Clarify DEST column in DNAT rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)
 
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)

Shorewall-core/configure.pl

@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
 
 	$id =~ s/ID=//;
 	
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';

Shorewall-core/install.sh

@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall-core/lib.cli

@@ -252,7 +252,15 @@ show_classifiers() {
 
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
+	    tc filter show dev $device
+	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+		if [ -n "$class" ]; then
+		    echo
+		    echo Node $class
+		    tc filter show dev $device parent $class
+		fi
+	    done
 	    echo
 	fi
     }

Shorewall-init/install.sh

@@ -191,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)

Shorewall-lite/install.sh

@@ -206,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/Perl/Shorewall/Compiler.pm

@@ -730,7 +730,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules );
     #
     # More /proc
     #
@@ -819,7 +819,7 @@ sub compiler {
     #
     # Setup Nat
     #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
     #
     # Setup NETMAP
     #

Shorewall/Perl/Shorewall/Misc.pm

@@ -775,8 +775,8 @@ sub process_stoppedrules() {
 
 sub setup_mss();
 
-sub add_common_rules ( $ ) {
+sub add_common_rules ( $$ ) {
-    my $upgrade = shift;
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
     my $interface;
     my $chainref;
     my $target;
@@ -929,8 +929,8 @@ sub add_common_rules ( $ ) {
 	    
     run_user_exit1 'initdone';
 
-    if ( $upgrade ) {
+    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
     } else {
 	setup_blacklist;
     }

Shorewall/Perl/Shorewall/Tc.pm

@@ -338,7 +338,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    minparams      => 0,
 	    maxparams      => 0 ,
 	    function       => sub() {
-		$target = 'CHECKSUM';
+		$target = 'CHECKSUM --checksum-fill';
 	    },
 	},
        
@@ -693,7 +693,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
     ( $cmd, $designator ) = split_action( $action );
 
     if ( supplied $designator ) {
-	fatal_error "Invalid chain designator ( $designator )" unless $designator = $designators{$designator};
+	my $temp = $designators{$designator};
+	fatal_error "Invalid chain designator ( $designator )" unless $temp;
+	$designator = $temp;
     }
 
     ( $cmd , $params ) = get_target_param1( $cmd );
@@ -710,11 +712,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 
     if ( $source ne '-' ) {
 	if ( $source eq $fw ) {
-	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator ne OUTPUT;
+	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
 	    $chain = OUTPUT;
 	    $source = '-';
 	} elsif ( $source =~ s/^($fw):// ) {
-	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator ne OUTPUT;
+	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
 	    $chain = OUTPUT;
 	}
     }

Shorewall/configfiles/blrules

@@ -6,7 +6,7 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###################################################################################################################################################################################################
+################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
 

Shorewall/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/clear
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/findgw

@@ -3,12 +3,12 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
+# The code in this file is executed when Shorewall is trying to detect the
-#    gateway through an interface in /etc/shorewall/providers that has GATEWAY
+# gateway through an interface in /etc/shorewall/providers that has GATEWAY
-#    specified as 'detect'.
+# specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
+# The function should echo the IP address of the gateway if it knows what
-#    it is; the name of the interface is in $1.
+# it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/mangle

@@ -1,7 +1,7 @@
 #
 # Shorewall version 4 - Mangle File
 #
-# For information about entries in this file, type "man shorewall-tcrules"
+# For information about entries in this file, type "man shorewall-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
-

Shorewall/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refresh
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall
-#       has processed the 'refresh' command.
+# has processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/shorewall.conf

@@ -12,13 +12,13 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 
 BLACKLIST_LOG_LEVEL=
@@ -100,7 +100,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -271,8 +271,8 @@ MASK_BITS=
 ZONE_BITS=0
 
 ################################################################################
-#                            L E G A C Y  O P T I O N
+#			     L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
+#		       D O  N O T  D E L E T E	O R  A L T E R
 ################################################################################
 
 IPSECFILE=zones

Shorewall/configfiles/tcclasses

@@ -7,4 +7,4 @@
 #
 ###############################################################################
 #INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#                               DMAX:UMAX
+#				DMAX:UMAX

Shorewall/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/install.sh

@@ -216,7 +216,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/manpages/shorewall-masq.xml

@@ -143,7 +143,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term>(Formerly called SUBNET) -
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
+        -
         {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 

Shorewall/manpages/shorewall-nat.xml

@@ -136,6 +136,80 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>RESTRICTIONS</title>
+
+    <para>DNAT rules always preempt one-to-one NAT rules. This has subtile
+    consequences when there are sub-zones on an
+    <replaceable>interface</replaceable>. Consider the following:</para>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4
+loc     ipv4
+smc:net ipv4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians</programlisting>
+
+    <para><filename>/etc/shorewall/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+smc     eth0:10.1.10.0/24</programlisting>
+
+    <para><filename>/etc/shorewall/nat</filename>:</para>
+
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
+#                                               INTERFACES
+10.1.10.100     eth0            172.20.1.100
+</programlisting>
+
+    <para>Note that the EXTERNAL address is in the <emphasis
+    role="bold">smc</emphasis> zone.</para>
+
+    <para><filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+...
+DNAT            net             loc:172.20.1.4  tcp     80</programlisting>
+
+    <para>For the one-to-one NAT to work correctly in this configuration, one
+    of two approaches can be taken:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Define a CONTINUE policy with <emphasis
+        role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
+
+        <programlisting>#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+<emphasis role="bold">smc		$FW		CONTINUE</emphasis>
+loc		net		ACCEPT
+net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info
+</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall/manpages/shorewall-rules.xml

@@ -991,7 +991,10 @@
           When the <emphasis role="bold">ACTION</emphasis> is <emphasis
           role="bold">DNAT</emphasis> or <emphasis
           role="bold">DNAT-</emphasis>, the connections will be assigned to
-          addresses in the range in a round-robin fashion.</para>
+          addresses in the range in a round-robin fashion. <emphasis
+          role="bold">DNAT</emphasis> and <emphasis
+          role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
+          ranges.</para>
 
           <para>If you kernel and iptables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be

