Avoid compiler crash when LOAD_HELPERS_ONLY=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -235,7 +235,8 @@ for on in \
     SPARSE \
     ANNOTATED \
     VARLIB \
-    VARDIR
+    VARDIR \
+    DEFAULT_PAGER
 do
     echo "$on=${options[${on}]}"
     echo "$on=${options[${on}]}" >> shorewallrc

Shorewall-core/configure.pl

@@ -209,7 +209,8 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR / ) {
+	  VARDIR
+          DEFAULT_PAGER / ) {
 
     my $val = $options{$_} || '';
 

Shorewall-core/lib.cli

@@ -191,6 +191,8 @@ setup_logread() {
 	else
 	    g_logread="logread"
 	fi
+    elif [ "$LOGFILE" = "systemd" ]; then
+	g_logread="journalctl -r"
     elif [ -r $LOGFILE ]; then
 	if qt mywhich tac; then
 	    g_logread="tac $LOGFILE"
@@ -339,7 +341,15 @@ show_classifiers() {
 #
 # Display blacklist chains
 #
+blacklist_filter() {
+    awk \
+	'BEGIN          { prnt=0; }; \
+        /^Members:/     { print "Dynamic:"; prnt=1; next; }; \
+                        { if (prnt == 1) print; };'
+}
+
 show_bl() {
+    [ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset | blacklist_filter && echo
     $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
             /^$/             {if (prnt == 1) print ""; prnt=0; };
@@ -456,7 +466,8 @@ do_save() {
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    chmod +x $g_restorepath
+	    chmod 700 $g_restorepath
+	    chmod 600 ${g_restorepath}-iptables
 	    echo "   Currently-running Configuration Saved to $g_restorepath"
 	    run_user_exit save
 	else
@@ -477,6 +488,7 @@ do_save() {
 		if ${arptables}-save > ${VARDIR}/restore-$$; then
 		    if grep -q '^-A' ${VARDIR}/restore-$$; then
 			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			chmod 600 ${g_restorepath}-arptables
 		    else
 			rm -f ${VARDIR}/restore-$$
 		    fi
@@ -523,7 +535,7 @@ do_save() {
 			#
 			# Don't save an 'empty' file
 			#
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets && chmod 600 ${g_restorepath}-ipsets
 		    fi
 		fi
 		;;
@@ -723,12 +735,29 @@ list_zone() {
     done
 }
 
+option_error() {
+    fatal_error "The $COMMAND command does not accept this option: -$1"
+}
+
+too_many_arguments() {
+    fatal_error "Too many arguments: $1"
+}
+
+missing_argument() {
+    fatal_error "Missing argument"
+}
+
+missing_option_value() {
+    fatal_error "The $1 option requires a value"
+}
+
 version_command() {
     local finished
     finished=0
     local all
     all=
     local product
+    local compiletime
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -747,7 +776,7 @@ version_command() {
 			    option=${option#a}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -759,7 +788,7 @@ version_command() {
 	esac
     done
 
-    [ $# -gt 0 ] && usage 1
+    [ $# -gt 0 ] && too_many_arguments
 
     if [ -n "$all" ]; then
 	echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
@@ -771,8 +800,16 @@ version_command() {
 	done
 
 	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
-	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
-	    $g_firewall version
+	    compiletime=$(run_it $g_firewall info 2>/dev/null)
+
+	    case $compiletime in
+		compiled\ *)
+		    echo "$g_firewall was $compiletime"
+		    ;;
+		*)
+		    echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
+		    ;;
+	    esac
 	fi
     else
 	echo $SHOREWALL_VERSION
@@ -1057,7 +1094,7 @@ show_connections() {
 	    shift
 	    conntrack -f ipv4 -L $@ | show_connections_filter
 	else
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments
 	    if [ -f /proc/net/ip_conntrack ]; then
 		cat /proc/net/ip_conntrack | show_connections_filter
 	    else
@@ -1070,7 +1107,7 @@ show_connections() {
 	echo
 	conntrack -f ipv6 -L $@ | show_connections_filter
     else
-	[ $# -gt 1 ] && usage 1
+	[ $# -gt 1 ] && too_many_arguments
 	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -1191,7 +1228,7 @@ show_command() {
 			    option=${option#f}
 			    ;;
 			t)
-			    [ $# -eq 1 ] && usage 1
+			    [ $# -eq 1 ] && missing_option_value -t
 
 			    case $2 in
 				mangle|nat|filter|raw|rawpost)
@@ -1219,7 +1256,7 @@ show_command() {
 			    option=${option#b}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1241,37 +1278,37 @@ show_command() {
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	rawpost)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
 		echo
@@ -1294,7 +1331,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
@@ -1304,11 +1341,11 @@ show_command() {
 	    fi
 	    ;;
 	ip)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_routing_command $g_pager
 	    ;;
 	config)
@@ -1337,26 +1374,26 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    [ $g_family -eq 4 ] || usage 1
-	    [ $# -gt 1 ] && usage 1
+	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1365,22 +1402,22 @@ show_command() {
 	    fi
 	    ;;
 	event)
-	    [ $# -gt 1 ] || usage 1
+	    [ $# -gt 1 ] || too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
 	    show_events $@
 	    ;;
 	events)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1396,12 +1433,12 @@ show_command() {
 	    	*)
 		    case $1 in
 			actions)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
-			    [ $# -ne 2 ] && usage 1
+			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
 				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
@@ -1413,7 +1450,7 @@ show_command() {
 			    return
 			    ;;
 			macros)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_macros $g_pager
 			    return
 			    ;;
@@ -1424,7 +1461,7 @@ show_command() {
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
-		    [ $# -eq 1 ] || usage 1
+		    [ $# -eq 1 ] || too_many_arguments $2
 		    list_zone $1
 		    return;
                 fi
@@ -1499,6 +1536,49 @@ dump_filter_wrapper() {
     eval dump_filter $g_pager
 }
 
+show_status() {
+    local compiletime
+    local state
+
+    if product_is_started ; then
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
+	status=0
+    else
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
+	status=4
+    fi
+
+    if [ -f ${VARDIR}/state ]; then
+	state="$(cat ${VARDIR}/state)"
+	case $state in
+	    Stopped*|Closed*|Clear*)
+		status=3
+		;;
+	esac
+    else
+	state=Unknown
+    fi
+
+    if [ $VERBOSITY -ge 1 ]; then 
+	if [ -f $g_firewall ]; then
+	    compiletime=$(run_it $g_firewall info 2>/dev/null)
+
+	    case $compiletime in
+		compiled\ *)
+		    state="$state ($g_firewall $compiletime)"
+		    ;;
+		*)
+		    state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
+		    ;;
+	    esac
+	fi
+
+	echo "State:$state"
+	echo
+    fi
+
+}
+
 #
 # Dump Command Executor
 #
@@ -1538,7 +1618,7 @@ do_dump_command() {
 			    option=${option#c}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1557,7 +1637,7 @@ do_dump_command() {
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
 
     [ -n "$g_debugging" ] && set -x
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
     clear_term
     echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
     echo
@@ -1752,7 +1832,7 @@ restore_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error
 			    ;;
 		    esac
 		done
@@ -1772,7 +1852,7 @@ restore_command() {
 	validate_restorefile '<restore file>'
 	;;
     *)
-	usage 1
+	too_many_arguments $2
 	;;
     esac
 
@@ -2378,7 +2458,7 @@ hits_command() {
 			    option=${option#t}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2390,7 +2470,7 @@ hits_command() {
 	esac
     done
 
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
 
     clear_term
     echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
@@ -2446,21 +2526,46 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
+
     [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && usage 1
+    [ $# -eq 1 ] && missing_argument
+
     if product_is_started ; then
+	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
+	local dynexists
 
-	if ! chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
+
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		    ;;
+	    esac
+	fi
+
+	if chain_exists dynamic; then
+	    dynexists=Yes
+	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 
 	[ -n "$g_nolock" ] || mutex_on
+
 	while [ $# -gt 1 ]; do
 	    shift
+
+	    allowed=''
+
 	    case $1 in
 		from)
 		    which='-s'
@@ -2473,29 +2578,48 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 		*)
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			qt $g_tool -D dynamic $which $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 	    esac
+
+	    if [ -n "$allowed" ]; then
+		progress_message2 "$1 Allowed"
+	    else
+		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	    fi
 	done
+
 	[ -n "$g_nolock" ] || mutex_off
     else
 	error_message "ERROR: $g_product is not started"
@@ -2517,8 +2641,6 @@ logwatch_command() {
 	    -*)
 		option=${option#-}
 
-		[ -z "$option" ] && usage 1
-
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -2538,7 +2660,7 @@ logwatch_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2557,7 +2679,7 @@ logwatch_command() {
     elif [ $# -eq 0 ]; then
 	logwatch 30
     else
-	usage 1
+	too_many_arguments $2
     fi
 }
 
@@ -3301,36 +3423,6 @@ report_capabilities1() {
     report_capabilities_unsorted1 | sort
 }
 
-show_status() {
-    if product_is_started ; then
-	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
-	status=0
-    else
-	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
-	status=4
-    fi
-
-    if [ -f ${VARDIR}/state ]; then
-	state="$(cat ${VARDIR}/state)"
-	case $state in
-	    Stopped*|Closed*|Clear*)
-		status=3
-		;;
-	esac
-    else
-	state=Unknown
-    fi
-
-    if [ $VERBOSITY -ge 1 ]; then 
-	if [ -f $g_firewall ]; then
-	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
-	fi
-	echo "State:$state"
-	echo
-    fi
-
-}
-
 interface_status() {
     case $(cat $1) in
 	0)
@@ -3384,7 +3476,7 @@ status_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3396,7 +3488,7 @@ status_command() {
 	esac
     done
 
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || missing_argument
 
     [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
@@ -3444,6 +3536,59 @@ reject_command() {
     fi
 }
 
+blacklist_command() {
+    local family
+
+    [ $# -gt 0 ] || fatal_error "Missing address"
+
+    [ -z "$g_blacklistipset" ] && fatal_error "The blacklist command is not supported in the current $g_product configuration"
+
+    case ${IPSET:=ipset} in
+	*/*)
+	    if [ ! -x "$IPSET" ]; then
+		fatal_error "IPSET=$IPSET does not exist or is not executable"
+	    fi
+	    ;;
+	*)
+	    IPSET="$(mywhich $IPSET)"
+	    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+	    ;;
+    esac
+
+    if $IPSET -A $g_blacklistipset $@ -exist; then
+	local message
+
+	progress_message2 "$1 Blacklisted"
+
+	if [ -n "$g_disconnect" ]; then
+	    message="$(conntrack -D -s $1 2>&1)"
+	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		if [ $VERBOSITY -gt 1 ]; then
+		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
+		else
+		    echo "$message" | head -n1 | sed '/^.*: //; s/ / src /'
+		fi
+	    fi
+
+	    if [ $g_disconnect = src-dst ]; then
+		message="$(conntrack -D -d $1 2>&1)"
+		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		    if [ $VERBOSITY -gt 1 ]; then
+			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
+		    else
+			echo "$message" | head -n1 | sed '/^.*: //; s/ / dst /'
+		    fi
+		fi
+	    fi
+	fi
+    else
+	error_message "ERROR: Address $1 not blacklisted"
+	return 1
+    fi
+
+    return 0
+}
+
 save_command() {
     local finished
     finished=0
@@ -3467,7 +3612,7 @@ save_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3487,7 +3632,7 @@ save_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
 	esac
 
@@ -3506,6 +3651,9 @@ save_command() {
 
 forget_command() {
     case $# in
+	0)
+	    missing_argument
+	    ;;
 	1)
 	    ;;
 	2)
@@ -3513,7 +3661,7 @@ forget_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -3535,7 +3683,7 @@ ipcalc_command() {
     local address
     local vlsm
 
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
 
     if [ $# -eq 2 ]; then
 	address=${2%/*}
@@ -3543,13 +3691,15 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
+    elif [ $# -eq 0 ]; then
+	missing_argument
     else
-	usage 1
+	too_many_arguments $4
     fi
 
     valid_address $address || fatal_error "Invalid IP address: $address"
-    [ -z "$vlsm" ] && usage 2
-    [ "x$address" = "x$vlsm" ] && usage 2
+    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm
@@ -3563,7 +3713,7 @@ ipcalc_command() {
 iprange_command() {
     local range
 
