Use an address variable rather than find_first_interface_address()

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -922,23 +922,10 @@ show_events() {
 }
 
 show_actions() {
-    echo "A_ACCEPT                        # Audit and accept the connection"
-    echo "A_DROP                          # Audit and drop the connection"
-    echo "A_REJECT                        # Audit and reject the connection "
-    echo "allowBcast                      # Silently Allow Broadcast/multicast"
-    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
-    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
-    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-    echo "dropBcast                       # Silently Drop Broadcast/multicast"
-    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
-    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
-    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
-    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
-
     if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
     else
-	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
     fi
 }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -647,7 +647,7 @@ our %ipset_exists;
 #                    => CMD_MODE if the rule contains a shell command or if it
 #                                part of a loop or conditional block. If it is a
 #                                shell command, the text of the command is in
-#                                the cmd
+#                                the cmd member
 #         cmd        => Shell command, if mode == CMD_MODE and cmdlevel == 0
 #         cmdlevel   => nesting level within loops and conditional blocks.
 #                       determines indentation
@@ -2908,40 +2908,42 @@ sub initialize_chain_table($) {
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
+		    'ADD'             => STANDARD + SET,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'DROP'            => STANDARD,
-		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'REJECT'          => STANDARD + OPTIONS,
-		    'REJECT!'         => STANDARD + OPTIONS,
 		    'A_REJECT'        => STANDARD + AUDIT,
 		    'A_REJECT!'       => STANDARD + AUDIT,
-		    'DNAT'            => NATRULE  + OPTIONS,
+		    'NONAT'           => STANDARD + NONAT  + NATONLY,
-		    'DNAT-'           => NATRULE  + NATONLY,
+		    'CONNMARK'        => STANDARD + OPTIONS,
-		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
-		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
-		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
-		    'QUEUE'           => STANDARD + OPTIONS,
-		    'QUEUE!'          => STANDARD,
-		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
-		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
-		    'WHITELIST'       => STANDARD,
+		    'DNAT'            => NATRULE  + OPTIONS,
+		    'DNAT-'           => NATRULE  + NATONLY,
+		    'DROP'            => STANDARD,
+		    'DROP!'           => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
+		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
+		    'MARK'            => STANDARD + OPTIONS,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
+		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'QUEUE'           => STANDARD + OPTIONS,
+		    'QUEUE!'          => STANDARD,
+		    'REJECT'          => STANDARD + OPTIONS,
+		    'REJECT!'         => STANDARD + OPTIONS,
+		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
+		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'WHITELIST'       => STANDARD,
 		   );
 
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -7537,7 +7539,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 	log_irule_limit( $loglevel ,
 			 $echainref ,
 			 $chain ,
-			 $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+			 $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 			 [] ,
 			 $logtag ,
 			 'add' ,
@@ -7584,7 +7586,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 
     my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
        ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
-    my  $chain = $actparms{chain} || $chainref->{name};
+    my  $chain = $actparams{chain} || $chainref->{name};
     my $table = $chainref->{table};
     my ( $jump, $mac,  $targetref, $basictarget );
     our @ends = ();
@@ -7758,22 +7760,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 				       $loglevel ,
 				       $chainref ,
 				       $chain,
-				       $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+				       $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 				       '' ,
 				       $logtag ,
 				       'add' ,
-				       $matches
+				       $prerule . $matches
 				      );
 		    } elsif ( $logname || $basictarget eq 'RETURN' ) {
 			log_rule_limit(
 				       $loglevel ,
 				       $chainref ,
 				       $logname || $chain,
-				       $actparms{disposition} || $disposition,
+				       $actparams{disposition} || $disposition,
 				       '',
 				       $logtag,
 				       'add',
-				       $matches );
+				       $prerule . $matches );
 
 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref, 0, $matches );
@@ -7790,10 +7792,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 						     $loglevel,
 						     $logtag,
 						     $exceptionrule,
-						     $actparms{disposition} || $disposition,
+						     $actparams{disposition} || $disposition,
 						     $target ),
 					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
-					   $matches );
+					   $prerule . $matches );
 		    }
 
 		    conditional_rule_end( $chainref ) if $cond3;
@@ -8621,18 +8623,20 @@ sub preview_netfilter_load() {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
+			enter_cmd_mode1;
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
+			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
+			enter_cmd_mode1 unless $mode = CMD_MODE;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
+			print "\n";
+			enter_cat_mode1;
 		    } else {		    
-			print( ":$name - [0:0]" );
+			enter_cmd_mode1 unless $mode = CMD_MODE;
+			print( ":$name - [0:0]\n" );
 		    }
 		} else {
-		    print( ":$name - [0:0]" );
+		    print( ":$name - [0:0]\n" );
 		}
 
 		push @chains, $chainref;

Shorewall/Perl/Shorewall/Config.pm

@@ -139,6 +139,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       push_action_params
 				       pop_action_params
 				       default_action_params
+                                       setup_audit_action
 				       read_a_line
 				       which
 				       qt
@@ -185,7 +186,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_enabled
 				       %helpers_aliases
 
-				       %actparms
+				       %actparams
 
                                        PARMSMODIFIED
                                        USEDCALLER
@@ -552,7 +553,7 @@ our %compiler_params;
 #
 # Action parameters
 #
-our %actparms;
+our %actparams;
 our $parmsmodified;
 our $usedcaller;
 our $inline_matches;
@@ -670,6 +671,13 @@ our %variables; # Symbol table for expanding shell variables
 
 our $section_function; #Function Reference for handling ?section
 
+our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
+
+#
+# Files located via find_file()
+#
+our %filecache;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -1061,7 +1069,7 @@ sub initialize( $;$$) {
 
     %compiler_params = ();
 
-    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
     $parmsmodified = 0;
     $usedcaller    = 0;
 
@@ -1469,9 +1477,9 @@ sub hex_value( $ ) {
 # Strip off superfluous leading zeros from a hex number
 #
 sub normalize_hex( $ ) {
-    my $val = lc shift;
+    my $val = lc $_[0];
 
-    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
+    $val =~ s/^0+/0/;
     $val;
 }
 
@@ -1900,6 +1908,10 @@ sub find_file($)
 
     return $filename if $filename =~ '/';
 
+    my $file = $filecache{$filename};
+
+    return $file if $file;
+
     for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
@@ -2150,6 +2162,12 @@ sub supplied( $ ) {
     defined $val && $val ne '';
 }
 
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Pre-process a line from a configuration file.
 
