Merge branch '5.0.7'

Document + in the MODULESDIR setting.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-04-01 09:46:53 -07:00 · 2016-04-01 09:43:06 -07:00 · 2016-04-01 08:57:08 -07:00 · 2016-03-31 14:16:43 -07:00 · 2016-03-31 12:55:16 -07:00 · 2016-03-31 12:52:30 -07:00
75 changed files with 3419 additions and 2206 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc() {
+show_tc1() {

    show_one_tc() {
 	local device
@@ -292,6 +292,19 @@ show_tc() {

 }

+show_tc() {
+    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+    echo
+    shift
+
+    if [ -z "$1" ]; then
+	$g_tool -t mangle -L -n -v | $output_filter
+	echo
+    fi
+
+    show_tc1 $1
+}
+
 #
 # Show classifier information
 #
@@ -909,25 +922,208 @@ show_events() {
 }

 show_actions() {
-    echo "A_ACCEPT                        # Audit and accept the connection"
-    echo "A_DROP                          # Audit and drop the connection"
-    echo "A_REJECT                        # Audit and reject the connection "
-    echo "allowBcast                      # Silently Allow Broadcast/multicast"
-    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
-    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
-    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-    echo "dropBcast                       # Silently Drop Broadcast/multicast"
-    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
-    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
-    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
-    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
-
    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
    else
-	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
    fi
 }
+
+show_chain() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    if [ $# -gt 0 ]; then
+	for chain in $*; do
+	    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	    echo
+	done
+    else
+	$g_tool -t $table -L $g_ipt_options | $output_filter
+    fi
+}
+
+show_chains() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    for chain in $*; do
+	$g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	echo
+    done
+}
+
+show_table() {
+    echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t $table -L $g_ipt_options | $output_filter
+}
+
+show_nat() {
+    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t nat -L $g_ipt_options | $output_filter
+}
+
+show_raw() {
+    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t raw -L $g_ipt_options | $output_filter
+}
+
+show_rawpost() {
+    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+}
+
+show_mangle() {
+    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t mangle -L $g_ipt_options | $output_filter
+}
+
+show_classifiers_command() {
+    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+    echo
+    show_classifiers
+}
+
+show_ip_addresses() {
+    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+    echo
+    ip -$g_family addr list
+}
+
+show_routing_command() {
+    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+    echo
+    show_routing
+}
+
+show_policies() {
+    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
+    echo
+    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
+}
+
+show_ipa() {
+    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
+    echo
+    perip_accounting
+}
+
+show_arptables() {
+    echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+    echo
+    $arptables -L -n -v
+}
+
+show_log() {
+    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
+    echo
+    show_reset
+    host=$(echo $g_hostname | sed 's/\..*$//')
+
+    if [ $# -eq 2 ]; then
+	eval search_log $2
+    elif [ -n "$g_pager" ]; then
+	packet_log 100
+    else
+	packet_log 20
+    fi
+}
+
+show_connections() {
+    if [ $g_family -eq 4 ]; then
+	if [ -d /proc/sys/net/netfilter/ ]; then
+	    local count
+	    local max
+	    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	else
+	    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	fi
+
+	echo
+
+	if qt mywhich conntrack ; then
+	    shift
+	    conntrack -f ipv4 -L $@ | show_connections_filter
+	else
+	    [ $# -gt 1 ] && usage 1
+	    if [ -f /proc/net/ip_conntrack ]; then
+		cat /proc/net/ip_conntrack | show_connections_filter
+	    else
+		grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
+	    fi
+	fi
+    elif qt mywhich conntrack ; then
+	shift
+	echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	echo
+	conntrack -f ipv6 -L $@ | show_connections_filter
+    else
+	[ $# -gt 1 ] && usage 1
+	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+	    echo
+	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+	fi
+    fi
+}
+
+show_nfacct_command() {
+    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+    echo
+    show_nfacct
+}
+
+show_events_command() {
+    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+    echo
+    show_events
+}
+
+show_blacklists() {
+    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+    echo
+    show_bl;
+}
+
+show_actions_sorted() {
+    show_actions | sort
+}
+
+show_macros() {
+    for directory in $(split $CONFIG_PATH); do
+	temp=
+	for macro in ${directory}/macro.*; do
+	    case $macro in
+		*\*)
+                ;;
+		*)
+		    if [ -z "$temp" ]; then
+			echo
+			echo "Macros in $directory:"
+			echo
+			temp=Yes
+		    fi
+		    show_macro
+		    ;;
+	    esac
+	done
+    done
+}
+
 #
 # Show Command Executor
 #
@@ -1042,108 +1238,37 @@ show_command() {

    case "$1" in
 	connections)
-	    if [ $g_family -eq 4 ]; then
-		if [ -d /proc/sys/net/netfilter/ ]; then
-		    local count
-		    local max
-		    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
-		else
-		    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		fi
-
-		echo
-
-		if qt mywhich conntrack ; then
-		    shift
-		    conntrack -f ipv4 -L $@ | show_connections_filter
-		else
-		    [ $# -gt 1 ] && usage 1
-		    if [ -f /proc/net/ip_conntrack ]; then
-			cat /proc/net/ip_conntrack | show_connections_filter
-		    else
-			grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
-		    fi
-	        fi
-	    elif qt mywhich conntrack ; then
-		shift
-		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
-	    else
-		[ $# -gt 1 ] && usage 1
-		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
-		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-		    echo
-		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
-		fi
-	    fi
+	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t nat -L $g_ipt_options | $output_filter
+	    eval show_nat $g_pager
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t raw -L $g_ipt_options | $output_filter
+	    eval show_raw $g_pager
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options | $output_filter
+	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1

 	    setup_logread
-
-	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    host=$(echo $g_hostname | sed 's/\..*$//')
-
-	    if [ $# -eq 2 ]; then
-		search_log $2
-	    else
-		packet_log 20
-	    fi
+	    eval show_log $g_pager
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
-	    echo
-	    shift
-
-	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v | $output_filter
-		echo
-	    fi
-
-	    show_tc $1
+	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
-	    echo
-	    show_classifiers
+	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
@@ -1173,22 +1298,18 @@ show_command() {
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
-		report_capabilities1
+		eval report_capabilities1 $g_pager
 	    else
-		report_capabilities
+		eval report_capabilities $g_pager
 	    fi
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
-	    echo
-	    ip -$g_family addr list
+	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
-	    echo
-	    show_routing
+	    eval show_routing_command $g_pager
 	    ;;
 	config)
 	    . ${g_sharedir}/configpath
@@ -1210,33 +1331,19 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    if [ $# -gt 0 ]; then
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
-	    else
-		$g_tool -t $table -L $g_ipt_options | $output_filter
-	    fi
+	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    eval show_policies $g_pager
 	    ;;
 	ipa)
 	    [ $g_family -eq 4 ] || usage 1
-	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
-	    echo
 	    [ $# -gt 1 ] && usage 1
-	    perip_accounting
+	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && usage 1
@@ -1246,17 +1353,13 @@ show_command() {
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
-	    echo
-	    show_nfacct
+	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && usage 1
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
-		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
-		echo
-		$arptables -L -n -v
+		eval show_arptables $g_pager
 	    else
 		error_message "Cannot locate the arptables executable"
 	    fi
@@ -1270,15 +1373,11 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
-	    echo
-	    show_events
+	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
-	    echo
-	    show_bl;
+	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && usage 1
@@ -1298,7 +1397,7 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    show_actions | sort
+			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
@@ -1315,25 +1414,7 @@ show_command() {
 			    ;;
 			macros)
 			    [ $# -gt 1 ] && usage 1
-
-			    for directory in $(split $CONFIG_PATH); do
-				temp=
-				for macro in ${directory}/macro.*; do
-				    case $macro in
-					*\*)
-                                            ;;
-					*)
-				            if [ -z "$temp" ]; then
-						echo
-						echo "Macros in $directory:"
-						echo
-						temp=Yes
-					    fi
-					    show_macro
-					    ;;
-				    esac
-				done
-			    done
+			    eval show_macros $g_pager
 			    return
 			    ;;
 		    esac
@@ -1353,20 +1434,11 @@ show_command() {
 			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
 			exit 1
 		    fi
-		done
+					 done

-		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
-		echo
-		show_reset
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
+		eval show_chains $@ $g_pager
 	    else
-		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
-		echo
-		show_reset
-		$g_tool -t $table -L $g_ipt_options | $output_filter
+		eval show_table $g_pager
 	    fi
 	    ;;
    esac
@@ -1417,12 +1489,16 @@ dump_filter() {
 		;;
 	esac

-	$command $filter
+	eval $command $filter $g_pager
    else
 	cat -
    fi
 }

+dump_filter_wrapper() {
+    eval dump_filter $g_pager
+}
+
 #
 # Dump Command Executor
 #
@@ -1633,14 +1709,14 @@ do_dump_command() {

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
-	show_tc
+	show_tc1
 	heading "TC Filters"
 	show_classifiers
 	fi
 }

 dump_command() {
-    do_dump_command $@ | dump_filter
+    do_dump_command $@ | dump_filter_wrapper
 }

 #
@@ -3700,6 +3776,23 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+     fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -4040,6 +4133,7 @@ shorewall_cli() {
    g_counters=
    g_loopback=
    g_compiled=
+    g_pager=

    VERBOSE=
    VERBOSITY=1
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,9 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles SNMP traps.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-PARAM	-	-	udp	162
+SNMPtrap
--- a/Shorewall/Macros/macro.SNMPtrap
+++ b/Shorewall/Macros/macro.SNMPtrap
@@ -0,0 +1,9 @@
+#
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+#
+# This macro handles SNMP traps.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	162
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #

 use constant {
-	      LEGACY      => 0,
-	      PREROUTING  => 1,
-	      INPUT       => 2,
-	      OUTPUT      => 3,
-	      FORWARD     => 4,
-	      POSTROUTING => 5
+	      LEGACY_SECTION      => 0,
+	      PREROUTING_SECTION  => 1,
+	      INPUT_SECTION       => 2,
+	      OUTPUT_SECTION      => 3,
+	      FORWARD_SECTION     => 4,
+	      POSTROUTING_SECTION => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING,
-		   INPUT       => INPUT,
-		   FORWARD     => FORWARD,
-		   OUTPUT      => OUTPUT,
-		   POSTROUTING => POSTROUTING
+our %asections = ( PREROUTING  => PREROUTING_SECTION,
+		   INPUT       => INPUT_SECTION,
+		   FORWARD     => FORWARD_SECTION,
+		   OUTPUT      => OUTPUT_SECTION,
+		   POSTROUTING => POSTROUTING_SECTION
 		 );

 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    $jumpchainref = 0;

-    $asection = LEGACY if $asection < 0;
+    $asection = LEGACY_SECTION if $asection < 0;

    our $disposition = '';

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -138,6 +138,17 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE