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
 
     range=''
 
@@ -3581,15 +3731,19 @@ iprange_command() {
 	    ip_range $range
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid ip range: $range"
 	    ;;
     esac
 }
 
 ipdecimal_command() {
-    [ $# -eq 2 ] || usage 1
+    if [ $# eq 1 ]; then
+	missing_argument
+    else
+	[ $# -eq 2 ] || too_many_arguments $3
+    fi
 
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
 
     case $2 in
 	*.*.*.*)
@@ -3637,6 +3791,68 @@ verify_firewall_script() {
     fi
 }
 
+setup_dbl() {
+    local original
+
+    original=$DYNAMIC_BLACKLIST
+
+    case $DYNAMIC_BLACKLIST in
+	*:*,)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+	ipset*,disconnect*)
+	    if qt mywhich conntrack; then
+		g_disconnect=src
+		DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
+	    else
+		fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
+	    fi
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,src-dst*)
+	    #
+	    # This utility doesn't need to know about 'src-dst'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
+
+	    [ -n "$g_disconnect" ] && g_disconnect=src-dst
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,timeout*)
+	    #
+	    # This utility doesn't need to know about 'timeout=nnn'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	[Nn]o)
+	    DYNAMIC_BLACKLIST='';
+	    ;;
+	[Yy]es)
+	    ;;
+	ipset|ipset::*|ipset-only|ipset-only::*)
+	    g_blacklistipset=SW_DBL$g_family
+	    ;;
+	ipset:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	ipset-only:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	*)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+    esac
+}
+
 ################################################################################
 # The remaining functions are used by the Lite cli - they are overloaded by
 # the Standard CLI by loading lib.cli-std
@@ -3776,6 +3992,8 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
     if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -3783,7 +4001,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	esac
@@ -3793,6 +4011,10 @@ get_config() {
 	g_pager="| $g_pager"
      fi
 
+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+	setup_dbl
+    fi
+
     lib=$(find_file lib.cli-user)
 
     [ -f $lib ] && . $lib
@@ -3819,7 +4041,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:$g_product start failed"
+	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
 
@@ -3865,7 +4087,7 @@ start_command() {
 			    option=${option%p}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3881,7 +4103,7 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
     esac
 
@@ -3925,7 +4147,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3941,7 +4163,7 @@ restart_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
     esac
 
@@ -3952,7 +4174,7 @@ restart_command() {
 	rc=$?
     else
 	error_message "${VARDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
 
@@ -3983,6 +4205,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
+    echo "   blacklist <address> [ <option> ... ]"
     ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
     echo "   clear"
     ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
@@ -4134,6 +4357,8 @@ shorewall_cli() {
     g_loopback=
     g_compiled=
     g_pager=
+    g_blacklistipset=
+    g_disconnect=
 
     VERBOSE=
     VERBOSITY=1
@@ -4155,7 +4380,8 @@ shorewall_cli() {
 		while [ -n "$option" ]; do
 		    case $option in
 			c)
-			    [ $# -eq 1 -o -n "$g_lite" ] && usage 1
+			    [ $# -eq 1 ]     && missing_option_value -c
+			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
 
 			    if [ ! -d $2 ]; then
 				if [ -e $2 ]; then
@@ -4170,7 +4396,7 @@ shorewall_cli() {
 			    shift
 			    ;;
 			e*)
-			    [ -n "$g_lite" ] && usage 1
+			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
 			    g_export=Yes
 			    option=${option#e}
 			    ;;
@@ -4232,7 +4458,7 @@ shorewall_cli() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -4297,7 +4523,7 @@ shorewall_cli() {
 	    start_command $@
 	    ;;
 	stop|clear)
-	    [ $# -ne 1 ] && usage 1
+	    [ $# -ne 1 ] && too_many_arguments $2
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4325,6 +4551,13 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
+	blacklist)
+	    get_config Yes
+	    shift
+	    [ -n "$g_nolock" ] || mutex_on
+	    blacklist_command $@
+	    [ -n "$g_nolock" ] || mutex_off
+	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
@@ -4347,7 +4580,7 @@ shorewall_cli() {
     	    dump_command $@
 	    ;;
 	hits)
-	    [ $g_family -eq 6 ] && usage 1
+	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4365,19 +4598,19 @@ shorewall_cli() {
 	drop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
@@ -4442,6 +4675,11 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
+		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
+		    #
+		    # It's a shell function -- call it
+		    #
+		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
@@ -4450,7 +4688,7 @@ shorewall_cli() {
 		    run_it $g_firewall $g_debugging call $@
 		fi
 	    else
-		usage 1
+		missing_argument
 	    fi
 	    ;;
 	help)
@@ -4468,7 +4706,7 @@ shorewall_cli() {
 	    noiptrace_command $@
 	    ;;
 	savesets)
-	    [ $# -eq 1 ] || usage 1
+	    [ $# -eq 1 ] || too_many_arguments $2
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
@@ -4477,7 +4715,7 @@ shorewall_cli() {
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
 	    else
-		usage 1
+		fatal_error "Invalid command: $COMMAND"
 	    fi
 	    ;;
     esac

Shorewall-core/lib.common

@@ -25,6 +25,22 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
+#
+# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
+#
+mylogger() {
+    local level
+
+    level=$1
+    shift
+
+    if [ -n "$SW_LOGGERTAG" ]; then
+	logger -p $level -t "$SW_LOGGERTAG" $*
+    else
+	logger -p $level $*
+    fi
+}
+
 #
 # Issue a message and stop
 #
@@ -33,24 +49,24 @@ startup_error() # $* = Error Message
     echo "   ERROR: $@: Firewall state not changed" >&2
 
     if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
         echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
     fi
 
     case $COMMAND in
         start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
     esac
 
     if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
 
 	case $COMMAND in
 	    start)
@@ -696,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
     if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+	echo "$1 $(date) from $2" > ${VARDIR}/state
     else
-	echo "$1 ($(date))" > ${VARDIR}/state
+	echo "$1 $(date)" > ${VARDIR}/state
     fi
 }
 
@@ -760,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                 return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -772,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u+w ${lockf}
-            echo $$ > ${lockf}
-            chmod u-w ${lockf}
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -797,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 

Shorewall-core/shorewallrc.apple

@@ -19,3 +19,4 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.archlinux

@@ -20,3 +20,4 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.cygwin

@@ -19,3 +19,4 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
+DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.debian.systemd

@@ -21,3 +21,4 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.debian.sysvinit

@@ -21,3 +21,4 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.default

@@ -21,3 +21,4 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.openwrt

@@ -21,3 +21,4 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.redhat

@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.slackware

@@ -22,3 +22,4 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
+DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.suse

@@ -7,17 +7,18 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITFILE=                                             #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
+DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf

Shorewall-core/uninstall.sh

@@ -117,6 +117,7 @@ fi
 echo "Uninstalling Shorewall Core $VERSION"
 
 rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc
 
 echo "Shorewall Core Uninstalled"
 

Shorewall-init/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-init/init.debian.sh

@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network

Shorewall-init/install.sh

@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
 
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/shorewall-inir enable
+		/etc/init.d/$PRODUCT enable
 		if /etc/init.d/shorewall-init enabled; then
-		    echo "Shorrewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
     fi
 else
     if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

Shorewall-lite/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-lite stable 4.4 branch of Git.

Shorewall-lite/init.debian.sh

@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -92,10 +92,11 @@ shorewall_start () {
 
 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall-lite/install.sh

@@ -495,7 +495,7 @@ done
 # Install the Man Pages
 #
 
-if [ -d manpages ]; then
+if [ -d manpages -a -n "$MANDIR" ]; then
     cd manpages
 
     mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ ${SHAREDIR} != /usr/share ]; then

Shorewall-lite/manpages/shorewall-lite.xml

@@ -47,6 +47,19 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -689,7 +702,45 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
+          <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 
@@ -1553,6 +1604,34 @@
     started.</para>
   </refsect1>
 
+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall-lite:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall/Macros/macro.RedisCluster

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisCluster
+#
+# This macro handles Redis Cluster traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	16379

Shorewall/Macros/macro.RedisSentinel

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisSentinel
+#
+# This macro handles Redis Sentinel traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	26379

Shorewall/Perl/Shorewall/ARP.pm

@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
 
     emit "exec 3>\${VARDIR}/.arptables-input";
 
-    my $date = localtime;
+    my $date = compiletime;
 
     unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
 
-    my $date = localtime;
+    my $date = compiletime;
 
     print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -279,6 +279,7 @@ our %EXPORT_TAGS = (
 				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
+				       create_load_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -286,6 +287,7 @@ our %EXPORT_TAGS = (
 				       create_chainlist_reload
 				       create_stop_load
 				       initialize_switches
+				       terminating
 				       %targets
 				       %builtin_target
 				       %dscpmap
@@ -335,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
-#                                                               Suppresses adding additional rules to the chain end of the chain
+#                                                               Suppresses adding additional rules to the end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
@@ -619,7 +621,7 @@ our %builtin_target = ( ACCEPT      => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
 			RAWDNAT     => STANDARD                                           + RAW_TABLE,
 			RAWSNAT     => STANDARD                                           + RAW_TABLE,
 			REDIRECT    => STANDARD                + NAT_TABLE,
-			REJECT      => STANDARD + FILTER_TABLE,
+			REJECT      => STANDARD + FILTER_TABLE + OPTIONS,
 			RETURN      => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
 			SAME        => STANDARD,
 			SECMARK     => STANDARD                            + MANGLE_TABLE,
@@ -808,14 +810,13 @@ sub initialize( $$$ ) {
 		     NETMAP       => 1,
 		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
-		     REDIRECT     => 1,
 		     RAWDNAT      => 1,
+		     REDIRECT     => 1,
 		     RAWSNAT      => 1,
 		     REJECT       => 1,
 		     SAME         => 1,
 		     SNAT         => 1,
 		     TPROXY       => 1,
-		     reject       => 1,
 		   );
     #
     # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -842,6 +843,24 @@ sub make_terminating( $ ) {
     $terminating{$_[0]} = 1;
 }
 
+#
+# Determine if a chain is terminating
+#
+sub terminating( $ ) {
+    my ( $chainref ) = @_;
+
+    return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
+}
+
+sub is_terminating( $$ ) {
+    my ( $table, $target ) = @_;
+
+    if ( my $chainref = $chain_table{$table}{$target} ) {
+	terminating( $chainref );
+    } else {
+	$terminating{$target};
+    }
+}
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1309,6 +1328,8 @@ sub push_rule( $$ ) {
     my $complete = 0;
     my $ruleref  = transform_rule( $_[1], $complete );
 
+    fatal_error "Chain $chainref->{name} jumps to itself" if ( $ruleref->{target} || '' ) eq $chainref->{name};
+
     set_irule_comment( $chainref, $ruleref );
 
     $ruleref->{mode}    = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
@@ -1316,7 +1337,14 @@ sub push_rule( $$ ) {
     push @{$chainref->{rules}}, $ruleref;
     $chainref->{referenced} = 1;
     $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
+
+    if ( $debug ) {
+	if ( $ruleref->{comment} ) {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
+	} else {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
+	}
+    }
 
     $chainref->{complete} = 1 if $complete;
 
@@ -1539,6 +1567,7 @@ sub create_irule( $$$;@ ) {
 	$ruleref->{jump}       = $jump;
 	$ruleref->{target}     = $target;
 	$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
+	$chainref->{complete} ||= ( ! @matches && ( $jump eq 'g' || is_terminating( $chainref->{table}, $target ) ) );
 	$ruleref->{targetopts} = $targetopts if $targetopts;
     } else {
 	$ruleref->{target} = '';
@@ -2030,7 +2059,7 @@ sub chain_base( $ ) {
 sub forward_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fwd';
 }
 
 #
@@ -2085,7 +2114,7 @@ sub use_forward_chain($$) {
 #
 sub input_option_chain($) {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_iop';
 }
 
