Save/restore nat OUTPUT jump to DOCKER

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #

Shorewall-core/lib.cli

@@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc() {
+show_tc1() {
 
     show_one_tc() {
 	local device
@@ -292,6 +292,19 @@ show_tc() {
 
 }
 
+show_tc() {
+    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+    echo
+    shift
+
+    if [ -z "$1" ]; then
+	$g_tool -t mangle -L -n -v | $output_filter
+	echo
+    fi
+
+    show_tc1 $1
+}
+
 #
 # Show classifier information
 #
@@ -928,6 +941,202 @@ show_actions() {
 	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
     fi
 }
+
+show_chain() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    if [ $# -gt 0 ]; then
+	for chain in $*; do
+	    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	    echo
+	done
+    else
+	$g_tool -t $table -L $g_ipt_options | $output_filter
+    fi
+}
+
+show_chains() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    for chain in $*; do
+	$g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	echo
+    done
+}
+
+show_table() {
+    echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t $table -L $g_ipt_options | $output_filter
+}
+
+show_nat() {
+    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t nat -L $g_ipt_options | $output_filter
+}
+
+show_raw() {
+    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t raw -L $g_ipt_options | $output_filter
+}
+
+show_rawpost() {
+    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+}
+
+show_mangle() {
+    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t mangle -L $g_ipt_options | $output_filter
+}
+
+show_classifiers_command() {
+    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+    echo
+    show_classifiers
+}
+
+show_ip_addresses() {
+    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+    echo
+    ip -$g_family addr list
+}
+
+show_routing_command() {
+    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+    echo
+    show_routing
+}
+
+show_policies() {
+    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
+    echo
+    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
+}
+
+show_ipa() {
+    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
+    echo
+    perip_accounting
+}
+
+show_arptables() {
+    echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+    echo
+    $arptables -L -n -v
+}
+
+show_log() {
+    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
+    echo
+    show_reset
+    host=$(echo $g_hostname | sed 's/\..*$//')
+
+    if [ $# -eq 2 ]; then
+	eval search_log $2
+    elif [ -n "$g_pager" ]; then
+	packet_log 100
+    else
+	packet_log 20
+    fi
+}
+
+show_connections() {
+    if [ $g_family -eq 4 ]; then
+	if [ -d /proc/sys/net/netfilter/ ]; then
+	    local count
+	    local max
+	    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	else
+	    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	fi
+
+	echo
+
+	if qt mywhich conntrack ; then
+	    shift
+	    conntrack -f ipv4 -L $@ | show_connections_filter
+	else
+	    [ $# -gt 1 ] && usage 1
+	    if [ -f /proc/net/ip_conntrack ]; then
+		cat /proc/net/ip_conntrack | show_connections_filter
+	    else
+		grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
+	    fi
+	fi
+    elif qt mywhich conntrack ; then
+	shift
+	echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	echo
+	conntrack -f ipv6 -L $@ | show_connections_filter
+    else
+	[ $# -gt 1 ] && usage 1
+	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+	    echo
+	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+	fi
+    fi
+}
+
+show_nfacct_command() {
+    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+    echo
+    show_nfacct
+}
+
+show_events_command() {
+    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+    echo
+    show_events
+}
+
+show_blacklists() {
+    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+    echo
+    show_bl;
+}
+
+show_actions_sorted() {
+    show_actions | sort
+}
+
+show_macros() {
+    for directory in $(split $CONFIG_PATH); do
+	temp=
+	for macro in ${directory}/macro.*; do
+	    case $macro in
+		*\*)
+                ;;
+		*)
+		    if [ -z "$temp" ]; then
+			echo
+			echo "Macros in $directory:"
+			echo
+			temp=Yes
+		    fi
+		    show_macro
+		    ;;
+	    esac
+	done
+    done
+}
+
 #
 # Show Command Executor
 #
@@ -1042,108 +1251,37 @@ show_command() {
 