+				       PREROUTING
+				       INPUT
+				       FORWARD
+				       OUTPUT
+				       POSTROUTING
+				       ALLCHAINS
+				       STICKY
+				       STICKO
+				       REALPREROUTING
+				       ACTIONCHAIN
+
 				       unreachable_warning
 				       state_match
 				       state_imatch
@@ -188,6 +199,7 @@ our %EXPORT_TAGS = (
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
+				       new_action_chain
 				       new_builtin_chain
 				       new_nat_chain
 				       optimize_chain
@@ -264,6 +276,7 @@ our %EXPORT_TAGS = (
                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
+				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
@@ -324,6 +337,10 @@ our $VERSION = 'MODULEVERSION';
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
+#                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
+#                                               allowedchains
+#                                                            => Mangle action chains only -- specifies the set of builtin chains where
+#                                                               this action may be used.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -455,6 +472,22 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
 	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
+#
+# Mangle Table allowed chains enumeration
+#
+use constant {
+    PREROUTING     => 1,        #Actually tcpre
+    INPUT          => 2,        #Actually tcin
+    FORWARD        => 4,        #Actually tcfor
+    OUTPUT         => 8,        #Actually tcout
+    POSTROUTING    => 16,       #Actually tcpost
+    ALLCHAINS      => 31,
+    STICKY         => 32,
+    STICKO         => 64,
+    REALPREROUTING => 128,
+    ACTIONCHAIN    => 256,
+};
+
 #
 # Possible IPSET options
 #
@@ -614,7 +647,7 @@ our %ipset_exists;
 #                    => CMD_MODE if the rule contains a shell command or if it
 #                                part of a loop or conditional block. If it is a
 #                                shell command, the text of the command is in
-#                                the cmd
+#                                the cmd member
 #         cmd        => Shell command, if mode == CMD_MODE and cmdlevel == 0
 #         cmdlevel   => nesting level within loops and conditional blocks.
 #                       determines indentation
@@ -903,7 +936,7 @@ sub set_rule_option( $$$ ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
 	    # The first will have a modifier like '! --syn' while the second will not.  We want to retain
-	    # the first while 
+	    # the first one.
 	    if ( $option eq 'p' ) {
 		my ( $proto ) = split( ' ', $ruleref->{p} );
 		return if $proto eq $value;
@@ -1525,8 +1558,7 @@ sub create_irule( $$$;@ ) {
 }

 #
-# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
-# reference and the old.
+# Clone an existing rule.
 #
 sub clone_irule( $ ) {
    my $oldruleref = $_[0];
@@ -2325,6 +2357,7 @@ sub new_chain($$)
 		     filtered       => 0,
 		     optflags       => 0,
 		     origin         => shortlineinfo( '' ),
+		     restriction    => NO_RESTRICT,
 		   };

    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2738,6 +2771,13 @@ sub new_standard_chain($) {
    $chainref;
 }

+sub new_action_chain($$) {
+    my $chainref = &new_chain( @_ );
+    $chainref->{referenced} = 1;
+    $chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
+    $chainref;
+}
+
 sub new_nat_chain($) {
    my $chainref = new_chain 'nat' ,$_[0];
    $chainref->{referenced} = 1;
@@ -2868,40 +2908,42 @@ sub initialize_chain_table($) {
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
+		    'ADD'             => STANDARD + SET,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'DROP'            => STANDARD,
-		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'REJECT'          => STANDARD + OPTIONS,
-		    'REJECT!'         => STANDARD + OPTIONS,
 		    'A_REJECT'        => STANDARD + AUDIT,
 		    'A_REJECT!'       => STANDARD + AUDIT,
-		    'DNAT'            => NATRULE  + OPTIONS,
-		    'DNAT-'           => NATRULE  + NATONLY,
-		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
-		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
-		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
+		    'NONAT'           => STANDARD + NONAT  + NATONLY,
+		    'CONNMARK'        => STANDARD + OPTIONS,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
-		    'QUEUE'           => STANDARD + OPTIONS,
-		    'QUEUE!'          => STANDARD,
-		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
-		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
-		    'WHITELIST'       => STANDARD,
+		    'DNAT'            => NATRULE  + OPTIONS,
+		    'DNAT-'           => NATRULE  + NATONLY,
+		    'DROP'            => STANDARD,
+		    'DROP!'           => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
+		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
+		    'MARK'            => STANDARD + OPTIONS,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
+		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'QUEUE'           => STANDARD + OPTIONS,
+		    'QUEUE!'          => STANDARD,
+		    'REJECT'          => STANDARD + OPTIONS,
+		    'REJECT!'         => STANDARD + OPTIONS,
+		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
+		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'WHITELIST'       => STANDARD,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3001,9 +3043,16 @@ sub initialize_chain_table($) {
 	    $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
 	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	}
+
+	$mangle_table->{PREROUTING}{chainnumber}    = PREROUTING;
+	$mangle_table->{INPUT}{chainnumber}         = INPUT;
+	$mangle_table->{OUTPUT}{chainnumber}        = OUTPUT;
+	$mangle_table->{FORWARD}{chainnumber}       = FORWARD;
+	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
    }

-    if ( $config{DOCKER} ) {
+    if ( my $docker = $config{DOCKER} ) {
+	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
@@ -3011,6 +3060,9 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }

    my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -4465,7 +4517,7 @@ sub clearrule() {
 sub state_match( $ ) {
    my $state = shift;

-    if ( $state eq 'ALL' ) {
+    if ( $state eq 'ALL' || $state eq '-' ) {
 	''
    } else {
 	have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -6778,14 +6830,12 @@ sub get_interface_gateway ( $;$ ) {
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );

-    my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
-
    $global_variables |= ALL_COMMANDS;

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

@@ -7489,7 +7539,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 	log_irule_limit( $loglevel ,
 			 $echainref ,
 			 $chain ,
-			 $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+			 $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 			 [] ,
 			 $logtag ,
 			 'add' ,
@@ -7536,7 +7586,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )

    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
-    my  $chain = $actparms{chain} || $chainref->{name};
+    my  $chain = $actparams{chain} || $chainref->{name};
    my $table = $chainref->{table};
    my ( $jump, $mac,  $targetref, $basictarget );
    our @ends = ();
@@ -7698,7 +7748,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $matches );
+			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -7710,22 +7760,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 				       $loglevel ,
 				       $chainref ,
 				       $chain,
-				       $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+				       $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 				       '' ,
 				       $logtag ,
 				       'add' ,
-				       $matches
+				       $prerule . $matches
 				      );
 		    } elsif ( $logname || $basictarget eq 'RETURN' ) {
 			log_rule_limit(
 				       $loglevel ,
 				       $chainref ,
 				       $logname || $chain,
-				       $actparms{disposition} || $disposition,
+				       $actparams{disposition} || $disposition,
 				       '',
 				       $logtag,
 				       'add',
-				       $matches );
+				       $prerule . $matches );

 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref, 0, $matches );
@@ -7742,10 +7792,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 						     $loglevel,
 						     $logtag,
 						     $exceptionrule,
-						     $actparms{disposition} || $disposition,
+						     $actparams{disposition} || $disposition,
 						     $target ),
 					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
-					   $matches );
+					   $prerule . $matches );
 		    }

 		    conditional_rule_end( $chainref ) if $cond3;
@@ -8063,16 +8113,29 @@ sub emitr1( $$ ) {
 sub save_docker_rules($) {
    my $tool = $_[0];

-    emit( qq(),
-	  qq(if [ -n "\$g_docker" ]; then),
-	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
-	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
-	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
-	  qq(else),
-	  qq(    rm -f \$VARDIR/.nat_DOCKER),
-	  qq(    rm -f \$VARDIR/.nat_POSTROUTING),
-	  qq(    rm -f \$VARDIR/.filter_DOCKER),
-	  qq(fi)
+    emit( qq(if [ -n "\$g_docker" ]; then),
+	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
+	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
+	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
+	);
+
+    if ( known_interface( 'docker0' ) ) {
+	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
+    } else {
+	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+    }
+
+    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
+	  q(else),
+	  q(    rm -f ${VARDIR}/.nat_DOCKER),
+	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
+	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+	  q(    rm -f ${VARDIR}/.filter_FORWARD),
+	  q(fi)
 	)
 }

@@ -8109,7 +8172,15 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
-	save_docker_rules( $tool ) if $config{DOCKER};
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
+fi
+EOF
+	}
    } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8130,6 +8201,15 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING    
+fi
+EOF
+	}
    }

    pop_indent;
@@ -8139,28 +8219,13 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
-EOF
-
-    if ( have_capability 'IPTABLES_S' ) {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
-	save_docker_rules( $tool ) if $config{DOCKER};
-    } else {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
-    }
-
-emit <<"EOF";
-    fi
-fi
 EOF

    pop_indent;

    emit ( 'fi' ,
 	   '' );
+    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }

 sub ensure_ipset( $ ) {
@@ -8452,7 +8517,7 @@ sub create_netfilter_load( $ ) {

 	my @chains;
 	#
-	# iptables-restore seems to be quite picky about the order of the builtin chains
+	# Iptables-restore seems to be quite picky about the order of the builtin chains
 	#
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
@@ -8470,12 +8535,19 @@ sub create_netfilter_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
-		    enter_cmd_mode;
-		    emit( 'if [ -n "$g_docker" ]; then',
-			  '    echo ":DOCKER - [0:0]" >&3',
-			  'fi' );
-		    enter_cat_mode;
+
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
@@ -8567,14 +8639,22 @@ sub preview_netfilter_load() {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
-		    enter_cmd_mode;
-		    emit( 'if [ -n "$g_docker" ]; then',
-			  '    echo ":DOCKER - [0:0]" >&3',
-			  'fi' );
-		    enter_cat_mode;
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode1;
+			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			print "\n";
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
+		    } else {		    
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( ":$name - [0:0]\n" );
+		    }
 		} else {
-		    emit_unindented ":$name - [0:0]";
+		    print( ":$name - [0:0]\n" );
 		}

 		push @chains, $chainref;
@@ -8797,12 +8877,18 @@ sub create_stop_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
-		    enter_cmd_mode;
-		    emit( 'if [ -n "$g_docker" ]; then',
-			  '    echo ":DOCKER - [0:0]" >&3',
-			  'fi' );
-		    enter_cat_mode;
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

 	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}

    }
@@ -263,10 +263,13 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	);

-    emit( '',
-	  'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
-	  ''
-	) if $config{DOCKER};
+    if ( $config{DOCKER} ) {
+	emit( '',
+	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
+	    );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
+    }

    pop_indent;

--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -139,6 +139,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       push_action_params
 				       pop_action_params
 				       default_action_params
+                                       setup_audit_action
 				       read_a_line
 				       which
 				       qt
@@ -185,7 +186,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_enabled
 				       %helpers_aliases

-				       %actparms
+				       %actparams

                                       PARMSMODIFIED
                                       USEDCALLER
@@ -552,7 +553,7 @@ our %compiler_params;
 #
 # Action parameters
 #
-our %actparms;
+our %actparams;
 our $parmsmodified;
 our $usedcaller;
 our $inline_matches;
@@ -670,6 +671,13 @@ our %variables; # Symbol table for expanding shell variables

 our $section_function; #Function Reference for handling ?section

+our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
+
+#
+# Files located via find_file()
+#
+our %filecache;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -876,6 +884,8 @@ sub initialize( $;$$) {
 	  LEGACY_RESTART => undef ,
 	  RESTART => undef ,
 	  DOCKER => undef ,
+	  PAGER => undef ,
+	  MINIUPNPD => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1060,7 +1070,7 @@ sub initialize( $;$$) {

    %compiler_params = ();

-    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;

@@ -1468,9 +1478,9 @@ sub hex_value( $ ) {
 # Strip off superfluous leading zeros from a hex number
 #
 sub normalize_hex( $ ) {
-    my $val = lc shift;
+    my $val = lc $_[0];

-    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
+    $val =~ s/^0+/0/;
    $val;
 }

@@ -1899,6 +1909,10 @@ sub find_file($)

    return $filename if $filename =~ '/';

+    my $file = $filecache{$filename};
+
+    return $file if $file;
+
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
@@ -2149,6 +2163,12 @@ sub supplied( $ ) {
    defined $val && $val ne '';
 }

+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Pre-process a line from a configuration file.