Shorewall6/action.A_AllowICMPs

@@ -6,6 +6,7 @@
 #	This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
+?format 2
 #TARGET		SOURCE		DEST	PROTO		DEST
 #							PORT(S)
 ?comment Needed ICMP types (RFC4890)

Shorewall6/action.A_Drop

@@ -18,6 +18,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+?format 2
 #TARGET			SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'

Shorewall6/action.A_Reject

@@ -14,6 +14,7 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+?format 2
 #TARGET			SOURCE	DEST	PROTO
 #
 # Don't log 'auth' -- REJECT

Shorewall6/configfiles/actions

@@ -7,7 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
 ########################################################################################
 #ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
 #                               v        a comment describing the action)

Shorewall6/configfiles/blrules

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###########################################################################################################################################################################
+########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS	SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall6/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/clear
 #
-#	Add commands below that you want to be executed after Shorewall6
+# Add commands below that you want to be executed after Shorewall6 has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall6/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/mangle

@@ -1,7 +1,7 @@
 #
 # Shorewall6 version 4 - Mangle File
 #
-# For information about entries in this file, type "man shorewall6-tcrules"
+# For information about entries in this file, type "man shorewall6-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-###########################################################################################################################################################
+############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)

Shorewall6/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refresh
 #
-#	Add commands below that you want to be executed before Shorewall6
+# Add commands below that you want to be executed before Shorewall6 has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall6
+# Add commands below that you want to be executed after Shorewall6 has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/shorewall6.conf

@@ -13,7 +13,7 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
@@ -97,7 +97,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

Shorewall6/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall6
+# Add commands below that you want to be executed before Shorewall6 clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall6/manpages/shorewall6-masq.xml

@@ -530,7 +530,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 8:</term>
+        <term>Example 2:</term>
 
         <listitem>
           <para>Your sit1 interface has two public IP addresses:

Shorewall6/manpages/shorewall6-rules.xml

@@ -934,6 +934,17 @@
           <para>Restriction: MAC addresses are not allowed (this is a
           Netfilter restriction).</para>
 
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion. <emphasis
+          role="bold">DNAT</emphasis> and <emphasis
+          role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
+          ranges.</para>
+
           <para>If you kernel and ip6tables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be
           optionally followed by a number from 1 to 6 enclosed in square

docs/Dynamic.xml

@@ -49,8 +49,7 @@
     support is based on <ulink
     url="http://ipset.netfilter.org/">ipset</ulink>. Most current
     distributions have ipset, but you may need to install the <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.
+    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
-    </para>
   </section>
 
   <section id="xtables-addons">
@@ -211,9 +210,9 @@
 net          ipv4
 rsyncok:loc  ipv4             <emphasis role="bold">dynamic_shared</emphasis></programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
+      <programlisting>#ZONE       INTERFACE      OPTIONS
-loc         eth0           -                …
+loc         eth0           …
-loc         eth1           -                …</programlisting>
+loc         eth1           …</programlisting>
 
       <para><filename>/etc/shorewall/hosts</filename>:</para>
 
@@ -308,9 +307,8 @@ rsyncok:
 loc          ipv4
 webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
 
-        <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
+        <programlisting>#ZONE       INTERFACE      OPTIONS
-loc         eth0           -                …
+loc         eth0           …</programlisting>
-</programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename>:</para>
 

docs/FAQ.xml

@@ -516,8 +516,8 @@ DNAT       net           net:66.249.93.111:993  tcp      80          -         2
 
         <para>In <filename>/etc/shorewall/interfaces</filename>, specify the
         <emphasis role="bold">routeback</emphasis> option on
-        eth0:<programlisting>#ZONE      INTERFACE     BROADCAST            OPTIONS
+        eth0:<programlisting>#ZONE      INTERFACE     OPTIONS
-net        eth0          detect               <emphasis role="bold">routeback</emphasis></programlisting></para>
+net        eth0          <emphasis role="bold">routeback</emphasis></programlisting></para>
 
         <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
 eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlisting></para>
@@ -700,15 +700,15 @@ DNAT       net           net:192.168.4.22       tcp      80,443      -         <
         <listitem>
           <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-          <programlisting>#ZONE    INTERFACE    BROADCAST    OPTIONS
+          <programlisting>#ZONE    INTERFACE    OPTIONS
-loc      eth1         detect       <emphasis role="bold">routeback</emphasis>    </programlisting>
+loc      eth1         <emphasis role="bold">routeback</emphasis>    </programlisting>
         </listitem>
 
         <listitem>
           <para>In <filename>/etc/shorewall/masq</filename>:</para>
 
           <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)
-<emphasis role="bold">eth1:192.168.1.5        eth1            192.168.1.254   tcp     www</emphasis></programlisting>
+<emphasis role="bold">eth1:192.168.1.5        192.168.1.0/24  192.168.1.254   tcp     www</emphasis></programlisting>
 
           <para>Note: The technique described here is known as
           <firstterm>hairpinning NAT</firstterm> and is described in section 6
@@ -718,7 +718,7 @@ loc      eth1         detect       <emphasis role="bold">routeback</emphasis>
           source:</para>
 
           <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)
-eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</emphasis>  tcp     www</programlisting>
+eth1:192.168.1.5        192.168.1.0/24  <emphasis role="bold">130.151.100.69</emphasis>  tcp     www</programlisting>
         </listitem>
 
         <listitem>
@@ -746,6 +746,12 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
           DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
           time that you get a new IP address.</para>
 
+          <note>
+            <para>If your local interface is a bridge, see <link
+            linkend="faq2e">FAQ 2e</link> for additional configuration
+            steps.</para>
+          </note>
+
           <note>
             <para>For optional interfaces, use the function <emphasis
             role="bold">find_first_interface_address_if_any()</emphasis>
@@ -815,8 +821,8 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
 
           <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-          <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+          <programlisting>#ZONE    INTERFACE    OPTIONS
-dmz      eth2         192.168.2.255   <emphasis role="bold">routeback</emphasis> </programlisting>
+dmz      eth2         <emphasis role="bold">routeback</emphasis> </programlisting>
 