@@ -2505,6 +2523,21 @@ sub join_parts( $$$ ) {
     join( '', $first, $val, $rest );
 }
 
+#
+# Declare passed() in Shorewall::User
+#
+sub declare_passed() {
+    my $result = ( eval q(package Shorewall::User;
+                          use strict;
+                          sub passed( $ ) {
+                              my $val = shift;
+                              defined $val && $val ne '' && $val ne '-';
+                          }
+
+                          1;) );
+    assert( $result, $@ );
+}
+
 #
 # Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
 #
@@ -2512,14 +2545,28 @@ sub evaluate_expression( $$$$ ) {
     my ( $expression , $filename , $linenumber, $just_expand ) = @_;
     my $val;
     my $count = 0;
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
+
+    #                     $1                   $2
+    if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
+	my $val = passed($actparams{$2});
+
+	return $1 ? ! $val : $val unless $debug;
+
+	$val = $1 ? ! $val : $val;
+
+	print "EXPR=> '$val'\n" if $debug;
+
+	return $val;
+    }
+
     #                         $1      $2   $3                     -     $4
     while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} else {
 	    $val = ( exists $variables{$var} ? $variables{$var} :
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
@@ -2534,7 +2581,7 @@ sub evaluate_expression( $$$$ ) {
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
-	    $val = $var ? $actparms{$var} : $chain;
+	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2571,7 +2618,13 @@ sub evaluate_expression( $$$$ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
+
+	declare_passed unless $evals++;
+
+	$val = eval qq(package Shorewall::User;
+                       use strict;
+                       # line $linenumber "$filename"
+                       $expression);
 
 	unless ( $val ) {
 	    directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
@@ -2668,8 +2721,8 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2;
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
+		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
-		      my $val = $actparms{$var} = evaluate_expression ( $expression,
+		      my $val = $actparams{$var} = evaluate_expression ( $expression,
 									$filename,
 									$linenumber,
 									0  );
@@ -2702,12 +2755,12 @@ sub process_compiler_directive( $$$$ ) {
 		  if ( ( $1 || '' ) eq '@' ) {
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
+		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
-		      if ( exists $actparms{$var} ) {
+		      if ( exists $actparams{$var} ) {
 			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
-			      $actparms{$var} = '';
+			      $actparams{$var} = '';
 			  } else {
-			      delete $actparms{$var}
+			      delete $actparams{$var}
 			  }
 		      } else {
 			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
@@ -3135,7 +3188,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
     my $multiline = shift;
 
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
 
     $directive_callback->( 'PERL', $currentline ) if $directive_callback;
 
@@ -3162,6 +3215,8 @@ sub embedded_perl( $ ) {
 
     $embedded++;
 
+    declare_passed unless $evals++;
+
     unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
@@ -3222,32 +3277,32 @@ sub push_action_params( $$$$$$ ) {
     my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
     my @parms = ( undef , split_list3( $parms , 'parameter' ) );
 
-    $actparms{modified}   = $parmsmodified;
+    $actparams{modified}   = $parmsmodified;
-    $actparms{usedcaller} = $usedcaller;
+    $actparams{usedcaller} = $usedcaller;
 
-    my %oldparms = %actparms;
+    my %oldparms = %actparams;
 
     $parmsmodified = 0;
     $usedcaller    = 0;
 
-    %actparms = ();
+    %actparams = ();
 
     for ( my $i = 1; $i < @parms; $i++ ) {
 	my $val = $parms[$i];
 
-	$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
+	$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
     }
 
-    $actparms{0}           = $chainref;
+    $actparams{0}           = $chainref;
-    $actparms{action}      = $action;
+    $actparams{action}      = $action;
-    $actparms{loglevel}    = $loglevel;
+    $actparams{loglevel}    = $loglevel;
-    $actparms{logtag}      = $logtag;
+    $actparams{logtag}      = $logtag;
-    $actparms{caller}      = $caller;
+    $actparams{caller}      = $caller;
-    $actparms{disposition} = '' if $chainref->{action};
+    $actparams{disposition} = '' if $chainref->{action};
     #
     # The Shorewall variable '@chain' has the non-word charaters removed
     #
-    ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
 
     \%oldparms;
 }
@@ -3260,10 +3315,10 @@ sub push_action_params( $$$$$$ ) {
 #
 sub pop_action_params( $ ) {
     my $oldparms       = shift;
-    %actparms          = %$oldparms;
+    %actparams          = %$oldparms;
     my $return         = $parmsmodified | $usedcaller;
-    ( $parmsmodified ) = delete $actparms{modified}   || 0;
+    ( $parmsmodified ) = delete $actparams{modified}   || 0;
-    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
+    ( $usedcaller )    = delete $actparams{usedcaller} || 0;
     $return;
 }
 
@@ -3273,11 +3328,11 @@ sub default_action_params {
 
     for ( $i = 1; 1; $i++ ) {
 	last unless defined ( $val = shift );
-	my $curval = $actparms{$i};
+	my $curval = $actparams{$i};
-	$actparms{$i} = $val unless supplied( $curval );
+	$actparams{$i} = $val unless supplied( $curval );
     }
 
-    fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
+    fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }
 
 sub get_action_params( $ ) {
@@ -3288,53 +3343,65 @@ sub get_action_params( $ ) {
     my @return;
 
     for ( my $i = 1; $i <= $num; $i++ ) {
-	my $val = $actparms{$i};
+	my $val = $actparams{$i};
 	push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
     }
 
     @return;
 }
 
+sub setup_audit_action( $ ) {
+    my ( $action ) = @_;
+
+    my ( $target, $audit ) = get_action_params( 2 );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
+	fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
+	$actparams{1} = "A_$target" unless $target =~ /^A_/;
+    }
+}
+
 #
 # Returns the Level and Tag for the current action chain
 #
 sub get_action_logging() {
-    @actparms{ 'loglevel', 'logtag' };
+    @actparams{ 'loglevel', 'logtag' };
 }
 
 sub get_action_chain() {
-    $actparms{0};
+    $actparams{0};
 }
 
 sub get_action_chain_name() {
-    $actparms{chain};
+    $actparams{chain};
 }
 
 sub set_action_name_to_caller() {
-    $actparms{chain} = $actparms{caller};
+    $actparams{chain} = $actparams{caller};
 }
 
 sub get_action_disposition() {
-    $actparms{disposition};
+    $actparams{disposition};
 }
 
 sub set_action_disposition($) {
-    $actparms{disposition} = $_[0];
+    $actparams{disposition} = $_[0];
 }
 
 sub set_action_param( $$ ) {
     my $i = shift;
 
     fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
-    $actparms{$i} = shift;
+    $actparams{$i} = shift;
 }
 
 #
-# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config, 
+# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config, 
 #
 sub expand_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
     #                         $1      $2   $3                   -     $4
     while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 
@@ -3348,16 +3415,16 @@ sub expand_variables( \$ ) {
 	    if ( $config{IGNOREUNKNOWNVARIABLES} ) {
 		fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
 	    } else {
-		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
+		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
 								    ( length( $var ) == 1 ||
 								      $var !~ /^0/ ) );
 	    }
 