@@ -2505,20 +2525,49 @@ sub join_parts( $$$ ) {
 }

 #
-# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
+# Declare passed() in Shorewall::User
 #
-sub evaluate_expression( $$$ ) {
-    my ( $expression , $filename , $linenumber ) = @_;
+sub declare_passed() {
+    my $result = ( eval q(package Shorewall::User;
+                          use strict;
+                          sub passed( $ ) {
+                              my $val = shift;
+                              defined $val && $val ne '' && $val ne '-';
+                          }
+
+                          1;) );
+    assert( $result, $@ );
+}
+
+#
+# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
+#
+sub evaluate_expression( $$$$ ) {
+    my ( $expression , $filename , $linenumber, $just_expand ) = @_;
    my $val;
    my $count = 0;
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
+
+    #                     $1                   $2
+    if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
+	my $val = passed($actparams{$2});
+
+	return $1 ? ! $val : $val unless $debug;
+
+	$val = $1 ? ! $val : $val;
+
+	print "EXPR=> '$val'\n" if $debug;
+
+	return $val;
+    }
+
    #                         $1      $2   $3                     -     $4
    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);

 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} else {
 	    $val = ( exists $variables{$var} ? $variables{$var} :
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
@@ -2533,7 +2582,7 @@ sub evaluate_expression( $$$ ) {
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
-	    $val = $var ? $actparms{$var} : $chain;
+	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2564,13 +2613,19 @@ sub evaluate_expression( $$$ ) {

    print "EXPR=> $expression\n" if $debug;

-    if ( $expression =~ /^\d+$/ ) {
+    if ( $just_expand || $expression =~ /^\d+$/ ) {
 	$val = $expression
    } else {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
+
+	declare_passed unless $evals++;
+
+	$val = eval qq(package Shorewall::User;
+                       use strict;
+                       # line $linenumber "$filename"
+                       $expression);

 	unless ( $val ) {
 	    directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
@@ -2601,7 +2656,7 @@ sub process_compiler_directive( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;

    my ($keyword, $expression) = ( uc $1, $2 );

@@ -2619,7 +2674,7 @@ sub process_compiler_directive( $$$$ ) {
    my %directives =
 	( IF => sub() {
 	    directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
-	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
+	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
 	    push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	    $omitting = $nextomitting;
 	  } ,
@@ -2631,7 +2686,7 @@ sub process_compiler_directive( $$$$ ) {
 		  #
 		  # We can only change to including if we were previously omitting
 		  #
-		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
+		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
 		  $included = ! $omitting;
 	      } else {
 		  #
@@ -2667,15 +2722,17 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2;
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      my $val = $actparms{$var} = evaluate_expression ( $expression,
+		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      my $val = $actparams{$var} = evaluate_expression ( $expression,
 									$filename,
-									$linenumber );
+									$linenumber,
+									0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
-							    $linenumber );
+							    $linenumber,
+							    0 );
 		  }
 	      }
 	  } ,
@@ -2699,12 +2756,12 @@ sub process_compiler_directive( $$$$ ) {
 		  if ( ( $1 || '' ) eq '@' ) {
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      if ( exists $actparms{$var} ) {
+		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      if ( exists $actparams{$var} ) {
 			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
-			      $actparms{$var} = '';
+			      $actparams{$var} = '';
 			  } else {
-			      delete $actparms{$var}
+			      delete $actparams{$var}
 			  }
 		      } else {
 			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
@@ -2735,8 +2792,16 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
 		  }
 	      }
-	  }
+	  } ,

+	  ERROR => sub() {
+	      directive_error( evaluate_expression( $expression ,
+						    $filename ,
+						    $linenumber ,
+						    1 ) ,
+			       $filename ,
+			       $linenumber ) unless $omitting;
+	  }
 	);

    if ( my $function = $directives{$keyword} ) {
@@ -2792,6 +2857,11 @@ sub copy( $ ) {
 		print $script $_;
 		print $script "\n";
 		$lastlineblank = 0;
+
+		if ( $debug ) {
+		    s/\n/\nGS-----> /g;
+		    print "GS-----> $_\n";
+		}
 	    }
 	}

@@ -3119,7 +3189,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;

-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );

    $directive_callback->( 'PERL', $currentline ) if $directive_callback;

@@ -3146,6 +3216,8 @@ sub embedded_perl( $ ) {

    $embedded++;

+    declare_passed unless $evals++;
+
    unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
@@ -3206,32 +3278,32 @@ sub push_action_params( $$$$$$ ) {
    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
    my @parms = ( undef , split_list3( $parms , 'parameter' ) );

-    $actparms{modified}   = $parmsmodified;
-    $actparms{usedcaller} = $usedcaller;
+    $actparams{modified}   = $parmsmodified;
+    $actparams{usedcaller} = $usedcaller;

-    my %oldparms = %actparms;
+    my %oldparms = %actparams;

    $parmsmodified = 0;
    $usedcaller    = 0;

-    %actparms = ();
+    %actparams = ();

    for ( my $i = 1; $i < @parms; $i++ ) {
 	my $val = $parms[$i];

-	$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
+	$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
    }

-    $actparms{0}           = $chainref;
-    $actparms{action}      = $action;
-    $actparms{loglevel}    = $loglevel;
-    $actparms{logtag}      = $logtag;
-    $actparms{caller}      = $caller;
-    $actparms{disposition} = '' if $chainref->{action};
+    $actparams{0}           = $chainref;
+    $actparams{action}      = $action;
+    $actparams{loglevel}    = $loglevel;
+    $actparams{logtag}      = $logtag;
+    $actparams{caller}      = $caller;
+    $actparams{disposition} = '' if $chainref->{action};
    #
    # The Shorewall variable '@chain' has the non-word charaters removed
    #
-    ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;

    \%oldparms;
 }
@@ -3244,10 +3316,10 @@ sub push_action_params( $$$$$$ ) {
 #
 sub pop_action_params( $ ) {
    my $oldparms       = shift;
-    %actparms          = %$oldparms;
+    %actparams          = %$oldparms;
    my $return         = $parmsmodified | $usedcaller;
-    ( $parmsmodified ) = delete $actparms{modified}   || 0;
-    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
+    ( $parmsmodified ) = delete $actparams{modified}   || 0;
+    ( $usedcaller )    = delete $actparams{usedcaller} || 0;
    $return;
 }

@@ -3257,11 +3329,11 @@ sub default_action_params {

    for ( $i = 1; 1; $i++ ) {
 	last unless defined ( $val = shift );
-	my $curval = $actparms{$i};
-	$actparms{$i} = $val unless supplied( $curval );
+	my $curval = $actparams{$i};
+	$actparams{$i} = $val unless supplied( $curval );
    }

-    fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
+    fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }

 sub get_action_params( $ ) {
@@ -3272,53 +3344,65 @@ sub get_action_params( $ ) {
    my @return;

    for ( my $i = 1; $i <= $num; $i++ ) {
-	my $val = $actparms{$i};
+	my $val = $actparams{$i};
 	push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
    }

    @return;
 }

+sub setup_audit_action( $ ) {
+    my ( $action ) = @_;
+
+    my ( $target, $audit ) = get_action_params( 2 );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
+	fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
+	$actparams{1} = "A_$target" unless $target =~ /^A_/;
+    }
+}
+
 #
 # Returns the Level and Tag for the current action chain
 #
 sub get_action_logging() {
-    @actparms{ 'loglevel', 'logtag' };
+    @actparams{ 'loglevel', 'logtag' };
 }

 sub get_action_chain() {
-    $actparms{0};
+    $actparams{0};
 }

 sub get_action_chain_name() {
-    $actparms{chain};
+    $actparams{chain};
 }

 sub set_action_name_to_caller() {
-    $actparms{chain} = $actparms{caller};
+    $actparams{chain} = $actparams{caller};
 }

 sub get_action_disposition() {
-    $actparms{disposition};
+    $actparams{disposition};
 }

 sub set_action_disposition($) {
-    $actparms{disposition} = $_[0];
+    $actparams{disposition} = $_[0];
 }

 sub set_action_param( $$ ) {
    my $i = shift;

    fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
-    $actparms{$i} = shift;
+    $actparams{$i} = shift;
 }

 #
-# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config, 
+# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config, 
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
    #                         $1      $2   $3                   -     $4
    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {

@@ -3332,16 +3416,16 @@ sub expand_variables( \$ ) {
 	    if ( $config{IGNOREUNKNOWNVARIABLES} ) {
 		fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
 	    } else {
-		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
+		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
 								    ( length( $var ) == 1 ||
 								      $var !~ /^0/ ) );
 	    }

-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} elsif ( exists $variables{$var} ) {
 	    $val = $variables{$var};
-	} elsif ( exists $actparms{$var} ) { 
-	    $val = $actparms{$var};
+	} elsif ( exists $actparams{$var} ) { 
+	    $val = $actparams{$var};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
@@ -3360,7 +3444,7 @@ sub expand_variables( \$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
-	    my $val = $var ? $actparms{$var} : $actparms{chain};
+	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
@@ -3420,17 +3504,17 @@ sub handle_first_entry() {
 sub read_a_line($) {
    my $options = $_[0];

+  LINE:
    while ( $currentfile ) {
-
 	$currentline = '';
 	$currentlinenumber = 0;

 	while ( <$currentfile> ) {
 	    chomp;
 	    #
-	    # Handle conditionals
+	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3444,7 +3528,7 @@ sub read_a_line($) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
+	    s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
@@ -3455,19 +3539,20 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
+	    # We now have a (possibly concatenated) line
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
-		    handle_first_entry if $first_entry;
-		    embedded_shell( $1 );
-		    next;
-		}
-
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
-		    next;
+		    next LINE;
+		}
+
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
+		    handle_first_entry if $first_entry;
+		    embedded_shell( $1 );
+		    next LINE;
 		}
 	    }
 	    #
@@ -3479,7 +3564,7 @@ sub read_a_line($) {
 		#
 		# Ignore (concatinated) blank lines
 		#
-		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		next LINE if $currentline =~ /^\s*$/;
 		#
 		# Eliminate trailing whitespace
 		#
@@ -3490,7 +3575,7 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Expand Shell Variables using %params and %actparms
+	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;

@@ -3510,18 +3595,16 @@ sub read_a_line($) {
 		    push_include;
 		    $currentfile = undef;
 		    do_open_file $filename;
-		} else {
-		    $currentlinenumber = 0;
 		}