     case "$1" in
 	connections)
-	    if [ $g_family -eq 4 ]; then
+	    eval show_connections $@ $g_pager
-		if [ -d /proc/sys/net/netfilter/ ]; then
-		    local count
-		    local max
-		    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
-		else
-		    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		fi
-
-		echo
-
-		if qt mywhich conntrack ; then
-		    shift
-		    conntrack -f ipv4 -L $@ | show_connections_filter
-		else
-		    [ $# -gt 1 ] && usage 1
-		    if [ -f /proc/net/ip_conntrack ]; then
-			cat /proc/net/ip_conntrack | show_connections_filter
-		    else
-			grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
-		    fi
-	        fi
-	    elif qt mywhich conntrack ; then
-		shift
-		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
-	    else
-		[ $# -gt 1 ] && usage 1
-		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
-		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-		    echo
-		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
-		fi
-	    fi
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+	    eval show_nat $g_pager
-	    echo
-	    show_reset
-	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+	    eval show_raw $g_pager
-	    echo
-	    show_reset
-	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+	    eval show_rawpost $g_pager
-	    echo
-	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+	    eval show_mangle $g_pager
-	    echo
-	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 
 	    setup_logread
-
+	    eval show_log $g_pager
-	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    host=$(echo $g_hostname | sed 's/\..*$//')
-
-	    if [ $# -eq 2 ]; then
-		search_log $2
-	    else
-		packet_log 20
-	    fi
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+	    eval show_tc $@ $g_pager
-	    echo
-	    shift
-
-	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v | $output_filter
-		echo
-	    fi
-
-	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+	    eval show_classifiers_command $g_pager
-	    echo
-	    show_classifiers
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
@@ -1173,22 +1311,18 @@ show_command() {
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
-		report_capabilities1
+		eval report_capabilities1 $g_pager
 	    else
-		report_capabilities
+		eval report_capabilities $g_pager
 	    fi
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+	    eval show_ip_addresses $g_pager
-	    echo
-	    ip -$g_family addr list
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+	    eval show_routing_command $g_pager
-	    echo
-	    show_routing
 	    ;;
 	config)
 	    . ${g_sharedir}/configpath
@@ -1210,33 +1344,19 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+	    eval show_chain $@ $g_pager
-	    echo
-	    show_reset
-	    if [ $# -gt 0 ]; then
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
-	    else
-		$g_tool -t $table -L $g_ipt_options | $output_filter
-	    fi
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
+	    eval show_policies $g_pager
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
 	    ;;
 	ipa)
 	    [ $g_family -eq 4 ] || usage 1
-	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
-	    echo
 	    [ $# -gt 1 ] && usage 1
-	    perip_accounting
+	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && usage 1
@@ -1246,17 +1366,13 @@ show_command() {
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+	    eval show_nfacct_command $g_pager
-	    echo
-	    show_nfacct
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && usage 1
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
-		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+		eval show_arptables $g_pager
-		echo
-		$arptables -L -n -v
 	    else
 		error_message "Cannot locate the arptables executable"
 	    fi
@@ -1270,15 +1386,11 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+	    eval show_events_command $g_pager
-	    echo
-	    show_events
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+	    eval show_blacklists $g_pager
-	    echo
-	    show_bl;
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && usage 1
@@ -1298,7 +1410,7 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    show_actions | sort
+			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
@@ -1315,25 +1427,7 @@ show_command() {
 			    ;;
 			macros)
 			    [ $# -gt 1 ] && usage 1
-
+			    eval show_macros $g_pager
-			    for directory in $(split $CONFIG_PATH); do
-				temp=
-				for macro in ${directory}/macro.*; do
-				    case $macro in
-					*\*)
-                                            ;;
-					*)
-				            if [ -z "$temp" ]; then
-						echo
-						echo "Macros in $directory:"
-						echo
-						temp=Yes
-					    fi
-					    show_macro
-					    ;;
-				    esac
-				done
-			    done
 			    return
 			    ;;
 		    esac
@@ -1355,18 +1449,9 @@ show_command() {
 		    fi
 					 done
 