           <para>In <filename>/etc/shorewall/masq</filename>:</para>
 
@@ -915,6 +921,59 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         INTERFACES column of each entry in <ulink
         url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
       </section>
+
+      <section id="faq2e">
+        <title>(FAQ 2e) I have the situation in FAQ 2 but my local interface
+        is a bridge and the solution in FAQ 2 doesn't work</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: Assume that the bridge
+        is br0 and that eth2 is the bridge port that connects to the LAN
+        containing 192.168.1.5</para>
+
+        <para>In addition to the steps in FAQ 2 (replacing eth1 with br0), you
+        also need to:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Set the <firstterm>hairpin</firstterm> option on
+            eth2.</para>
+
+            <programlisting>brctl hairpin br0 eth2 on</programlisting>
+
+            <para>On Debian and derivitives, you can place that command in
+            /etc/network/interfaces as a post-up command:</para>
+
+            <programlisting>auto br0
+iface br0 inet static
+        bridge_ports    eth2
+        bridge_fd       0
+        bridge_maxwait  0
+        address         192.168.1.1
+        netmask         255.255.255.0
+        <emphasis role="bold">post-up /sbin/brctl hairpin br0 eth2 on</emphasis></programlisting>
+          </listitem>
+
+          <listitem>
+            <para>Install ebtables if it is not already installed.</para>
+          </listitem>
+
+          <listitem>
+            <para>Be sure that all traffic going out of eth2 has the correct
+            MAC address.</para>
+
+            <programlisting>ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source <emphasis>br0-MAC-address</emphasis> </programlisting>
+
+            <para>where br0-MAC-address is the MAC address of br0.</para>
+
+            <para>Here's a working example of /etc/shorewall/start that
+            executes the above command.</para>
+
+            <programlisting>if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then
+   <emphasis role="bold">ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source 0:19:21:d0:61:65</emphasis>
+fi</programlisting>
+          </listitem>
+        </orderedlist>
+      </section>
     </section>
   </section>
 
@@ -940,6 +999,12 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
         to implement blacklisting by destination IP address.</para>
       </note>
+
+      <note>
+        <para>Beginning with Shorewall 4.4.26, you can use <ulink
+        url="manpages/shorewall-blrules.html">/etc/shorewall/blrules</ulink>
+        to implement arbitrary blacklist rules.</para>
+      </note>
     </section>
 
     <section id="faq84">

docs/GenericTunnels.xml

@@ -86,8 +86,8 @@ vpn          ipv4</programlisting>
     <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
     role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
 
-    <programlisting>#ZONE      INTERFACE       BROADCAST        OPTIONS
+    <programlisting>#ZONE      INTERFACE       OPTIONS
-vpn        tun0            10.255.255.255</programlisting>
+vpn        tun0</programlisting>
 
     <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
 
@@ -99,8 +99,8 @@ generic:47       net            134.28.54.2</programlisting>
     TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
     be accepted to/from the remote gateway.</para>
 
-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
+    <programlisting>#ZONE        INTERFACE        OPTIONS
-vpn          tun0             192.168.1.255</programlisting>
+vpn          tun0</programlisting>
 
     <para>In /etc/shorewall/tunnels on system B, we have:</para>
 

docs/IPIP.xml

@@ -103,8 +103,8 @@ vpn          ipv4</programlisting>
     <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
     role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
 
-    <programlisting>#ZONE        INTERFACE      BROADCAST        OPTIONS
+    <programlisting>#ZONE        INTERFACE      OPTIONS
-vpn          tosysb         10.255.255.255</programlisting>
+vpn          tosysb</programlisting>
 
     <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
 

docs/IPSEC-2.6.xml

@@ -238,7 +238,7 @@
 
     <para>Suppose that we have the following situation:</para>
 
-    <graphic fileref="images/TwoNets1.png"/>
+    <graphic fileref="images/TwoNets1.png" />
 
     <para>We want systems in the 192.168.1.0/24 sub-network to be able to
     communicate with systems in the 10.0.0.0/8 network. We assume that on both
@@ -481,7 +481,7 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
     when you travel and you want to be able to establish a secure connection
     back to your local network.</para>
 
-    <graphic fileref="images/Mobile.png"/>
+    <graphic fileref="images/Mobile.png" />
 
     <example id="roadWarrior">
       <title>Road Warrior VPN</title>
@@ -734,9 +734,9 @@ loc            ipv4
     <blockquote>
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE       OPTIONS
-net     eth0            detect          routefilter
+net     eth0            routefilter
-loc     eth1            192.168.1.255
+loc     eth1            -
 l2tp    ppp+            -
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
     </blockquote>
@@ -827,9 +827,9 @@ HTTPS(ACCEPT)   l2tp    $FW
     hosts in that network. In that case, IPSEC transport mode is an
     appropriate solution.</para>
 
-    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
+    <para><graphic fileref="images/TransportMode.png" />Here's an example
-    the ipsec-tools package. The files shown are from host 192.168.20.10; the
+    using the ipsec-tools package. The files shown are from host
-    configuration of the other nodes is similar.</para>
+    192.168.20.10; the configuration of the other nodes is similar.</para>
 
     <blockquote>
       <para><filename>/etc/racoon/racoon.conf</filename>:</para>
@@ -889,8 +889,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.
     <blockquote>
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE       OPTIONS
-net     eth0            detect          routefilter,dhcp,tcpflags
+net     eth0            routefilter,dhcp,tcpflags
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
       <para><filename>/etc/shorewall/tunnels</filename>:</para>

docs/IPSEC.xml

@@ -200,12 +200,12 @@ vpn          eth0:192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System A</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!10.0.0.0/8      192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System B</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!192.168.1.0/24  10.0.0.0/8</programlisting>
     </blockquote>
 