 #
@@ -2093,7 +2122,7 @@ sub input_option_chain($) {
 #
 sub output_option_chain($) {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop';
 }
 
 #
@@ -2101,7 +2130,7 @@ sub output_option_chain($) {
 #
 sub forward_option_chain($) {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fop';
 }
 
 #
@@ -2110,7 +2139,7 @@ sub forward_option_chain($) {
 sub input_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_in';
 }
 
 #
@@ -2173,7 +2202,7 @@ sub use_input_chain($$) {
 sub output_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_out';
 }
 
 #
@@ -2182,7 +2211,7 @@ sub output_chain($)
 sub prerouting_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_pre';
 }
 
 #
@@ -2191,7 +2220,7 @@ sub prerouting_chain($)
 sub postrouting_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_post';
 }
 
 #
@@ -2244,7 +2273,7 @@ sub use_output_chain($$) {
 sub masq_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_masq';
 }
 
 #
@@ -2260,7 +2289,7 @@ sub syn_flood_chain ( $ ) {
 sub mac_chain( $ )
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_mac';
 }
 
 sub macrecent_target($)
@@ -2297,7 +2326,7 @@ sub load_chain( $ ) {
 sub snat_chain( $ )
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_snat';
 }
 
 #
@@ -2306,7 +2335,7 @@ sub snat_chain( $ )
 sub ecn_chain( $ )
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ecn';
 }
 
 #
@@ -2485,7 +2514,7 @@ sub add_ijump_internal( $$$$$;@ ) {
     }
 
     if ( $ruleref->{simple} ) {
-	$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
+	$fromref->{complete} = 1 if $jump eq 'g' || ( $toref ? terminating( $toref ) : $terminating{$to} );
     }
 
     $ruleref->{origin} = $origin if $origin;
@@ -2906,17 +2935,15 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
 		    'ADD'             => STANDARD + SET,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
 		    'CONNMARK'        => STANDARD + OPTIONS,
 		    'CONTINUE'        => STANDARD,
@@ -2974,21 +3001,19 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'NONAT'           => STANDARD + NONAT + NATONLY,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD + OPTIONS,
 		    'REJECT!'         => STANDARD + OPTIONS,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'DNAT'            => NATRULE  + OPTIONS,
 		    'DNAT-'           => NATRULE  + NATONLY,
 		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
@@ -3161,17 +3186,17 @@ sub delete_references( $ ) {
 #
 sub calculate_digest( $ ) {
     my $chainref = shift;
-    my $digest = '';
+    my $rules = '';
 
     for ( @{$chainref->{rules}} ) {
-	if ( $digest ) {
-	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+	if ( $rules ) {
+	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $digest = format_rule( $chainref, $_, 1 );
+	    $rules = format_rule( $chainref, $_, 1 );
 	}
     }
 
-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1_hex $rules;
 }
 
 #
@@ -3460,7 +3485,7 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
-				# This case requires a new rule merging algorithm. Ignore this chain for
+				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3468,7 +3493,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
-				$progress = 1 if replace_references1 $chainref, $firstrule;
+				$progress = 1 if replace_references1( $chainref, $firstrule );
 			    }
 			}
 		    } else {
@@ -3514,7 +3539,7 @@ sub optimize_level4( $$ ) {
 				#empty builtin chain -- change it's policy
 				#
 				$chainref->{policy} = $target;
-				trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
+				trace( $chainref, 'P', undef, $target ) if $debug;
 				$count++;
 			    }
 
@@ -3668,7 +3693,12 @@ sub optimize_level8( $$$ ) {
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
-		    replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
+		    replace_references( $chainref1,
+					$chainref->{name},
+					undef,   # Target Opts
+					'',      # Comment
+					'',      # Origin
+					1 );     # Recalculate digests of modified chains
 
 		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
@@ -3994,7 +4024,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;
 
-	if ( $baseref->{mode} == CAT_MODE ) {
+	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
@@ -5160,7 +5190,7 @@ sub do_time( $ ) {
 	    $result .= "--monthday $days ";
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -5202,6 +5232,8 @@ sub do_user( $ ) {
 
     if ( supplied $2 ) {
 	$user  = $2;
+	$user =~ s/:$//;
+
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -6335,7 +6367,7 @@ sub log_rule_limit( $$$$$$$$;$ ) {
     my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
 
     my $prefix = '';
-    my $chain            = get_action_chain_name  || $chn;
+    my $chain            = get_action_chain_name  ||  $chn;
     my $disposition      = get_action_disposition || $dispo;
     my $original_matches = $matches;
     my $ruleref;
@@ -6435,7 +6467,7 @@ sub log_irule_limit( $$$$$$$$@ ) {
 
     my $prefix = '';
     my %matches;
-    my $chain       = get_action_chain_name  || $chn;
+    my $chain       = get_action_chain_name  ||  $chn;
     my $disposition = get_action_disposition || $dispo;
     my $original_matches = @matches;
 
@@ -7748,7 +7780,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
+			    add_expanded_jump( $chainref ,
+					       $targetref ,
+					       terminating( $targetref ) ,
+					       $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -8172,6 +8207,15 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
+fi
+EOF
+	}
     } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8192,6 +8236,15 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING    
+fi
+EOF
+	}
     }
 
     pop_indent;
@@ -8210,26 +8263,67 @@ EOF
     emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }
 
-sub ensure_ipset( $ ) {
-    my $set = shift;
+sub ensure_ipsets( @ ) {
+    my $set;
+    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
-    if ( $family == F_IPV4 ) {
-	if ( have_capability 'IPSET_V5' ) {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
-		   qq(        \$IPSET -N $set hash:ip family inet) ,
-		   qq(    fi) );
+    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+	shift;
+
+	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
+
+	push_indent;
+
+	if ( $family == F_IPV4 ) {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
 	} else {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
-		   qq(        \$IPSET -N $set iphash) ,
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+	}
+
+	pop_indent;
+
+	emit( qq(    fi\n) );
+
+    }
+
+    if ( @_ ) {
+	if ( @_ > 1 ) {
+	    push_indent;
+	    emit( "for set in @_; do" );
+	    $set = '$set';
+	} else {
+	    $set = $_[0];
+	}
+
+	if ( $family == F_IPV4 ) {
+	    if ( have_capability 'IPSET_V5' ) {
+		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
+		       qq(    fi) );
+	    } else {
+		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		       qq(        \$IPSET -N $set iphash) ,
+		       qq(    fi) );
+	    }
+	} else {
+	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
-    } else {
-	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
-	       qq(        \$IPSET -N $set hash:ip family inet6) ,
-	       qq(    fi) );
+
+	if ( @_ > 1 ) {
+	    emit 'done';
+	    pop_indent;
+	}
     }
 }
 
@@ -8239,22 +8333,26 @@ sub ensure_ipset( $ ) {
 sub create_save_ipsets() {
     my @ipsets = all_ipsets;
 
-    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones and blacklisting\n#",
 	  'save_ipsets() {' );
 
     if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
+	      '    local set' ,
 	      '',
 	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );
 
 	if ( @ipsets ) {
 	    emit '';
-	    ensure_ipset( $_ ) for @ipsets;
+	    ensure_ipsets( @ipsets );
 	}
 
 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+		#
+		# Requires V5 or later
+		#
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
 
 		emit( '' ,
@@ -8263,11 +8361,6 @@ sub create_save_ipsets() {
 		      '    local set' ,
 		    );
 
-		if ( @ipsets ) {
-		    emit '';
-		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
-		}
-
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
@@ -8275,6 +8368,9 @@ sub create_save_ipsets() {
 		      '',
 		    );
 	    } else {
+		#
+		# Saving all ipsets (IPv4 and IPv6, if any )
+		# 
 		emit ( 
 		       '',
 		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
@@ -8283,28 +8379,48 @@ sub create_save_ipsets() {
 	    }
 
 	    emit( "    return 0",
-		  '',
 		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
+	    #
+	    # Requires V5 or later
+	    #
+	    my %ipsets;
+	    #
+	    # Requires V
+	    #
+	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
+
+	    my @sets = sort keys %ipsets;
+
 	    emit( '' ,
+		  '    rm -f $file' ,
+		  '    touch $file' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);
 
-	    if ( @ipsets ) {
-		emit '';
-		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+	    if ( @sets > 1 ) {
+		emit( '' ,
+		      "    for set in @sets; do" , 
+		      '        if qt $IPSET list $set; then' ,
+		      '            $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
+		      '        else' ,
+		      '            error_message "ipset $set not saved (not found)"' ,
+		      '        fi' ,
+		      '    done' );
+	    } else {
+		my $set = $sets[0];
+
+		emit( '' ,
+		      "    if qt \$IPSET list $set; then" ,
+		      "        \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
+		      '    else' ,
+		      "        error_message 'ipset $set not saved (not found)'" ,
+		      '    fi' );
 	    }
 
 	    emit( '' ,
-		  "    if qt \$IPSET list $_; then" ,
-		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
-		  '    else' ,
-		  "        error_message 'ipset $_ not saved (not found)'" ,
-		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-
-	    emit( '' ,
-		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
+		  "    grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
 		  '' ,
 		  '    return 0',
 		  '' ,
@@ -8320,13 +8436,58 @@ sub create_save_ipsets() {
     }
 }
 
-sub load_ipsets() {
+sub create_load_ipsets() {
 
-    my @ipsets = all_ipsets;
+    my @ipsets = all_ipsets; #Dynamic Zone IPSETS
 
-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit ( '', );
-	emit ( '',
+    my $setting = $config{SAVE_IPSETS};
+
+    my $havesets =  @ipsets || @{$globals{SAVED_IPSETS}} || ( $setting && have_ipset_rules );
+
+    #
+    # Generate a function that flushes and destroys sets prior to restoring them
+    #
+    if ( $havesets ) {
+	my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+	emit ( "#\n#Flush and Destroy the sets that we will subsequently attempt to restore\n#",
+	       'zap_ipsets() {',
+	       '    local set',
+	       '' );
+
+	if ( $family == F_IPV6 || $setting !~ /yes/i ) {
+	    #
+	    # Requires V5 or later
+	    #
+	    emit( '' ,
+		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '        $IPSET flush $set' ,
+		  '        $IPSET destroy $set' ,
+		  "    done" ,
+		  '',
+		);
+	} else {
+	    #
+	    # Restoring all ipsets (IPv4 and IPv6, if any)
+	    #
+	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '    fi' );
+	};
+
+	emit( '}' );
+    }
+    #
+    # Now generate load_ipsets()
+    
+    emit ( "#\n#Flush and Destroy the sets then load fresh copy from a saved ipset file\n#",
+	   'load_ipsets() {' );
+
+    push_indent;
+
+    if ( $havesets ) {
+	emit(  '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8337,86 +8498,67 @@ sub load_ipsets() {
 	       '        ;;',
 	       'esac' ,
 	       '' ,
-	       'if [ "$COMMAND" = start ]; then' );
+	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################
 
-	if ( $config{SAVE_IPSETS} ) {
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET -F' ,
-		   '        $IPSET -X' ,
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-		   '    fi' );
+	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
 
-	    if ( @ipsets ) {
-		emit ( '' );
-		ensure_ipset( $_ ) for @ipsets;
-		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-	    }
-	} else {
-	    ensure_ipset( $_ ) for @ipsets;
-
-	    if ( @{$globals{SAVED_IPSETS}} ) {
-		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+	    if ( my $set = $globals{DBL_IPSET} ) {
+		emit( '        #',
+		      '        # Update the dynamic blacklisting ipset timeout value',
+		      '        #',
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      '        zap_ipsets',
+		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
+		      '    fi' );
+	    } else {
+		emit( '        zap_ipsets',
+		      '        $IPSET -R < ${VARDIR}/ipsets.save',
+		      '    fi' );
 	    }
 	}
 
-	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
+	if ( @ipsets ) {
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );
+	}
 