-		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+		eval show_chains $@ $g_pager
-		echo
-		show_reset
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
 	    else
-		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+		eval show_table $g_pager
-		echo
-		show_reset
-		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
     esac
@@ -1417,12 +1502,16 @@ dump_filter() {
 		;;
 	esac
 
-	$command $filter
+	eval $command $filter $g_pager
     else
 	cat -
     fi
 }
 
+dump_filter_wrapper() {
+    eval dump_filter $g_pager
+}
+
 #
 # Dump Command Executor
 #
@@ -1633,14 +1722,14 @@ do_dump_command() {
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
-	show_tc
+	show_tc1
 	heading "TC Filters"
 	show_classifiers
 	fi
 }
 
 dump_command() {
-    do_dump_command $@ | dump_filter
+    do_dump_command $@ | dump_filter_wrapper
 }
 
 #
@@ -3700,6 +3789,23 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+     fi
+
     lib=$(find_file lib.cli-user)
 
     [ -f $lib ] && . $lib
@@ -4040,6 +4146,7 @@ shorewall_cli() {
     g_counters=
     g_loopback=
     g_compiled=
+    g_pager=
 
     VERBOSE=
     VERBOSITY=1

Shorewall-core/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #

Shorewall-init/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net

Shorewall-init/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #

Shorewall-lite/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #

Shorewall-lite/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #

Shorewall/Macros/macro.SNMPTrap

@@ -1,9 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles SNMP traps.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
-PARAM	-	-	udp	162
+SNMPtrap

Shorewall/Macros/macro.SNMPtrap

@@ -0,0 +1,9 @@
+#
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+#
+# This macro handles SNMP traps.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	162

Shorewall/Perl/Shorewall/Chains.pm

@@ -264,6 +264,7 @@ our %EXPORT_TAGS = (
                                        have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
+				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
@@ -1525,8 +1526,7 @@ sub create_irule( $$$;@ ) {
 }
 
 #
-# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
+# Clone an existing rule.
-# reference and the old.
 #
 sub clone_irule( $ ) {
     my $oldruleref = $_[0];
@@ -3003,7 +3003,8 @@ sub initialize_chain_table($) {
 	}
     }
 
-    if ( $config{DOCKER} ) {
+    if ( my $docker = $config{DOCKER} ) {
+	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
@@ -3011,6 +3012,9 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
     }
 
     my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -8063,16 +8067,29 @@ sub emitr1( $$ ) {
 sub save_docker_rules($) {
     my $tool = $_[0];
 
-    emit( qq(),
+    emit( qq(if [ -n "\$g_docker" ]; then),
-	  qq(if [ -n "\$g_docker" ]; then),
+	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
-	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
+	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
-	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
-	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
+	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(else),
+	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
-	  qq(    rm -f \$VARDIR/.nat_DOCKER),
+	);
-	  qq(    rm -f \$VARDIR/.nat_POSTROUTING),
+
-	  qq(    rm -f \$VARDIR/.filter_DOCKER),
+    if ( known_interface( 'docker0' ) ) {
-	  qq(fi)
+	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
+    } else {
+	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+    }
+
+    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
+	  q(else),
+	  q(    rm -f ${VARDIR}/.nat_DOCKER),
+	  q(    rm -f ${VARDIR}/.net_OUTPUT),
+	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+	  q(    rm -f ${VARDIR}/.filter_FORWARD),
+	  q(fi)
 	)
 }
 
