Save/restore nat OUTPUT jump to DOCKER

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Avoid duplicate rules after reload
2016-03-04 12:21:45 -08:00 · 2016-03-04 11:09:53 -08:00 · 2016-03-04 10:20:55 -08:00 · 2016-03-04 09:27:47 -08:00 · 2016-03-04 09:27:04 -08:00 · 2016-03-03 14:11:57 -08:00
40 changed files with 697 additions and 300 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc() {
+show_tc1() {
    show_one_tc() {
 	local device
@@ -292,6 +292,19 @@ show_tc() {
 }
 show_tc() {
    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
    echo
    shift
    if [ -z "$1" ]; then
 	$g_tool -t mangle -L -n -v | $output_filter
 	echo
    fi
    show_tc1 $1
 }
 #
 # Show classifier information
 #
@@ -928,6 +941,202 @@ show_actions() {
 	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
    fi
 }
 show_chain() {
    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
    echo
    show_reset
    if [ $# -gt 0 ]; then
 	for chain in $*; do
 	    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 	    echo
 	done
    else
 	$g_tool -t $table -L $g_ipt_options | $output_filter
    fi
 }
 show_chains() {
    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
    echo
    show_reset
    for chain in $*; do
 	$g_tool -t $table -L $chain $g_ipt_options | $output_filter
 	echo
    done
 }
 show_table() {
    echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t $table -L $g_ipt_options | $output_filter
 }
 show_nat() {
    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t nat -L $g_ipt_options | $output_filter
 }
 show_raw() {
    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t raw -L $g_ipt_options | $output_filter
 }
 show_rawpost() {
    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 }
 show_mangle() {
    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t mangle -L $g_ipt_options | $output_filter
 }
 show_classifiers_command() {
    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
    echo
    show_classifiers
 }
 show_ip_addresses() {
    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
    echo
    ip -$g_family addr list
 }
 show_routing_command() {
    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
    echo
    show_routing
 }
 show_policies() {
    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
    echo
    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
 }
 show_ipa() {
    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
    echo
    perip_accounting
 }
 show_arptables() {
    echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
    echo
    $arptables -L -n -v
 }
 show_log() {
    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
    echo
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')
    if [ $# -eq 2 ]; then
 	eval search_log $2
    elif [ -n "$g_pager" ]; then
 	packet_log 100
    else
 	packet_log 20
    fi
 }
 show_connections() {
    if [ $g_family -eq 4 ]; then
 	if [ -d /proc/sys/net/netfilter/ ]; then
 	    local count
 	    local max
 	    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
 	else
 	    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 	fi
 	echo
 	if qt mywhich conntrack ; then
 	    shift
 	    conntrack -f ipv4 -L $@ | show_connections_filter
 	else
 	    [ $# -gt 1 ] && usage 1
 	    if [ -f /proc/net/ip_conntrack ]; then
 		cat /proc/net/ip_conntrack | show_connections_filter
 	    else
 		grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
 	    fi
 	fi
    elif qt mywhich conntrack ; then
 	shift
 	echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 	echo
 	conntrack -f ipv6 -L $@ | show_connections_filter
    else
 	[ $# -gt 1 ] && usage 1
 	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
 	fi
    fi
 }
 show_nfacct_command() {
    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
    echo
    show_nfacct
 }
 show_events_command() {
    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
    echo
    show_events
 }
 show_blacklists() {
    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
    echo
    show_bl;
 }
 show_actions_sorted() {
    show_actions | sort
 }
 show_macros() {
    for directory in $(split $CONFIG_PATH); do
 	temp=
 	for macro in ${directory}/macro.*; do
 	    case $macro in
 		*\*)
                ;;
 		*)
 		    if [ -z "$temp" ]; then
 			echo
 			echo "Macros in $directory:"
 			echo
 			temp=Yes
 		    fi
 		    show_macro
 		    ;;
 	    esac
 	done
    done
 }
 #
 # Show Command Executor
 #
@@ -1042,108 +1251,37 @@ show_command() {
    case "$1" in
 	connections)
-	    if [ $g_family -eq 4 ]; then
+	    eval show_connections $@ $g_pager
 		if [ -d /proc/sys/net/netfilter/ ]; then
 		    local count
 		    local max
 		    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
 		else
 		    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		fi
 		echo
 		if qt mywhich conntrack ; then
 		    shift
 		    conntrack -f ipv4 -L $@ | show_connections_filter
 		else
 		    [ $# -gt 1 ] && usage 1
 		    if [ -f /proc/net/ip_conntrack ]; then
 			cat /proc/net/ip_conntrack | show_connections_filter
 		    else
 			grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
 		    fi
 	        fi
 	    elif qt mywhich conntrack ; then
 		shift
 		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		echo
 		conntrack -f ipv6 -L $@ | show_connections_filter
 	    else
 		[ $# -gt 1 ] && usage 1
 		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 		    echo
 		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
 		fi
 	    fi
