";
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -1,8 +1,8 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -91,6 +91,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    set_interface_provider
@@ -149,6 +150,7 @@ use constant { IN_OUT     => 1,
 #                                                                             }
 #                                                                  hosts   => [ <net1> , <net2> , ... ]
 #                                                                  exclusions => [ <net1>, <net2>, ... ]
+#                                                                  origin   => <where defined>
 #                                                                }
 #                                                <interface2> => ...
 #                                              }
@@ -196,6 +198,7 @@ our %reservedName = ( all => 1,
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
+#                                     origin      => <where defined>
 #                                   }
 #                 }
 #
@@ -890,7 +893,9 @@ sub add_group_to_zone($$$$$$)
    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
 			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
-			     exclusions => \@exclusions };
+			     exclusions => \@exclusions ,
+			     origin  => shortlineinfo( '' ) ,
+                            };

    if ( $type != IPSEC ) {
 	my $optref = $interfaces{$interface}{options};
@@ -1392,7 +1397,7 @@ sub process_interface( $$ ) {
 						       physical   => $physical ,
 						       base       => var_base( $physical ),
 						       zones      => {},
-						       origin     => shortlineinfo(''),
+						       origin     => shortlineinfo( '' ),
 						       wildcard   => $wildcard,
 						     };

@@ -1858,6 +1863,22 @@ sub interface_has_option( $$\$ ) {
 }

 #
+# Return the origin for an interface
+#
+sub get_interface_origin( $ ) {
+    my ( $interface ) = @_;
+
+    my $ref = $interfaces{$interface};
+
+    return $ref->{origin} if $ref;
+
+    assert( $ref = known_interface( $interface ) );
+
+    $ref->{origin};
+
+}
+
+##
 # Set an option for an interface
 #
 sub set_interface_option( $$$ ) {
@@ -2182,11 +2203,12 @@ sub find_hosts_by_option( $ ) {
 	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
-		    my $ipsec = $host->{ipsec};
+		    my $ipsec  = $host->{ipsec};
+		    my $origin = $host->{origin};
 		    unless ( $done{$interface} ) { 
 			if ( my $value = $host->{options}{$option} ) {
 			    for my $net ( @{$host->{hosts}} ) {
-				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value, $origin ];
 			    }
 			}
 		    }
@@ -2213,7 +2235,7 @@ sub find_zone_hosts_by_option( $$ ) {
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value, $host->{origin} ];
 			}
 		    }
 		}
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -322,6 +322,9 @@ if [ $PRODUCT = shorewall ]; then
 		exit 1;
 	    fi

+	    cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
+	    cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
+
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
@@ -332,6 +335,9 @@ if [ $PRODUCT = shorewall ]; then
 	DIGEST=SHA
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
+		cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
+		cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
+
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
@@ -1115,6 +1121,10 @@ if [ -d Perl ]; then
 	install_file $f ${DESTDIR}${PERLLIBDIR}/$f 0644
 	echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIBDIR}/$f"
    done
+
+    [ -f Perl/Shorewall/Chains.pm.bak ] && mv Perl/Shorewall/Chains.pm.bak Perl/Shorewall/Chains.pm
+    [ -f Perl/Shorewall/Config.pm.bak ] && mv Perl/Shorewall/Config.pm.bak Perl/Shorewall/Config.pm
+
    #
    # Install the program skeleton files
    #
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -271,6 +271,26 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">DIVERTHA</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.4. To setup the HAProxy
+                configuration described at <ulink
+                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
+                place this entry in <ulink
+                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
+
+                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
+TProxy   1        -       -          lo        -               tproxy</programlisting>
+
+                <para>and use this DIVERTHA entry:</para>
+
+                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
+DIVERTHA        -               -               tcp</programlisting>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1629,7 +1629,7 @@ LOG:info:,bar                        net                    fw</programlisting>
          "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
-          role="bold">g_family</emphasis> holds '4'. </para>
+          role="bold">g_family</emphasis> holds '4'.</para>
        </listitem>
      </varlistentry>