@@ -8109,7 +8126,6 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
-	save_docker_rules( $tool ) if $config{DOCKER};
     } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8139,28 +8155,13 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
-EOF
-
-    if ( have_capability 'IPTABLES_S' ) {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
-	save_docker_rules( $tool ) if $config{DOCKER};
-    } else {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
-    }
-
-emit <<"EOF";
-    fi
-fi
 EOF
 
     pop_indent;
 
     emit ( 'fi' ,
 	   '' );
+    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }
 
 sub ensure_ipset( $ ) {
@@ -8452,7 +8453,7 @@ sub create_netfilter_load( $ ) {
 
 	my @chains;
 	#
-	# iptables-restore seems to be quite picky about the order of the builtin chains
+	# Iptables-restore seems to be quite picky about the order of the builtin chains
 	#
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
@@ -8470,12 +8471,19 @@ sub create_netfilter_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
+
+		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
 			enter_cmd_mode;
-		    emit( 'if [ -n "$g_docker" ]; then',
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			  '    echo ":DOCKER - [0:0]" >&3',
-			  'fi' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
@@ -8567,12 +8575,18 @@ sub preview_netfilter_load() {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
+		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
 			enter_cmd_mode;
-		    emit( 'if [ -n "$g_docker" ]; then',
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			  '    echo ":DOCKER - [0:0]" >&3',
-			  'fi' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
@@ -8797,12 +8811,18 @@ sub create_stop_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
+		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
 			enter_cmd_mode;
-		    emit( 'if [ -n "$g_docker" ]; then',
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			  '    echo ":DOCKER - [0:0]" >&3',
-			  'fi' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -263,10 +263,13 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	);
 
+    if ( $config{DOCKER} ) {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
-	  ''
+	    );
-	) if $config{DOCKER};
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
+    }
 
     pop_indent;
 

Shorewall/Perl/Shorewall/Config.pm

@@ -876,6 +876,7 @@ sub initialize( $;$$) {
 	  LEGACY_RESTART => undef ,
 	  RESTART => undef ,
 	  DOCKER => undef ,
+	  PAGER => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -4912,6 +4913,7 @@ sub update_config_file( $ ) {
     update_default( 'USE_DEFAULT_RT', 'No' );
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
+    update_default( 'PAGER',          '' );
 
     my $fn;
 
@@ -6438,7 +6440,7 @@ sub generate_aux_config() {
 
     if ( -f $fn ) {
 	emit( '',
-	      'dump_filter() {' );
+	      'dump_filter1() {' );
 	push_indent;
 	append_file( $fn,1 ) or emit 'cat -';
 	pop_indent;

Shorewall/Perl/Shorewall/Misc.pm

@@ -132,7 +132,7 @@ sub setup_ecn()
 	    }
 
 	    for my $host ( @hosts ) {
-		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
     }
@@ -629,38 +629,23 @@ sub process_stoppedrules() {
 }
 
 sub create_docker_rules() {
-    my $chainref = $nat_table->{PREROUTING};
+    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
+    my $chainref = $filter_table->{FORWARD};
+
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+
+    if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
-    add_ijump( $chainref, j => 'DOCKER', addrtype => '--dst-type LOCAL' );
+	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
-
-    add_commands( $chainref = $nat_table->{OUTPUT} , 'if [ -n "$g_docker" ]; then' );
-    incr_cmd_level( $chainref );
-    add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '! 127.0.0.0/8', addrtype => '--dst-type LOCAL' );
-    decr_cmd_level( $chainref );
-    add_commands( $chainref, 'fi' );
-
-    add_commands( $chainref = $filter_table->{FORWARD}, 'if [ -n "$g_docker" ]; then' );
-    incr_cmd_level( $chainref );
-    add_ijump_extended( $chainref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
-
-    unless ( known_interface('docker0') ) {
-	#
-	# Emulate the Docker-generated rules
-	#
-	add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
-	#
-	# Docker creates two ACCEPT rules for traffic forwarded from docker0 -- one for routeback and one for the rest
-	# We combine them into a single rule
-	#
-	add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0' );
     }
 
-    decr_cmd_level( $chainref );
+    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
-    add_commands( $chainref, 'fi' );
 }
 
 sub setup_mss();
@@ -2493,9 +2478,18 @@ EOF
     if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
         echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
     fi
-
 EOF
 