-		$currentline = '';
-            } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
-                my $sectionname = $1;
-                fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
-                fatal_error "This file does not allow ?SECTION" unless $section_function;
-                $section_function->($sectionname);
-                $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
-                $currentline = '';
+		next LINE;
+	    } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
+		my $sectionname = $1;
+		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
+		fatal_error "This file does not allow ?SECTION" unless $section_function;
+		$section_function->($sectionname);
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
@@ -4912,6 +4995,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
+    update_default( 'PAGER',          '' );

    my $fn;

@@ -5919,8 +6003,9 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'IGNOREUNKNOWNVARIABLES'     , 'Yes';
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
+    default_yes_no 'MINIUPNPD'                  , 'No';

-    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 
+    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

@@ -6023,7 +6108,7 @@ sub get_configuration( $$$$ ) {

    default_log_level 'SFILTER_LOG_LEVEL', 'info';

-    if ( $val = $config{SFILTER_DISPOSITION} ) {
+    if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
    } else {
@@ -6032,14 +6117,14 @@ sub get_configuration( $$$$ ) {

    default_log_level 'RPFILTER_LOG_LEVEL', 'info';

-    if ( $val = $config{RPFILTER_DISPOSITION} ) {
+    if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
    } else {
 	$config{RPFILTER_DISPOSITION} = 'DROP';
    }

-    if ( $val = $config{MACLIST_DISPOSITION} ) {
+    if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{MACLIST_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6058,7 +6143,7 @@ sub get_configuration( $$$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
    }

-    if ( $val = $config{RELATED_DISPOSITION} ) {
+    if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{RELATED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6077,7 +6162,7 @@ sub get_configuration( $$$$ ) {
 	$globals{RELATED_TARGET}      = 'ACCEPT';
    }

-    if ( $val = $config{INVALID_DISPOSITION} ) {
+    if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{INVALID_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6096,7 +6181,7 @@ sub get_configuration( $$$$ ) {
 	$globals{INVALID_TARGET}      = '';
    }

-    if ( $val = $config{UNTRACKED_DISPOSITION} ) {
+    if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{UNTRACKED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6115,7 +6200,7 @@ sub get_configuration( $$$$ ) {
 	$globals{UNTRACKED_TARGET}        = '';
    }

-    if ( $val = $config{MACLIST_TABLE} ) {
+    if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
 	} else {
@@ -6125,7 +6210,7 @@ sub get_configuration( $$$$ ) {
 	default 'MACLIST_TABLE' , 'filter';
    }

-    if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
+    if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
 	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
 	require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
    } else {
@@ -6156,7 +6241,7 @@ sub get_configuration( $$$$ ) {
 	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
    }

-    if ( $val = $config{TC_PRIOMAP} ) {
+    if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
 	my @priomap = split ' ',$val;
 	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
 	for ( @priomap ) {
@@ -6175,12 +6260,13 @@ sub get_configuration( $$$$ ) {
    default 'QUEUE_DEFAULT'         , 'none';
    default 'NFQUEUE_DEFAULT'       , 'none';
    default 'ACCEPT_DEFAULT'        , 'none';
-    default 'OPTIMIZE'              , 0;

    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }

+    default 'OPTIMIZE' , 0;
+
    if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
 	$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
    } elsif ( $val =~ /^none$/i ) {
@@ -6438,7 +6524,7 @@ sub generate_aux_config() {

    if ( -f $fn ) {
 	emit( '',
-	      'dump_filter() {' );
+	      'dump_filter1() {' );
 	push_indent;
 	append_file( $fn,1 ) or emit 'cat -';
 	pop_indent;
@@ -6515,6 +6601,7 @@ sub report_used_capabilities() {
 }

 END {
+    print "eval() called $evals times\n" if $debug;
    cleanup;
 }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -132,7 +132,7 @@ sub setup_ecn()
 	    }

 	    for my $host ( @hosts ) {
-		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -629,38 +629,24 @@ sub process_stoppedrules() {
 }

 sub create_docker_rules() {
-    my $chainref = $nat_table->{PREROUTING};
+    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );

-    add_commands( $chainref , 'if [ -n "$g_docker" ]; then' );
-    incr_cmd_level( $chainref );
-    add_ijump( $chainref, j => 'DOCKER', addrtype => '--dst-type LOCAL' );
-    decr_cmd_level( $chainref );
-    add_commands( $chainref, 'fi' );
+    my $chainref = $filter_table->{FORWARD};

-    add_commands( $chainref = $nat_table->{OUTPUT} , 'if [ -n "$g_docker" ]; then' );
-    incr_cmd_level( $chainref );
-    add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '! 127.0.0.0/8', addrtype => '--dst-type LOCAL' );
-    decr_cmd_level( $chainref );
-    add_commands( $chainref, 'fi' );
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );

-    add_commands( $chainref = $filter_table->{FORWARD}, 'if [ -n "$g_docker" ]; then' );
-    incr_cmd_level( $chainref );
-    add_ijump_extended( $chainref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
-
-    unless ( known_interface('docker0') ) {
-	#
-	# Emulate the Docker-generated rules
-	#
-	add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
-	#
-	# Docker creates two ACCEPT rules for traffic forwarded from docker0 -- one for routeback and one for the rest
-	# We combine them into a single rule
-	#
-	add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0' );
+    if ( my $dockerref = known_interface('docker0') ) {
+	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
+	incr_cmd_level( $chainref );
+	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
+	decr_cmd_level( $chainref );
+	add_commands( $chainref, 'fi' );
    }

-    decr_cmd_level( $chainref );
-    add_commands( $chainref, 'fi' );
+    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
 }

 sub setup_mss();
@@ -1109,10 +1095,18 @@ sub add_common_rules ( $ ) {

 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

+	    my $chainref1;
+
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
 	    $announced = 1;

 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} ,  j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{POSTROUTING} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}

@@ -2493,9 +2487,18 @@ EOF
    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
    fi
-
 EOF

+    if ( $config{DOCKER} ) {
+	push_indent;
+	emit( 'if [ $COMMAND = stop ]; then' );
+	push_indent;
+	save_docker_rules( $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}');
+	pop_indent;
+	emit( "fi\n");
+	pop_indent;
+    }
+
    if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
    if [ -f ${VARDIR}/nat ]; then
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -69,6 +69,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
+    my $prerule       = '';
    #
    # Leading '+'
    #
@@ -83,6 +84,13 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    }	
    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
+    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
@@ -165,7 +173,9 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-	unless ( $interfaceref->{root} ) {
+	if ( $interfaceref->{root} ) {
+	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	} else {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -336,7 +346,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     '' ,
+		     $prerule ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
@@ -449,7 +459,9 @@ sub do_one_nat( $$$$$ )

    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-    unless ( $interfaceref->{root} ) {
+    if ( $interfaceref->{root} ) {
+	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+    } else {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -551,7 +563,9 @@ sub setup_netmap() {
 		    $net1 = validate_net $net1, 0;
 		    $net2 = validate_net $net2, 0;

-		    unless ( $interfaceref->{root} ) {
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -828,12 +828,12 @@ sub add_a_provider( $$ ) {

 	if ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		emit  "qt \$IP -$family rule del from $address";
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" );
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -993,12 +993,19 @@ CEOF
 	    }
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
-		emit( "run_ip rule add from $address pref 20000 table $id" ,
-		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+		if ( $persistent ) {
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    run_ip rule add from $address pref 20000 table $id),
+			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
+			  qq(fi) );
+		} else {
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit( "run_ip rule add from $address pref 20000 table $id" ,
+			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+		}
 	    } elsif ( ! $pseudo ) {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -1283,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";

    if ( $persistent ) {
-	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
 	push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -126,6 +126,7 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockernetwork=

 initialize

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=Yes

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -186,6 +192,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -197,6 +203,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -25,6 +25,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -194,6 +200,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -197,6 +203,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -30,44 +30,32 @@

 DEFAULTS DROP,-

+?if __ADDRTYPE
+@1	-	-	-	;; -m addrtype --dst-type BROADCAST
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+?else
 ?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;

-my ( $action, $audit ) = get_action_params( 2 );
-
-fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
+my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
-
 my ( $level, $tag )    = get_action_logging;
-my $target             = require_audit ( $action , $audit );

-if ( have_capability( 'ADDRTYPE' ) ) {
-    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }
+add_commands $chainref, 'for address in $ALL_BCASTS; do';
+incr_cmd_level $chainref;
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+add_jump $chainref, $action, 0, "-d \$address ";
+decr_cmd_level $chainref;
+add_commands $chainref, 'done';

-    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
-} else {
-    add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-    add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
-}
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';

 1;

 ?end perl;
+?endif
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -30,4 +30,4 @@

 DEFAULTS DROP

-IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
+@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -28,30 +28,16 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,-,DROP,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -61,7 +47,7 @@ COUNT
 #
 # Special Handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -30,19 +30,6 @@

 DEFAULTS ACCEPT

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'ESTABLISHED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.GlusterFS
+++ b/Shorewall/action.GlusterFS
@@ -11,20 +11,11 @@

 DEFAULTS 2,0

-?begin perl
-
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Chains;
-use Shorewall::Rules;
-use strict;
-
-my ( $bricks, $ib ) = get_action_params( 2 );
-
-fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
-fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
-
-?end perl
-
+?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
+    ?error Invalid value for Bricks (@1)
+?elsif @2 !~ /^[01]$/
+    ?error Invalid value for IB (@2)
+?endif

 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -30,24 +30,6 @@

 DEFAULTS DROP,-

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
-     $action = "A_$action";
-}
-
-if ( my $check = check_state( 'INVALID' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
+#
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+#   New[([<action>])]
 #
 #       Default action is ACCEPT
 #
@@ -30,19 +30,6 @@

 DEFAULTS ACCEPT

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'NEW' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -30,23 +30,4 @@

 DEFAULTS DROP,-

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
-     $action = "A_$action";
-}    
-
-perl_action_tcp_helper( $action, '-p 6 ! --syn' );
-
-1;
-
-?end perl;
+@1	 -	-	;;+  -p 6 ! --syn
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -30,21 +30,4 @@

 DEFAULTS DROP,-

-?begin perl;
-
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
-     $action = "A_$action";
-}    
-
-perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
-
-1;
-
-?end perl;
+@1	 -	-	;;+ -p 6 --tcp-flags RST RST
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -27,30 +27,16 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO
 #
@@ -60,7 +46,7 @@ COUNT
 #
 # Special handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -30,20 +30,6 @@

 DEFAULTS DROP

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'RELATED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -12,11 +12,6 @@
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP

 DEFAULTS -,ACCEPT,src

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -12,30 +12,18 @@

 DEFAULTS -

-?begin perl;
-use strict;
-use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
-perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
-
-?end perl;
-
-
-
-
+?if passed(@1)
+    ?if @1 eq 'audit'
+        ?set tcpflags_action 'A_DROP'
+    ?else
+	?error The parameter to TCPFlags must be 'audit' or '-'
+    ?endif
+?else
+    ?set tcpflags_action 'DROP'
+?endif

+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -29,19 +29,6 @@
 ##########################################################################################
 DEFAULTS DROP

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'UNTRACKED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.allowInvalid
+++ b/Shorewall/action.allowInvalid
@@ -28,25 +28,12 @@