-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} elsif ( exists $variables{$var} ) {
 	    $val = $variables{$var};
-	} elsif ( exists $actparms{$var} ) { 
+	} elsif ( exists $actparams{$var} ) { 
-	    $val = $actparms{$var};
+	    $val = $actparams{$var};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
@@ -3376,7 +3443,7 @@ sub expand_variables( \$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
-	    my $val = $var ? $actparms{$var} : $actparms{chain};
+	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
@@ -3507,7 +3574,7 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Expand Shell Variables using %params and %actparms
+	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
 
@@ -6039,7 +6106,7 @@ sub get_configuration( $$$$ ) {
 
     default_log_level 'SFILTER_LOG_LEVEL', 'info';
 
-    if ( $val = $config{SFILTER_DISPOSITION} ) {
+    if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
     } else {
@@ -6048,14 +6115,14 @@ sub get_configuration( $$$$ ) {
 
     default_log_level 'RPFILTER_LOG_LEVEL', 'info';
 
-    if ( $val = $config{RPFILTER_DISPOSITION} ) {
+    if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
     } else {
 	$config{RPFILTER_DISPOSITION} = 'DROP';
     }
 
-    if ( $val = $config{MACLIST_DISPOSITION} ) {
+    if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{MACLIST_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6074,7 +6141,7 @@ sub get_configuration( $$$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
     }
 
-    if ( $val = $config{RELATED_DISPOSITION} ) {
+    if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{RELATED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6093,7 +6160,7 @@ sub get_configuration( $$$$ ) {
 	$globals{RELATED_TARGET}      = 'ACCEPT';
     }
 
-    if ( $val = $config{INVALID_DISPOSITION} ) {
+    if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{INVALID_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6112,7 +6179,7 @@ sub get_configuration( $$$$ ) {
 	$globals{INVALID_TARGET}      = '';
     }
 
-    if ( $val = $config{UNTRACKED_DISPOSITION} ) {
+    if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{UNTRACKED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6131,7 +6198,7 @@ sub get_configuration( $$$$ ) {
 	$globals{UNTRACKED_TARGET}        = '';
     }
 
-    if ( $val = $config{MACLIST_TABLE} ) {
+    if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
 	} else {
@@ -6141,7 +6208,7 @@ sub get_configuration( $$$$ ) {
 	default 'MACLIST_TABLE' , 'filter';
     }
 
-    if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
+    if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
 	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
 	require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
     } else {
@@ -6172,7 +6239,7 @@ sub get_configuration( $$$$ ) {
 	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
     }
 
-    if ( $val = $config{TC_PRIOMAP} ) {
+    if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
 	my @priomap = split ' ',$val;
 	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
 	for ( @priomap ) {
@@ -6191,12 +6258,13 @@ sub get_configuration( $$$$ ) {
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
-    default 'OPTIMIZE'              , 0;
 
     for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
+    default 'OPTIMIZE' , 0;
+
     if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
 	$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
     } elsif ( $val =~ /^none$/i ) {
@@ -6531,6 +6599,7 @@ sub report_used_capabilities() {
 }
 
 END {
+    print "eval() called $evals times\n" if $debug;
     cleanup;
 }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -641,6 +641,7 @@ sub create_docker_rules() {
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -186,10 +186,6 @@ our %active;
 #
 our %actions;
 #
-#  Inline Action Table
-#
-our %inlines;
-#
 # Contains an entry for each used <action>:<level>:[<tag>]:[<calling chain>]:[<params>] that maps to the associated chain.
 # See normalize_action().
 #
@@ -209,10 +205,6 @@ our %auditpolicies = ( ACCEPT => 1,
 #
 our @columns;
 #
-# Used to handle recursive inline invocations.
-#
-our @columnstack;
-#
 # Hidden return from perl_action_[tcp_]helper that indicates that a rule was generated
 #
 our $actionresult;
@@ -224,6 +216,33 @@ our %statetable;
 # Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
 #
 our $statematch;
+
+#
+# Action/Inline options
+#
+use constant { INLINE_OPT           => 1 ,
+	       NOINLINE_OPT         => 2 ,
+	       NOLOG_OPT            => 4 ,
+	       BUILTIN_OPT          => 8 ,
+	       RAW_OPT              => 16 ,
+	       MANGLE_OPT           => 32 ,
+	       FILTER_OPT           => 64 ,
+	       NAT_OPT              => 128 ,
+	       TERMINATING_OPT      => 256 ,
+	       AUDIT_OPT            => 512 ,
+};
+
+our %options = ( inline      => INLINE_OPT ,
+		 noinline    => NOINLINE_OPT ,
+		 nolog       => NOLOG_OPT ,
+		 builtin     => BUILTIN_OPT ,
+		 raw         => RAW_OPT ,
+		 mangle      => MANGLE_OPT ,
+		 filter      => FILTER_OPT ,
+		 nat         => NAT_OPT ,
+		 terminating => TERMINATING_OPT ,
+		 audit       => AUDIT_OPT ,
+    );
 ################################################################################
 #   Declarations moved from the Tc module in 5.0.7                             #
 ################################################################################
@@ -326,16 +345,11 @@ sub initialize( $ ) {
     #
     %actions           = ();
     #
-    # Inline Actions -- value is file.
-    #
-    %inlines           = ();
-    #
     # Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
 
     @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
-    @columnstack       = ();
 
     if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
@@ -509,20 +523,20 @@ sub process_default_action( $$$$ ) {
 	    }
 
 	    $default = 'none';
-	} elsif ( $actions{$def} ) {
+	} elsif ( ( $targets{$def} || 0 ) == ACTION ) {
 	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
 		       $level eq 'none' ? normalize_action_name $def :
 		       normalize_action( $def, $level, '' );
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
+	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
 
-	$default = join( ':', $default, $level ) if $level ne 'none';
     } else {
 	$default = $default_actions{$policy} || 'none';
     }
@@ -1294,13 +1308,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$ ) {
+sub new_action( $$$$$ ) {
 
-    my ( $action , $type, $noinline, $nolog ) = @_;
+    my ( $action , $type, $options , $actionfile , $state ) = @_;
 
     fatal_error "Invalid action name($action)" if reserved_name( $action );
 
-    $actions{$action} = { actchain => '' , noinline => $noinline, nolog => $nolog } if $type & ACTION;
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
 
     $targets{$action} = $type;
 }
@@ -1768,6 +1782,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
+sub perl_action_helper( $$;$$ );
 