+    if ( $config{DOCKER} ) {
+	push_indent;
+	emit( 'if [ $COMMAND = stop ]; then' );
+	push_indent;
+	save_docker_rules( $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}');
+	pop_indent;
+	emit( "fi\n");
+	pop_indent;
+    }
+
     if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
     if [ -f ${VARDIR}/nat ]; then

Shorewall/Perl/Shorewall/Rules.pm

@@ -1178,12 +1178,11 @@ sub finish_section ( $ ) {
 #
 # Internally, action invocations are uniquely identified by a 5-tuple that
 # includes the action name, log level, log tag, calling chain and params.
-# The pieces of the tuple are separated by ":".
+# The pieces of the tuple are separated by ":". The calling chain is non-empty
+# only when the action refers to @CALLER.
 #
 sub normalize_action( $$$ ) {
-    my $action = shift;
+    my ( $action, $level, $param ) = @_;
-    my $level  = shift;
-    my $param  = shift;
     my $caller = '';     #We assume that the function doesn't use @CALLER
 
     ( $level, my $tag ) = split ':', $level;
@@ -1589,7 +1588,7 @@ sub allowBcast( $$$$ ) {
     if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
-	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
 	}
 
 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';

Shorewall/Perl/Shorewall/Tc.pm

@@ -499,6 +499,25 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	ECN       => {
+	    defaultchain   => POSTROUTING,
+	    allowedchains  => ALLCHAINS,
+	    minparams      => 0,
+	    maxparams      => 0,
+	    function       => sub() {
+		fatal_error "The ECN target is only available with IPv4" if $family == F_IPV6;
+
+		if ( $proto eq '-' ) {
+		    $proto = TCP;
+		} else {
+		    $proto = resolve_proto( $proto ) || 0;
+		    fatal_error "Only PROTO tcp (6) is allowed with the ECN action" unless $proto == TCP;
+		}
+
+		$target = 'ECN --ecn-tcp-remove';
+	    }
+	},
+
 	HL        => {
 	    defaultchain   => FORWARD,
 	    allowedchains  => PREROUTING | FORWARD,

Shorewall/Perl/lib.core

@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #

Shorewall/Perl/prog.footer

@@ -126,6 +126,7 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockernetwork=
 
 initialize
 

Shorewall/Samples/Universal/shorewall.conf

@@ -17,6 +17,12 @@ STARTUP_ENABLED=Yes
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -25,6 +25,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

Shorewall/configfiles/shorewall.conf

@@ -17,6 +17,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall
 #
-#     (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #

Shorewall/lib.cli-std

@@ -316,6 +316,23 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+    fi
+
     lib=$(find_file lib.cli-user)
 
     [ -f $lib ] && . $lib

Shorewall/manpages/shorewall-mangle.xml

@@ -339,6 +339,18 @@ DIVERTHA        -               -               tcp</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">ECN</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.6 as an alternative to entries in
+                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                supplied, TCP is assumed. This action causes all ECN bits in
+                the TCP header to be cleared.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>

Shorewall/manpages/shorewall.conf.xml

@@ -738,11 +738,15 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Added in Shorewall 5.0.6. When set to Yes, the generated
+          <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
-          script will save Docker-generated rules before and restore them
+          the generated script will save Docker-generated rules before and
-          after executing the start, reload and restart commands. If set to No
+          restore them after executing the <command>start</command>,
+          <command>stop</command>, <command>reload</command> and
+          <command>restart</command> commands. If set to <option>No</option>
           (the default), the generated script will delete any Docker-generated
-          rules when executing those commands.</para>
+          rules when executing those commands. See<ulink url="/Docker.html">
+          http://www.shorewall.net/Docker.html</ulink> for additional
+          information.</para>
         </listitem>
       </varlistentry>
 
@@ -1948,6 +1952,19 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis

Shorewall/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #

Shorewall6-lite/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6 Lite
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -18,6 +18,12 @@ STARTUP_ENABLED=Yes
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -19,6 +19,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/configfiles/shorewall6.conf