@@ -425,8 +425,8 @@ ipsec       net        0.0.0.0/0       vpn1,vpn2,vpn3</programlisting>
     Shorewall will issue warnings to that effect. These warnings may be safely
     ignored. FreeS/Wan may now be configured to have three different Road
     Warrior connections with the choice of connection being based on X-509
-    certificates or some other means. Each of these connections will utilize
+    certificates or some other means. Each of these connections will utilize a
-    a different updown script that adds the remote station to the appropriate
+    different updown script that adds the remote station to the appropriate
     zone when the connection comes up and that deletes the remote station when
     the connection comes down. For example, when 134.28.54.2 connects for the
     vpn2 zone the <quote>up</quote> part of the script will issue the

docs/Introduction.xml

@@ -181,10 +181,10 @@ dmz     ipv4</programlisting>
     file. In the three-interface sample, the three zones are defined using
     that file as follows:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
+    <programlisting>#ZONE      INTERFACE     OPTIONS
-net        eth0          detect        dhcp,routefilter
+net        eth0          dhcp,routefilter
-loc        eth1          detect
+loc        eth1
-dmz        eth2          detect</programlisting>
+dmz        eth2</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0, the
@@ -201,10 +201,10 @@ dmz        eth2          detect</programlisting>
     file or you may use the nets= option in
     <filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
+    <programlisting>#ZONE      INTERFACE     OPTIONS
-net        eth0          detect        dhcp,routefilter,nets=(!192.168.0.0/23)
+net        eth0          dhcp,routefilter,nets=(!192.168.0.0/23)
-loc        eth1          detect        nets=(192.168.0.0/24)
+loc        eth1          nets=(192.168.0.0/24)
-dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
+dmz        eth2          nets=(192.168.1.0/24)</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0 <emphasis>except</emphasis>

docs/Laptop.xml

@@ -68,10 +68,10 @@
     optional interfaces for the 'net' zone in
     <filename>/etc/shorewall/interfaces</filename>.</para>
 
-    <programlisting>#ZONE          INTERFACE      BROADCAST           OPTIONS
+    <programlisting>#ZONE          INTERFACE      OPTIONS
-net            eth0           detect              optional,…
+net            eth0           optional,…
-net            wlan0          detect              optional,…
+net            wlan0          optional,…
-net            ppp0           -                   optional,…</programlisting>
+net            ppp0           optional,…</programlisting>
 
     <para>With this configuration, access to the 'net' zone is possible
     regardless of which of the interfaces is being used.</para>

docs/MAC_Validation.xml

@@ -172,12 +172,12 @@ MACLIST_LOG_LEVEL=info</programlisting>
 
       <para>/etc/shorewall/interfaces:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE       OPTIONS
-net     $EXT_IF         206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
+net     $EXT_IF         dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
-loc     $INT_IF         192.168.1.255   dhcp
+loc     $INT_IF         dhcp
 dmz     $DMZ_IF         -
 vpn     tun+            -
-Wifi    $WIFI_IF        -               maclist,dhcp
+Wifi    $WIFI_IF        maclist,dhcp
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
 
       <para>/etc/shorewall/maclist:</para>

docs/MultiISP.xml

@@ -832,9 +832,9 @@ ISP2    2       2       main            eth1            130.252.99.254  track,ba
 
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+      <programlisting>#ZONE    INTERFACE    OPTIONS
-net      eth0         detect          …          
+net      eth0         …          
-net      eth1         detect          …</programlisting>
+net      eth1         …</programlisting>
 
       <para><filename>/etc/shorewall/policy</filename>:</para>
 
@@ -1991,9 +1991,9 @@ ComcastC 2      -    -          eth0      detect        loose,fallback,load=0.33
       <para>You specify the <option>optional</option> option in
       <filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+      <programlisting>#ZONE    INTERFACE    OPTIONS
-net      eth0         detect          <emphasis role="bold">optional</emphasis>         
+net      eth0         <emphasis role="bold">optional</emphasis>         
-net      eth1         detect          <emphasis role="bold">optional</emphasis></programlisting>
+net      eth1         <emphasis role="bold">optional</emphasis></programlisting>
 
       <section id="lsm">
         <title>Link Status Monitor (LSM)</title>
@@ -2562,11 +2562,11 @@ kvm             all             ACCEPT
 net             all             DROP            info
 all             all             REJECT          info</programlisting></para>
 
-      <para>interfaces:<programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
+      <para>interfaces:<programlisting>#ZONE    INTERFACE      PTIONS                 GATEWAY
 #
-net     eth0            detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
+net     eth0            dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
-net     wlan0           detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional
+net     wlan0           dhcp,tcpflags,routefilter,blacklist,logmartians,optional
-kvm     br0             detect          routeback       #Virtual Machines</programlisting><note>
+kvm     br0             routeback       #Virtual Machines</programlisting><note>
           <para><filename class="devicefile">wlan0</filename> is the wireless
           adapter in the notebook. Used when the laptop is in our home but not
           connected to the wired network.</para>

docs/Multiple_Zones.xml

@@ -209,7 +209,7 @@ loc1:loc    ipv4</programlisting>
 
         <para><filename>/etc/shorewall/interfaces</filename></para>
 
-        <programlisting>#ZONE               INTERFACE           BROADCAST               OPTIONS
+        <programlisting>#ZONE               INTERFACE           OPTIONS
 loc                 eth1                -</programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename></para>
@@ -247,8 +247,8 @@ loc2        ipv4</programlisting>
 
         <para><filename>/etc/shorewall/interfaces</filename></para>
 
-        <programlisting>#ZONE               INTERFACE           BROADCAST
+        <programlisting>#ZONE               INTERFACE
--                   eth1                192.168.1.255
+-                   eth1
 </programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename></para>
@@ -287,8 +287,8 @@ loc1:loc    ipv4</programlisting>
 
     <para><filename>/etc/shorewall/interfaces</filename></para>
 
-    <programlisting>#ZONE               INTERFACE           BROADCAST
+    <programlisting>#ZONE               INTERFACE
-loc                 eth1                -</programlisting>
+loc                 eth1</programlisting>
 
     <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE               HOSTS                  OPTIONS
 loc1                eth1:192.168.1.8/29    broadcast</programlisting></para>

docs/OPENVPN.xml

@@ -130,7 +130,7 @@ vpn     ipv4</programlisting>
       <para>In <filename>/etc/shorewall/interfaces</filename> on system
       A:</para>
 
-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE        OPTIONS
 vpn        tun0</programlisting>
     </blockquote>
 