 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1782,6 +1797,7 @@ sub process_action(\$\$$) {
     my $chainref    = ${$chainrefref};
     my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
     my $type = $targets{$action};
+    my $actionref = $actions{$action};
 
     if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1795,17 +1811,17 @@ sub process_action(\$\$$) {
 	fatal_error "Action $action may not be used in the mangle file"  if $chainref->{table} eq 'mangle';
     }
 
-    my $actionfile = find_file "action.$action";
+    my $actionfile = $actionref->{file};
-
-    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
     progress_message2 "$doing $actionfile for chain $chainref->{name}...";
 
     push_open $actionfile, 2, 1, undef, 2;
 
     my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
+    my $options = $actionref->{options};
+    my $nolog = $options & NOLOG_OPT;
 
-    my $nolog = $actions{$action}{nolog};
+    setup_audit_action( $action ) if $options & AUDIT_OPT;
 
     $active{$action}++;
     push @actionstack, $wholeaction;
@@ -1912,14 +1928,23 @@ sub process_action(\$\$$) {
 	    fatal_error 'TARGET must be specified' if $target eq '-';
 
 	    if ( $target eq 'DEFAULTS' ) {
-		default_action_params( $action, split_list $source, 'defaults' ), next if $file_format == 2;
+		default_action_params( $action, split_list $source, 'defaults' );
-		fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
+
+		if ( my $state = $actionref->{state} ) {
+		    my ( $action ) = get_action_params( 1 );
+
+		    if ( my $check = check_state( $state ) ) {
+			perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
+		    }
+		}
+
+		next;
 	    }
 
 	    process_rule( $chainref,
 			  '',
 			  '',
-			  $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
+			  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
 			  '',
 			  $source,
 			  $dest,
@@ -2007,7 +2032,7 @@ sub process_actions() {
     #
     # Add built-in actions to the target table and create those actions
     #
-    $targets{$_} = new_action( $_ , ACTION + BUILTIN, 1, 0 ) for @builtins;
+    $targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file( $file, 2 );
@@ -2021,30 +2046,10 @@ sub process_actions() {
 
 	    my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
 
-	    use constant { INLINE_OPT           => 1 ,
-			   NOINLINE_OPT         => 2 ,
-			   NOLOG_OPT            => 4 ,
-			   BUILTIN_OPT          => 8 ,
-			   RAW_OPT              => 16 ,
-			   MANGLE_OPT           => 32 ,
-			   FILTER_OPT           => 64 ,
-			   NAT_OPT              => 128 ,
-			   TERMINATING_OPT      => 256 ,
-		       };
-
-	    my %options = ( inline      => INLINE_OPT ,
-			    noinline    => NOINLINE_OPT ,
-			    nolog       => NOLOG_OPT ,
-			    builtin     => BUILTIN_OPT ,
-			    raw         => RAW_OPT ,
-			    mangle      => MANGLE_OPT ,
-			    filter      => FILTER_OPT ,
-			    nat         => NAT_OPT ,
-			    terminating => TERMINATING_OPT ,
-			  );
-
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 
+	    my $state = '';
+
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
@@ -2054,8 +2059,16 @@ sub process_actions() {
 
 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
-		    fatal_error "Invalid option ($_)" unless $options{$_};
+		    if ( /^state=(NEW|ESTABLISHED|RELATED|INVALID|UNTRACKED)$/ ) {
-		    $opts |= $options{$_};
+			if ( $file eq 'actions.std' ) {
+			    $state = $1;
+			} else {
+			    fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
+			}
+		    } else {
+			fatal_error "Invalid option ($_)" unless $options{$_};
+			$opts |= $options{$_};
+		    }
 		}
 
 		unless ( $type & INLINE ) {
@@ -2067,11 +2080,11 @@ sub process_actions() {
 
 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
-		    if ( $actions{$action}->{noinline} ) {
+		    if ( $actions{$action}{options} & NOINLINE_OPT ) {
 			warning_message "'inline' option ignored on action $action -- that action may not be in-lined";
 			next;
 		    }
-		    
+
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2104,13 +2117,11 @@ sub process_actions() {
 
 		$type |= MANGLE_TABLE if $opts & MANGLE_OPT;
 
-		new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;
-
 		my $actionfile = find_file( "action.$action" );
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type & INLINE;
+		new_action ( $action, $type, $opts, $actionfile , $state );
 	    }
 	}
     }
@@ -2322,8 +2333,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 					 $chainref->{name} ,
 				       );
 
-    my $inlinefile = $inlines{$inline}{file};
+    my $actionref  = $actions{$inline};
-    my $nolog      = $inlines{$inline}{nolog};
+    my $inlinefile = $actionref->{file};
+    my $options    = $actionref->{options};
+    my $nolog      = $options & NOLOG_OPT;
+
+    setup_audit_action( $inline ) if $options & AUDIT_OPT;
 
     progress_message "..Expanding inline action $inlinefile...";
 
@@ -2357,10 +2372,19 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 
 	if ( $mtarget eq 'DEFAULTS' ) {
 	    default_action_params( $chainref, split_list( $msource, 'defaults' ) );
+
+	    if ( my $state = $actionref->{state} ) {
+		my ( $action ) = get_action_params( 1 );
+
+		if ( my $check = check_state( $state ) ) {
+		    perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
+		}
+	    }
+
 	    next;
 	}
 
-	$mtarget = merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $mtarget ) unless $nolog;
+	$mtarget = merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $mtarget ) unless $nolog;
 
 	my $action = isolate_basic_target $mtarget;
 
@@ -2488,6 +2512,44 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $exceptionrule = '';
     my $usergenerated;
     my $prerule = '';
+    #
+    # Subroutine for handling MARK and CONNMARK.
+    #
+    sub handle_mark( $$$ ) {
+	my ( $target, $param, $marktype ) = @_;
+	my $and_or = $param =~ s/^([|&])// ? $1 : '';
+
+	require_capability( 'MARK_ANYWHERE', "The $target action", 's' );
+
+	fatal_error "Mark Ranges are not supported in the rules file" if $param =~ /-/;
+	#
+	# A Single Mark
+	#
+	my $mark = $param;
+	my $val;
+
+	if ( supplied $mark ) {
+	    if ( $marktype == SMALLMARK ) {
+		$val = verify_small_mark( $mark );
+	    } else {
+		$val = validate_mark( $mark );
+	    }
+	} else {
+	    $val = numeric_value( $mark = $globals{TC_MASK} );
+	}
+
+	$target = join( ' ', $target, $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
+
+	( $mark, my $mask ) = split '/', $mark;
+
+	if ( supplied $mask ) {
+	    $target = join( ' ', $target , join( '/', $mark , $mask ) );
+	} else {
+	    $target = join( ' ', $target , $mark );
+	}
+
+	$target;
+    };
 
     if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2573,7 +2635,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    $action   = 'LOG';
 	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
 	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
-	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '' || $actiontype & OPTIONS;
 	}
     }
     #
@@ -2619,6 +2681,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		  $action = "AUDIT --type $param";
 	      } ,
 