@@ -2620,7 +2620,8 @@ INLINE          -       -       -       ; -j REJECT

      <varlistentry>
        <term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>|File}</term>

        <listitem>
          <para>Added in Shorewall 4.5.20. If set to <emphasis
@@ -2633,6 +2634,12 @@ INLINE          -       -       -       ; -j REJECT
          <para>Setting this option to <emphasis role="bold">Yes</emphasis>
          requires the <firstterm>Comments</firstterm> capability in iptables
          and kernel.</para>
+
+          <para>Beginning with Shorewall 5.0.5, the option may also be set to
+          <emphasis role="bold">File</emphasis>. That setting causes similar
+          comments to be added to the
+          <filename>.iptables-restore-input</filename> file, which is normally
+          created in <filename>/var/lib/shorewall</filename>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall
-StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
-ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall/sysconfig
+++ b/Shorewall/sysconfig
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -80,6 +80,11 @@ remove_file() # $1 = file to restore
    fi
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1

--- a/Shorewall6-lite/default.openwrt
+++ b/Shorewall6-lite/default.openwrt
@@ -1,25 +0,0 @@
-# sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
-
-# startup option(default "-vvv")
-OPTIONS=
-
-# change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
-START=50
-
-# change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
-STOP=
-
-# option to pass when shorewall start is executed
-STARTOPTIONS=
-
-# option to pass when shorewall restart is executed
-RESTARTOPTIONS=
-
-# option to pass when shorewall reload is executed
-RELOADOPTIONS=
-
-# option to pass when shorewall stop is executed
-STOPOPTIONS=
-
-# option to pass when shorewall status is executed
-STATUSOPTIONS=
--- a/Shorewall6-lite/init.openwrt.sh
+++ b/Shorewall6-lite/init.openwrt.sh
@@ -39,18 +39,18 @@

 # description: Packet filtering firewall

-# openwrt stuph
-# start and stop runlevel variable
-#START=21
-#STOP=91
-# variable to display what the status command do when /etc/init.d/shorewall6-lite is invoke without argument
+# Openwrt related
+# Start and stop runlevel variable
+START=50
+STOP=89
+# Displays the status command
 EXTRA_COMMANDS="status"
-EXTRA_HELP="Displays shorewall status"
+EXTRA_HELP=" status Displays firewall status"

 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS="-vvv"
+OPTIONS=

 #
 # The installer may alter this
@@ -61,38 +61,35 @@ if [ -f ${SYSCONFDIR}/shorewall6-lite ]; then
    . ${SYSCONFDIR}/shorewall6-lite
 fi

-START=${START:-21}
-STOP=${STOP:-91}
-
 SHOREWALL_INIT_SCRIPT=1

 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STARTOPTIONS
 }

 boot() {
-local command="start"
-start
+	local command="start"
+	start
 }

 restart() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RELOADOPTION:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STOPOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 }
--- a/Shorewall6-lite/shorewall6-lite.service.214
+++ b/Shorewall6-lite/shorewall6-lite.service.214
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv6 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall6-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall6-lite/sysconfig
+++ b/Shorewall6-lite/sysconfig
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -28,6 +28,7 @@

 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall6-lite
+Product="Shorewall6 Lite"

 usage() # $1 = exit status
 {
@@ -76,6 +77,11 @@ remove_file() # $1 = file to restore
    fi
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1

@@ -202,13 +208,15 @@ fi

 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
-rm -rf ${VARDIR}/shorewall6-lite
+rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 rm -f  ${SYSCONFDIR}/shorewall6-lite

-rm -f ${MANDIR}/man5/shorewall6-lite*
-rm -f ${MANDIR}/man8/shorewall6-lite*
+if [ -n "${MANDIR}" ]; then
+    rm -f ${MANDIR}/man5/shorewall6-lite*
+    rm -f ${MANDIR}/man8/shorewall6-lite*
+fi

 echo "Shorewall6 Lite Uninstalled"
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -272,6 +272,26 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">DIVERTHA</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.4. To setup the HAProxy
+                configuration described at <ulink
+                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
+                place this entry in <ulink
+                url="manpages6/shorewall6-providers.html">shorewall6-providers(5)</ulink>:</para>
+
+                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
+TProxy   1        -       -          lo        -               tproxy</programlisting>
+
+                <para>and use this DIVERTHA entry:</para>
+
+                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
+DIVERTHA        -               -               tcp</programlisting>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2295,7 +2295,8 @@ INLINE          -       -       -       ; -j REJECT