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+	    eval show_nat $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+	    eval show_raw $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+	    eval show_rawpost $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+	    eval show_mangle $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 	    setup_logread
-
+	    eval show_log $g_pager
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
 	    host=$(echo $g_hostname | sed 's/\..*$//')
 	    if [ $# -eq 2 ]; then
 		search_log $2
 	    else
 		packet_log 20
 	    fi
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+	    eval show_tc $@ $g_pager
 	    echo
 	    shift
 	    if [ -z "$1" ]; then
 		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi
 	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+	    eval show_classifiers_command $g_pager
 	    echo
 	    show_classifiers
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
@@ -1173,22 +1311,18 @@ show_command() {
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
-		report_capabilities1
+		eval report_capabilities1 $g_pager
 	    else
-		report_capabilities
+		eval report_capabilities $g_pager
 	    fi
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+	    eval show_ip_addresses $g_pager
 	    echo
 	    ip -$g_family addr list
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+	    eval show_routing_command $g_pager
 	    echo
 	    show_routing
 	    ;;
 	config)
 	    . ${g_sharedir}/configpath
@@ -1210,33 +1344,19 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+	    eval show_chain $@ $g_pager
 	    echo
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
 		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
+	    eval show_policies $g_pager
 	    echo
 	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
 	    ;;
 	ipa)
 	    [ $g_family -eq 4 ] || usage 1
 	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
 	    echo
 	    [ $# -gt 1 ] && usage 1
-	    perip_accounting
+	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && usage 1
@@ -1246,17 +1366,13 @@ show_command() {
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+	    eval show_nfacct_command $g_pager
 	    echo
 	    show_nfacct
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && usage 1
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
-		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+		eval show_arptables $g_pager
 		echo
 		$arptables -L -n -v
 	    else
 		error_message "Cannot locate the arptables executable"
 	    fi
@@ -1270,15 +1386,11 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+	    eval show_events_command $g_pager
 	    echo
 	    show_events
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+	    eval show_blacklists $g_pager
 	    echo
 	    show_bl;
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && usage 1
@@ -1298,7 +1410,7 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    show_actions | sort
+			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
@@ -1315,25 +1427,7 @@ show_command() {
 			    ;;
 			macros)
 			    [ $# -gt 1 ] && usage 1
-
+			    eval show_macros $g_pager
 			    for directory in $(split $CONFIG_PATH); do
 				temp=
 				for macro in ${directory}/macro.*; do
 				    case $macro in
 					*\*)
                                            ;;
 					*)
 				            if [ -z "$temp" ]; then
 						echo
 						echo "Macros in $directory:"
 						echo
 						temp=Yes
 					    fi
 					    show_macro
 					    ;;
 				    esac
 				done
 			    done
 			    return
 			    ;;
 		    esac
@@ -1353,20 +1447,11 @@ show_command() {
 			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
 			exit 1
 		    fi
-		done
+					 done
-		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+		eval show_chains $@ $g_pager
 		echo
 		show_reset
 		for chain in $*; do
 		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+		eval show_table $g_pager
 		echo
 		show_reset
 		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
    esac
@@ -1417,12 +1502,16 @@ dump_filter() {
 		;;
 	esac
-	$command $filter
+	eval $command $filter $g_pager
    else
 	cat -
    fi
 }
 dump_filter_wrapper() {
    eval dump_filter $g_pager
 }
 #
 # Dump Command Executor
 #
@@ -1633,14 +1722,14 @@ do_dump_command() {
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
-	show_tc
+	show_tc1
 	heading "TC Filters"
 	show_classifiers
 	fi
 }
 dump_command() {
-    do_dump_command $@ | dump_filter
+    do_dump_command $@ | dump_filter_wrapper
 }
 #
@@ -3700,6 +3789,23 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
 		g_pager="$PAGER"
 		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	    *)
 		g_pager=$(mywhich pager 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	esac
 	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 	g_pager="| $g_pager"
     fi
    lib=$(find_file lib.cli-user)
    [ -f $lib ] && . $lib
@@ -4040,6 +4146,7 @@ shorewall_cli() {
    g_counters=
    g_loopback=
    g_compiled=
    g_pager=
    VERBOSE=
    VERBOSITY=1
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,9 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles SNMP traps.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-PARAM	-	-	udp	162
+SNMPtrap
--- a/Shorewall/Macros/macro.SNMPtrap
+++ b/Shorewall/Macros/macro.SNMPtrap
@@ -0,0 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
 # This macro handles SNMP traps.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	162
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -264,6 +264,7 @@ our %EXPORT_TAGS = (
                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
 				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
@@ -1525,8 +1526,7 @@ sub create_irule( $$$;@ ) {
 }
 #
-# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
+# Clone an existing rule.