+	      CONNMARK => sub() {
+		  $action = handle_mark( 'CONNMARK', $param, HIGHMARK );
+	      } ,
+
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
@@ -2686,6 +2752,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		  }
 	      },
 
+	      MARK => sub() {
+		  $action = handle_mark( 'MARK', $param, HIGHMARK );
+	      } ,
+
 	      TARPIT => sub {
 		  require_capability 'TARPIT_TARGET', 'TARPIT', 's';
 
@@ -2935,13 +3005,13 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$action = $basictarget; # Remove params, if any, from $action.
     } elsif ( $actiontype & INLINE ) {
 	#
-	# process_inline() will call process_rule() recursively for each rule in the macro body
+	# process_inline() will call process_rule() recursively for each rule in the action body
 	#
 	fatal_error "Macro/Inline invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
 	#
 	# Push the current column array onto the column stack
 	#
-	push @columnstack, [ ( $actionresult, @columns ) ];
+        my $savecolumns = [ ( $actionresult, @columns ) ];
 	#
 	# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper
 	#
@@ -2951,7 +3021,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	my $generated = process_inline( $basictarget,
 					$chainref,
-					$rule . $raw_matches,
+					$prerule . $rule . $raw_matches,
 					$matches1,
 					$loglevel,
 					$target,
@@ -2972,7 +3042,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 					$helper,
 					$wildcard ) || $actionresult;
 
-	( $actionresult, @columns ) = @{pop @columnstack};
+	( $actionresult, @columns ) = @$savecolumns;;
 
 	$macro_nest_level--;
 
@@ -3184,7 +3254,7 @@ sub check_state( $ ) {
 	return 0;
     }
 
-    my $chainref   = $actparms{0};
+    my $chainref   = $actparams{0};
     my $name       = $chainref->{name};
     my $statechainref;
 
@@ -3257,7 +3327,7 @@ sub check_state( $ ) {
 sub merge_target( $$ ) {
     my ( $ref, $target ) = @_;
 
-    $ref->{inline} ? $target : merge_levels( join( ':', @actparms{'chain','loglevel','logtag'}), $target );
+    merge_levels( join( ':', @actparams{'chain','loglevel','logtag'}), $target );
 }
 
 #
@@ -3265,8 +3335,8 @@ sub merge_target( $$ ) {
 #
 sub perl_action_helper($$;$$) {
     my ( $target, $matches, $isstatematch , $matches1 ) = @_;
-    my $action   = $actparms{action};
+    my $action   = $actparams{action};
-    my $chainref = $actparms{0};
+    my $chainref = $actparams{0};
     my $result;
 
     assert( $chainref );
@@ -3299,7 +3369,11 @@ sub perl_action_helper($$;$$) {
 	}
     }
 
-    if ( my $ref = $inlines{$action} ) {
+    my $ref = $actions{$action};
+
+    assert( $ref, $action );
+
+    if ( $ref->{type} & INLINE ) {
 	$result = &process_rule( $chainref,
 				 $matches,
 				 $matches1,
@@ -3307,8 +3381,6 @@ sub perl_action_helper($$;$$) {
 				 '',                              # CurrentParam
 				 @columns );
     } else {
-	assert $actions{$action};
-
 	$result = process_rule( $chainref,
 				$matches,
 				$matches1,
@@ -3345,8 +3417,8 @@ sub perl_action_helper($$;$$) {
 #
 sub perl_action_tcp_helper($$) {
     my ( $target, $proto ) = @_;
-    my $action   = $actparms{action};
+    my $action   = $actparams{action};
-    my $chainref = $actparms{0};
+    my $chainref = $actparams{0};
     my $result;
     my $passedproto = $columns[2];
 
@@ -3360,7 +3432,11 @@ sub perl_action_tcp_helper($$) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
 	#
-	if ( my $ref = $inlines{$action} ) {
+	my $ref = $actions{$action};
+
+	assert( $ref, $action );
+
+	if ( $ref->{type} & INLINE ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
 				     '',
@@ -3710,7 +3786,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 					 '' ,
 					 $chainref->{name} );
 
-    my $inlinefile = $inlines{$inline}{file};
+    my $inlinefile = $actions{$inline}{file};
 
     progress_message "..Expanding inline action $inlinefile...";
 
@@ -4063,7 +4139,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		$target = 'CONNMARK';
-		$handle_mark_param->('--set-mark' , HIGHMARK );
+		$handle_mark_param->('' , HIGHMARK );
 	    },
 	},
 
@@ -4463,14 +4539,14 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		#
 		# Capture the name of the action chain
 		#
-		$target = $ref->{name};
 	    } else {
 		#
 		# We've seen this tuple before
 		#
-		$target = $usedactions{$normalized_target}->{name};
+		$ref = $usedactions{$normalized_target};
 	    }
 
+	    $target = $ref->{name};
 	    $commandref->{allowedchains} = $ref->{allowedchains};
 	}
     };
@@ -4526,7 +4602,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
     # Function Body
     #
     if ( $inchain ) {
-	( $inaction, undef, undef, undef ) = split /:/, $chainref->{action}, 4 if $chainref->{action};
+	( $inaction ) = split /:/, $chainref->{action} if $chainref->{action};
 	#
 	# Set chain type
 	#

Shorewall/Perl/Shorewall/Tc.pm

@@ -213,23 +213,23 @@ sub process_in_bandwidth( $ ) {
     [ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ];
 }
 
-sub handle_in_bandwidth( $$ ) {
+sub handle_in_bandwidth( $$$ ) {
-    my ($physical, $arrayref ) = @_;
+    my ($physical, $stab, $arrayref ) = @_;
 
     return 1 unless $arrayref;
 
     my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref;
 
-    emit ( "run_tc qdisc add dev $physical handle ffff: ingress" );
+    emit ( "run_tc qdisc add dev $physical handle ffff: ${stab}ingress" );
 
     if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst action drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit action drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
     } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
@@ -302,7 +302,7 @@ sub process_simple_device() {
 	   "qt \$TC qdisc del dev $physical ingress\n"
 	 );
 
-    handle_in_bandwidth( $physical, $in_rate );
+    handle_in_bandwidth( $physical, '', $in_rate );
 
     if ( $out_part ne '-' ) {
 	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
@@ -1856,7 +1856,7 @@ sub process_traffic_shaping() {
 		      qq(fi) );
 	    }
 
-	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
+	    handle_in_bandwidth( $device, $stab, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
 		my $phyrdev = physical_name( $rdev );