@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 
 VERBOSITY=1
 
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################

Shorewall6/manpages/shorewall6.conf.xml

@@ -1691,6 +1691,19 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis

Shorewall6/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #

docs/Docker.xml

@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Docker Support</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2016</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Shorewall 5.0.5 and Earlier</title>
+
+    <para>Both Docker and Shorewall assume that they 'own' the iptables
+    configuration. This leads to problems when Shorewall is restarted or
+    reloaded, because it drops all of the rules added by Docker. Fortunately,
+    the extensibility features in Shorewall allow users to <ulink
+    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
+    their own solution</ulink> for saving the Docker-generated rules before
+    these operations and restoring them afterwards.</para>
+  </section>
+
+  <section>
+    <title>Shorewall 5.0.6 and Later</title>
+
+    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
+    simple Docker configurations. This support is enabled by setting
+    DOCKER=Yes in shorewall.conf. With this setting, the generated script
+    saves the Docker-created ruleset before executing a
+    <command>stop</command>, <command>start</command>,
+    <command>restart</command> or <command>reload</command> operation and
+    restores those rules along with the Shorewall-generated ruleset.</para>
+
+    <para>This support assumes that the default Docker bridge (docker0) is
+    being used. It is recommended that this bridge be defined to Shorewall in
+    <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
+    As shown below, you can control inter-container communication using the
+    <option>bridge</option> and <option>routeback</option> options. If docker0
+    is not defined to Shorewall, then Shorewall will save and restore the
+    FORWARD chain rules involving that interface.</para>
+
+    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+
+    <programlisting>DOCKER=Yes</programlisting>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE         TYPE        OPTIONS
+dock          ipv4        #'dock' is just an example -- call it anything you like</programlisting>
+
+    <para><filename>/etc/shorewall/policy</filename>:</para>
+
+    <programlisting>#SOURCE        DEST        POLICY         LEVEL
+dock           $FW         REJECT
+dock           all         ACCEPT</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge   #Allow ICC (bridge implies routeback=1)</programlisting>
+
+    <para>or</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge,routeback=0   #Disallow ICC</programlisting>
+  </section>
+</article>

docs/Documentation_Index.xml

@@ -265,7 +265,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
+            <entry><ulink url="Docker.html">Docker</ulink></entry>
 
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
@@ -275,8 +275,7 @@
           </row>
 
           <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
+            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
-            subnet</ulink></entry>
 
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
@@ -285,7 +284,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Events.html">Events</ulink></entry>
+            <entry><ulink url="ECN.html">ECN Disabling by host or
+            subnet</ulink></entry>
 
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
@@ -294,8 +294,7 @@
           </row>
 
           <row>
-            <entry><ulink url="shorewall_extension_scripts.htm">Extension
+            <entry><ulink url="Events.html">Events</ulink></entry>
-            Scripts (User Exits)</ulink></entry>
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
@@ -304,8 +303,8 @@
           </row>
 
           <row>
-            <entry><ulink
+            <entry><ulink url="shorewall_extension_scripts.htm">Extension
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            Scripts (User Exits)</ulink></entry>
 
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
@@ -315,7 +314,8 @@
           </row>
 
           <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
+            url="fallback.htm">Fallback/Uninstall</ulink></entry>
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
@@ -324,8 +324,7 @@
           </row>
 
           <row>
-            <entry><ulink
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
-            url="shorewall_features.htm">Features</ulink></entry>
 
             <entry><ulink url="PortKnocking.html">Port Knocking
             (deprecated)</ulink></entry>
@@ -334,8 +333,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            <entry><ulink
-            Same Interface</ulink></entry>
+            url="shorewall_features.htm">Features</ulink></entry>
 
             <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
             and Other Uses of the 'Recent Match'</ulink></entry>
@@ -344,18 +343,28 @@
           </row>
 
           <row>
-            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            Same Interface</ulink></entry>
 