 # reference and the old.
 #
 sub clone_irule( $ ) {
    my $oldruleref = $_[0];
@@ -3003,7 +3003,8 @@ sub initialize_chain_table($) {
 	}
    }
-    if ( $config{DOCKER} ) {
+    if ( my $docker = $config{DOCKER} ) {
 	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
@@ -3011,6 +3012,9 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }
    my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -8063,16 +8067,29 @@ sub emitr1( $$ ) {
 sub save_docker_rules($) {
    my $tool = $_[0];
-    emit( qq(),
+    emit( qq(if [ -n "\$g_docker" ]; then),
-	  qq(if [ -n "\$g_docker" ]; then),
+	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
-	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
+	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
-	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
-	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
+	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(else),
+	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
-	  qq(    rm -f \$VARDIR/.nat_DOCKER),
+	);
-	  qq(    rm -f \$VARDIR/.nat_POSTROUTING),
+
-	  qq(    rm -f \$VARDIR/.filter_DOCKER),
+    if ( known_interface( 'docker0' ) ) {
-	  qq(fi)
+	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
    } else {
 	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
    }
    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
 	  q(else),
 	  q(    rm -f ${VARDIR}/.nat_DOCKER),
 	  q(    rm -f ${VARDIR}/.net_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
 	)
 }
@@ -8109,7 +8126,6 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
 	save_docker_rules( $tool ) if $config{DOCKER};
    } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8139,28 +8155,13 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
 EOF
    if ( have_capability 'IPTABLES_S' ) {
 	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
 	      qq(    if chain_exists dynamic; then),
 	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
 	save_docker_rules( $tool ) if $config{DOCKER};
    } else {
 	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
 	      qq(    if chain_exists dynamic; then),
 	      qq(        $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
    }
 emit <<"EOF";
    fi
 fi
 EOF
    pop_indent;
    emit ( 'fi' ,
 	   '' );
    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }
 sub ensure_ipset( $ ) {
@@ -8452,7 +8453,7 @@ sub create_netfilter_load( $ ) {
 	my @chains;
 	#
-	# iptables-restore seems to be quite picky about the order of the builtin chains
+	# Iptables-restore seems to be quite picky about the order of the builtin chains
 	#
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
@@ -8470,12 +8471,19 @@ sub create_netfilter_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
+
-		    enter_cmd_mode;
+		if ( $name =~ /^DOCKER/ ) {
-		    emit( 'if [ -n "$g_docker" ]; then',
+		    if ( $name eq 'DOCKER' ) {
-			  '    echo ":DOCKER - [0:0]" >&3',
+			enter_cmd_mode;
-			  'fi' );
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-		    enter_cat_mode;
+			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
@@ -8567,12 +8575,18 @@ sub preview_netfilter_load() {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
+		if ( $name =~ /^DOCKER/ ) {
-		    enter_cmd_mode;
+		    if ( $name eq 'DOCKER' ) {
-		    emit( 'if [ -n "$g_docker" ]; then',
+			enter_cmd_mode;
-			  '    echo ":DOCKER - [0:0]" >&3',
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			  'fi' );
+			enter_cat_mode;
-		    enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
@@ -8797,12 +8811,18 @@ sub create_stop_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
+		if ( $name =~ /^DOCKER/ ) {
-		    enter_cmd_mode;
+		    if ( $name eq 'DOCKER' ) {
-		    emit( 'if [ -n "$g_docker" ]; then',
+			enter_cmd_mode;
-			  '    echo ":DOCKER - [0:0]" >&3',
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			  'fi' );
+			enter_cat_mode;
-		    enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -263,10 +263,13 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	);