 DEFAULTS -

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'ACCEPT';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
-     $action = "A_ACCEPT";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;
+?if passed(@1)
+    ?if @1 eq 'audit'
+Invalid(A_ACCEPT)
+    ?else
+        ?error The first parameter to allowInvalid must be 'audit' or '-'
+    ?endif
+?else
+Invalid(ACCEPT)
+?endif
--- a/Shorewall/action.dropInvalid
+++ b/Shorewall/action.dropInvalid
@@ -28,25 +28,14 @@

 DEFAULTS -

-?begin perl;
+DEFAULTS -

-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;
+?if passed(@1)
+    ?if @1 eq 'audit'
+Invalid(A_DROP)
+    ?else
+        ?error The first parameter to dropInvalid must be 'audit' or '-'
+    ?endif
+?else
+Invalid(DROP)
+?endif
--- a/Shorewall/action.mangletemplate
+++ b/Shorewall/action.mangletemplate
@@ -0,0 +1,22 @@
+#
+# Shorewall version 5 - Mangle Action Template
+#
+# /etc/shorewall/action.mangletemplate
+#
+#	This file is a template for files with names of the form
+#	/etc/shorewall/action.<action-name> where <action> is an
+#	ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+#	To define a new action:
+#
+#	1. Add the <action name> to /etc/shorewall/actions with the mangle option
+#	2. Copy this file to /etc/shorewall/action.<action name>
+#	3. Add the desired rules to that file.
+#
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
+# Columns are the same as in /etc/shorewall/mangle.
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,21 +8,18 @@
 #
 # Builtin Actions are:
 #
-#    A_ACCEPT           # Audits then accepts a connection request
-#    A_DROP             # Audits then drops a connection request
-#    A_REJECT		# Audits then drops a connection request
-#    allowBcast		# Silently Allow Broadcast/multicast
-#    dropBcast		# Silently Drop Broadcast/multicast
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
-#                       # work with kernel 2.6.14 and later).
-#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
-#    forwardUPnP	# Allow traffic that upnpd has redirected from
-#			# 'upnp' interfaces.
-#    Limit              # Limit the rate of connections from each individual
-#                       # IP address
-#
+?if 0
+A_ACCEPT                        # Audits then accepts a connection request
+A_DROP                          # Audits then drops a connection request
+A_REJECT		        # Audits then drops a connection request
+allowBcast		        # Silently Allow Broadcast/multicast
+dropBcast		        # Silently Drop Broadcast/multicast
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
+forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit                           # Limit the rate of connections from each individual IP address
+?endif
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
@@ -30,21 +27,25 @@ A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline             # Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
-NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID      #
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
+NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED      #
 ResetEvent   inline		# Reset an Event
-RST	     inline             # Handle packets with RST set
+RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED    #
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -188,6 +194,8 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX=ko

 MULTICAST=No
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall
 #
-#     (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,6 +316,23 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -453,11 +470,15 @@ compiler() {
 	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
+    #
+    # Only use the pager if 'trace' or -r was specified and -d was not
+    #
+    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=

    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
-	$PERL $debugflags $pc $options $@
+	eval $PERL $debugflags $pc $options $@ $g_pager
    else
-	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
+	eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
    fi

    status=$?
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -53,7 +53,19 @@

          <variablelist>
            <varlistentry>
-              <term>builtin</term>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>builtin</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.16. Defines the action as a rule
@@ -86,7 +98,7 @@
            </varlistentry>

            <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>

              <listitem>
                <para>Causes the action body (defined in
@@ -102,10 +114,10 @@
                  way:</para>

                  <simplelist>
-                    <member>Broadcast</member>
-
                    <member>DropSmurfs</member>

+                    <member>IfEvent</member>
+
                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -119,7 +131,19 @@
            </varlistentry>

            <varlistentry>
-              <term>noinline</term>
+              <term><option>mangle</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noinline</option></term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
@@ -128,7 +152,7 @@
            </varlistentry>

            <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
@@ -142,7 +166,16 @@
            </varlistentry>

            <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -68,8 +68,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator </replaceable>indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -111,10 +112,14 @@
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
          FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -123,6 +128,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -339,6 +359,18 @@ DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">ECN</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.6 as an alternative to entries in
+                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                supplied, TCP is assumed. This action causes all ECN bits in
+                the TCP header to be cleared.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -358,7 +390,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
@@ -708,33 +740,6 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
          </variablelist>
-
-          <orderedlist numeration="arabic">
-            <listitem>
-              <para><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
-
-              <para>Added in Shorewall 4.4.24.</para>
-
-              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
-              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. Beginning with Shorewall
-              4.5.7.s, it may be optionally followed by <emphasis
-              role="bold">:P</emphasis>, in which case the rule is added to
-              the PREROUTING chain.</para>
-
-              <para>If <emphasis role="bold">+</emphasis> is included, packets
-              matching the rule will have their TTL incremented by
-              <replaceable>number</replaceable>. Similarly, if <emphasis
-              role="bold">-</emphasis> is included, matching packets have
-              their TTL decremented by <replaceable>number</replaceable>. If
-              neither <emphasis role="bold">+</emphasis> nor <emphasis
-              role="bold">-</emphasis> is given, the TTL of matching packets
-              is set to <replaceable>number</replaceable>. The valid range of
-              values for <replaceable>number</replaceable> is 1-255.</para>
-            </listitem>
-          </orderedlist>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -328,6 +328,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

@@ -546,6 +558,35 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -1400,7 +1441,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -738,11 +738,15 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
-          <para>Added in Shorewall 5.0.6. When set to Yes, the generated
-          script will save Docker-generated rules before and restore them
-          after executing the start, reload and restart commands. If set to No
+          <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
+          the generated script will save Docker-generated rules before and
+          restore them after executing the <command>start</command>,
+          <command>stop</command>, <command>reload</command> and
+          <command>restart</command> commands. If set to <option>No</option>
          (the default), the generated script will delete any Docker-generated
-          rules when executing those commands.</para>
+          rules when executing those commands. See<ulink url="/Docker.html">
+          http://www.shorewall.net/Docker.html</ulink> for additional
+          information.</para>
        </listitem>
      </varlistentry>

@@ -994,7 +998,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1544,6 +1548,18 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1632,7 +1648,7 @@ LOG:info:,bar                        net                    fw</programlisting>

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
@@ -1643,6 +1659,10 @@ LOG:info:,bar                        net                    fw</programlisting>
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
          role="bold">g_family</emphasis> holds '4'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
        </listitem>
      </varlistentry>

@@ -1948,6 +1968,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2748,6 +2781,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
        </listitem>
      </varlistentry>

--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6 Lite
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=Yes

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -19,6 +19,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -31,37 +31,24 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed($1)
+    ?if $1 eq 'audit'
+DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
 #
+?if passed($2)
 Auth($2)
+?endif
 #
 # ACCEPT critical ICMP types
 #
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -27,37 +27,24 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' -- REJECT
 #
+?if passed($2)
 Auth($2)
+?endif
 #
 # Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
--- a/Shorewall6/action.mangletemplate
+++ b/Shorewall6/action.mangletemplate
@@ -0,0 +1,22 @@
+#
+# Shorewall version 5 - Mangle Action Template
+#
+# /etc/shorewall6/action.mangletemplate
+#
+#	This file is a template for files with names of the form
+#	/etc/shorewall/action.<action-name> where <action> is an
+#	ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+#	To define a new action:
+#
+#	1. Add the <action name> to /etc/shorewall6/actions with the mangle option
+#	2. Copy this file to /etc/shorewall6/action.<action name>
+#	3. Add the desired rules to that file.
+#
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
+# Columns are the same as in /etc/shorewall6/mangle.
+#
+############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,11 +8,12 @@
 #
 # Builtin Actions are:
 #
-#    allowBcasts        # Accept multicast and anycast packets
-#    dropBcasts         # Silently Drop multicast and anycast packets
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#
+?if 0
+allowBcasts                     # Accept multicast and anycast packets
+dropBcasts                      # Silently Drop multicast and anycast packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
@@ -26,15 +27,19 @@ Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
-Invalid	     inline		# Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED
 ResetEvent   inline		# Reset an Event
 RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handles bad flags combinations
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -53,6 +53,18 @@
          <para>Added in Shorewall 4.5.10. Available options are:</para>

          <variablelist>
+            <varlistentry>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>builtin</term>

@@ -87,7 +99,7 @@
            </varlistentry>

            <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>

              <listitem>
                <para>Causes the action body (defined in
@@ -103,10 +115,10 @@
                  way:</para>

                  <simplelist>
-                    <member>Broadcast</member>
-
                    <member>DropSmurfs</member>

+                    <member>IfEvent</member>
+
                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -120,7 +132,19 @@
            </varlistentry>

            <varlistentry>
-              <term>noinline</term>
+              <term><option>mangle</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
+                rather than <ulink
+                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noinline</option></term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
@@ -129,7 +153,7 @@
            </varlistentry>

            <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
@@ -143,7 +167,16 @@
            </varlistentry>

            <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -69,8 +69,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator</replaceable> indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -112,10 +113,14 @@
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
          and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -124,6 +129,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -381,7 +401,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -303,6 +303,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

@@ -523,6 +535,35 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -1265,7 +1306,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -846,7 +846,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1436,7 +1436,7 @@ LOG:info:,bar                        net                    fw</programlisting>

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
@@ -1447,6 +1447,10 @@ LOG:info:,bar                        net                    fw</programlisting>
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
          role="bold">g_family</emphasis> holds '6'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
        </listitem>
      </varlistentry>

@@ -1691,6 +1695,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2406,6 +2423,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
        </listitem>
      </varlistentry>

--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -32,6 +32,8 @@

      <year>2013</year>

+      <year>2015-2016</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -397,6 +399,27 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
      url="configuration_file_basics.htm#ActionVariables">Action Variables
      section</ulink> of the Configuration Basics article.</para>
    </section>
+
+    <section>
+      <title>Mangle Actions</title>
+
+      <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
+      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
+      <ulink
+      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
+      Because the rules and mangle files have different column layouts,
+      actions can be defined to be used in one file or the other but not in
+      both. To designate an action to be used in the mangle file, specify the
+      <option>mangle</option> option in the action's entry in <ulink
+      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
+      <ulink
+      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
+
+      <para>To create a mangle action, follow the steps in the preceding
+      section, but use the
+      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
+      </para>
+    </section>
  </section>