      <varlistentry>
        <term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>|File}</term>

        <listitem>
          <para>Added in Shorewall 4.5.20. If set to <emphasis
@@ -2306,8 +2307,14 @@ INLINE          -       -       -       ; -j REJECT
          added.</para>

          <para>Setting this option to <emphasis role="bold">Yes</emphasis>
-          requires the <firstterm>Comments</firstterm> capability in ip6tables
+          requires the <firstterm>Comments</firstterm> capability in iptables
          and kernel.</para>
+
+          <para>Beginning with Shorewall 5.0.5, the option may also be set to
+          <emphasis role="bold">File</emphasis>. That setting causes similar
+          comments to be added to the
+          <filename>.ip6tables-restore-input</filename> file, which is
+          normally created in <filename>/var/lib/shorewall</filename>6.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/shorewall6.service.214
+++ b/Shorewall6/shorewall6.service.214
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv6 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall6
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
-ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall6/sysconfig
+++ b/Shorewall6/sysconfig
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -28,6 +28,7 @@

 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall6
+Product=Shorewall6

 usage() # $1 = exit status
 {
@@ -76,6 +77,11 @@ remove_file() # $1 = file to restore
    fi
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1

@@ -200,7 +206,7 @@ fi

 rm -f ${SBINDIR}/shorewall6
 rm -rf ${CONFDIR}/shorewall6
-rm -rf ${VARDIR}/shorewall6
+rm -rf ${VARDIR}
 rm -rf ${LIBEXECDIR}/shorewall6
 rm -rf ${SHAREDIR}/shorewall6

--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -5,7 +5,7 @@
  <!--/$Id$-->

  <articleinfo>
-    <title>Shorewall 4.4/4.5/4.6 Documentation</title>
+    <title>Shorewall 4.4/4.5/4.6/5.0 Documentation</title>

    <authorgroup>
      <author>
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2014</year>
+      <year>2001-2016</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -327,7 +327,7 @@
            <entry><ulink url="PortKnocking.html">Port Knocking
            (deprecated)</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -337,7 +337,7 @@
            <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
            and Other Uses of the 'Recent Match'</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -345,7 +345,7 @@

            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -354,7 +354,7 @@

            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -364,7 +364,7 @@
            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
            Guides</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -373,7 +373,7 @@

            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -382,7 +382,7 @@
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -391,7 +391,7 @@
            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -400,7 +400,7 @@
            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -408,7 +408,7 @@

            <entry><ulink url="samba.htm">Samba</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -417,7 +417,7 @@

            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -427,7 +427,7 @@
            <entry><ulink url="Shorewall-init.html">Shorewall
            Init</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -437,7 +437,7 @@
            <entry><ulink url="Shorewall-Lite.html">Shorewall
            Lite</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>
        </tbody>
      </tgroup>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -20,7 +20,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2014</year>
+      <year>2001-2016</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -62,7 +62,9 @@
      Shorewall 4.4.0 or later, you must install the <emphasis
      role="bold">shorewall</emphasis> package. If you want to configure an
      IPv6 firewall, you must also install <emphasis
-      role="bold">shorewall6</emphasis>.</para>
+      role="bold">shorewall6</emphasis>. Beginning with Shorewall 4.5, you
+      must first install the <emphasis role="bold">shorewall-core</emphasis>
+      package.</para>