-    emit( '',
+    if ( $config{DOCKER} ) {
-	  'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
+	emit( '',
-	  ''
+	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
-	) if $config{DOCKER};
+	    );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
 	emit( '' );
    }
    pop_indent;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -876,6 +876,7 @@ sub initialize( $;$$) {
 	  LEGACY_RESTART => undef ,
 	  RESTART => undef ,
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -4912,6 +4913,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
    update_default( 'PAGER',          '' );
    my $fn;
@@ -5859,7 +5861,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
-    default_yes_no 'DOCKER'                     , '';
+    default_yes_no 'DOCKER'                      , '';
    if ( $config{DOCKER} ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
@@ -6438,7 +6440,7 @@ sub generate_aux_config() {
    if ( -f $fn ) {
 	emit( '',
-	      'dump_filter() {' );
+	      'dump_filter1() {' );
 	push_indent;
 	append_file( $fn,1 ) or emit 'cat -';
 	pop_indent;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -132,7 +132,7 @@ sub setup_ecn()
 	    }
 	    for my $host ( @hosts ) {
-		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -629,38 +629,23 @@ sub process_stoppedrules() {
 }
 sub create_docker_rules() {
-    my $chainref = $nat_table->{PREROUTING};
+    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
-    add_commands( $chainref , 'if [ -n "$g_docker" ]; then' );
+    my $chainref = $filter_table->{FORWARD};
    incr_cmd_level( $chainref );
    add_ijump( $chainref, j => 'DOCKER', addrtype => '--dst-type LOCAL' );
    decr_cmd_level( $chainref );
    add_commands( $chainref, 'fi' );
-    add_commands( $chainref = $nat_table->{OUTPUT} , 'if [ -n "$g_docker" ]; then' );
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
    incr_cmd_level( $chainref );
    add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '! 127.0.0.0/8', addrtype => '--dst-type LOCAL' );
    decr_cmd_level( $chainref );
    add_commands( $chainref, 'fi' );
-    add_commands( $chainref = $filter_table->{FORWARD}, 'if [ -n "$g_docker" ]; then' );
+    if ( my $dockerref = known_interface('docker0') ) {
-    incr_cmd_level( $chainref );
+	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
-    add_ijump_extended( $chainref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
+	incr_cmd_level( $chainref );
-
+	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
-    unless ( known_interface('docker0') ) {
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
-	#
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
-	# Emulate the Docker-generated rules
+	decr_cmd_level( $chainref );
-	#
+	add_commands( $chainref, 'fi' );
 	add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
 	#
 	# Docker creates two ACCEPT rules for traffic forwarded from docker0 -- one for routeback and one for the rest
 	# We combine them into a single rule
 	#
 	add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0' );
    }
-    decr_cmd_level( $chainref );
+    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
    add_commands( $chainref, 'fi' );
 }
 sub setup_mss();
@@ -2493,9 +2478,18 @@ EOF
    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
    fi
 EOF
    if ( $config{DOCKER} ) {
 	push_indent;
 	emit( 'if [ $COMMAND = stop ]; then' );
 	push_indent;
 	save_docker_rules( $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}');
 	pop_indent;
 	emit( "fi\n");
 	pop_indent;
    }
    if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
    if [ -f ${VARDIR}/nat ]; then
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1178,12 +1178,11 @@ sub finish_section ( $ ) {
 #
 # Internally, action invocations are uniquely identified by a 5-tuple that
 # includes the action name, log level, log tag, calling chain and params.
-# The pieces of the tuple are separated by ":".