  <section id="Logging">
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Docker Support</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2016</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Shorewall 5.0.5 and Earlier</title>
+
+    <para>Both Docker and Shorewall assume that they 'own' the iptables
+    configuration. This leads to problems when Shorewall is restarted or
+    reloaded, because it drops all of the rules added by Docker. Fortunately,
+    the extensibility features in Shorewall allow users to <ulink
+    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
+    their own solution</ulink> for saving the Docker-generated rules before
+    these operations and restoring them afterwards.</para>
+  </section>
+
+  <section>
+    <title>Shorewall 5.0.6 and Later</title>
+
+    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
+    simple Docker configurations. This support is enabled by setting
+    DOCKER=Yes in shorewall.conf. With this setting, the generated script
+    saves the Docker-created ruleset before executing a
+    <command>stop</command>, <command>start</command>,
+    <command>restart</command> or <command>reload</command> operation and
+    restores those rules along with the Shorewall-generated ruleset.</para>
+
+    <para>This support assumes that the default Docker bridge (docker0) is
+    being used. It is recommended that this bridge be defined to Shorewall in
+    <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
+    As shown below, you can control inter-container communication using the
+    <option>bridge</option> and <option>routeback</option> options. If docker0
+    is not defined to Shorewall, then Shorewall will save and restore the
+    FORWARD chain rules involving that interface.</para>
+
+    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+
+    <programlisting>DOCKER=Yes</programlisting>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE         TYPE        OPTIONS
+dock          ipv4        #'dock' is just an example -- call it anything you like</programlisting>
+
+    <para><filename>/etc/shorewall/policy</filename>:</para>
+
+    <programlisting>#SOURCE        DEST        POLICY         LEVEL
+dock           $FW         REJECT
+dock           all         ACCEPT</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge   #Allow ICC (bridge implies routeback=1)</programlisting>
+
+    <para>or</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge,routeback=0   #Disallow ICC</programlisting>
+  </section>
+</article>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -265,7 +265,7 @@
          </row>

          <row>
-            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
+            <entry><ulink url="Docker.html">Docker</ulink></entry>

            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
@@ -275,8 +275,7 @@
          </row>

          <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
-            subnet</ulink></entry>
+            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>

            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
@@ -285,7 +284,8 @@
          </row>

          <row>
-            <entry><ulink url="Events.html">Events</ulink></entry>
+            <entry><ulink url="ECN.html">ECN Disabling by host or
+            subnet</ulink></entry>

            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
@@ -294,8 +294,7 @@
          </row>

          <row>
-            <entry><ulink url="shorewall_extension_scripts.htm">Extension
-            Scripts (User Exits)</ulink></entry>
+            <entry><ulink url="Events.html">Events</ulink></entry>

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

@@ -304,8 +303,8 @@
          </row>

          <row>
-            <entry><ulink
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            <entry><ulink url="shorewall_extension_scripts.htm">Extension
+            Scripts (User Exits)</ulink></entry>

            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
@@ -315,7 +314,8 @@
          </row>

          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
+            url="fallback.htm">Fallback/Uninstall</ulink></entry>

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

@@ -324,8 +324,7 @@
          </row>

          <row>
-            <entry><ulink
-            url="shorewall_features.htm">Features</ulink></entry>
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>

            <entry><ulink url="PortKnocking.html">Port Knocking
            (deprecated)</ulink></entry>
@@ -334,8 +333,8 @@
          </row>

          <row>
-            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
-            Same Interface</ulink></entry>
+            <entry><ulink
+            url="shorewall_features.htm">Features</ulink></entry>

            <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
            and Other Uses of the 'Recent Match'</ulink></entry>
@@ -344,18 +343,28 @@
          </row>

          <row>
-            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            Same Interface</ulink></entry>

            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+
+            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="FoolsFirewall.html">Fool's
            Firewall</ulink></entry>

-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            Guides</ulink></entry>

            <entry/>
          </row>
@@ -364,8 +373,7 @@
            <entry><ulink url="Helpers.html">Helpers/Helper
            Modules</ulink></entry>

-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
-            Guides</ulink></entry>
+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>

            <entry/>
          </row>
@@ -374,14 +382,6 @@
            <entry><ulink
            url="Install.htm">Installation/Upgrade</ulink></entry>

-            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
-
-            <entry/>
-          </row>
-
-          <row>
-            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
-
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>

@@ -389,7 +389,7 @@
          </row>

          <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>

            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>
@@ -398,7 +398,7 @@
          </row>

          <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>

            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>
@@ -407,18 +407,27 @@
          </row>

          <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>

            <entry><ulink url="samba.htm">Samba</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+
+            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="ISO-3661.html">ISO 3661 Country
            Codes</ulink></entry>

-            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
+            Init</ulink></entry>

            <entry/>
          </row>
@@ -427,8 +436,8 @@
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>

-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            Lite</ulink></entry>

            <entry/>
          </row>
@@ -437,8 +446,7 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>

-            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Lite</ulink></entry>
+            <entry/>

            <entry/>
          </row>
--- a/docs/ECN.xml
+++ b/docs/ECN.xml
@@ -118,6 +118,10 @@
          </tgroup>
        </table></para>
    </example>
+
+    <para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
+    ECN flags through use of the ECN action in <ulink
+    url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
  </section>

  <lot/>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2938,6 +2938,29 @@ else
    </section>
  </section>

+  <section>
+    <title>Wifidog</title>
+
+    <section>
+      <title id="faq105">(FAQ 105) Can Shorewall work with Wifidog?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: Yes, with a couple of
+      restrictions:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>Wifidog must be started after Shorewall. If Shorewall is
+          restarted/reloaded, then wifidog must be restarted.</para>
+        </listitem>
+
+        <listitem>
+          <para>FORWARD_CLEAR_MARK must be set to <option>No</option> in
+          shorewall.conf.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
  <section id="Misc">
    <title>Miscellaneous</title>

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -213,6 +213,29 @@
      example.</para>
    </section>

+    <section>
+      <title>USE_DEFAULT_RT</title>
+
+      <para>The behavior and configuration of Multiple ISP support is
+      dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
+
+      <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
+      routing table <emphasis>which does not contain a default
+      route</emphasis>. Packets which fail to be routed by an entry in the
+      main table are then passed to shorewall-defined routing tables based on
+      your Multi-ISP configuration. The advantage of this approach is that
+      dynamic changes to the ip configuration, such as VPNs going up and down,
+      do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
+      default and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+      <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
+      routing tables. As a consequence, the main routing table must be copied
+      into each of those tables and must be recopied when there is a change to
+      the main table. This can only be accomplished via a
+      <command>shorewall[6] reload</command> or <command>restart</command>
+      command.</para>
+    </section>
+
    <section id="providers">
      <title>/etc/shorewall/providers File</title>

@@ -672,7 +695,7 @@ fi</programlisting>
      interfaces should be routed through the main table using entries in
      <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
      linkend="Examples">below</link>) or by using <link
-      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link>.</para>
+      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>

      <para>In addition:</para>

@@ -902,6 +925,43 @@ eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
    </section>

+    <section id="Example2">
+      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+
+      <para>This section shows the differences in configuring the above
+      example with USE_DEFAULT_RT=Yes. The changes are confined to the
+      DUPLICATE and COPY columns of the providers file.</para>
+
+      <para>The configuration in the figure at the top of this section would
+      be specified in <filename>/etc/shorewall/providers</filename> as
+      follows.</para>
+
+      <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS          COPY
+ISP1    1       1       <emphasis role="bold">- </emphasis>              eth0            206.124.146.254 track,balance    <emphasis
+          role="bold">-</emphasis>
+ISP2    2       2       <emphasis role="bold">-</emphasis>               eth1            130.252.99.254  track,balance    <emphasis
+          role="bold">-</emphasis></programlisting>
+
+      <para>Other configuration files go something like this:</para>
+
+      <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+net      eth0         detect          …          
+net      eth1         detect          …</programlisting>
+
+      <para><filename>/etc/shorewall/policy</filename>:</para>
+
+      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
+net        net            DROP</programlisting>
+
+      <para><filename>/etc/shorewall/masq</filename>:</para>
+
+      <programlisting>#INTERFACE       SOURCE            ADDRESS
+eth0             0.0.0.0/0         206.124.146.176
+eth1             0.0.0.0/0         130.252.99.27</programlisting>
+    </section>
+
    <section id="Applications">
      <title>Routing a Particular Application Through a Specific
      Interface</title>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -175,20 +175,23 @@

        <listitem>
          <para><filename>/etc/shorewall/init</filename> - commands that you
-          wish to execute at the beginning of a <quote>shorewall start</quote>
-          or <quote>shorewall restart</quote>.</para>
+          wish to execute at the beginning of a <quote>shorewall
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote>.</para>
        </listitem>

        <listitem>
          <para><filename>/etc/shorewall/start</filename> - commands that you
          wish to execute near the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
        </listitem>

        <listitem>
          <para><filename>/etc/shorewall/started</filename> - commands that
          you wish to execute after the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
        </listitem>

        <listitem>
@@ -1779,6 +1782,10 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink url="Macros.html">Macro</ulink> files</para>
      </listitem>

+      <listitem>
+        <para><ulink url="Actions.html">Action</ulink> files</para>
+      </listitem>
+
      <listitem>
        <para><ulink
        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -1985,6 +1992,33 @@ SSH(ACCEPT)    net:$MYIP      $FW
    @disposition are used to generated the --log-prefix in logging rules. When
    either is empty, the historical value is used to generate the
    --log-prefix.</para>
+
+    <para>Within an action body, if a parameter is omitted in a DEFAULTS
+    statement, then the value of the corresponding action and Shorewall
+    variables is '-', while if the parameter is specified as '-' in the
+    parameter list, the value of the action/Shorewall variable is '', if it is
+    expanded before the DEFAULTS statement.</para>
+
+    <para>Additionally, when an expression is evaluated, the value 0 evaluates
+    as false, so '?IF @n' and '?IF $n' fail if the nth parameter is passed
+    with value zero. To make testing of the presense of parameters more
+    efficient and uniform, an new function has been added in Shorewall 5.0.7
+    for use in ?IF and ?ELSEIF:</para>
+
+    <simplelist>
+      <member>?IF [!] passed(&lt;variable&gt;)</member>
+    </simplelist>
+
+    <para>where &lt;variable&gt; is an action or Shorewall variable.</para>
+
+    <para>'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
+    is not empty and its contents are other than '-'. If '!' is present, the
+    result is inverted.</para>
+
+    <para>In this simple form, the expression is evaluated by the compiler
+    without having to invoke the (expensive) Perl exec() function. The
+    'passed' function may also be used in more complex expressions, but exec()
+    will be invoked to evaluate those expressions.</para>
  </section>

  <section id="Conditional">
@@ -2168,6 +2202,31 @@ SSH(ACCEPT)    net:$MYIP      $FW
 &lt;lines to be included if all three expressions evaluate to false.