-	if ( $config{SAVE_IPSETS} ) {
+	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ); ### Restore Command #################
+
+	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
 	    emit( '    if [ -f $(my_pathname)-ipsets ]; then' ,
 		  '        if chain_exists shorewall; then' ,
 		  '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
 		  '        else' ,
-		  '            $IPSET -F' ,
-		  '            $IPSET -X' ,
+		  '            zap_ipsets' ,
 		  '            $IPSET -R < $(my_pathname)-ipsets' ,
 		  '        fi' ,
 		  '    fi' ,
 		);
-
-	    if ( @ipsets ) {
-		emit ( '' );
-		ensure_ipset( $_ ) for @ipsets;
-		emit ( '' );
-	    }
-	} else {
-	    ensure_ipset( $_ ) for @ipsets;
-
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET flush' ,
-		   '        $IPSET destroy' ,
-		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 
 	if ( @ipsets ) {
-	    emit ( 'elif [ "$COMMAND" = reload ]; then' );
-	    ensure_ipset( $_ ) for @ipsets;
-	}
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );
 
-	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-	      '   save_ipsets'
-	    );
+	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
+	    ensure_ipsets( @ipsets );
 
-	if ( @ipsets ) {
-	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
-	    ensure_ipset( $_ ) for @ipsets;
+	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );
+	    emit ( '' );
 	};
 
 	emit ( 'fi' ,
 	       '' );
+    } else {
+	emit 'true';
     }
+
+    pop_indent;
+
+    emit '}';	    
 }
 
 #
@@ -8486,7 +8628,7 @@ sub create_netfilter_load( $ ) {
 
     enter_cat_mode;
 
-    my $date = localtime;
+    my $date = compiletime;
 
     unless ( $test ) {
 	emit_unindented '#';
@@ -8594,7 +8736,7 @@ sub preview_netfilter_load() {
 
     enter_cat_mode1;
 
-    my $date = localtime;
+    my $date = compiletime;
 
     print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
 
@@ -8627,12 +8769,12 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } else {		    
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {
@@ -8830,7 +8972,7 @@ sub create_stop_load( $ ) {
     enter_cat_mode;
 
     unless ( $test ) {
-	my $date = localtime;
+	my $date = compiletime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';

Shorewall/Perl/Shorewall/Compiler.pm

@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy lib.runtime and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;
 
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 
-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
 
     }
@@ -368,6 +368,7 @@ sub generate_script_3($) {
     create_arptables_load( $test ) if $have_arptables;
     create_chainlist_reload( $_[0] );
     create_save_ipsets;
+    create_load_ipsets;
 
     emit "#\n# Start/Reload the Firewall\n#";
 
@@ -406,7 +407,9 @@ sub generate_script_3($) {
 	   'fi',
 	   '' );
 
-    load_ipsets;
+    emit( 'load_ipsets' ,
+	  '' );
+
     create_nfobjects;
     verify_address_variables;
     save_dynamic_chains;
@@ -573,16 +576,16 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        logger -p kern.info "$g_product started"
+        mylogger kern.info "$g_product started"
         ;;
-    reloaded)
-        logger -p kern.info "$g_product reloaded"
+    reload)
+        mylogger kern.info "$g_product reloaded"
         ;;
     refresh)
-        logger -p kern.info "$g_product refreshed"
+        mylogger kern.info "$g_product refreshed"
         ;;
     restore)
-        logger -p kern.info "$g_product restored"
+        mylogger kern.info "$g_product restored"
         ;;
 esac
 EOF
@@ -593,6 +596,21 @@ EOF
 
 }
 
+#
+# Generate info_command()
+#
+sub compile_info_command() {
+    my $date = compiletime;
+
+    emit( "\n",
+	  "#",
+	  "# Echo the date and time when this script was compiled along with the Shorewall version",
+	  "#",
+	  "info_command() {" ,
+	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
+	  "}\n" );
+}   
+
 #
 #  The Compiler.
 #
@@ -867,10 +885,6 @@ sub compiler {
     #
     complete_policy_chains;
     #
-    # Reject Action
-    #
-    process_reject_action if $config{REJECT_ACTION};
-    #
     # Accounting.
     #
     setup_accounting if $config{ACCOUNTING};
@@ -923,6 +937,10 @@ sub compiler {
 	#
 	compile_updown;
 	#
+	# Echo the compilation time and date
+	#
+	compile_info_command unless $test;
+	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

Shorewall/Perl/Shorewall/Config.pm

@@ -84,6 +84,8 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
+
+                 compiletime
                 );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -161,6 +163,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                        set_section_function
                                        clear_section_function
                                        directive_callback
+		                       add_ipset
+		                       all_ipsets
+                                       transfer_permissions
 
 				       $product
 				       $Product
@@ -344,7 +349,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                                  => 'Ipset Match nomatch',
 		 IPSET_MATCH_COUNTERS
                                  => 'Ipset Match counters',
-		 IPSET_V5        => 'Version 5 ipsets',
+		 IPSET_V5        => 'Version 5 or later ipset',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -572,6 +577,7 @@ our $max_format;             # Max format value
 our $comment;                # Current COMMENT
 our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
+our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
@@ -673,11 +679,14 @@ our $section_function; #Function Reference for handling ?section
 
 our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
 
+our %ipsets; # All required IPsets
 #
 # Files located via find_file()
 #
 our %filecache;
 
+our $compiletime;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -723,6 +732,7 @@ sub initialize( $;$$) {
     # Contents of last COMMENT line.
     #
     $comment       = '';
+    $sr_comment    = '';
     $warningcount  = 0;
     #
     # Misc Globals
@@ -734,7 +744,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -744,6 +754,8 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    DBL_IPSET               => '',
+		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
     #
@@ -885,6 +897,10 @@ sub initialize( $;$$) {
 	  RESTART => undef ,
 	  DOCKER => undef ,
 	  PAGER => undef ,
+	  MINIUPNPD => undef ,
+	  VERBOSE_MESSAGES => undef ,
+	  ZERO_MARKS => undef ,
+	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1072,6 +1088,7 @@ sub initialize( $;$$) {
     %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
     $parmsmodified = 0;
     $usedcaller    = 0;
+    %ipsets = ();
 
     %helpers_enabled = (
 			amanda       => 1,
@@ -1166,10 +1183,28 @@ sub initialize( $;$$) {
     %shorewallrc1 = %shorewallrc unless $shorewallrc1;
 
     add_variables %shorewallrc1;
+
+    $compiletime = `date`;
+
+    chomp $compiletime;
+
+    $compiletime =~ s/ +/ /g;
 }
 
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 
+sub add_ipset( $ ) {
+    $ipsets{$_[0]} = 1;
+}
+
+sub all_ipsets() {
+    sort keys %ipsets;
+}
+
+sub compiletime() {
+    $compiletime;
+}
+
 #
 # Create 'currentlineinfo'
 #
@@ -1243,6 +1278,34 @@ sub shortlineinfo( $ ) {
 
 sub handle_first_entry();
 
+#
+# Issue a Information Message
+#
+sub info_message
+{
+    my $currentlineinfo = currentlineinfo;
+    our @localtime;
+
+    handle_first_entry if $first_entry;
+
+    $| = 1; #Reset output buffering (flush any partially filled buffers).
+
+    if ( $log ) {
+	@localtime = localtime;
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+    }
+
+    if ( $confess ) {
+	print STDERR longmess( "   INFO: @_$currentlineinfo" );
+	print $log   longmess( "   INFO: @_$currentlineinfo\n" ) if $log;
+    } else {
+	print STDERR "   INFO: @_$currentlineinfo\n";
+	print $log   "   INFO: @_$currentlineinfo\n" if $log;
+    }
+
+    $| = 0; #Re-allow output buffering
+}
+
 #
 # Issue a Warning Message
 #
@@ -1672,7 +1735,7 @@ sub progress_message {
 
 	    @localtime = localtime unless $havelocaltime;
 
-	    printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
     }
@@ -1691,7 +1754,7 @@ sub progress_message_nocompress {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1712,7 +1775,7 @@ sub progress_message2 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1733,7 +1796,7 @@ sub progress_message3 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -2099,6 +2162,47 @@ sub split_list3( $$ ) {
     @list2;
 }
 
+#
+# This version spits a list on white-space with optional leading comma. It prevents double-quoted
+# strings from being split.
+#
+sub split_list4( $ ) {
+    my ($list ) = @_;
+    my @list1 = split( /,?\s+/, $list );
+    my @list2;
+    my $element   = '';
+    my $opencount = 0;
+
+    return @list1 unless $list =~ /"/;
+
+    @list1 = split( /(,?\s+)/, $list );
+
+    for ( my $i = 0; $i < @list1; $i += 2 ) {
+	my $e = $list1[$i];
+
+	if ( $e =~ /[^\\]"/ ) {
+	    if ( $e =~ /[^\\]".*[^\\]"/ ) {
+		fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
+		push @list2, $e;
+	    } elsif ( $element ne '' ) {
+		fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
+		push @list2, join( $list1[$i - 1], $element, $e );
+		$element = '';
+	    } else {
+		$element = $e;
+	    }
+	} elsif ( $element ne '' ) {
+	    $element = join( $list1[$i - 1], $element, $e );
+	} else {
+	    push @list2, $e;
+	}
+    }
+
+    fatal_error "Mismatched_quotes ($list)" if $element ne '';
+
+    @list2;
+}
+
 #
 # Splits the columns of a config file record
 #
@@ -2168,6 +2272,8 @@ sub passed( $ ) {
     defined $val && $val ne '' && $val ne '-';
 }
 
+sub clear_comment();
+
 #
 # Pre-process a line from a configuration file.
 
@@ -2191,6 +2297,8 @@ sub split_line2( $$;$$$ ) {
     }
 
     $inline_matches = '';
+
+    clear_comment if $sr_comment;
     #
     # First, see if there are double semicolons on the line; what follows will be raw iptables input
     #
@@ -2297,18 +2405,37 @@ sub split_line2( $$;$$$ ) {
 	$pairs =~ s/^\s*//;
 	$pairs =~ s/\s*$//;
 
-	my @pairs = split( /,?\s+/, $pairs );
+	my @pairs = split_list4( $pairs );
 
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
 	    my ( $column, $value ) = ( lc( $1 ), $2 );
-	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-	    $column = $columnsref->{$column};
-	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
-	    $value = $1 if $value =~ /^"([^"]+)"$/;
-	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
-	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-	    $line[$column] = $value;
+
+	    if ( $value =~ /"$/ ) {
+		fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
+		$value = $1;
+	    }
+
+	    if ( $column eq 'comment' ) {
+		if ( $comments_allowed ) {
+		    if ( have_capability( 'COMMENTS' ) ) {
+			$comment = $value;
+			$sr_comment = 1;
+		    } else {
+			warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
+		    }
+		} else {
+		    fatal_error '"comment" is not allowed in this file';
+		}
+	    } else {
+		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+		$column = $columnsref->{$column};
+		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+		$value = $1 if $value =~ /^"([^"]+)"$/;
+		$value =~ s/\\"/"/g;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+		$line[$column] = $value;
+	    }
 	}
     }
 
@@ -2338,6 +2465,7 @@ sub no_comment() {
 sub clear_comment() {
     $comment   = '';
     $nocomment = 0;
+    $sr_comment = '';
 }
 
 #
@@ -2433,7 +2561,8 @@ sub push_include() {
 			  $max_format,
 			  $comment,
 			  $nocomment,
-			  $section_function ];
+			  $section_function,
+			  $sr_comment ];
 }
 
 #
@@ -2457,7 +2586,8 @@ sub pop_include() {
 	  $max_format,
 	  $comment,
 	  $nocomment,
-	  $section_function ) = @$arrayref;
+	  $section_function,
+	  $sr_comment ) = @$arrayref;
     } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
@@ -2502,11 +2632,54 @@ sub directive_error( $$$ ) {
     fatal_error $_[0];
 }
 