Shorewall/action.Broadcast

@@ -30,44 +30,32 @@
 
 DEFAULTS DROP,-
 
+?if __ADDRTYPE
+@1	-	-	-	;; -m addrtype --dst-type BROADCAST
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+?else
 ?begin perl;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 
-my ( $action, $audit ) = get_action_params( 2 );
+my ( $action )         = get_action_params( 1 );
-
-fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
 my $chainref           = get_action_chain;
-
 my ( $level, $tag )    = get_action_logging;
-my $target             = require_audit ( $action , $audit );
 
-if ( have_capability( 'ADDRTYPE' ) ) {
+add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    if ( $level ne '' ) {
+incr_cmd_level $chainref;
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+add_jump $chainref, $action, 0, "-d \$address ";
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+decr_cmd_level $chainref;
-    }
+add_commands $chainref, 'done';
 
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
-} else {
-    add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-    add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
-}
 
 1;
 
 ?end perl;
+?endif

Shorewall/action.Drop

@@ -29,7 +29,7 @@
 #
 ###############################################################################
 
-?if @1 ne '' && @1 ne '-'
+?if passed(@1)
     ?if @1 eq 'audit'
 DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
     ?else
@@ -47,7 +47,7 @@ COUNT
 #
 # Special Handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #

Shorewall/action.Established

@@ -30,19 +30,6 @@
 
 DEFAULTS ACCEPT
 
-?begin perl;
+#
-
+# All logic for this action is supplied by the 'state' option in actions.std
-use Shorewall::IPAddrs;
+#
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'ESTABLISHED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
-}
-
-1;
-
-?end perl;

Shorewall/action.GlusterFS

@@ -12,9 +12,9 @@
 DEFAULTS 2,0
 
 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-?error Invalid value for Bricks (@1)
+    ?error Invalid value for Bricks (@1)
 ?elsif @2 !~ /^[01]$/
-?error Invalid value for IB (@2)
+    ?error Invalid value for IB (@2)
 ?endif
 
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER

Shorewall/action.Invalid

@@ -30,24 +30,6 @@
 
 DEFAULTS DROP,-
 
-?begin perl;
+#
-
+# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
-use Shorewall::IPAddrs;
+#
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
-     $action = "A_$action";
-}
-
-if ( my $check = check_state( 'INVALID' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
-}
-
-1;
-
-?end perl;

Shorewall/action.New

@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+#   New[([<action>])]
 #
 #       Default action is ACCEPT
 #
@@ -30,19 +30,6 @@
 
 DEFAULTS ACCEPT
 
-?begin perl;
+#
-
+# All logic for this action is supplied by the 'state' option in actions.std
-use Shorewall::IPAddrs;
+#
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'NEW' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
-}
-
-1;
-
-?end perl;

Shorewall/action.NotSyn

@@ -30,23 +30,4 @@
 
 DEFAULTS DROP,-
 
-?begin perl;
+@1	 -	-	;;+  -p 6 ! --syn
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
-     $action = "A_$action";
-}
-
-perl_action_tcp_helper( $action, '-p 6 ! --syn' );
-
-1;
-
-?end perl;

Shorewall/action.RST

@@ -30,21 +30,4 @@
 
 DEFAULTS DROP,-
 
-?begin perl;
+@1	 -	-	;;+ -p 6 --tcp-flags RST RST
-
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
-     $action = "A_$action";
-}
-
-perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
-
-1;
-
-?end perl;

Shorewall/action.Reject

@@ -28,7 +28,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 
-?if @1 ne '' && @1 ne '-'
+?if passed(@1)
     ?if @1 eq 'audit'
 DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
     ?else
@@ -46,7 +46,7 @@ COUNT
 #
 # Special handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #
@@ -72,7 +72,7 @@ DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(-,@1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.

Shorewall/action.Related

@@ -30,20 +30,6 @@
 
 DEFAULTS DROP
 
-?begin perl;
+#
-
+# All logic for this action is supplied by the 'state' option in actions.std
-use strict;
+#
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'RELATED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
-}
-
-1;
-
-?end perl;

Shorewall/action.TCPFlags

@@ -12,7 +12,7 @@
 
 DEFAULTS -
 
-?if @1 ne '' && @1 ne '-'
+?if passed(@1)
     ?if @1 eq 'audit'
         ?set tcpflags_action 'A_DROP'
     ?else
@@ -27,8 +27,3 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
 $tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
-
-
-
-
-

Shorewall/action.Untracked

@@ -29,19 +29,6 @@
 ##########################################################################################
 DEFAULTS DROP
 
-?begin perl;
+#
-
+# All logic for this action is supplied by the 'state' option in actions.std
-use Shorewall::IPAddrs;
+#
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'UNTRACKED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
-}
-
-1;
-
-?end perl;

Shorewall/action.allowInvalid

@@ -28,25 +28,12 @@
 
 DEFAULTS -
 
-?begin perl;
+?if passed(@1)
-
+    ?if @1 eq 'audit'
-use strict;
+Invalid(A_ACCEPT)
-use Shorewall::IPAddrs;
+    ?else
-use Shorewall::Config;
+        ?error The first parameter to allowInvalid must be 'audit' or '-'
-use Shorewall::Chains;
+    ?endif
-use Shorewall::Rules;
+?else
-
+Invalid(ACCEPT)
-my $action = 'ACCEPT';
+?endif
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
-     $action = "A_ACCEPT";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;

Shorewall/action.dropInvalid

@@ -28,25 +28,14 @@
 
 DEFAULTS -
 
-?begin perl;
+DEFAULTS -
 
-use strict;
+?if passed(@1)
-use Shorewall::IPAddrs;
+    ?if @1 eq 'audit'
-use Shorewall::Config;
+Invalid(A_DROP)
-use Shorewall::Chains;
+    ?else
-use Shorewall::Rules;
+        ?error The first parameter to dropInvalid must be 'audit' or '-'
-
+    ?endif
-my $action = 'DROP';
+?else
-
+Invalid(DROP)
-my ( $audit ) = get_action_params( 1 );
+?endif
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;

Shorewall/actions.std

@@ -8,21 +8,18 @@
 #
 # Builtin Actions are:
 #
-#    A_ACCEPT           # Audits then accepts a connection request
+?if 0
-#    A_DROP             # Audits then drops a connection request
+A_ACCEPT                        # Audits then accepts a connection request
-#    A_REJECT		# Audits then drops a connection request
+A_DROP                          # Audits then drops a connection request
-#    allowBcast		# Silently Allow Broadcast/multicast
+A_REJECT		        # Audits then drops a connection request
-#    dropBcast		# Silently Drop Broadcast/multicast
+allowBcast		        # Silently Allow Broadcast/multicast
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
+dropBcast		        # Silently Drop Broadcast/multicast
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
-#    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
+rejNotSyn		        # Silently Reject Non-syn TCP packets
-#                       # work with kernel 2.6.14 and later).
+allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
-#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
+forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-#    forwardUPnP	# Allow traffic that upnpd has redirected from
+Limit                           # Limit the rate of connections from each individual IP address
-#			# 'upnp' interfaces.
+?endif
-#    Limit              # Limit the rate of connections from each individual
-#                       # IP address
-#
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
@@ -30,21 +27,25 @@ A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline             # Handles packets in the INVALID conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
+             state=INVALID      #
-NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
+NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED      #
 ResetEvent   inline		# Reset an Event
-RST	     inline             # Handle packets with RST set
+RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED    #