@@ -198,7 +198,7 @@ verb 5</programlisting>
       <para>In <filename>/etc/shorewall/interfaces</filename> on system
       B:</para>
 
-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE         OPTIONS
 vpn        tun0 </programlisting>
     </blockquote>
 
@@ -269,7 +269,7 @@ road    ipv4</programlisting>
       <para>In <filename>/etc/shorewall/interfaces</filename> on system
       A:</para>
 
-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE          OPTIONS
 road       tun+</programlisting>
     </blockquote>
 
@@ -355,7 +355,7 @@ home    ipv4</programlisting>
       <para>In <filename>/etc/shorewall/interfaces</filename> on system
       B:</para>
 
-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE          OPTIONS
 home       tun0</programlisting>
     </blockquote>
 
@@ -586,14 +586,14 @@ net             ipv4            #Internet
 
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
+      <programlisting>#ZONE  INTERFACE  OPTIONS
-loc    INT_IF     detect    dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
+loc    INT_IF     dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
-net    COM_IF     detect    dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
+net    COM_IF     dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
-<emphasis role="bold">vpn    TUN_IF+    detect    physical=tun+,routeback</emphasis>
+<emphasis role="bold">vpn    TUN_IF+    physical=tun+,routeback</emphasis>
--      sit1       -         ignore
+-      sit1       ignore
-<emphasis role="bold">-      mac        -         ignore</emphasis>
+<emphasis role="bold">-      mac        ignore</emphasis>
--      EXT_IF     -         ignore
+-      EXT_IF     ignore
--      lo         -         ignore</programlisting>
+-      lo         ignore</programlisting>
 
       <para><filename>/etc/shorewall/tunnels</filename>:</para>
 
@@ -617,10 +617,10 @@ rest      ipv6</programlisting>
 
       <para><filename>/etc/shorewall6/interfaces</filename>:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE       OPTIONS
-net     sit1            detect          tcpflags,forward=1,nosmurfs,routeback
+net     sit1            tcpflags,forward=1,nosmurfs,routeback
-loc     eth4            detect          tcpflags,forward=1
+loc     eth4            tcpflags,forward=1
-<emphasis role="bold">loc     mac             detect          tcpflags,forward=1</emphasis>
+<emphasis role="bold">loc     mac             tcpflags,forward=1</emphasis>
 rest    eth+</programlisting>
 
       <para>Note that in the IPv6 firewall configuration, the remove Macbook

docs/OpenVZ.xml

@@ -149,9 +149,9 @@ vz       ipv4</programlisting>
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
       <programlisting>###############################################################################
-#ZONE    INTERFACE          BROADCAST      OPTIONS
+#ZONE    INTERFACE          OPTIONS
-net      eth0               -              proxyarp=1
+net      eth0               proxyarp=1
-vz       venet0             -              <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
+vz       venet0             <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
     </section>
 
     <section>
@@ -159,8 +159,8 @@ vz       venet0             -              <emphasis role="bold">routeback,arp_f
 
       <para>If you run Shorewall Multi-ISP support on the host, you should
       arrange for traffic to your containers to use the main routing table. In
-      the configuration shown here, this entry in /etc/shorewall/rtrules
+      the configuration shown here, this entry in /etc/shorewall/rtrules is
-      is appropriate:</para>
+      appropriate:</para>
 
       <programlisting>#SOURCE            DEST              PROVIDER          PRIORITY
 -                  206.124.146.178   main              1000</programlisting>
@@ -472,11 +472,11 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=venet0</emphasis>
 ...</programlisting>
 
-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
             role="bold">proxyarp=1</emphasis>
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
+<emphasis role="bold">dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
 ...</programlisting>This is a multi-ISP configuration so entries are required
       in <filename>/etc/shorewall/rtrules</filename>:</para>
 
@@ -508,8 +508,8 @@ net         ipv4</programlisting>
 
       <para>/etc/shorewall/interfaces:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE       OPTIONS
-net     <emphasis role="bold">venet0 </emphasis>         detect          dhcp,tcpflags,logmartians,nosmurfs</programlisting>
+net     <emphasis role="bold">venet0 </emphasis>         dhcp,tcpflags,logmartians,nosmurfs</programlisting>
     </section>
   </section>
 
@@ -783,10 +783,10 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=vzbr0</emphasis>
 ...</programlisting>
 
-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
+dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
 ...</programlisting></para>
 
       <para><filename>/etc/shorewall/proxyarp:</filename></para>
@@ -820,8 +820,8 @@ net         ipv4</programlisting>
 
       <para><filename>/etc/shorewall/interfaces:</filename></para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE      OPTIONS
-net     <emphasis role="bold">eth0  </emphasis>         detect          dhcp,tcpflags,logmartians,nosmurfs</programlisting>
+net     <emphasis role="bold">eth0  </emphasis>         dhcp,tcpflags,logmartians,nosmurfs</programlisting>
     </section>
   </section>
 </article>

docs/Shorewall-4.xml

@@ -147,16 +147,16 @@
   </section>
 
   <section>
-    <title>Shorewall 4.5</title>
+    <title>Shorewall 4.5/4.6</title>
 
-    <para>Shorewall 4.5 adds an additional <emphasis
+    <para>Shorewall 4.5 added an additional <emphasis
     role="bold">Shorewall-core</emphasis> package. This package contains the
     core Shorewall shell libraries that are required by the other
     packages.</para>
   </section>
 
   <section id="Prereqs">
-    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5
+    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
     Perl-based Compiler</title>
 
     <itemizedlist>

docs/Shorewall_Squid_Usage.xml

@@ -257,8 +257,8 @@ MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
             <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
             </filename>:</para>
 
-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
+            <programlisting>#ZONE   INTERFACE    OPTIONS
-loc     eth1         detect       <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
+loc     eth1         <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
           </listitem>
 
           <listitem>
@@ -327,8 +327,8 @@ MARK(202):P    eth1                0.0.0.0/0   tcp      80</programlisting>
             <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
             </filename>:</para>
 
-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
+            <programlisting>#ZONE   INTERFACE    OPTIONS
-loc     eth2         detect       <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
+loc     eth2         <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
           </listitem>
 
           <listitem>
@@ -402,8 +402,8 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
 