-sub directive_warning( $$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    ( my $warning, $currentfilename, $currentlinenumber ) = @_;
-    warning_message $warning;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+sub directive_warning( $$$$ ) {
+    if ( shift ) {
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+	( my $warning, $currentfilename, $currentlinenumber ) = @_;
+	warning_message $warning;
+	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+    } else {
+	our @localtime;
+
+	handle_first_entry if $first_entry;
+
+	$| = 1; #Reset output buffering (flush any partially filled buffers).
+
+	if ( $log ) {
+	    @localtime = localtime;
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    print $log  "   WARNING: $_[0]\n";
+	}
+
+	print STDERR "   WARNING: $_[0]\n";
+
+	$| = 0; #Re-allow output buffering
+    }
+}
+
+sub directive_info( $$$$ ) {
+    if ( shift ) {
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+	( my $info, $currentfilename, $currentlinenumber ) = @_;
+	info_message $info;
+	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+    } else {
+	our @localtime;
+
+	handle_first_entry if $first_entry;
+
+	$| = 1; #Reset output buffering (flush any partially filled buffers).
+
+	if ( $log ) {
+	    @localtime = localtime;
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    print $log  "   INFO: $_[0]\n";
+	}
+
+	print STDERR "   INFO: $_[0]\n";
+
+	$| = 0; #Re-allow output buffering
+    }
 }
 
 #
@@ -2655,7 +2828,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -2763,14 +2936,14 @@ sub process_compiler_directive( $$$$ ) {
 			      delete $actparams{$var}
 			  }
 		      } else {
-			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
 
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
 		      } else {
-			  directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
 		      }
 		  }
 	      }
@@ -2783,8 +2956,9 @@ sub process_compiler_directive( $$$$ ) {
 			  if ( have_capability( 'COMMENTS' ) ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
+			      $sr_comment = '';
 			  } else {
-			      directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
 		      }
 		  } else {
@@ -2800,7 +2974,48 @@ sub process_compiler_directive( $$$$ ) {
 						    1 ) ,
 			       $filename ,
 			       $linenumber ) unless $omitting;
-	  }
+	  } ,
+
+	  WARNING => sub() {
+	      directive_warning( $config{VERBOSE_MESSAGES} ,
+		                 evaluate_expression( $expression ,
+						      $filename ,
+						      $linenumber ,
+						      1 ),
+				 $filename ,
+				 $linenumber ) unless $omitting;
+	  } ,
+
+	  INFO => sub() {
+	      directive_info( $config{VERBOSE_MESSAGES} ,
+			      evaluate_expression( $expression ,
+						   $filename ,
+						   $linenumber ,
+						   1 ),
+			      $filename ,
+			      $linenumber ) unless $omitting;
+	  } ,
+
+	  'WARNING!' => sub() {
+	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
+		                 evaluate_expression( $expression ,
+						      $filename ,
+						      $linenumber ,
+						      1 ),
+				 $filename ,
+				 $linenumber ) unless $omitting;
+	  } ,
+
+	  'INFO!' => sub() {
+	      directive_info( ! $config{VERBOSE_MESSAGES} ,
+			      evaluate_expression( $expression ,
+						   $filename ,
+						   $linenumber ,
+						   1 ),
+			      $filename ,
+			      $linenumber ) unless $omitting;
+	  } ,
+
 	);
 
     if ( my $function = $directives{$keyword} ) {
@@ -3095,6 +3310,7 @@ sub push_open( $;$$$$ ) {
     push @openstack, \@a;
     @includestack = ();
     $currentfile = undef;
+    $sr_comment = '';
     open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
 }
 
@@ -3188,7 +3404,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
     my $multiline = shift;
 
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
 
     $directive_callback->( 'PERL', $currentline ) if $directive_callback;
 
@@ -3300,9 +3516,9 @@ sub push_action_params( $$$$$$ ) {
     $actparams{caller}      = $caller;
     $actparams{disposition} = '' if $chainref->{action};
     #
-    # The Shorewall variable '@chain' has the non-word charaters removed
+    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
     #
-    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w-]//g;
 
     \%oldparms;
 }
@@ -3513,7 +3729,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3641,8 +3857,10 @@ sub process_shorewallrc( $$ ) {
 	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 	}
     } elsif ( supplied $shorewallrc{VARLIB} ) {
-	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
     }
+
+    $shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
 }
 
 #
@@ -3754,9 +3972,10 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 
 sub validate_level( $;$ ) {
     my ( $rawlevel, $option ) = @_;
-    my $level    = uc $rawlevel;
+    my $level;
 
-    if ( supplied ( $level ) ) {
+    if ( supplied ( $rawlevel ) ) {
+	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -4325,11 +4544,11 @@ sub IPSet_Match() {
 }
 
 sub IPSet_Match_Nomatch() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {
@@ -4893,8 +5112,16 @@ sub ensure_config_path() {
 
     @config_path = split /:/, $config{CONFIG_PATH};
 
+    #
+    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
+    # clash on a case-insensitive filesystem.
+    #
+    push @config_path, $globals{SHAREDIR}    . "/deprecated";
+    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
+
     for ( @config_path ) {
 	$_ .= '/' unless m|/$|;
+        s|//|/|g;
     }
 
     if ( $shorewall_dir ) {
@@ -4940,6 +5167,19 @@ sub update_default($$) {
     $config{$var} = $val unless defined $config{$var};
 }
 
+#
+# Transfer the permissions from an old .bak file to a newly-created file
+#
+sub transfer_permissions( $$ ) {
+    my ( $old, $new ) = @_;
+
+    my @stat = stat $old;
+
+    if ( @stat ) {
+	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
+    }
+}
+
 sub update_config_file( $ ) {
     my ( $annotate ) = @_;
 
@@ -4994,7 +5234,7 @@ sub update_config_file( $ ) {
     update_default( 'USE_DEFAULT_RT', 'No' );
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
-    update_default( 'PAGER',          '' );
+    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
 
     my $fn;
 
@@ -5089,6 +5329,7 @@ EOF
 
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
+	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5410,7 +5651,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}
@@ -5603,6 +5844,24 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
     }
 
+    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
+
+    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
+
+    close_file;
+
+    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+
+    if ( $family == F_IPV6 ) {
+	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
+
+	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
+
+	close_file;
+
+	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+    }
+
     my $have_capabilities;
 
     if ( $export || $> != 0 ) {
@@ -5850,16 +6109,21 @@ sub get_configuration( $$$$ ) {
     unsupported_yes_no         'BRIDGING';
     unsupported_yes_no_warning 'RFC1918_STRICT';
 
+    $val = $config{SAVE_IPSETS};
+
     unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
-	$val = $config{SAVE_IPSETS};
-	unless ( $val eq 'ipv4' ) {
+	if ( $val eq 'ipv4' ) {
+	    fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
+	} else {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
-	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
+
+	require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
     }
 
+
     default_yes_no 'SAVE_ARPTABLES'             , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5942,7 +6206,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
     default_yes_no 'WORKAROUNDS'                , 'Yes';
-    default_yes_no 'DOCKER'                      , '';
+    default_yes_no 'DOCKER'                     , '';
 
     if ( $config{DOCKER} ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
@@ -5990,7 +6254,53 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
 
-    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
+    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
+	if ( $val =~ /^ipset/ ) {
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+
+	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
+
+	    ( $key , my @options ) = split_list( $key, 'option' );
+
+	    my $options = '';
+
+	    for ( @options ) {
+		if ( $simple_options{$_} ) {
+		    $options = join( ',' , $options, $_ );
+		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
+		    $globals{DBL_TIMEOUT} = $1;
+		} else {
+		    fatal_error "Invalid ipset option ($_)";
+		}
+	    }
+
+	    $globals{DBL_OPTIONS} = $options;
+
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
+
+	    if ( supplied( $set ) ) {
+		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
+	    } else {
+		$set = 'SW_DBL' . $family;
+	    }
+
+	    add_ipset( $globals{DBL_IPSET} = $set );
+	    
+	    $level = validate_level( $level );
+
+	    $tag = '' unless defined $tag;
+
+	    $config{DYNAMIC_BLACKLIST} = join( ':', $key, $set, $level, $tag );
+
+	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
+
+	} else {
+	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
+	}
+    } else {
+	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
+    }
+
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
     default_yes_no 'COMPLETE'                   , '';
@@ -6002,8 +6312,11 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'IGNOREUNKNOWNVARIABLES'     , 'Yes';
     default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
+    default_yes_no 'MINIUPNPD'                  , '';
+    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
+    default_yes_no 'ZERO_MARKS'                 , '';
 
-    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 
+    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
     require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
@@ -6501,7 +6814,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
 
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
 
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
 
-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;
 
     my $protonum = resolve_proto( $proto ) || 0;
 
@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
     my ( $proto, $list ) = @_;
     my @list   = split_list( $list, 'port' );
 
-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -89,6 +89,7 @@ sub setup_ecn()
 {
     my %interfaces;
     my @hosts;
+    my $interfaceref;
 
     if ( my $fn = open_file 'ecn' ) {
 
@@ -105,7 +106,13 @@ sub setup_ecn()
 						    2 );
 
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
+
+	    if ( $interfaceref->{root} ) {
+		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	    } else {
+		$interface = $interfaceref->{name};
+	    }
 
 	    my $lineinfo = shortlineinfo( '' );
 
@@ -193,6 +200,7 @@ sub remove_blacklist( $ ) {
     if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
+	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
     }
 }
@@ -295,12 +303,13 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = localtime;
+	    my $date = compiletime;
 
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -386,7 +395,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
 	my $seq  = 0;
-	my $date = localtime;
+	my $date = compiletime;
 
 	my ( $stoppedrules, $fn1 );
 
@@ -394,6 +403,7 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -414,7 +424,7 @@ EOF
 
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -639,11 +649,18 @@ sub create_docker_rules() {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
-	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
+
+	my $outputref;
+	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
+	incr_cmd_level( $outputref );
+	add_ijump( $outputref, j => 'DOCKER' );
+	decr_cmd_level( $outputref );
+	add_commands( $outputref, 'fi' );
     }
 
     add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -667,16 +684,123 @@ sub add_common_rules ( $ ) {
     my $level     = $config{BLACKLIST_LOG_LEVEL};
     my $tag       = $globals{BLACKLIST_LOG_TAG};
     my $rejectref = $filter_table->{reject};
+    my $dbl_type;
+    my $dbl_ipset;
+    my $dbl_level;
+    my $dbl_tag;
+    my $dbl_src_target;
+    my $dbl_dst_target;
+
+    if ( $config{REJECT_ACTION} ) {
+	process_reject_action;
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+    } else {
+	if ( have_capability( 'ADDRTYPE' ) ) {
+	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
+	} else {
+	    if ( $family == F_IPV4 ) {
+		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
+	    } else {
+		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
+	    }
+
+	    incr_cmd_level $rejectref;
+	    add_ijump $rejectref, j => 'DROP', d => '$address';
+	    decr_cmd_level $rejectref;
+	    add_commands $rejectref, 'done';
+	}
+
+	if ( $family == F_IPV4 ) {
+	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
+	} else {
+	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
+	}
+
+	add_ijump $rejectref , j => 'DROP', p => 2;
+	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+
+	if ( have_capability( 'ENHANCED_REJECT' ) ) {
+	    add_ijump $rejectref , j => 'REJECT', p => 17;
+
+	    if ( $family == F_IPV4 ) {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
+	    } else {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
+	    }
+	} else {
+	    add_ijump $rejectref , j => 'REJECT';
+	}
+    }
+
     #
     # Insure that Docker jumps are early in the builtin chains
     #
     create_docker_rules if $config{DOCKER};
 
-    if ( $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
-	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
-	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
-	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
+    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
+	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
+
+	unless ( $dbl_type =~ /^ipset-only/ ) {
+	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
+	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
+	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
+	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
+	}
+
+	if ( $dbl_ipset ) {
+	    if ( $val = $globals{DBL_TIMEOUT} ) {
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+
+		if ( $dbl_src_target eq 'dbl_src' ) {
+		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		    log_rule_limit( $dbl_level,
+				    $chainref,
+				    'dbl_log',
+				    'DROP',
+				    $globals{LOGLIMIT},
+				    $dbl_tag,
+				    'add',
+				    '',
+				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+		} else {
+		    $dbl_dst_target = $dbl_src_target;
+		}		    
+	    } elsif ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+	    } else {
+		$dbl_src_target = $dbl_dst_target = 'DROP'; 
+	    }
+	}
     }
 
     setup_mss;
@@ -780,8 +904,30 @@ sub add_common_rules ( $ ) {
 		}
 	    }
 
+	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+
+		my ( $in, $out ) = split /:/, $setting;
+
+		if ( $in  == 1 ) {
+		    #
+		    # src
+		    #
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		} elsif ( $in == 2 ) {
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
+
+		if ( $out == 2 ) {
+		    #
+		    # dst
+		    #
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
+	    }
+	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -940,46 +1086,6 @@ sub add_common_rules ( $ ) {
 	}
     }
 