Shorewall/manpages/shorewall-actions.xml

@@ -53,7 +53,19 @@
 
           <variablelist>
             <varlistentry>
-              <term>builtin</term>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>builtin</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.16. Defines the action as a rule
@@ -86,7 +98,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>
 
               <listitem>
                 <para>Causes the action body (defined in
@@ -102,10 +114,10 @@
                   way:</para>
 
                   <simplelist>
-                    <member>Broadcast</member>
-
                     <member>DropSmurfs</member>
 
+                    <member>IfEvent</member>
+
                     <member>Invalid (Prior to Shorewall 4.5.13)</member>
 
                     <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -119,7 +131,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>mangle</term>
+              <term><option>mangle</option></term>
 
               <listitem>
                 <para>Added in Shorewall 5.0.7. Specifies that this action is
@@ -131,7 +143,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>noinline</term>
+              <term><option>noinline</option></term>
 
               <listitem>
                 <para>Causes any later <option>inline</option> option for the
@@ -140,7 +152,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.11. When this option is
@@ -154,7 +166,16 @@
             </varlistentry>
 
             <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with

Shorewall/manpages/shorewall-rules.xml

@@ -328,6 +328,18 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">CONTINUE</emphasis></term>
 
@@ -546,6 +558,35 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>

Shorewall6/action.Drop

@@ -31,37 +31,24 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;
 
+?if passed($1)
+    ?if $1 eq 'audit'
+DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+?endif
 
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
 #
+?if passed($2)
 Auth($2)
+?endif
 #
 # ACCEPT critical ICMP types
 #

Shorewall6/action.Reject

@@ -27,37 +27,24 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;
 
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+?endif
 
 #TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' -- REJECT
 #
+?if passed($2)
 Auth($2)
+?endif
 #
 # Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).

Shorewall6/actions.std

@@ -8,11 +8,12 @@
 #
 # Builtin Actions are:
 #
-#    allowBcasts        # Accept multicast and anycast packets
+?if 0
-#    dropBcasts         # Silently Drop multicast and anycast packets
+allowBcasts                     # Accept multicast and anycast packets
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
+dropBcasts                      # Silently Drop multicast and anycast packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
-#
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
@@ -26,15 +27,19 @@ Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
-Invalid	     inline		# Handles packets in the INVALID conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
+             state=INVALID
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED
 ResetEvent   inline		# Reset an Event
 RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handles bad flags combinations
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED

Shorewall6/manpages/shorewall6-actions.xml

@@ -53,6 +53,18 @@
           <para>Added in Shorewall 4.5.10. Available options are:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>builtin</term>
 
@@ -87,7 +99,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>
 
               <listitem>
                 <para>Causes the action body (defined in
@@ -103,10 +115,10 @@
                   way:</para>
 
                   <simplelist>
-                    <member>Broadcast</member>
-
                     <member>DropSmurfs</member>
 
+                    <member>IfEvent</member>
+
                     <member>Invalid (Prior to Shorewall 4.5.13)</member>
 
                     <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -120,7 +132,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>mangle</term>
+              <term><option>mangle</option></term>
 
               <listitem>
                 <para>Added in Shorewall 5.0.7. Specifies that this action is
@@ -132,7 +144,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>noinline</term>
+              <term><option>noinline</option></term>
 
               <listitem>
                 <para>Causes any later <option>inline</option> option for the
@@ -141,7 +153,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.11. When this option is
@@ -155,7 +167,16 @@
             </varlistentry>
 
             <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with

Shorewall6/manpages/shorewall6-rules.xml

@@ -303,6 +303,18 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">CONTINUE</emphasis></term>
 
@@ -523,6 +535,35 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>

docs/configuration_file_basics.xml

@@ -175,20 +175,23 @@
 
         <listitem>
           <para><filename>/etc/shorewall/init</filename> - commands that you
-          wish to execute at the beginning of a <quote>shorewall start</quote>
+          wish to execute at the beginning of a <quote>shorewall
-          or <quote>shorewall restart</quote>.</para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote>.</para>
         </listitem>
 
         <listitem>
           <para><filename>/etc/shorewall/start</filename> - commands that you
           wish to execute near the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
         </listitem>
 
         <listitem>
           <para><filename>/etc/shorewall/started</filename> - commands that
           you wish to execute after the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
         </listitem>
 
         <listitem>
@@ -1779,6 +1782,10 @@ SSH(ACCEPT)    net:$MYIP      $FW
         <para><ulink url="Macros.html">Macro</ulink> files</para>
       </listitem>
 
+      <listitem>
+        <para><ulink url="Actions.html">Action</ulink> files</para>
+      </listitem>
+
       <listitem>
         <para><ulink
         url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -1985,6 +1992,33 @@ SSH(ACCEPT)    net:$MYIP      $FW
     @disposition are used to generated the --log-prefix in logging rules. When
     either is empty, the historical value is used to generate the
     --log-prefix.</para>
+
+    <para>Within an action body, if a parameter is omitted in a DEFAULTS
+    statement, then the value of the corresponding action and Shorewall
+    variables is '-', while if the parameter is specified as '-' in the
+    parameter list, the value of the action/Shorewall variable is '', if it is
+    expanded before the DEFAULTS statement.</para>
+
+    <para>Additionally, when an expression is evaluated, the value 0 evaluates
+    as false, so '?IF @n' and '?IF $n' fail if the nth parameter is passed
+    with value zero. To make testing of the presense of parameters more
+    efficient and uniform, an new function has been added in Shorewall 5.0.7
+    for use in ?IF and ?ELSEIF:</para>
+
+    <simplelist>
+      <member>?IF [!] passed(&lt;variable&gt;)</member>
+    </simplelist>
+
+    <para>where &lt;variable&gt; is an action or Shorewall variable.</para>
+
+    <para>'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
+    is not empty and its contents are other than '-'. If '!' is present, the
+    result is inverted.</para>
+
+    <para>In this simple form, the expression is evaluated by the compiler
+    without having to invoke the (expensive) Perl exec() function. The
+    'passed' function may also be used in more complex expressions, but exec()
+    will be invoked to evaluate those expressions.</para>
   </section>
 