     <para><filename>/etc/shorewall/interfaces:</filename></para>
 
-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
+    <programlisting>#ZONE        INTERFACE        OPTIONS
--            lo               -                 -</programlisting>
+-            lo               -</programlisting>
 
     <para><filename>/etc/shorewall/providers</filename>:</para>
 

docs/Shorewall_and_Aliased_Interfaces.xml

@@ -298,8 +298,8 @@ loc          ipv4</programlisting>
 
         <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
+        <programlisting>#ZONE       INTERFACE  OPTIONS
-loc         eth1       -                              <emphasis role="bold">routeback</emphasis>   </programlisting>
+loc         eth1       <emphasis role="bold">routeback</emphasis>   </programlisting>
 
         <para>In <filename>/etc/shorewall/rules</filename>, simply specify
         ACCEPT rules for the traffic that you want to permit.</para>
@@ -320,7 +320,7 @@ loc2         ipv4</programlisting>
 
         <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
+        <programlisting>#ZONE       INTERFACE  OPTIONS
 -           eth1       -   </programlisting>
 
         <para>In <filename>/etc/shorewall/hosts</filename>:</para>

docs/SimpleBridge.xml

@@ -108,9 +108,9 @@
 
     <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>#ZONE          INTERFACE       BROADCAST      OPTIONS
+    <programlisting>#ZONE          INTERFACE       OPTIONS
-net            eth0            detect         ...
+net            eth0            ...
-loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
+loc            <emphasis role="bold">br0</emphasis>             <emphasis
         role="bold">routeback</emphasis>,...</programlisting>
 
     <para>So the key points here are:</para>
@@ -140,9 +140,9 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
 
     <para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
     should also specify the <emphasis role="bold">bridge</emphasis>
-    option:<programlisting>#ZONE          INTERFACE       BROADCAST      OPTIONS
+    option:<programlisting>#ZONE          INTERFACE       OPTIONS
-net            eth0            detect         ...
+net            eth0            ...
-loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
+loc            <emphasis role="bold">br0</emphasis>             <emphasis
           role="bold">routeback,bridge</emphasis>,...</programlisting></para>
 
     <para>Your entry in <filename>/etc/shorewall/masq</filename> should be

docs/UPnP.xml

@@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>
 
     <para>Example:</para>
 
-    <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+    <programlisting>#ZONE   INTERFACE       OPTIONS
-net     eth1            detect          dhcp,routefilter,tcpflags,<emphasis
+net     eth1            dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
-        role="bold">upnp</emphasis></programlisting>
 
     <para>If your loc-&gt;fw policy is not ACCEPT then you need this
     rule:</para>

docs/VPNBasics.xml

@@ -203,8 +203,8 @@ loc             ipv4
 
     <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>#ZONE           INTERFACE          BROADCAST          OPTION
+    <programlisting>#ZONE           INTERFACE          OPTION
-net             eth0               -                  tcpflags,routefilter
+net             eth0               tcpflags,routefilter
 loc             eth1               -
 <emphasis role="bold">rem             ppp0               -</emphasis></programlisting>
   </section>
@@ -259,8 +259,8 @@ rem2            ipv4    #Remote LAN 2</emphasis></programlisting>
 
     <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>#ZONE           INTERFACE          BROADCAST          OPTION
+    <programlisting>#ZONE           INTERFACE          OPTION
-net             eth0               -                  tcpflags,routefilter
+net             eth0               tcpflags,routefilter
 loc             eth1               -
 <emphasis role="bold">-               tun+               -</emphasis></programlisting>
 

docs/XenMyWay-Routed.xml

@@ -580,16 +580,15 @@ OMAK=<IP address at our second home>
 
         <programlisting>echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</programlisting>
 
-        <para><filename>/etc/shorewall/interfaces</filename> (don't specify
+        <para><filename>/etc/shorewall/interfaces</filename>:</para>
-        the BROADCAST addresses if you are using Shorewall-perl):</para>
 
-        <programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+        <programlisting>#ZONE   INTERFACE       OPTIONS
-net     ${EXT_IF}       detect                  dhcp,logmartians=1,blacklist
+net     ${EXT_IF}       dhcp,logmartians=1,blacklist
-dmz     $DMZ_IF         detect                  logmartians=1
+dmz     $DMZ_IF         logmartians=1
-loc     $INT_IF         detect                  dhcp,logmartians=1,routeback,bridge
+loc     $INT_IF         dhcp,logmartians=1,routeback,bridge
-loc     $TEST_IF        detect                  optional
+loc     $TEST_IF        optional
-loc     $TEST1_IF       detect                  optional
+loc     $TEST1_IF       optional
-wifi    $WIFI_IF        detect                  dhcp,maclist,mss=1400
+wifi    $WIFI_IF        dhcp,maclist,mss=1400
 vpn     tun+            -
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
@@ -624,7 +623,7 @@ $EXT_IF:192.168.99.1    192.168.98.1    192.168.1.98
 
 COMMENT Masquerade Local Network
 
-$EXT_IF                 $INT_IF 206.124.146.179
+$EXT_IF                 192.168.1.0/24  206.124.146.179
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
 
         <para><filename>/etc/shorewall/proxyarp</filename>:</para>

docs/XenMyWay.xml

@@ -450,9 +450,9 @@ all             all             ACCEPT
 
         <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+        <programlisting>#ZONE   INTERFACE       OPTIONS
-loc     xenbr0          192.168.1.255   dhcp,routeback
+loc     xenbr0          dhcp,routeback
-dmz     xenbr1          -               routeback
+dmz     xenbr1          routeback
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
         <para><filename>/etc/shorewall/rules</filename>:</para>
@@ -601,11 +601,11 @@ OMAK=&lt;IP address at our second home&gt;
 