-    unless ( $config{REJECT_ACTION} ) {
-	if ( have_capability( 'ADDRTYPE' ) ) {
-	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
-	} else {
-	    if ( $family == F_IPV4 ) {
-		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
-	    } else {
-		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
-	    }
-
-	    incr_cmd_level $rejectref;
-	    add_ijump $rejectref, j => 'DROP', d => '$address';
-	    decr_cmd_level $rejectref;
-	    add_commands $rejectref, 'done';
-	}
-
-	if ( $family == F_IPV4 ) {
-	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
-	} else {
-	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
-	}
-
-	add_ijump $rejectref , j => 'DROP', p => 2;
-	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
-
-	if ( have_capability( 'ENHANCED_REJECT' ) ) {
-	    add_ijump $rejectref , j => 'REJECT', p => 17;
-
-	    if ( $family == F_IPV4 ) {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
-	    } else {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
-	    }
-	} else {
-	    add_ijump $rejectref , j => 'REJECT';
-	}
-    }
-
     $list = find_interfaces_by_option 'dhcp';
 
     if ( @$list ) {
@@ -1095,10 +1201,18 @@ sub add_common_rules ( $ ) {
 
 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
+	    my $chainref1;
+
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
 	    $announced = 1;
 
 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}
 
@@ -1786,12 +1900,14 @@ sub add_output_jumps( $$$$$$$$ ) {
     my $use_output        = 0;
     my @dest              = imatch_dest_net $net;
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
+    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
 
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
+	# - The zone has multiple interfaces
 	#
 	#   In any of these cases use the inteface output chain
 	#
@@ -1808,7 +1924,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
-	    # Not a bridge -- match the input interface
+	    # Not a bridge -- match the output interface
 	    #
 	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
@@ -2418,16 +2534,16 @@ EOF
     emit <<'EOF';
             case $COMMAND in
 	        start)
-	            logger -p kern.err "ERROR:$g_product start failed"
+	            mylogger kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            logger -p kern.err "ERROR:$g_product reload failed"
+	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
-	            logger -p kern.err "ERROR:$g_product refresh failed"
+	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                 enable)
-                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
             esac
 
@@ -2636,7 +2752,7 @@ EOF
     emit '
 
     set_state "Stopped"
-    logger -p kern.info "$g_product Stopped"
+    mylogger kern.info "$g_product Stopped"
 
     case $COMMAND in
     stop|clear)

Shorewall/Perl/Shorewall/Nat.pm

@@ -173,7 +173,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-	unless ( $interfaceref->{root} ) {
+	if ( $interfaceref->{root} ) {
+	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	} else {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -457,7 +459,9 @@ sub do_one_nat( $$$$$ )
 
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-    unless ( $interfaceref->{root} ) {
+    if ( $interfaceref->{root} ) {
+	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+    } else {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -559,7 +563,9 @@ sub setup_netmap() {
 		    $net1 = validate_net $net1, 0;
 		    $net2 = validate_net $net2, 0;
 
-		    unless ( $interfaceref->{root} ) {
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};

Shorewall/Perl/Shorewall/Providers.pm

@@ -125,6 +125,13 @@ sub setup_route_marking() {
     my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    #
+    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
+    #
+
+    if ( $config{ZERO_MARKS} ) {
+	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+    }
 
     if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -302,27 +309,14 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_default_route = 0;
     } else {
-	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -339,27 +333,14 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_fallback_route = 0;
     } else {
-	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -392,7 +373,7 @@ sub start_provider( $$$$$ ) {
 }
 
 #
-# Look up a provider and return it's number. If unknown provider, 0 is returned
+# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
 #
 sub lookup_provider( $ ) {
     my $provider    = $_[0];
@@ -408,7 +389,7 @@ sub lookup_provider( $ ) {
 	}
     }
 
-    $providerref ? $providerref->{number} : 0;
+    $providerref;
 }
 
 #
@@ -535,7 +516,6 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -558,7 +538,6 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -666,7 +645,9 @@ sub process_a_provider( $ ) {
     if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	my $p = lookup_provider( $duplicate );
-	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
+	my $n = $p ? $p->{number} : 0;
+	warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
+	warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
     } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -684,6 +665,7 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
+			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -799,6 +781,10 @@ sub add_a_provider( $$ ) {
 
 	push_indent;
 
+	emit( "if interface_is_up $physical; then" );
+
+	push_indent;
+
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -813,17 +799,14 @@ sub add_a_provider( $$ ) {
 	    emit( qq([ -z "$address" ] && return\n) );
 
 	    if ( $hostroute ) {
-		if ( $family == F_IPV4 ) {
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		} else {
-		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-		}
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
 
-	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
 	if ( ! $noautosrc ) {
@@ -852,8 +835,10 @@ sub add_a_provider( $$ ) {
 	    }
 	}
 
-	emit( qq(\n),
-	      qq(rm -f \${VARDIR}/${physical}_enabled) );
+	pop_indent;
+
+	emit( qq(fi\n),
+	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
 
 	pop_indent;
@@ -938,14 +923,8 @@ CEOF
 	$address = get_interface_address $interface unless $address;
 
 	if ( $hostroute ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-	    }
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
 
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -959,13 +938,8 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    } else {
-		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    }
+	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1041,23 +1015,12 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;
 
-	    if ( $family == F_IPV4 ) {
-		if ( $gateway ) {
-		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
-		}
+	    if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 	    } else {
-		#
-		# IPv6 doesn't support multi-hop routes
-		#
-		if ( $gateway ) {
-		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
-		}
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}
 
@@ -1067,7 +1030,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
@@ -1075,7 +1038,7 @@ CEOF
 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}
 
@@ -1094,7 +1057,7 @@ CEOF
 
     if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "persistent_${what}_${table}\n" );
+	    emit( "do_persistent_${what}_${table}\n" );
 	}
 
 	if ( $shared ) {
@@ -1147,7 +1110,7 @@ CEOF
 		$via = "dev $physical";
 	    }
 
-	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;
 
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1169,7 +1132,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    rm -f \${VARDIR}/${physical}_enabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1496,12 +1459,7 @@ sub finish_providers() {
 
     if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
-	} else {
-	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
-	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
-	}
+	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1554,12 +1512,7 @@ sub finish_providers() {
 
     if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
-	} else {
-	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
-	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
-	}
+	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -1674,7 +1627,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
+		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1725,7 +1678,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
+		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -2111,9 +2064,31 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
 
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my @interfaces;
+    my $wildcards;
 
-    if ( @$interfaces ) {
+    #
+    # First do the provider interfacess. Those that are real providers will never have wildcard physical
+    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
+    # wildcard physical names are also included in the providers table.
+    #
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
+	push @interfaces, $providerref->{interface};
+	$wildcards ||= $providerref->{wildcard};
+    }
+
+    #
+    # Now do the optional wild interfaces
+    #
+    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
+	push@interfaces, $interface;
+	unless ( $wildcards ) {
+	    my $interfaceref = find_interface($interface);
+	    $wildcards = 1 if $interfaceref->{wildcard};
+	}
+    }
+
+    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
 
@@ -2124,7 +2099,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
 
 	if ( $wildcards ) {
 	    #
@@ -2141,74 +2116,76 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}
 
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $providerref = $providers{$provider};
+	for my $interface ( @interfaces ) {
+	    if ( my $provider = $provider_interfaces{ $interface } ) {
+		my $physical     = get_physical $interface;
+		my $base         = uc var_base( $physical );
+		my $providerref  = $providers{$provider};
+		my $interfaceref = known_interface( $interface );
+		my $wildbase     = uc $interfaceref->{base};
 
-	    emit( "$physical)" ), push_indent if $wildcards;
+		emit( "$physical)" ), push_indent if $wildcards;
 
-	    if ( $provider eq $physical ) {
-		#
-		# Just an optional interface, or provider and interface are the same
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
-		#
-		# Provider
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
+		if ( $provider eq $physical ) {
+		    #
+		    # Just an optional interface, or provider and interface are the same
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		} else {
+		    #
+		    # Provider
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		}
 
-	    push_indent;
-	    if ( $providerref->{gatewaycase} eq 'detect' ) {
-		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-	    } else {
-		emit qq(if interface_is_usable $physical; then);
-	    }
-
-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'fi' );
-
-	    pop_indent;
-
-	    emit( "fi\n" );
-
-	    emit( ';;' ), pop_indent if $wildcards;
-	}
-
-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
 		push_indent;
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		} else {
+		    emit qq(if interface_is_usable $physical; then);
+		}
 
-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		emit( '    HAVE_INTERFACE=Yes' ) if $require;
+
+		emit( "    SW_${base}_IS_USABLE=Yes" );
+		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
+		emit( 'fi' );
+
+		pop_indent;
+
+		emit( "fi\n" );
+
+		emit( ';;' ), pop_indent if $wildcards;
+	    } else {
+		my $physical    = get_physical $interface;
+		my $base        = uc var_base( $physical );
+		my $case        = $physical;
+		my $wild        = $case =~ s/\+$/*/;
+
+		if ( $wildcards ) {
+		    emit( "$case)" );
 		    push_indent;
-		    emit ( 'if interface_is_usable $interface; then' );
+
+		    if ( $wild ) {
+			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+			push_indent;
+			emit ( 'if interface_is_usable $interface; then' );
+		    } else {
+			emit ( "if interface_is_usable $physical; then" );
+		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
-	    } else {
-		emit ( "if interface_is_usable $physical; then" );
-	    }
 
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
+		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+		emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		       'fi' );
 
-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
+		if ( $wildcards ) {
+		    pop_indent, emit( 'fi' ) if $wild;
+		    emit( ';;' );
+		    pop_indent;
+		}
 	    }
 	}
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -368,12 +368,19 @@ sub setup_conntrack($) {
     if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = localtime;
+	my $date = compiletime;
+	my $fn1 = find_writable_file 'conntrack';
 
-	if ( $fn ) {
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+	if ( -f $fn1 ) {
+	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    #
+	    # Transfer permissions from the existing notrack file
+	    #
+	    transfer_permissions( $fn, $fn1 );
 
 	    print $conntrack <<'EOF';
 #
@@ -396,8 +403,6 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 
-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file

Shorewall/Perl/Shorewall/Rules.pm

@@ -230,6 +230,7 @@ use constant { INLINE_OPT           => 1 ,
 	       NAT_OPT              => 128 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
+	       LOGJUMP_OPT          => 1024 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -242,7 +243,10 @@ our %options = ( inline      => INLINE_OPT ,
 		 nat         => NAT_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
+		 logjump     => LOGJUMP_OPT ,
     );
+
+our %reject_options;
 ################################################################################
 #   Declarations moved from the Tc module in 5.0.7                             #
 ################################################################################
@@ -291,7 +295,7 @@ our %validstates = ( NEW                => 0,
 #      known until the compiler has started.
 #
 #   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+#      able to re-initialize the state of its dependent modules.
 #
 sub initialize( $ ) {
     $family            = shift;
@@ -341,11 +345,11 @@ sub initialize( $ ) {
     #
     $macro_nest_level  = 0;
     #
-    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions
+    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
     #
     %actions           = ();
     #
-    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
+    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
 
@@ -353,8 +357,27 @@ sub initialize( $ ) {
 
     if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	%reject_options = ( 'icmp-net-unreachable'   => 1,
+			    'icmp-host-unreachable'  => 1,
+			    'icmp-port-unreachable'  => 1,
+			    'icmp-proto-unreachable' => 1,
+			    'icmp-net-prohibited'    => 1,
+			    'icmp-host-prohibited'   => 1,
+			    'icmp-admin-prohibited'  => 1,
+			    'icmp-tcp-reset'         => 2,
+	                  );
+			    
     } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
+	%reject_options = ( 'icmp6-no-route'         => 1,
+			    'no-route'               => 1,
+			    'icmp6-adm-prohibited'   => 1,
+			    'adm-prohibited'         => 1,
+			    'icmp6-addr-unreachable' => 1,
+			    'addr-unreach'           => 1,
+			    'icmp6-port-unreachable' => 1,
+			    'tcp-reset'              => 2,
+	                  );
     }
 