+# The pieces of the tuple are separated by ":". The calling chain is non-empty
 # only when the action refers to @CALLER.
 #
 sub normalize_action( $$$ ) {
-    my $action = shift;
+    my ( $action, $level, $param ) = @_;
    my $level  = shift;
    my $param  = shift;
    my $caller = '';     #We assume that the function doesn't use @CALLER
    ( $level, my $tag ) = split ':', $level;
@@ -1589,7 +1588,7 @@ sub allowBcast( $$$$ ) {
    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
-	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
 	}
 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -499,6 +499,25 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	ECN       => {
 	    defaultchain   => POSTROUTING,
 	    allowedchains  => ALLCHAINS,
 	    minparams      => 0,
 	    maxparams      => 0,
 	    function       => sub() {
 		fatal_error "The ECN target is only available with IPv4" if $family == F_IPV6;
 		if ( $proto eq '-' ) {
 		    $proto = TCP;
 		} else {
 		    $proto = resolve_proto( $proto ) || 0;
 		    fatal_error "Only PROTO tcp (6) is allowed with the ECN action" unless $proto == TCP;
 		}
 		$target = 'ECN --ecn-tcp-remove';
 	    }
 	},
 	HL        => {
 	    defaultchain   => FORWARD,
 	    allowedchains  => PREROUTING | FORWARD,
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -126,6 +126,7 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
 initialize
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -25,6 +25,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall
 #
-#     (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,6 +316,23 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
 		g_pager="$PAGER"
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
 		g_pager=$(mywhich pager 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
 	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 	g_pager="| $g_pager"
    fi
    lib=$(find_file lib.cli-user)
    [ -f $lib ] && . $lib
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -339,6 +339,18 @@ DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ECN</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.6 as an alternative to entries in
                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
                PROTO is specified, it must be 'tcp' (6). If no PROTO is
                supplied, TCP is assumed. This action causes all ECN bits in
                the TCP header to be cleared.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -738,11 +738,15 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
-          <para>Added in Shorewall 5.0.6. When set to Yes, the generated
+          <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
-          script will save Docker-generated rules before and restore them
+          the generated script will save Docker-generated rules before and
-          after executing the start, reload and restart commands. If set to No
+          restore them after executing the <command>start</command>,
          <command>stop</command>, <command>reload</command> and
          <command>restart</command> commands. If set to <option>No</option>
          (the default), the generated script will delete any Docker-generated
-          rules when executing those commands.</para>
+          rules when executing those commands. See<ulink url="/Docker.html">
          http://www.shorewall.net/Docker.html</ulink> for additional
          information.</para>
        </listitem>
      </varlistentry>
@@ -1948,6 +1952,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
        <listitem>
          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
          program like <command>less</command> or <command>more</command>.
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6 Lite
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -19,6 +19,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1691,6 +1691,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
        <listitem>
          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
          program like <command>less</command> or <command>more</command>.
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@@ -0,0 +1,94 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
  <!--$Id$-->
  <articleinfo>
    <title>Docker Support</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
      <year>2016</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section>
    <title>Shorewall 5.0.5 and Earlier</title>
    <para>Both Docker and Shorewall assume that they 'own' the iptables
    configuration. This leads to problems when Shorewall is restarted or
    reloaded, because it drops all of the rules added by Docker. Fortunately,
    the extensibility features in Shorewall allow users to <ulink
    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
    their own solution</ulink> for saving the Docker-generated rules before
    these operations and restoring them afterwards.</para>
  </section>
  <section>
    <title>Shorewall 5.0.6 and Later</title>
    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
    simple Docker configurations. This support is enabled by setting
    DOCKER=Yes in shorewall.conf. With this setting, the generated script
    saves the Docker-created ruleset before executing a
    <command>stop</command>, <command>start</command>,
    <command>restart</command> or <command>reload</command> operation and
    restores those rules along with the Shorewall-generated ruleset.</para>
    <para>This support assumes that the default Docker bridge (docker0) is
    being used. It is recommended that this bridge be defined to Shorewall in
    <ulink
    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
    As shown below, you can control inter-container communication using the
    <option>bridge</option> and <option>routeback</option> options. If docker0
    is not defined to Shorewall, then Shorewall will save and restore the