   <section id="Conditional">
@@ -2175,7 +2209,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
     <programlisting>?ERROR <replaceable>message</replaceable></programlisting>
 
     <para>Variables in the message are evaluated and the result appears in a
-    standard Shorewall ERROR: message. </para>
+    standard Shorewall ERROR: message.</para>
 
     <para>Example from the 5.0.7 action.GlusterFS:</para>
 
@@ -2543,6 +2577,44 @@ Shorewall has detected the following iptables/netfilter capabilities:
     "!tcp").</para>
   </section>
 
+  <section id="Ranges">
+    <title>Port Ranges</title>
+
+    <para>If you need to specify a range of ports, the proper syntax is
+    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
+    to forward the range of tcp ports 4000 through 4100 to local host
+    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
+
+    <para>If you omit the low port number, a value of zero is assumed; if you
+    omit the high port number, a value of 65535 is assumed.</para>
+
+    <para>Also, unless otherwise documented, a port range can be preceded by
+    '!' to specify "All ports except those in this range" (e.g.,
+    "!4000:4100").</para>
+  </section>
+
+  <section id="Portlists">
+    <title>Port Lists</title>
+
+    <para>In most cases where a port or port range may appear, a
+    comma-separated list of ports or port ranges may also be entered.
+    Shorewall requires the Netfilter <emphasis
+    role="bold">multiport</emphasis> match capability if ports lists are used
+    (see the output of "<emphasis role="bold">shorewall show
+    capabilities</emphasis>").</para>
+
+    <para>Also, unless otherwise documented, a port list can be preceded by
+    '!' to specify "All ports except these" (e.g., "!80,443").</para>
+
+    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
+  </section>
+
   <section id="ICMP">
     <title>ICMP and ICMP6 Types and Codes</title>
 
@@ -2619,44 +2691,6 @@ redirect                      =&gt; 137</programlisting>
     Shorewall 4.4.19.</para>
   </section>
 
-  <section id="Ranges">
-    <title>Port Ranges</title>
-
-    <para>If you need to specify a range of ports, the proper syntax is
-    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
-    to forward the range of tcp ports 4000 through 4100 to local host
-    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
-
-    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
-DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
-
-    <para>If you omit the low port number, a value of zero is assumed; if you
-    omit the high port number, a value of 65535 is assumed.</para>
-
-    <para>Also, unless otherwise documented, a port range can be preceded by
-    '!' to specify "All ports except those in this range" (e.g.,
-    "!4000:4100").</para>
-  </section>
-
-  <section id="Portlists">
-    <title>Port Lists</title>
-
-    <para>In most cases where a port or port range may appear, a
-    comma-separated list of ports or port ranges may also be entered.
-    Shorewall requires the Netfilter <emphasis
-    role="bold">multiport</emphasis> match capability if ports lists are used
-    (see the output of "<emphasis role="bold">shorewall show
-    capabilities</emphasis>").</para>
-
-    <para>Also, unless otherwise documented, a port list can be preceded by
-    '!' to specify "All ports except these" (e.g., "!80,443").</para>
-
-    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
-    (5) file may specify no more than 15 ports; port ranges appearing in a
-    list count as two ports each.</para>
-  </section>
-
   <section id="MAC">
     <title>Using MAC Addresses</title>
 
@@ -2709,9 +2743,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
 
     <simplelist>
-      <member>LOGRATE=10/minute</member>
+      <member>LOGLIMIT=10/minute:5</member>
-
-      <member>LOGBURST=5</member>
     </simplelist>
 
     <para>For each logging rule, the first time the rule is reached, the
@@ -2723,11 +2755,6 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     30 seconds, the burst will be fully recharged; back where we
     started.</para>
 
-    <note>
-      <para>The LOGRATE and LOGBURST options are deprecated in favor of
-      LOGLIMIT.</para>
-    </note>
-
     <para>Shorewall also supports per-IP rate limiting.</para>
 
     <para>Another example from <ulink
@@ -2761,8 +2788,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     <firstterm>Condition Match Support</firstterm> and you must be running
     Shorewall 4.4.24 or later. See the output of <command>shorewall show
     capabilities</command> and <command>shorewall version</command> to
-    determine if you can use this feature. As of this writing, Condition Match
+    determine if you can use this feature.</para>
-    Support requires that you install xtables-addons.</para>
 
     <para>The SWITCH column contains the name of a
     <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
@@ -2926,8 +2952,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
         <para>If <emphasis role="bold">detect</emphasis> is specified in the
         ADDRESS column of an entry in <ulink
         url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
-        firewall still start if the optional interface in the INTERFACE column
+        firewall still startS if the optional interface in the INTERFACE
-        does not have an IP address.</para>
+        column does not have an IP address.</para>
       </listitem>
     </itemizedlist>
 
@@ -2945,7 +2971,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
 
     <para>Shorewall allows you to have configuration directories other than
     <filename class="directory">/etc/shorewall</filename>. The shorewall
-    check, start and restart commands allow you to specify an alternate
+    <command>check</command>, <command>start</command> and
+    <command>restart</command> commands allow you to specify an alternate
     configuration directory and Shorewall will use the files in the alternate
     directory rather than the corresponding files in /etc/shorewall. The
     alternate directory need not contain a complete configuration; those files

docs/three-interface.xml

@@ -854,22 +854,16 @@ DNAT      net       dmz:10.10.11.2:80   tcp        5000</programlisting></para>
             with:<programlisting>#ACTION   SOURCE    DEST            PROTO  DPORT         SPORT    ORIGDEST
 DNAT      loc       dmz:10.10.11.2  tcp    80            -        <emphasis>&lt;external IP&gt;</emphasis></programlisting>If
             you have a dynamic IP then you must ensure that your external
-            interface is up before starting Shorewall and you must take steps
+            interface is up before starting Shorewall and you must code the
-            as follows (assume that your external interface is <filename
+            rule as follows (assume that your external interface is <filename
-            class="devicefile">eth0</filename>):<orderedlist>
+            class="devicefile">eth0</filename>):</para>
-                <listitem>
-                  <para>Include the following in /etc/shorewall/params:</para>
 
-                  <para><command>ETH0_IP=$(find_interface_address
+            <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
-                  eth0)</command></para>
+DNAT      loc       dmz:10.10.11.2   tcp     80            -        &amp;eth0</programlisting>
-                </listitem>
 
-                <listitem>
+            <para>'&amp;eth0' expands to the IP address of eth0 (see <ulink
-                  <para>Make your <literal>loc-&gt;dmz</literal> rule:
+            url="configuration_file_basics.htm#AddressVariables">this
-                  <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
+            article</ulink>).</para>
-DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</programlisting></para>
-                </listitem>
-              </orderedlist></para>
           </listitem>
 
           <listitem>