     ############################################################################
@@ -605,29 +628,20 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy() {
+sub process_a_policy1($$$$$$$) {
 
     our %validpolicies;
     our @zonelist;
 
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
-	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
-
-    $loglevel  = '' if $loglevel  eq '-';
-    $synparams = '' if $synparams eq '-';
-    $connlimit = '' if $connlimit eq '-';
-
-    fatal_error 'SOURCE must be specified' if $client eq '-';
-    fatal_error 'DEST must be specified'   if $server eq '-';
-    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    my $intrazone  = $clientwild && $1;
+    $intrazone  = $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
     my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone ||= $serverwild && $1;
+    $intrazone   ||= ( $serverwild && $1 );
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
@@ -735,6 +749,40 @@ sub process_a_policy() {
     }
 }
 
+sub process_a_policy() {
+
+    our %validpolicies;
+    our @zonelist;
+
+    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+
+    $loglevel  = '' if $loglevel  eq '-';
+    $synparams = '' if $synparams eq '-';
+    $connlimit = '' if $connlimit eq '-';
+
+    my $intrazone;
+
+    if ( $intrazone = $clients =~ /.*,.*\+$/) {
+	$clients =~ s/\+$//;
+    }
+
+    if ( $servers =~ /.*,.*\+$/ ) {
+	$servers =~ s/\+$//;
+	$intrazone = 1;
+    }	
+
+    fatal_error 'SOURCE must be specified' if $clients eq '-';
+    fatal_error 'DEST must be specified'   if $servers eq '-';
+    fatal_error 'POLICY must be specified' if $policy  eq '-';
+
+    for my $client ( split_list( $clients, 'zone' ) ) {
+	for my $server ( split_list( $servers, 'zone' ) ) {
+	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+	}
+    }
+}
+
 #
 # Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
 #
@@ -1257,8 +1305,14 @@ sub normalize_action( $$$ ) {
 
     ( $level, my $tag ) = split ':', $level;
 
-    $level = 'none' unless supplied $level;
-    $tag   = ''     unless defined $tag;
+    if ( $actions{$action}{options} & LOGJUMP_OPT ) {
+	$level = 'none';
+	$tag   = '';
+    } else {
+	$level = 'none' unless supplied $level;
+	$tag   = ''     unless defined $tag;
+    }
+
     $param = ''     unless defined $param;
     $param = ''     if $param eq '-';
 
@@ -1323,7 +1377,7 @@ sub new_action( $$$$$ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variable serves as arguments to the user's
+# the $chain, $level and $tag variables serve as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
 # set $chain to the name of the iptables chain where rules are to be added.
 # Similarly, $level and $tag contain the log level and log tag respectively.
@@ -1504,7 +1558,7 @@ sub find_macro( $ )
 {
     my $macro = $_[0];
 
-    $macro =~ s/^macro.//;
+    $macro =~ s/^macro\.//;
 
     my $macrofile = find_file "macro.$macro";
 
@@ -1798,6 +1852,7 @@ sub process_action(\$\$$) {
     my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
     my $type = $targets{$action};
     my $actionref = $actions{$action};
+    my $matches   = fetch_inline_matches;
 
     if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1819,7 +1874,7 @@ sub process_action(\$\$$) {
 
     my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
     my $options = $actionref->{options};
-    my $nolog = $options & NOLOG_OPT;
+    my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
 
     setup_audit_action( $action ) if $options & AUDIT_OPT;
 
@@ -1910,14 +1965,15 @@ sub process_action(\$\$$) {
 				      $dscp ,
 				      $state,
 				      $time );
+		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
+	    my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
 
 	    if ( $file_format == 1 ) {
 		fatal_error( "FORMAT-1 actions are no longer supported" );
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
+		($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line2( 'action file',
 				   \%rulecolumns,
 				   $action_commands,
@@ -1941,26 +1997,32 @@ sub process_action(\$\$$) {
 		next;
 	    }
 
-	    process_rule( $chainref,
-			  '',
-			  '',
-			  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
-			  '',
-			  $source,
-			  $dest,
-			  $proto,
-			  $ports,
-			  $sports,
-			  $origdest,
-			  $rate,
-			  $user,
-			  $mark,
-			  $connlimit,
-			  $time,
-			  $headers,
-			  $condition,
-			  $helper,
-			  0 );
+	    for my $proto ( split_list( $protos, 'Protocol' ) ) {
+		for my $user ( split_list( $users, 'User/Group' ) ) {
+		    process_rule( $chainref,
+				  '',
+				  '',
+				  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
+				  '',
+				  $source,
+				  $dest,
+				  $proto,
+				  $ports,
+				  $sports,
+				  $origdest,
+				  $rate,
+				  $user,
+				  $mark,
+				  $connlimit,
+				  $time,
+				  $headers,
+				  $condition,
+				  $helper,
+				  0 );
+
+		    set_inline_matches( $matches );
+		}
+	    }
 	}
     }
 
@@ -2055,7 +2117,7 @@ sub process_actions() {
 		$action =~ s/:.*$//;
 	    }
 
-	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
+	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*!?$/;
 
 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
@@ -2156,10 +2218,16 @@ sub use_policy_action( $$ ) {
 sub process_reject_action() {
     my $rejectref = $filter_table->{reject};
     my $action    = $config{REJECT_ACTION};
+    #
+    # This gets called very early in the compilation process so we fake the section
+    #
+    $section = DEFAULTACTION_SECTION;
 
     if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
     } else {
+	progress_message2 "$doing $actions{$action}->{file} for chain reject...";
+
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
@@ -2184,6 +2252,8 @@ sub process_reject_action() {
 			0,            #Wildcard
 	    );
     }
+
+    $section = '';
 }
 
 ################################################################################
@@ -2198,7 +2268,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
     my $generated = 0;
 
 
-    my $macrofile = $macros{$macro};
+    my $macrofile    = $macros{$macro};
+    my $save_matches = fetch_inline_matches;
 
     progress_message "..Expanding Macro $macrofile...";
 
@@ -2208,7 +2279,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 
     while ( read_a_line( NORMAL_READ ) ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
+	my ( $mtarget, $msource, $mdest, $mprotos, $mports, $msports, $morigdest, $mrate, $musers, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
 
 	if ( $file_format == 1 ) {
 	    fatal_error( "FORMAT-1 macros are no longer supported" );
@@ -2216,12 +2287,12 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2282,37 +2353,38 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}
 
-	$generated |= process_rule(
-				   $chainref,
-	                           $matches,
-	                           $matches1,
-				   $mtarget,
-				   $param,
-				   $msource,
-				   $mdest,
-				   merge_macro_column( $mproto,     $proto ) ,
-				   merge_macro_column( $mports,     $ports ) ,
-				   merge_macro_column( $msports,    $sports ) ,
-				   merge_macro_column( $morigdest,  $origdest ) ,
-				   merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $muser,      $user ) ,
-				   merge_macro_column( $mmark,      $mark ) ,
-				   merge_macro_column( $mconnlimit, $connlimit) ,
-				   merge_macro_column( $mtime,      $time ),
-				   merge_macro_column( $mheaders,   $headers ),
-				   merge_macro_column( $mcondition, $condition ),
-				   merge_macro_column( $mhelper,    $helper ),
-				   $wildcard
-				  );
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
+		$generated |= process_rule( $chainref,
+					    $matches,
+					    $matches1,
+					    $mtarget,
+					    $param,
+					    $msource,
+					    $mdest,
+					    merge_macro_column( $mp,         $proto ) ,
+					    merge_macro_column( $mports,     $ports ) ,
+					    merge_macro_column( $msports,    $sports ) ,
+					    merge_macro_column( $morigdest,  $origdest ) ,
+					    merge_macro_column( $mrate,      $rate ) ,
+					    merge_macro_column( $mu,         $user ) ,
+					    merge_macro_column( $mmark,      $mark ) ,
+					    merge_macro_column( $mconnlimit, $connlimit) ,
+					    merge_macro_column( $mtime,      $time ),
+					    merge_macro_column( $mheaders,   $headers ),
+					    merge_macro_column( $mcondition, $condition ),
+					    merge_macro_column( $mhelper,    $helper ),
+					    $wildcard
+		                          );
+
+		set_inline_matches( $save_matches );
+	    }
+	}
 
 	progress_message "   Rule \"$currentline\" $done";
     }
 
     pop_open;
-    #
-    # Clear the inline matches if we are the lowest level macro/inline invocation
-    #
-    set_inline_matches( '' ) if $macro_nest_level == 1;
 
     progress_message "..End Macro $macrofile";
 
@@ -2337,14 +2409,15 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 					 $chainref->{name} ,
 				       );
 
-    my $actionref  = $actions{$inline};
-    my $inlinefile = $actionref->{file};
-    my $options    = $actionref->{options};
-    my $nolog      = $options & NOLOG_OPT;
+    my $actionref    = $actions{$inline};
+    my $inlinefile   = $actionref->{file};
+    my $options      = $actionref->{options};
+    my $nolog        = $options & NOLOG_OPT;
+    my $save_matches = fetch_inline_matches;
 
     setup_audit_action( $inline ) if $options & AUDIT_OPT;
 
-    progress_message "..Expanding inline action $inlinefile...";
+    progress_message "..Expanding inline action $inlinefile..." unless $inline eq $config{REJECT_ACTION};
 
     push_open $inlinefile, 2, 1, undef , 2;
 
@@ -2354,12 +2427,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	my  ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2424,28 +2497,33 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}
 
-	$generated |= process_rule(
-				   $chainref,
-	                           $matches,
-	                           $matches1,
-				   $mtarget,
-				   $param,
-				   $msource,
-				   $mdest,
-				   merge_macro_column( $mproto,     $proto ) ,
-				   merge_macro_column( $mports,     $ports ) ,
-				   merge_macro_column( $msports,    $sports ) ,
-				   merge_macro_column( $morigdest,  $origdest ) ,
-				   merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $muser,      $user ) ,
-				   merge_macro_column( $mmark,      $mark ) ,
-				   merge_macro_column( $mconnlimit, $connlimit) ,
-				   merge_macro_column( $mtime,      $time ),
-				   merge_macro_column( $mheaders,   $headers ),
-				   merge_macro_column( $mcondition, $condition ),
-				   merge_macro_column( $mhelper,    $helper ),
-				   $wildcard
-				  );
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
+		$generated |= process_rule( $chainref,
+					    $matches,
+					    $matches1,
+					    $mtarget,
+					    $param,
+					    $msource,
+					    $mdest,
+					    merge_macro_column( $mp,          $proto ) ,
+					    merge_macro_column( $mports,     $ports ) ,
+					    merge_macro_column( $msports,    $sports ) ,
+					    merge_macro_column( $morigdest,  $origdest ) ,
+					    merge_macro_column( $mrate,      $rate ) ,
+					    merge_macro_column( $mu,         $user ) ,
+					    merge_macro_column( $mmark,      $mark ) ,
+					    merge_macro_column( $mconnlimit, $connlimit) ,
+					    merge_macro_column( $mtime,      $time ),
+					    merge_macro_column( $mheaders,   $headers ),
+					    merge_macro_column( $mcondition, $condition ),
+					    merge_macro_column( $mhelper,    $helper ),
+					    $wildcard
+		                          );
+
+		set_inline_matches( $save_matches );
+	    }
+	}
 
 	progress_message "   Rule \"$currentline\" $done";
     }
@@ -2457,10 +2535,6 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
     progress_message "..End inline action $inlinefile";
 
     pop_action_params( $oldparms );
-    #
-    # Clear the inline matches if we are the lowest level macro/inline invocation
-    #
-    set_inline_matches( '' ) if $macro_nest_level == 1;
 
     return $generated;
 }
@@ -2642,7 +2716,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	    $action   = 'LOG';
 	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
-	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+	    fatal_error "'builtin' actions may only be used in INLINE or IP[6]TABLES rules" if $actiontype == USERBUILTIN;
 	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '' || $actiontype & OPTIONS;
 	}
     }
@@ -2716,7 +2790,22 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		  }
 	      } ,
 