      <section id="faq92a">
        <title>(FAQ 92a) Someone once told me to install shorewall-perl;
@@ -123,7 +125,9 @@
      <firstterm>shorewall-shell</firstterm> package was discontinued. The
      <firstterm>shorewall-common</firstterm> and
      <firstterm>shorewall-perl</firstterm> packages were combined to form a
-      single <firstterm>shorewall</firstterm> package.</para>
+      single <firstterm>shorewall</firstterm> package. In Shorewall 4.5, the
+      <firstterm>shorewall-core</firstterm> package was added and all of the
+      other packages depend on shorewall-core.</para>
    </section>
  </section>

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1950,8 +1950,8 @@ ONBOOT=yes</programlisting>
      url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
      is available in the form of a PROBABILITY column in <ulink
      url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
-      url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
-      This feature requires the <firstterm>Statistic Match</firstterm>
+      url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>)
+      (5). This feature requires the <firstterm>Statistic Match</firstterm>
      capability in your iptables and kernel.</para>

      <para>This method works when there are multiple links to the same ISP
@@ -2219,7 +2219,7 @@ EOF
   #
   # Run LSM -- by default, it forks into the background
   #
-   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
+   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>

        <para>eth0 has a dynamic IP address so I need to use the
@@ -2272,8 +2272,8 @@ defaults {

 include /etc/lsm/shorewall.conf</programlisting>

-        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and
-        later)<programlisting>#!/bin/sh
+        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
+        - note that this script must be executable by root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
--- a/docs/dhcp.xml
+++ b/docs/dhcp.xml
@@ -72,9 +72,9 @@

      <listitem>
        <para>If you set 'ping-check' true in your
-        <filename>/etc/shorewall/dhcpd.conf</filename> file then you will want
-        to <ulink url="ping.html">accept 'ping'</ulink> from your firewall to
-        the zone(s) served by the firewall's DHCP server.</para>
+        <filename>/etc/dhcp/dhcpd.conf</filename> file then you will want to
+        <ulink url="ping.html">accept 'ping'</ulink> from your firewall to the
+        zone(s) served by the firewall's DHCP server.</para>
      </listitem>
    </itemizedlist>
  </section>
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -35,6 +35,8 @@