 ?ENDIF</programlisting>
+
+    <para>Beginning in Shorewall 5.0.7, an error can be raised using the
+    ?ERROR directive:</para>
+
+    <programlisting>?ERROR <replaceable>message</replaceable></programlisting>
+
+    <para>Variables in the message are evaluated and the result appears in a
+    standard Shorewall ERROR: message.</para>
+
+    <para>Example from the 5.0.7 action.GlusterFS:</para>
+
+    <programlisting>?if @1 !~ /^\d+/ || ! @1 || @1 &gt; 1024
+    ?error Invalid value for Bricks (@1)
+?elsif @2 !~ /^[01]$/
+    ?error Invalid value for IB (@2)
+?endif
+</programlisting>
+
+    <para>The above code insures that the first action paramater is a non-zero
+    number &lt;= 1024 and that the second parameter is either 0 or 1. If 2000
+    is passed for the first parameter, the following error message is
+    generated:</para>
+
+    <programlisting>   ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
+      from /etc/shorewall/rules (line 45)</programlisting>
  </section>

  <section id="Embedded">
@@ -2518,6 +2577,44 @@ Shorewall has detected the following iptables/netfilter capabilities:
    "!tcp").</para>
  </section>

+  <section id="Ranges">
+    <title>Port Ranges</title>
+
+    <para>If you need to specify a range of ports, the proper syntax is
+    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
+    to forward the range of tcp ports 4000 through 4100 to local host
+    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
+
+    <para>If you omit the low port number, a value of zero is assumed; if you
+    omit the high port number, a value of 65535 is assumed.</para>
+
+    <para>Also, unless otherwise documented, a port range can be preceded by
+    '!' to specify "All ports except those in this range" (e.g.,
+    "!4000:4100").</para>
+  </section>
+
+  <section id="Portlists">
+    <title>Port Lists</title>
+
+    <para>In most cases where a port or port range may appear, a
+    comma-separated list of ports or port ranges may also be entered.
+    Shorewall requires the Netfilter <emphasis
+    role="bold">multiport</emphasis> match capability if ports lists are used
+    (see the output of "<emphasis role="bold">shorewall show
+    capabilities</emphasis>").</para>
+
+    <para>Also, unless otherwise documented, a port list can be preceded by
+    '!' to specify "All ports except these" (e.g., "!80,443").</para>
+
+    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
+  </section>
+
  <section id="ICMP">
    <title>ICMP and ICMP6 Types and Codes</title>

@@ -2594,44 +2691,6 @@ redirect                      =&gt; 137</programlisting>
    Shorewall 4.4.19.</para>
  </section>

-  <section id="Ranges">
-    <title>Port Ranges</title>
-
-    <para>If you need to specify a range of ports, the proper syntax is
-    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
-    to forward the range of tcp ports 4000 through 4100 to local host
-    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
-
-    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
-DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
-
-    <para>If you omit the low port number, a value of zero is assumed; if you
-    omit the high port number, a value of 65535 is assumed.</para>
-
-    <para>Also, unless otherwise documented, a port range can be preceded by
-    '!' to specify "All ports except those in this range" (e.g.,
-    "!4000:4100").</para>
-  </section>
-
-  <section id="Portlists">
-    <title>Port Lists</title>
-
-    <para>In most cases where a port or port range may appear, a
-    comma-separated list of ports or port ranges may also be entered.
-    Shorewall requires the Netfilter <emphasis
-    role="bold">multiport</emphasis> match capability if ports lists are used
-    (see the output of "<emphasis role="bold">shorewall show
-    capabilities</emphasis>").</para>
-
-    <para>Also, unless otherwise documented, a port list can be preceded by
-    '!' to specify "All ports except these" (e.g., "!80,443").</para>
-
-    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
-    (5) file may specify no more than 15 ports; port ranges appearing in a
-    list count as two ports each.</para>
-  </section>
-
  <section id="MAC">
    <title>Using MAC Addresses</title>

@@ -2684,9 +2743,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>

    <simplelist>
-      <member>LOGRATE=10/minute</member>
-
-      <member>LOGBURST=5</member>
+      <member>LOGLIMIT=10/minute:5</member>
    </simplelist>

    <para>For each logging rule, the first time the rule is reached, the
@@ -2698,11 +2755,6 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    30 seconds, the burst will be fully recharged; back where we
    started.</para>

-    <note>
-      <para>The LOGRATE and LOGBURST options are deprecated in favor of
-      LOGLIMIT.</para>
-    </note>
-
    <para>Shorewall also supports per-IP rate limiting.</para>

    <para>Another example from <ulink
@@ -2736,8 +2788,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    <firstterm>Condition Match Support</firstterm> and you must be running
    Shorewall 4.4.24 or later. See the output of <command>shorewall show
    capabilities</command> and <command>shorewall version</command> to
-    determine if you can use this feature. As of this writing, Condition Match
-    Support requires that you install xtables-addons.</para>
+    determine if you can use this feature.</para>

    <para>The SWITCH column contains the name of a
    <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
@@ -2901,8 +2952,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
        <para>If <emphasis role="bold">detect</emphasis> is specified in the
        ADDRESS column of an entry in <ulink
        url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
-        firewall still start if the optional interface in the INTERFACE column
-        does not have an IP address.</para>
+        firewall still startS if the optional interface in the INTERFACE
+        column does not have an IP address.</para>
      </listitem>
    </itemizedlist>

@@ -2920,7 +2971,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>

    <para>Shorewall allows you to have configuration directories other than
    <filename class="directory">/etc/shorewall</filename>. The shorewall
-    check, start and restart commands allow you to specify an alternate
+    <command>check</command>, <command>start</command> and
+    <command>restart</command> commands allow you to specify an alternate
    configuration directory and Shorewall will use the files in the alternate
    directory rather than the corresponding files in /etc/shorewall. The
    alternate directory need not contain a complete configuration; those files
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Shorewall 4.4/4.5/4.6 Features</title>
+    <title>Shorewall 5.0 Features</title>

    <author>
      <firstname>Tom</firstname>
@@ -16,7 +16,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2014</year>
+      <year>2001-2016</year>

      <holder>Thomas M Eastep</holder>
    </copyright>
@@ -32,13 +32,6 @@
    </legalnotice>
  </articleinfo>

-  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
-    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation for that
-    release.</emphasis></para>
-  </caution>
-
  <section id="Features">
    <title>Features</title>

@@ -278,6 +271,10 @@
          <listitem>
            <para><ulink url="LXC.html">LXC</ulink></para>
          </listitem>
+
+          <listitem>
+            <para>Docker (Shorewall 5.0.6 and later)</para>
+          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -321,6 +321,27 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis
          role="bold">log levels</emphasis>, just like info, debug, etc. even
          though they are not defined by syslog.</para>
        </important></para>
+
+      <para>Here is a copy of a ulogd.conf file that logs to
+      /var/log/firewall. It was contributed by a Shorewall user on IRC:</para>
+
+      <programlisting>[global]
+user="ulogd"
+logfile="/var/log/ulogd/ulogd.log"
+loglevel=7
+
+plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
+plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
+plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
+
+stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
+
+[firewall]
+file="/var/log/firewall"
+sync=1</programlisting>
    </section>
  </section>

--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -854,22 +854,16 @@ DNAT      net       dmz:10.10.11.2:80   tcp        5000</programlisting></para>
            with:<programlisting>#ACTION   SOURCE    DEST            PROTO  DPORT         SPORT    ORIGDEST
 DNAT      loc       dmz:10.10.11.2  tcp    80            -        <emphasis>&lt;external IP&gt;</emphasis></programlisting>If
            you have a dynamic IP then you must ensure that your external
-            interface is up before starting Shorewall and you must take steps
-            as follows (assume that your external interface is <filename
-            class="devicefile">eth0</filename>):<orderedlist>
-                <listitem>
-                  <para>Include the following in /etc/shorewall/params:</para>
+            interface is up before starting Shorewall and you must code the
+            rule as follows (assume that your external interface is <filename
+            class="devicefile">eth0</filename>):</para>

-                  <para><command>ETH0_IP=$(find_interface_address
-                  eth0)</command></para>
-                </listitem>
+            <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
+DNAT      loc       dmz:10.10.11.2   tcp     80            -        &amp;eth0</programlisting>

-                <listitem>
-                  <para>Make your <literal>loc-&gt;dmz</literal> rule:
-                  <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
-DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</programlisting></para>
-                </listitem>
-              </orderedlist></para>
+            <para>'&amp;eth0' expands to the IP address of eth0 (see <ulink
+            url="configuration_file_basics.htm#AddressVariables">this
+            article</ulink>).</para>
          </listitem>