    FORWARD chain rules involving that interface.</para>
    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
    <programlisting>DOCKER=Yes</programlisting>
    <para><filename>/etc/shorewall/zones</filename>:</para>
    <programlisting>#ZONE         TYPE        OPTIONS
 dock          ipv4        #'dock' is just an example -- call it anything you like</programlisting>
    <para><filename>/etc/shorewall/policy</filename>:</para>
    <programlisting>#SOURCE        DEST        POLICY         LEVEL
 dock           $FW         REJECT
 dock           all         ACCEPT</programlisting>
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
    <programlisting>#ZONE          INTERFACE        OPTIONS
 dock           docker0          bridge   #Allow ICC (bridge implies routeback=1)</programlisting>
    <para>or</para>
    <programlisting>#ZONE          INTERFACE        OPTIONS
 dock           docker0          bridge,routeback=0   #Disallow ICC</programlisting>
  </section>
 </article>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -265,7 +265,7 @@
          </row>
          <row>
-            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
+            <entry><ulink url="Docker.html">Docker</ulink></entry>
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
@@ -275,8 +275,7 @@
          </row>
          <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
+            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
            subnet</ulink></entry>
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
@@ -285,7 +284,8 @@
          </row>
          <row>
-            <entry><ulink url="Events.html">Events</ulink></entry>
+            <entry><ulink url="ECN.html">ECN Disabling by host or
            subnet</ulink></entry>
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
@@ -294,8 +294,7 @@
          </row>
          <row>
-            <entry><ulink url="shorewall_extension_scripts.htm">Extension
+            <entry><ulink url="Events.html">Events</ulink></entry>
            Scripts (User Exits)</ulink></entry>
            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
@@ -304,8 +303,8 @@
          </row>
          <row>
-            <entry><ulink
+            <entry><ulink url="shorewall_extension_scripts.htm">Extension
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            Scripts (User Exits)</ulink></entry>
            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
@@ -315,7 +314,8 @@
          </row>
          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
            url="fallback.htm">Fallback/Uninstall</ulink></entry>
            <entry><ulink url="ports.htm">Port Information</ulink></entry>
@@ -324,8 +324,7 @@
          </row>
          <row>
-            <entry><ulink
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
            url="shorewall_features.htm">Features</ulink></entry>
            <entry><ulink url="PortKnocking.html">Port Knocking
            (deprecated)</ulink></entry>
@@ -334,8 +333,8 @@
          </row>
          <row>
-            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            <entry><ulink
-            Same Interface</ulink></entry>
+            url="shorewall_features.htm">Features</ulink></entry>
            <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
            and Other Uses of the 'Recent Match'</ulink></entry>
@@ -344,18 +343,28 @@
          </row>
          <row>
-            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
            Same Interface</ulink></entry>
            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="FoolsFirewall.html">Fool's
            Firewall</ulink></entry>
-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
            Guides</ulink></entry>
            <entry/>
          </row>
@@ -364,8 +373,7 @@
            <entry><ulink url="Helpers.html">Helpers/Helper
            Modules</ulink></entry>
-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
            Guides</ulink></entry>
            <entry/>
          </row>
@@ -374,14 +382,6 @@
            <entry><ulink
            url="Install.htm">Installation/Upgrade</ulink></entry>
            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>
@@ -389,7 +389,7 @@
          </row>
          <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>
@@ -398,7 +398,7 @@
          </row>
          <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>
@@ -407,18 +407,27 @@
          </row>
          <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
            <entry><ulink url="samba.htm">Samba</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="ISO-3661.html">ISO 3661 Country
            Codes</ulink></entry>
-            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
            Init</ulink></entry>
            <entry/>
          </row>
@@ -427,8 +436,8 @@
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>
-            <entry><ulink url="Shorewall-init.html">Shorewall
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Init</ulink></entry>
+            Lite</ulink></entry>
            <entry/>
          </row>
@@ -437,8 +446,7 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>
-            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            <entry/>
            Lite</ulink></entry>
            <entry/>
          </row>
--- a/docs/ECN.xml
+++ b/docs/ECN.xml
@@ -118,6 +118,10 @@
          </tgroup>
        </table></para>
    </example>
    <para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
    ECN flags through use of the ECN action in <ulink
    url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
  </section>
  <lot/>
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->
  <articleinfo>
-    <title>Shorewall 4.4/4.5/4.6 Features</title>
+    <title>Shorewall 5.0 Features</title>
    <author>
      <firstname>Tom</firstname>
@@ -16,7 +16,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2014</year>
+      <year>2001-2016</year>