      <year>2013</year>

+      <year>2015</year>
+
      <holder>Thomas M. Eastep</holder>

      <holder/>
Author	SHA1	Message	Date
Tom Eastep	1c4815358b	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-02-03 10:56:44 -08:00
Tom Eastep	1fa2ecf6b9	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-02-03 10:56:19 -08:00
Tom Eastep	10e84b8505	Update FAQ and upgrade article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-03 10:55:50 -08:00
Tom Eastep	bd9e8142b9	Ensure that the chain origin is used when there is no rule origin Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-03 10:43:10 -08:00
Tom Eastep	916a392fb0	Improve chain-completion rule tracking Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-02 14:57:47 -08:00
Tom Eastep	28983a0194	Add comment describing the origin member of a rule Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-31 09:29:24 -08:00
Tom Eastep	2a56f50d99	Update documentation index for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 13:52:25 -08:00
Tom Eastep	2cd098ba31	Update heading versions and copyrights Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 13:46:34 -08:00
Tom Eastep	9188f7efa3	Don't export shortlineinfo2 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 13:38:26 -08:00
Tom Eastep	95a029316a	Improve get_keys*() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 12:51:23 -08:00
Tom Eastep	d4bea3d3ec	Optimize TRACK_RULES handling in the Chains module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 11:38:48 -08:00
Tom Eastep	6085c6092f	Add origin comments to command-mode rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 10:58:09 -08:00
Tom Eastep	48df3d9627	Add origin member to the providers table Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 10:34:36 -08:00
Tom Eastep	94442abfcf	Correct check for duplicate interface in providers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-28 10:34:16 -08:00
Tom Eastep	86f2e23f33	Invoke add_irule_extended rather than a hack that predated that function Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-27 19:01:23 -08:00
Tom Eastep	6e9d5f45ec	Avoid spurious comment in jump to interface option chains. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-27 16:50:03 -08:00
Tom Eastep	039fd6ddd8	Move origin handling into log_[i]rule_limit Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-27 14:24:56 -08:00
Tom Eastep	57288086bf	Unify TRACK_RULES handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-27 12:55:21 -08:00
Tom Eastep	f999acda63	Eliminate shortlineinfo1() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-27 10:21:08 -08:00
Tom Eastep	b4723da07c	Eliminate $globals{TRACK_GLOBALS} Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-26 16:45:47 -08:00
Tom Eastep	3860a1dc72	Ensure that %origin is populated Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-26 16:31:04 -08:00
Tom Eastep	e756820ca1	Revert "Unify TRACK_RULES settings implementation" This reverts commit `866cb04cbb`.	2016-01-26 11:49:26 -08:00
Tom Eastep	866cb04cbb	Unify TRACK_RULES settings implementation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-25 18:07:46 -08:00
Tom Eastep	6ef136a546	Add origin information for entries in shorewall[6].conf Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-25 15:49:18 -08:00
Tom Eastep	9b3b4579a2	Change TRACK_RULES setting from Internal to File Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-24 16:15:36 -08:00
Tom Eastep	3e404b765f	Make .ip[6]tables-restore-input comments conditional Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 17:04:52 -08:00
Tom Eastep	2235641c9f	Add origin to the ip[6]tables input. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 15:13:12 -08:00
Tom Eastep	3fe4619f66	Fix origin in interfaces and hosts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 13:49:52 -08:00
Tom Eastep	247698a14d	Add origin in some rules from the Misc module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 12:31:53 -08:00
Tom Eastep	73b20c832c	Add 'origin' member to rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 10:45:26 -08:00
Tom Eastep	8ac754caed	Add 'origin' member to the interface and hosts tables Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-21 17:08:19 -08:00
Matt Darfeuille	c85ced09af	Corrected sysconfig files Removed unnecessary lines in sysconfig files Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-19 09:25:37 -08:00
Tom Eastep	1abb77d66d	Remove restrictions on -m geoip Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-18 22:30:15 -08:00
Tom Eastep	a28f3012d5	Correct $VERSION setting in Raw.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-18 09:38:35 -08:00
Tom Eastep	7d443b5e2e	Eliminate return value from process_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-18 09:08:35 -08:00
Tom Eastep	a945b3e0dd	Tweak the process_action() changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 17:03:46 -08:00
Tom Eastep	ec6c233666	Centralize Rules module handling of @CALLER in actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 16:29:35 -08:00
Tom Eastep	4059e9de95	Clean up use_policy_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 12:35:12 -08:00
Tom Eastep	1ee645cd79	Another determinism fix -- red and codel options are now sorted Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 09:50:34 -08:00
Tom Eastep	1fedb26f1d	Handle @CALLER in policy chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 09:42:01 -08:00
Tom Eastep	031371f259	Improve maintainability of action-tuple code Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-16 17:26:16 -08:00
Tom Eastep	742c15b289	Improve @CALLER fix to create unique chains per caller Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-16 17:12:03 -08:00