          <listitem>
Author	SHA1	Message	Date
Tom Eastep	3cbfdadb32	Merge branch '5.0.7'	2016-04-01 09:46:53 -07:00
Tom Eastep	81d76e3817	Document + in the MODULESDIR setting. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-01 09:43:06 -07:00
Tom Eastep	df1b1f6768	Add MINIUPNPD option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-01 08:57:08 -07:00
Tom Eastep	3881b38e02	Fix similar INTERFACE column issue in the nat and netmap files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-31 14:16:43 -07:00
Tom Eastep	8a8f3b6f59	Merge branch '5.0.7'	2016-03-31 12:55:16 -07:00
Tom Eastep	b9bed00123	Correct handling of a physical name in a masq rule Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-31 12:52:30 -07:00
Tom Eastep	38aa7797c4	Allow protocol and user lists in actions and macros Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-30 08:34:42 -07:00
Tom Eastep	404540ffe1	Merge branch '5.0.7'	2016-03-30 08:17:19 -07:00
Tom Eastep	dd3c0daa08	Handle inline matches correctly in the mangle file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-29 13:33:47 -07:00
Tom Eastep	4fddfcfba0	More complete fix for inline matches Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-29 13:15:01 -07:00
Tom Eastep	421d5f6043	Move Raw matches to last. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-29 09:31:27 -07:00
Tom Eastep	382ab380a2	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-03-29 07:36:49 -07:00
Tuomo Soini	2342c7cd9c	Perl/Shorewall/Chains.pm: Fix warning with older perl	2016-03-29 09:58:33 +03:00
Tom Eastep	66ae4975b2	Allow :R with DIVERT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-28 15:52:49 -07:00
Tom Eastep	5b7a9db170	Correct clearing of inline matches Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-28 15:48:59 -07:00
Roberto C. Sánchez	899a317c95	Fix typos	2016-03-26 22:25:30 -04:00
Tom Eastep	89adc3ea68	Use an address variable rather than find_first_interface_address() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-26 13:13:15 -07:00
Tom Eastep	ad87d94e33	Small efficiency change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-26 13:12:33 -07:00
Tom Eastep	8a6941707a	Updates to the config basics article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-26 09:01:02 -07:00
Tom Eastep	0b049a55e0	Correct Three-interface doc. - find_interface_address -> find_first_interface_address	2016-03-25 09:34:49 -07:00
Tom Eastep	f86abf9552	Eliminate @columnstack -- simple save the columns array on the call stack. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-22 10:49:40 -07:00
Tom Eastep	9fe1a34412	Tighten up editing of configuration options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-21 12:03:45 -07:00
Tom Eastep	abe533b6e3	Correct the action on ingress filters Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-19 13:45:33 -07:00
Tom Eastep	1c3140789c	Add stab to ingress qdiscs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-19 13:25:39 -07:00
Tom Eastep	0399a346d0	Replace a silly line of code. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-19 12:05:45 -07:00
Tom Eastep	6ed3861d76	Correct Mangle Action Handling for second visit to the same action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 15:25:52 -07:00
Tom Eastep	7a18847c14	Correct handling of log level in a _DEFAULT setting. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 15:25:14 -07:00
Tom Eastep	273c89a753	Implement MARK and CONNMARK in the rules file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 11:42:58 -07:00
Tom Eastep	2bebf1c95a	Make '&' and '\|' work with CONNMARK Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 11:30:52 -07:00
Tom Eastep	18573037f9	More 'check -r' fixes around Docker Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 11:09:39 -07:00
Tom Eastep	818628138b	Add MARK and CONNMARK to the %targets table - Also, sort the table entries Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 10:21:35 -07:00
Tom Eastep	2adec0eb65	Implement a filename cache for find_file() - Don't need to search the CONFIG_PATH for re-open of same file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 09:45:41 -07:00
Tom Eastep	6ae94767b7	Correct a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-18 08:31:52 -07:00
Tom Eastep	9f26c010ac	Remove embedded Perl from allowInvalid and dropInvalid Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-17 08:59:29 -07:00
Tom Eastep	9ab2310dc8	Correct an incorrect comment in process_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-17 08:47:33 -07:00
Tom Eastep	0b5d59870b	Remove embedded Perl from Shorewall6 Drop and Reject actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-16 15:07:59 -07:00
Tom Eastep	c9c5f0174c	Remove trailing blank lines from action.TCPFlags	2016-03-16 14:54:05 -07:00
Tom Eastep	5fc391cb58	Document passed() in the config basics document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-15 15:19:21 -07:00
Tom Eastep	da0653cb2f	Declare passed() in Shorewall::User rather than importing it from Config Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-15 14:16:15 -07:00
Tom Eastep	65ce6ed226	Update modules to use passed() for parameter testing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-15 12:06:32 -07:00
Tom Eastep	eb9dd3e485	Implement passed() in Config.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-15 12:00:56 -07:00
Tom Eastep	796f191d48	Don't re-stat action files in process_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-15 09:03:36 -07:00
Tom Eastep	71c26beab4	Remove dead code (caused by bad test) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 17:56:34 -07:00
Tom Eastep	6f04902963	Make use of 'state=' in actions a fatal error Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 17:55:54 -07:00
Tom Eastep	bd2295c4c3	Avoid embedded Perl in the Broadcast action when ADDRTYPE is available Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 15:57:32 -07:00
Tom Eastep	901c6d34f6	Correct typo in Rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 15:56:57 -07:00
Tom Eastep	741da14789	Ignore 'state' in the actions file with a warning Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 15:46:29 -07:00
Tom Eastep	34c3828b7c	Fix action.Related Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 15:44:16 -07:00
Tom Eastep	eed7692952	Document the state action option. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 15:15:32 -07:00
Tom Eastep	3c544b20e6	Convert the state actions to use the 'state' action option - Also avoid the CLI having to know about builtin actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 14:54:09 -07:00
Tom Eastep	dd547c90a8	Implement the 'state' action option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 14:30:36 -07:00
Tom Eastep	35fac8c2ea	Avoid repeated %actions lookup in process_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 12:37:45 -07:00
Tom Eastep	513b828788	Pass '$prerule' to process_inline() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 10:56:07 -07:00
Tom Eastep	28e0cb5335	Use filename stored in the actions table - Avoid a find_file call on each action invocation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 10:55:39 -07:00
Tom Eastep	c631173310	Eliminate the %inlines table Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-14 10:47:18 -07:00
Tom Eastep	95da427ea8	Update manpages for 'audit' actions. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 15:53:31 -07:00
Tom Eastep	2c14b7c9e3	Rename %actparms to %actparams Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 15:36:38 -07:00
Tom Eastep	8e7af2e95e	Additional editing of audit action parameters. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 15:28:49 -07:00
Tom Eastep	6be4fd377f	Make RST and NotSyn 'audit' actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 14:40:12 -07:00
Tom Eastep	44c0bffcd3	Add 'audit' option to actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 14:39:46 -07:00
Tom Eastep	2c3644a510	Make Action/Inline binary options into a bitmap Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 14:15:43 -07:00
Tom Eastep	407bc8f8db	More prerule fixes in expand_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 12:57:23 -07:00
Tom Eastep	2743a411ae	Add a jump to DOCKER from OUTPUT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 12:51:36 -07:00
Tom Eastep	1a23e840d7	Restore NotSyn rule in action.Reject Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 12:21:24 -07:00
Tom Eastep	bed747c20b	Restore NotSyn and RST logic using perl_action_tcp_helper() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:49:23 -07:00
Tom Eastep	c2fd48c4c6	Include pre-rule matches when the target is a chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:08:17 -07:00
Tom Eastep	054637880b	Cleanup of Standard Actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:06:02 -07:00
Tom Eastep	5f01bc75bd	Better fix for $current_param in the INLINE block of process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 18:28:27 -08:00
Tom Eastep	0e59b82503	Handle '+' in inline matches the mangle and masq files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 17:14:15 -08:00
Tom Eastep	33343aaf17	Modify TCP-specific actions to use + in inline_matches Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 17:01:52 -08:00
Tom Eastep	90ace544eb	Implement '+' to specify inline matches as "early" Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 16:39:46 -08:00
Tom Eastep	c36cee28fb	Save/Restore $current_param in process_inline() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 16:39:08 -08:00
Tom Eastep	df5f34951c	Correct actions - Restore the TCP-related actions - Correct typo in action.Drop Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:09:31 -08:00
Tom Eastep	ec2ebee0e6	Clear inline matches between calls to process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:08:47 -08:00
Tom Eastep	a50c52675b	Correct a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:08:04 -08:00
Tom Eastep	bb7b3123df	Eliminate ?begin perl ... ?end Perl in many actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 12:15:07 -08:00
Tom Eastep	3960fa6e0e	Performance tweak to read_a_line() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 09:05:30 -08:00
Tom Eastep	a7fda02d88	Print lines copied into the generated script when tracing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 15:59:49 -08:00
Tom Eastep	68a324c62c	Small tweaks to read_a_line() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 13:56:03 -08:00
Tom Eastep	d179615fca	'trace' and 'check -r' uses $PAGER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 13:26:23 -08:00
Tom Eastep	6779c8307f	Optimize chain resolution in process_mangle_rule1() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 15:26:52 -08:00
Tom Eastep	147c7e284f	Fix a couple of Mangle Action blunders Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:59:29 -08:00
Tom Eastep	8d657775af	Fix 'check -r' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:41:59 -08:00
Tom Eastep	b14bf0e779	Remove unused globals from the Rules module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 11:14:51 -08:00
Tom Eastep	dc286c472c	More tidying up of Mangle Actions - Delete an inadvertently-added blank line - Move $convert declaration back to the Tc module - Add comments in the Tc module about key moved declarations Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 15:51:54 -08:00
Tom Eastep	87f63b7160	Allow USE_DEFAULT_RT with NetworkManager Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 14:17:40 -08:00
Tom Eastep	617218f8ea	Merge branch '5.0.6'	2016-03-09 11:36:46 -08:00
Tom Eastep	09c3be0adb	Correct typo that cases restart failure. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 11:18:05 -08:00
Tom Eastep	ec9148637f	Inline mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 10:28:02 -08:00
Tom Eastep	991d8d2d3f	Move convert_tos() back to the Tc module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-08 11:17:14 -08:00
Tom Eastep	301bce5d34	Clean up mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-08 09:27:43 -08:00
Tom Eastep	1add0487f6	Document Mangle Actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 14:56:20 -08:00
Tom Eastep	a4aa020a84	Add R chain designator Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 13:51:49 -08:00
Tom Eastep	81c16d2d67	More Mangle Action Changes - Move open_mangle_for_output() back to the Tc module - Eliminate global variables in process_mangle_rule1() - Allow creation of mangle action chains - Minor (but needed) logic changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 13:51:28 -08:00
Tom Eastep	bbbf54f7c3	Merge branch '5.0.6'	2016-03-07 08:59:17 -08:00
Tom Eastep	c37e41ee9c	Avoid duplicate route rules from 'disable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 15:48:33 -08:00
Tom Eastep	ba6dc9c5c0	First cut at mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 12:42:22 -08:00
Tom Eastep	89b2c2fb55	Move mangle processing into the Rules module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 08:59:37 -08:00
Tom Eastep	43a81e85f7	Add FAQ 1105 (Wifidog) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-05 16:34:01 -08:00
Tom Eastep	c5bb04dcb2	Add FAQ 1105 (Wifidog) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-05 14:41:30 -08:00
Tom Eastep	d4e2508a90	Clarify USE_DEFAULT_RT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 14:26:42 -08:00
Tom Eastep	2bb143b28c	Save/restore nat OUTPUT jump to DOCKER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 12:21:45 -08:00
Tom Eastep	99f83da3ab	Avoid duplicate rules after reload Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 11:09:53 -08:00
Tom Eastep	89e3e959dc	Revert bad change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 10:20:55 -08:00
Tom Eastep	9e41264671	Go back to generating docker0 rules when it is defined to Shorewall - Avoids issues after 'stop' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:47 -08:00
Tom Eastep	3fb715740d	Avoid duplicated code blocks in save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:04 -08:00
Tom Eastep	ed6ff96aa0	Replace another $VARDIR instance Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:11:57 -08:00
Tom Eastep	18dac19d86	Remove dead code from save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:09:55 -08:00
Tom Eastep	d5ea876e93	Replace $VARDIR with ${VARDIR} for consistency Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 11:54:14 -08:00
Tom Eastep	f7a6ad1412	Clean up formatting in define_firewall() and stop_firewall() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 09:24:43 -08:00
Tom Eastep	b279869629	Fix DOCKER issue Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 20:59:44 -08:00
Tom Eastep	62880bdf1b	Don't populate PAGER in the sample config files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 13:04:47 -08:00
Tom Eastep	c56ba534d6	Yet more PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 12:34:39 -08:00
Tom Eastep	90bc894200	More PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:58:26 -08:00
Tom Eastep	90d254f0c3	Add PAGER option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:32:49 -08:00
Tom Eastep	4e9f4742cb	Merge branch 'master' into 5.0.6	2016-03-01 15:13:20 -08:00
Tom Eastep	a95de8d092	Page the output of verbose commands Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-01 15:12:54 -08:00
Tom Eastep	68cce5ff73	Eliminate some sillyness in normalize_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:17:15 -08:00
Tom Eastep	8a02624f05	Update copyrights in the install and uninstall scripts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:03:09 -08:00
Tom Eastep	1c1881859f	Delete untrue comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 08:45:47 -08:00
Tom Eastep	5b163e9bc2	Save/restore docker0 rules when it isn't defined to Shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 14:09:29 -08:00
Tom Eastep	71d64ab380	Add DOCKER network support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 13:36:47 -08:00
Tom Eastep	64de3d0e83	Add Docker article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 15:30:39 -08:00
Tom Eastep	36d8518562	Code compaction Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 13:13:56 -08:00
Tom Eastep	6c88eb6916	Add an ECN action to shorewall-mangle(8) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 09:33:16 -08:00
Tom Eastep	fb03fd0a5c	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:27 -08:00
Tom Eastep	d50ba365fb	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:17 -08:00
Tom Eastep	f265596613	Add sample ulogd.conf file to the logging article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 14:01:37 -08:00
Tom Eastep	6e1cc0f1d0	Correct stop/start Docker handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 13:37:44 -08:00
Tom Eastep	ee5ef07035	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 14:58:10 -08:00
Tom Eastep	3c8696b91d	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 09:35:13 -08:00
Tom Eastep	fd4de0c66a	Create more compact DOCKER conditional rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 14:46:35 -08:00
Tom Eastep	49536562e2	Emit more compact code when conditionally adding DOCKER chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:49:22 -08:00
Tom Eastep	36b6863b02	Update copyright date on lib.core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:48:48 -08:00
Tom Eastep	6a8e280483	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-02-21 12:59:10 -08:00
Tuomo Soini	b39639e1f2	macro.SNMPtrap: fix file name to use common naming Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-02-20 18:45:55 +02:00
Tom Eastep	1f79bfa8dd	Use new column names in action.template Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:26:25 -08:00