         <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-        <programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+        <programlisting>#ZONE   INTERFACE       OPTIONS
-net     $EXT_IF         206.124.146.255         dhcp,logmartians,blacklist,tcpflags,nosmurfs
+net     $EXT_IF         dhcp,logmartians,blacklist,tcpflags,nosmurfs
-dmz     $DMZ_IF         192.168.0.255           logmartians
+dmz     $DMZ_IF         logmartians
-loc     $INT_IF         192.168.1.255           dhcp,routeback,logmartians
+loc     $INT_IF         dhcp,routeback,logmartians
-wifi    $WIFI_IF        192.168.3.255           dhcp,maclist
+wifi    $WIFI_IF        dhcp,maclist
 vpn     tun+            -
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 

docs/bridge-Shorewall-perl.xml

@@ -596,8 +596,8 @@ all         all         REJECT        info
     is connected to <filename class="devicefile">eth0</filename> and the
     switch to <filename class="devicefile">eth1</filename>:</para>
 
-    <programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS
+    <programlisting>#ZONE    INTERFACE      OPTIONS
-world    br0            detect          bridge
+world    br0            bridge
 net      br0:eth0
 loc      br0:eth1
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
@@ -645,9 +645,9 @@ br0             192.168.1.0/24  routeback
 
     <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+    <programlisting>       #ZONE            INTERFACE       OPTIONS
-       world            br0             -               bridge
+       world            br0             bridge
-       world            br1             -               bridge
+       world            br1             bridge
        z1               br0:p+
        z2               br1:p+</programlisting>
 
@@ -657,11 +657,11 @@ br0             192.168.1.0/24  routeback
     configuration may be defined using the following in
     <filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+    <programlisting>       #ZONE            INTERFACE       OPTIONS
-       world            br0             -               bridge
+       world            br0             bridge
-       world            br1             -               bridge
+       world            br1             bridge
-       z1               br0:x+          -               physical=p+
+       z1               br0:x+          physical=p+
-       z2               br1:y+          -               physical=p+</programlisting>
+       z2               br1:y+          physical=p+</programlisting>
 
     <para>In this configuration, 'x+' is the logical name for ports p+ on
     bridge br0 while 'y+' is the logical name for ports p+ on bridge
@@ -710,11 +710,11 @@ loc                     ipv4</programlisting>
 
       <listitem>
         <para>The <filename>/etc/shorewall/interfaces</filename> file is as
-        follows:<programlisting>#ZONE    INTERFACE      BROADCAST     OPTIONS
+        follows:<programlisting>#ZONE    INTERFACE      OPTIONS
-pub      br0            detect        routefilter,bridge
+pub      br0            routefilter,bridge
 net      br0:eth0 
 dmz      br0:eth2
-loc      eth1           detect</programlisting></para>
+loc      eth1</programlisting></para>
       </listitem>
 
       <listitem>
@@ -887,7 +887,7 @@ col     ipv4     nomark</emphasis></programlisting>
       role="bold">loc</emphasis> spelled backward.</para>
     </note>
 
-    <programlisting>#ZONE     INTERFACES        BROADCAST       OPTIONS
+    <programlisting>#ZONE     INTERFACES        OPTIONS
 net       eth0              ...
 -         br0               ...
 zone1     br0:eth1          ...

docs/shorewall_setup_guide.xml

@@ -416,10 +416,10 @@ all              all                 REJECT     info</programlisting>
     url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
     </ulink>file, that file would might contain:</para>
 
-    <programlisting>#ZONE    INTERFACE      BROADCAST     OPTIONS
+    <programlisting>#ZONE    INTERFACE      OPTIONS
-net      eth0           detect
+net      eth0
-loc      eth1           detect
+loc      eth1
-dmz      eth2           detect</programlisting>
+dmz      eth2</programlisting>
 
     <para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
     in the /etc/shorewall/interfaces file.</para>
@@ -435,10 +435,10 @@ dmz      eth2           detect</programlisting>
     <example id="multi">
       <title>Multiple Interfaces to a Zone</title>
 
-      <programlisting>#ZONE    INTERFACE      BROADCAST     OPTIONS
+      <programlisting>#ZONE    INTERFACE      OPTIONS
-net      eth0           detect
+net      eth0
-loc      eth1           detect
+loc      eth1
-loc      eth2           detect</programlisting>
+loc      eth2</programlisting>
     </example>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@@ -1816,22 +1816,10 @@ ACCEPT   net             $FW                tcp    ssh     #SSH to the
       <para><filename>/etc/shorewall/interfaces</filename> (The
       <quote>options</quote> will be very site-specific).</para>
 
-      <programlisting>#ZONE    INTERFACE      BROADCAST     OPTIONS
+      <programlisting>#ZONE    INTERFACE      OPTIONS
-net      eth0           detect        routefilter
+net      eth0           routefilter
-loc      eth1           detect
+loc      eth1
-dmz      eth2           detect</programlisting>
+dmz      eth2</programlisting>
-
-      <para>The setup described here requires that your network interfaces be
-      brought up before Shorewall can start. This opens a short window during
-      which you have no firewall protection. If you replace
-      <quote>detect</quote> with the actual broadcast addresses in the entries
-      above, you can bring up Shorewall before you bring up your network
-      interfaces.</para>
-
-      <programlisting>#ZONE    INTERFACE      BROADCAST     OPTIONS
-net      eth0           192.0.2.255
-loc      eth1           192.168.201.7
-dmz      eth2           192.168.202.7</programlisting>
 
       <para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
 

docs/support.xml

@@ -42,7 +42,7 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink> is 4.5.</para>
+        url="ReleaseModel.html">major release</ulink>s are 4.5 and 4.6.</para>
 
         <note>
           <para>Shorewall versions earlier than 4.5.0 are no longer supported;
@@ -60,7 +60,7 @@
 
       <listitem>
         <para>The <ulink url="FAQ.htm">FAQ</ulink> has solutions to more than
-        90 common problems.</para>
+        100 common problems.</para>
       </listitem>
 
       <listitem>

docs/traffic_shaping.xml

@@ -1802,7 +1802,7 @@ qt ip link set dev ifb0 up</programlisting></para>
 
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE          INTERFACE         BROADCAST
+      <programlisting>#ZONE          INTERFACE         OPTIONS
 -              ifb0</programlisting>
 
       <para><filename>/etc/shorewall/tcdevices</filename>:</para>

docs/two-interface.xml

@@ -1229,8 +1229,8 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
         network interface. If the wireless interface is <filename
         class="devicefile">wlan0</filename>, the entry might look like:</para>
 