Tom Eastep	9aa915a5e0	Avoid errors from 'status -i' when there are no optional interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-15 16:39:47 -08:00
Tom Eastep	f95c67ec6b	Restore unmodified .pm files after installation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-15 13:55:46 -08:00
matt darfeuille	f1ed963077	Shorewall 5.0.4 Beta 2 Hi Tom, Some unnecessary lines need to be removed from the sysconfig files. I made some more changes to the init.openwrt.sh scripts(lite and lite6) Attached as sysconfig-lite.patch! In order to be able to use the build50 script I had to make a few changes(attached as build50.patch): - Adding a variable BASEDIR (to build shorewall in a subdirectory) BASEDIR=$PWD and doing: $BASEDIR/annotate.pl and so on ... - Adding a variable CYGWINSTYLESHEET and modifying the script to use this new variable(added cygwin clause in case statement) - Adding a variable GITRELEASEDIR and modifying the lines around 624(to specify an other name for the release repo) from ../release/ to ../$GITRELEASEDIR/ - Added line to remove unnecessary *.bak files - Added an if statement if a subdirectory is used when patches are created question/request: Would it be possible to use the build50 script without the '-t' option? That way only the packages would be built but the tarballs wouldn't be created. -Matt On 12 Jan 2016 at 7:57, Tom Eastep wrote: > Shorewall 5.0.4 Beta 2 is now available for download. > > New Feature since Beta 1: > > 1) The mangle file now supports an DIVERTHA action that provides > support for HAProxy. > > To setup the HAProxy transparent configuration described at > > http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x, > place this entry in shorewall-providers(5): > > > #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS > TProxy 1 - - lo - tproxy > > and use this DIVERTHA entry: > > #ACTION SOURCE DEST PROTO ... > DIVERTHA - - tcp > > Thank you for testing, > -Tom > -- > Tom Eastep \ When I die, I want to go like my Grandfather who > Shoreline, \ died peacefully in his sleep. Not screaming like > Washington, USA \ all of the passengers in his car > http://shorewall.net \________________________________________________ > > -------------- Enclosure number 1 ---------------- >From ca4c854433e1c4c5870ea3e71225e5df8da4e255 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Wed, 13 Jan 2016 21:28:47 +0100 Subject: [PATCH 1/2] Modified lite and lite6.init.openwrt.sh Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-14 16:36:21 -08:00
Tom Eastep	3bce4627f8	Correct typo in the dhcp article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-14 08:56:19 -08:00
Tom Eastep	726d1492cd	Correct error message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 17:08:57 -08:00
Tom Eastep	12513e24a3	Revert "Implement dynamic actions" This reverts commit `8075ba719a`.	2016-01-13 11:04:41 -08:00
Tom Eastep	21765d618d	Create unique chains when @caller is used Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 11:04:23 -08:00
Tom Eastep	de21c59885	Correct hashlimit in logging rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 09:49:22 -08:00
Tom Eastep	8075ba719a	Implement dynamic actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 09:33:38 -08:00
Tom Eastep	3828eb856b	Rename HADIVERT to DIVERTHA Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-08 15:36:10 -08:00
Tom Eastep	e29e2d117d	Documentation updates - update LSM section of the Multi-ISP article - Correct formatting of HAPROXY examples Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-08 08:33:42 -08:00
Tom Eastep	ad2f20b824	Finish HAProxy support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-06 09:12:33 -08:00
Tom Eastep	4c33c2b957	Add support for HAProxy Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-06 08:27:50 -08:00
Tom Eastep	2778e8c6b5	Restore debian service file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-05 10:56:00 -08:00
Tom Eastep	ee6a1dadbb	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-01-05 10:48:48 -08:00
Tuomo Soini	da93669245	Revert "shorewall6*.service: make sure shorewall and shorewall6 won't start at same time" This reverts commit `ff821e57c2`. Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-01-05 20:18:25 +02:00
Tom Eastep	2f59ea5ca3	Implement the WAIT_OPTION capability Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-05 09:28:24 -08:00
Tuomo Soini	ff821e57c2	shorewall6*.service: make sure shorewall and shorewall6 won't start at same time Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-01-05 12:04:46 +02:00
Tuomo Soini	c447ddd03e	systemd service: rename pre214 systemd versions to pre214 and remove separeate 214 variants	2016-01-05 12:01:21 +02:00
Tom Eastep	0c66e5f1b2	More Openwrt support in Shorewall-init from Matt Darfeuille - Also, various cleanup in install/uninstall scripts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-04 15:45:21 -08:00
Tom Eastep	e695e08009	A couple of corrections to the IP[6]TABLE transparency change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-04 14:13:58 -08:00
Tom Eastep	c91b78a875	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-01-04 13:10:48 -08:00
Tom Eastep	70a9240de6	Make IP[6]TABLES transparent Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-04 13:10:03 -08:00
Tom Eastep	06dd5dc38f	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-01-02 12:37:43 -08:00
Tom Eastep	fad41e262a	Support the DROP command in the mangle file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-02 12:36:38 -08:00
Tom Eastep	89d91d37a1	Add Shorewall-init installer support for OpenWRT - Supply sysconfig files for all products Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-27 16:47:31 -08:00