             <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
 
             <entry/>
           </row>
 
+          <row>
+            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+
+            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+
+            <entry/>
+          </row>
+
           <row>
             <entry><ulink url="FoolsFirewall.html">Fool's
             Firewall</ulink></entry>
 
-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            Guides</ulink></entry>
 
             <entry/>
           </row>
@@ -364,8 +373,7 @@
             <entry><ulink url="Helpers.html">Helpers/Helper
             Modules</ulink></entry>
 
-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
-            Guides</ulink></entry>
 
             <entry/>
           </row>
@@ -374,14 +382,6 @@
             <entry><ulink
             url="Install.htm">Installation/Upgrade</ulink></entry>
 
-            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
-
-            <entry/>
-          </row>
-
-          <row>
-            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
-
             <entry><ulink
             url="shorewall_prerequisites.htm">Requirements</ulink></entry>
 
@@ -389,7 +389,7 @@
           </row>
 
           <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
 
             <entry><ulink url="Shorewall_and_Routing.html">Routing and
             Shorewall</ulink></entry>
@@ -398,7 +398,7 @@
           </row>
 
           <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
 
             <entry><ulink url="Multiple_Zones.html">Routing on One
             Interface</ulink></entry>
@@ -407,18 +407,27 @@
           </row>
 
           <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
 
             <entry><ulink url="samba.htm">Samba</ulink></entry>
 
             <entry/>
           </row>
 
+          <row>
+            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+
+            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+
+            <entry/>
+          </row>
+
           <row>
             <entry><ulink url="ISO-3661.html">ISO 3661 Country
             Codes</ulink></entry>
 
-            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
+            Init</ulink></entry>
 
             <entry/>
           </row>
@@ -427,8 +436,8 @@
             <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
             Filtering</ulink></entry>
 
-            <entry><ulink url="Shorewall-init.html">Shorewall
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Init</ulink></entry>
+            Lite</ulink></entry>
 
             <entry/>
           </row>
@@ -437,8 +446,7 @@
             <entry><ulink url="kernel.htm">Kernel
             Configuration</ulink></entry>
 
-            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            <entry/>
-            Lite</ulink></entry>
 
             <entry/>
           </row>

docs/ECN.xml

@@ -118,6 +118,10 @@
           </tgroup>
         </table></para>
     </example>
+
+    <para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
+    ECN flags through use of the ECN action in <ulink
+    url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
   </section>
 
   <lot/>

docs/shorewall_features.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Shorewall 4.4/4.5/4.6 Features</title>
+    <title>Shorewall 5.0 Features</title>
 
     <author>
       <firstname>Tom</firstname>
@@ -16,7 +16,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2014</year>
+      <year>2001-2016</year>
 
       <holder>Thomas M Eastep</holder>
     </copyright>
@@ -32,13 +32,6 @@
     </legalnotice>
   </articleinfo>
 
-  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
-    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation for that
-    release.</emphasis></para>
-  </caution>
-
   <section id="Features">
     <title>Features</title>
 
@@ -278,6 +271,10 @@
           <listitem>
             <para><ulink url="LXC.html">LXC</ulink></para>
           </listitem>
+
+          <listitem>
+            <para>Docker (Shorewall 5.0.6 and later)</para>
+          </listitem>
         </itemizedlist>
       </listitem>
     </itemizedlist>

docs/shorewall_logging.xml

@@ -321,6 +321,27 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis
           role="bold">log levels</emphasis>, just like info, debug, etc. even
           though they are not defined by syslog.</para>
         </important></para>
+
+      <para>Here is a copy of a ulogd.conf file that logs to
+      /var/log/firewall. It was contributed by a Shorewall user on IRC:</para>
+
+      <programlisting>[global]
+user="ulogd"
+logfile="/var/log/ulogd/ulogd.log"
+loglevel=7
+
+plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
+plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
+plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
+
+stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
+
+[firewall]
+file="/var/log/firewall"
+sync=1</programlisting>
     </section>
   </section>