      <holder>Thomas M Eastep</holder>
    </copyright>
@@ -32,13 +32,6 @@
    </legalnotice>
  </articleinfo>
  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
    later. If you are running a version of Shorewall earlier than Shorewall
    4.3.5 then please see the documentation for that
    release.</emphasis></para>
  </caution>
  <section id="Features">
    <title>Features</title>
@@ -278,6 +271,10 @@
          <listitem>
            <para><ulink url="LXC.html">LXC</ulink></para>
          </listitem>
          <listitem>
            <para>Docker (Shorewall 5.0.6 and later)</para>
          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -321,6 +321,27 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis
          role="bold">log levels</emphasis>, just like info, debug, etc. even
          though they are not defined by syslog.</para>
        </important></para>
      <para>Here is a copy of a ulogd.conf file that logs to
      /var/log/firewall. It was contributed by a Shorewall user on IRC:</para>
      <programlisting>[global]
 user="ulogd"
 logfile="/var/log/ulogd/ulogd.log"
 loglevel=7
 plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
 plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
 plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
 plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
 plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
 plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
 stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
 [firewall]
 file="/var/log/firewall"
 sync=1</programlisting>
    </section>
  </section>
Author	SHA1	Message	Date
Tom Eastep	2bb143b28c	Save/restore nat OUTPUT jump to DOCKER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 12:21:45 -08:00
Tom Eastep	99f83da3ab	Avoid duplicate rules after reload Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 11:09:53 -08:00
Tom Eastep	89e3e959dc	Revert bad change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 10:20:55 -08:00
Tom Eastep	9e41264671	Go back to generating docker0 rules when it is defined to Shorewall - Avoids issues after 'stop' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:47 -08:00
Tom Eastep	3fb715740d	Avoid duplicated code blocks in save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:04 -08:00
Tom Eastep	ed6ff96aa0	Replace another $VARDIR instance Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:11:57 -08:00
Tom Eastep	18dac19d86	Remove dead code from save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:09:55 -08:00
Tom Eastep	d5ea876e93	Replace $VARDIR with ${VARDIR} for consistency Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 11:54:14 -08:00
Tom Eastep	f7a6ad1412	Clean up formatting in define_firewall() and stop_firewall() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 09:24:43 -08:00
Tom Eastep	b279869629	Fix DOCKER issue Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 20:59:44 -08:00
Tom Eastep	62880bdf1b	Don't populate PAGER in the sample config files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 13:04:47 -08:00
Tom Eastep	c56ba534d6	Yet more PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 12:34:39 -08:00
Tom Eastep	90bc894200	More PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:58:26 -08:00
Tom Eastep	90d254f0c3	Add PAGER option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:32:49 -08:00
Tom Eastep	4e9f4742cb	Merge branch 'master' into 5.0.6	2016-03-01 15:13:20 -08:00
Tom Eastep	a95de8d092	Page the output of verbose commands Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-01 15:12:54 -08:00
Tom Eastep	68cce5ff73	Eliminate some sillyness in normalize_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:17:15 -08:00
Tom Eastep	8a02624f05	Update copyrights in the install and uninstall scripts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:03:09 -08:00
Tom Eastep	1c1881859f	Delete untrue comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 08:45:47 -08:00
Tom Eastep	5b163e9bc2	Save/restore docker0 rules when it isn't defined to Shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 14:09:29 -08:00
Tom Eastep	71d64ab380	Add DOCKER network support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 13:36:47 -08:00
Tom Eastep	64de3d0e83	Add Docker article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 15:30:39 -08:00
Tom Eastep	36d8518562	Code compaction Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 13:13:56 -08:00
Tom Eastep	6c88eb6916	Add an ECN action to shorewall-mangle(8) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 09:33:16 -08:00
Tom Eastep	fb03fd0a5c	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:27 -08:00
Tom Eastep	d50ba365fb	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:17 -08:00
Tom Eastep	f265596613	Add sample ulogd.conf file to the logging article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 14:01:37 -08:00
Tom Eastep	6e1cc0f1d0	Correct stop/start Docker handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 13:37:44 -08:00
Tom Eastep	ee5ef07035	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 14:58:10 -08:00
Tom Eastep	3c8696b91d	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 09:35:13 -08:00
Tom Eastep	fd4de0c66a	Create more compact DOCKER conditional rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 14:46:35 -08:00
Tom Eastep	49536562e2	Emit more compact code when conditionally adding DOCKER chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:49:22 -08:00
Tom Eastep	36b6863b02	Update copyright date on lib.core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:48:48 -08:00
Tom Eastep	6a8e280483	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-02-21 12:59:10 -08:00
Tuomo Soini	b39639e1f2	macro.SNMPtrap: fix file name to use common naming Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-02-20 18:45:55 +02:00
Tom Eastep	1f79bfa8dd	Use new column names in action.template Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:26:25 -08:00