-        <programlisting>#ZONE     INTERFACE       BROADCAST          OPTIONS
+        <programlisting>#ZONE     INTERFACE       OPTIONS
-loc       wlan0           detect             maclist</programlisting>
+loc       wlan0           maclist</programlisting>
 
         <para>As shown in the above entry, I recommend using the <ulink
         url="MAC_Validation.html">maclist option</ulink> for the wireless

docs/upgrade_issues.xml

@@ -78,6 +78,166 @@
     zones.</para>
   </section>
 
+  <section>
+    <title>Version &gt;= 4.6.0</title>
+
+    <orderedlist>
+      <listitem>
+        <para>Beginning with Shorewall 4.6.0, ection headers are now preceded
+        by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
+        'SECTION' entries, the following warning is issued: </para>
+
+        <programlisting>WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ...</programlisting>
+
+        <para>As mentioned in the message, running 'shorewall[6] update -D'
+        will eliminate the warning.</para>
+      </listitem>
+
+      <listitem>
+        <para>Beginning with Shorewall 4.6.0, the 'tcrules' file has been
+        superceded by the 'mangle' file. Existing 'tcrules' files will still
+        be processed, with the restriction that TPROXY is no longer supported
+        in FORMAT 1. If your 'tcrules' file has non-commentary entries, the
+        following warning message is issued:</para>
+
+        <programlisting>WARNING: Non-empty tcrules file (...); consider running 'shorewall update -t'</programlisting>
+
+        <para>See <ulink url="manpages/shorewall.html">shorewall</ulink>(8)
+        for limitations of 'update -t'.</para>
+      </listitem>
+
+      <listitem>
+        <para>The default value LOAD_HELPERS_ONLY is now 'Yes'.</para>
+      </listitem>
+
+      <listitem>
+        <para> Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are
+        deprecated and a warning will be issued for each FORMAT-1 action or
+        macro found.</para>
+
+        <programlisting>WARNING: FORMAT-1 actions are deprecated and support will be dropped in a future release.</programlisting>
+
+        <programlisting>WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release.</programlisting>
+
+        <para> To eliminate these warnings, add the following line before the
+        first rule in the action or macro: </para>
+
+        <programlisting>?FORMAT 2</programlisting>
+
+        <para>and adjust the columns appropriately. FORMAT-1 actions have the
+        following columns:</para>
+
+        <simplelist>
+          <member>TARGET</member>
+
+          <member>SOURCE</member>
+
+          <member>DEST</member>
+
+          <member>PROTO</member>
+
+          <member>DEST PORT(S)</member>
+
+          <member>SOURCE PORT(S)</member>
+
+          <member>RATE/LIMIT</member>
+
+          <member>USER/GROUP</member>
+
+          <member>MARK</member>
+        </simplelist>
+
+        <para>while FORMAT-2 actions have these columns:</para>
+
+        <simplelist>
+          <member>TARGET</member>
+
+          <member>SOURCE</member>
+
+          <member>DEST</member>
+
+          <member>PROTO</member>
+
+          <member>DEST PORT(S)</member>
+
+          <member>SOURCE PORT(S)</member>
+
+          <member>ORIGINAL DEST</member>
+
+          <member>RATE/LIMIT</member>
+
+          <member>USER/GROUP</member>
+
+          <member>MARK</member>
+
+          <member>CONLIMIT</member>
+
+          <member>TIME</member>
+
+          <member>HEADERS (Used in IPv6 only)</member>
+
+          <member>CONDITION</member>
+
+          <member>HELPER</member>
+        </simplelist>
+
+        <para>FORMAT-1 macros have the following columns:</para>
+
+        <simplelist>
+          <member>TARGET</member>
+
+          <member>SOURCE</member>
+
+          <member>DEST</member>
+
+          <member>PROTO</member>
+
+          <member>DEST PORT(S)</member>
+
+          <member>SOURCE PORT(S)</member>
+
+          <member>RATE/LIMIT</member>
+
+          <member>USER/GROUP</member>
+        </simplelist>
+
+        <para>while FORMAT-2 macros have the following columns:</para>
+
+        <simplelist>
+          <member>TARGET</member>
+
+          <member>SOURCE</member>
+
+          <member>DEST</member>
+
+          <member>PROTO</member>
+
+          <member>DEST PORT(S)</member>
+
+          <member>SOURCE PORT(S)</member>
+
+          <member>ORIGINAL DEST</member>
+
+          <member>RATE/LIMIT</member>
+
+          <member>USER/GROUP</member>
+
+          <member>MARK</member>
+
+          <member>CONLIMIT</member>
+
+          <member>TIME</member>
+
+          <member>HEADERS (Used in IPv6 only)</member>
+
+          <member>CONDITION</member>
+
+          <member>HELPER</member>
+        </simplelist>
+      </listitem>
+    </orderedlist>
+  </section>
+
   <section>
     <title>Versions &gt;= 4.5.0</title>
 
@@ -342,6 +502,26 @@
           <member><filename>tunnels</filename></member>
         </simplelist>
       </listitem>
+
+      <listitem>
+        <para>To allow finer-grained selection of the connection-tracking
+        states that are passed through blacklists (both dynamic and static), a
+        BLACKLIST option was added to shorewall.conf and shorewall6.conf in
+        Shorewall 4.5.13.</para>
+
+        <para>The BLACKLISTNEWONLY option was deprecated at that point. A
+        'shorewall update' ( 'shorewall6 update' ) will replace the
+        BLACKLISTNEWONLY option with the equivalent BLACKLIST option.</para>
+      </listitem>
+
+      <listitem>
+        <para>In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
+        BLACKLIST_LOG_LEVEL to be consistent with the other log-level option
+        names. BLACKLIST_LOGLEVEL continues to be accepted as a synonym for
+        BLACKLIST_LOG_LEVEL, but a 'shorewall update' or 'shorewall6 update'
+        command will replace BLACKLIST_LOGLEVEL with BLACKLIST_LOG_LEVEL in
+        the new .conf file.</para>
+      </listitem>
     </orderedlist>
   </section>