-	      REJECT => sub { $action = 'reject'; } ,
+	      REJECT => sub {
+		  if ( supplied( $param ) ) {
+		      my $option = $reject_options{$param};
+		      fatal_error "Invalid REJECT option ($param)" unless $option;
+		      if ( $option == 2 ) {
+			  #
+			  # tcp-reset
+			  #
+			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
+		      }
+
+		      $action = "REJECT --reject-with $param";
+		  } else {		      
+		      $action = 'reject';
+		  }
+	      },
 
 	      CONTINUE => sub { $action = 'RETURN'; } ,
 
@@ -2802,7 +2891,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
 		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;
 
-		$action .= " --timeout $timeout";
+		$action .= " --timeout $timeout --exist";
 	    }
 	}
     }
@@ -2893,65 +2982,63 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	# And we need the dest zone for local/loopback/off-firewall/destonly checks
 	#
 	$destref   = find_zone( $chainref->{destzone}   ) if $chainref->{destzone};
-    } else {
-	unless ( $actiontype & NATONLY ) {
-	    #
-	    # Check for illegal bridge port rule
-	    #
-	    if ( $destref->{type} & BPORT ) {
-		unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		    return 0 if $wildcard;
-		    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
-		}
-	    }
-
-	    $chain = rules_chain( ${sourcezone}, ${destzone} );
-	    #
-	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
-	    #
-	    ( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
-	    $chainref->{destzone} = $destzone;
-
-	    my $policy = $chainref->{policy};
-
-	    if ( $policy eq 'NONE' ) {
+    } elsif ( ! ( $actiontype & NATONLY ) ) {
+	#
+	# Check for illegal bridge port rule
+	#
+	if ( $destref->{type} & BPORT ) {
+	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 		return 0 if $wildcard;
-		fatal_error "Rules may not override a NONE policy";
+		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
-	    #
-	    # Handle Optimization level 1 when specified alone
-	    #
-	    if ( $optimize == 1 && $section == NEW_SECTION ) {
-		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
-		if ( $loglevel ne '' ) {
-		    return 0 if $target eq "${policy}:${loglevel}";
-		} else {
-		    return 0 if $basictarget eq $policy;
-		}
+	}
+
+	$chain = rules_chain( ${sourcezone}, ${destzone} );
+	#
+	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
+	#
+	( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
+	$chainref->{destzone} = $destzone;
+
+	my $policy = $chainref->{policy};
+
+	if ( $policy eq 'NONE' ) {
+	    return 0 if $wildcard;
+	    fatal_error "Rules may not override a NONE policy";
+	}
+	#
+	# Handle Optimization level 1 when specified alone
+	#
+	if ( $optimize == 1 && $section == NEW_SECTION ) {
+	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
+	    if ( $loglevel ne '' ) {
+		return 0 if $target eq "${policy}:${loglevel}";
+	    } else {
+		return 0 if $basictarget eq $policy;
 	    }
-	    #
-	    # Mark the chain as referenced and add appropriate rules from earlier sections.
-	    #
-	    $chainref = ensure_rules_chain $chain;
-	    #
-	    # Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
-	    #
-	    if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
-		my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
-		my $auxref   = $filter_table->{$auxchain};
+	}
+	#
+	# Mark the chain as referenced and add appropriate rules from earlier sections.
+	#
+	$chainref = ensure_rules_chain $chain;
+	#
+	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
+	#
+	if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
+	    my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
+	    my $auxref   = $filter_table->{$auxchain};
 
-		unless ( $auxref ) {
-		    my $save_comment = push_comment;
-		    $auxref = new_chain 'filter', $auxchain;
-		    $auxref->{blacklistsection} = 1 if $blacklist;
+	    unless ( $auxref ) {
+		my $save_comment = push_comment;
+		$auxref = new_chain 'filter', $auxchain;
+		$auxref->{blacklistsection} = 1 if $blacklist;
 
-		    add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
-		    pop_comment( $save_comment );
-		}
-
-		$chain    = $auxchain;
-		$chainref = $auxref;
+		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
+		pop_comment( $save_comment );
 	    }
+
+	    $chain    = $auxchain;
+	    $chainref = $auxref;
 	}
     }
     #
@@ -2969,7 +3056,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle actions
     #
-    my $actionchain; #Name of the action chain
+    my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
 	#
@@ -3029,8 +3116,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	my $generated = process_inline( $basictarget,
 					$chainref,
-					$prerule . $rule . $raw_matches,
-					$matches1,
+					$prerule . $rule,
+					$matches1 . $raw_matches,
 					$loglevel,
 					$target,
 					$param,
@@ -3205,7 +3292,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	if ( $actiontype & ACTION ) {
 	    $action = $actionchain;
-	    $loglevel = '';
+
+	    if ( $actions{$basictarget}{options} & LOGJUMP_OPT ) {
+		$log_action = $basictarget;
+	    } else {
+		$loglevel = '';
+	    }
 	}
 
 	if ( $origdest ) {
@@ -3493,7 +3585,7 @@ sub perl_action_tcp_helper($$) {
 sub process_section ($) {
     my $sect = shift;
     #
-    # split_line1 has already verified that there are exactly two tokens on the line
+    # split_line2 has already verified that there are exactly two tokens on the line
     #
     fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
     fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
@@ -3637,7 +3729,7 @@ sub process_raw_rule ( ) {
     fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
 
     if ( @protos > 1 ) {
-	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
+	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ /!/;
     }
 
     for $source ( @source ) {
@@ -3706,6 +3798,11 @@ sub process_rules() {
 			RELATED_SECTION,     'RELATED',
 			INVALID_SECTION,     'INVALID',
 			UNTRACKED_SECTION,   'UNTRACKED' );
+
+    #
+    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain may already exist.
+    #
+    $usedactions{normalize_action_name( 'A_REJECT' )} = $filter_table->{A_REJECT} if $filter_table->{A_REJECT};
     #
     # Create zone-forwarding chains if required
     #
@@ -3791,6 +3888,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 					 $chainref->{name} );
 
     my $inlinefile = $actions{$inline}{file};
+    my $matches    = fetch_inline_matches;
 
     progress_message "..Expanding inline action $inlinefile...";
 
@@ -3860,14 +3958,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$msource = $source if $msource eq '-';
-	$mdest   = $dest   if $msource eq '-';
+	$mdest   = $dest   if $mdest   eq '-';
 	$mprotos = $protos if $mprotos eq '-';
 
 	for my $proto (split_list( $mprotos, 'Protocol' ) ) {
 	    process_mangle_rule1( $chainref,
 				  $moriginalmark,
 				  $msource,
-				  $dest,
+				  $mdest,
 				  $proto,
 				  merge_macro_column( $mports,          $ports ),
 				  merge_macro_column( $msports,         $sports ),
@@ -3885,6 +3983,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $matches );
     }
 
     pop_comment( $save_comment );
@@ -4096,8 +4196,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},
 
 	CHECKSUM   => {
-	    defaultchain   => 0,
-	    allowedchains  => ALLCHAINS,
+	    defaultchain   => POSTROUTING,
+	    allowedchains  => POSTROUTING | FORWARD | OUTPUT,
 	    minparams      => 0,
 	    maxparams      => 0 ,
 	    function       => sub() {
@@ -4222,7 +4322,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},
 
 	DSCP       => {
-	    defaultchain   => 0,
+	    defaultchain   => POSTROUTING,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 1,
 	    maxparams      => 1,
@@ -4387,6 +4487,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	NFLOG      => {
+	    defaultchain  => 0,
+	    allowedchains => ALLCHAINS,
+	    minparams     => 0,
+	    maxparams     => 3,
+	    function      => sub () {
+		$target = validate_level( "NFLOG($params)" );
+	    }
+	},
+
 	RESTORE    => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
@@ -4662,10 +4772,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
     }
 
-    unless ( ( $chain || $default_chain ) == OUTPUT ) {
-	fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
-    }
-
     if ( $dest ne '-' ) {
 	if ( $dest eq $fw ) {
 	    fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@@ -4708,6 +4814,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
     }
+
     #
     # Call the command's processing function
     #
@@ -4718,12 +4825,23 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    if ( $chain == ACTIONCHAIN ) {
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
 		$chainref->{allowedchains} &= $commandref->{allowedchains};
+		$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
 	    } else {
+		#
+		# Inline within one of the standard chains
+		#
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+		unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		    fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+		}
 	    }
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+	    }
+
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}
 
@@ -4889,6 +5007,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
+			if ( supplied $mark && $command eq 'IPMARK' ) {
+			    my @params = split ',', $mark;
+			    $params[1] = '0xff' unless supplied $params[1];
+			    $params[2] = '0x00' unless supplied $params[2];
+			    $params[3] = '0'    unless supplied $params[3];
+			    $mark = join ',', @params;
+			}
 		    } else {
 			$mark = '';
 		    }
@@ -4899,7 +5024,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
     }
 	
-    $command = ( $command ? "$command($mark)" : $mark ) . $designator;
+    $command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
     my $line = ( $family == F_IPV6 ?
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );

Shorewall/Perl/Shorewall/Tc.pm

@@ -350,9 +350,10 @@ sub process_simple_device() {
 
     for ( my $i = 1; $i <= 3; $i++ ) {
 	my $prio = 16 | $i;
+	my $j    = $i + 3;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
 
@@ -674,7 +675,8 @@ sub validate_tc_class( ) {
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
-	fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+	fatal_error "MARK value too large"        unless $markval <= $globals{TC_MAX};
+	fatal_error "MARK value must be non-zero" unless $markval;
 
 	if ( $classnumber ) {
 	    fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -2165,7 +2167,7 @@ sub convert_tos($$) {
     if ( my $fn = open_file 'tos' ) {
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2233,13 +2235,19 @@ sub convert_tos($$) {
     }
 }
 
-sub open_mangle_for_output() {
+sub open_mangle_for_output( $ ) {
+    my ($fn ) = @_;
     my ( $mangle, $fn1 );
 
     if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
     } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	#
+	# Transfer permissions from the existing tcrules file to the new mangle file
+	#
+	transfer_permissions( $fn, $fn1 );
+
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -2325,13 +2333,13 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 
 		first_entry(
 			    sub {
-				my $date = localtime;
+				my $date = compiletime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
@@ -2375,7 +2383,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output;
+		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}

Shorewall/Perl/Shorewall/Zones.pm

@@ -82,6 +82,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interface
 		    known_interface
 		    get_physical
+		    get_logical
 		    physical_name
 		    have_bridges
 		    port_to_bridge
@@ -102,7 +103,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_hosts_by_option
 		    find_zone_hosts_by_option
 		    find_zones_by_option
-		    all_ipsets
 		    have_ipsec
 		 ),
 	      );
@@ -209,8 +209,6 @@ our @interfaces;
 our %interfaces;
 our %roots;
 our @bport_zones;
-our %ipsets;
-our %physical;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -326,8 +324,6 @@ sub initialize( $$ ) {
     %roots = ();
     %interfaces = ();
     @bport_zones = ();
-    %ipsets = ();
-    %physical = ();
     %basemap = ();
     %basemap1 = ();
     %mapbase = ();
@@ -341,6 +337,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -349,6 +346,7 @@ sub initialize( $$ ) {
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				  nodbl       => SIMPLE_IF_OPTION,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
@@ -390,12 +388,14 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
@@ -1119,6 +1119,8 @@ sub process_interface( $$ ) {
 
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
+    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
     if ( supplied $port ) {
@@ -1193,6 +1195,7 @@ sub process_interface( $$ ) {
     my %options;
 
     $options{port} = 1 if $port;
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
 
     my $hostoptionsref = {};
 
@@ -1236,6 +1239,8 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
+		} elsif ( $option eq 'nodbl' ) {
+		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1258,6 +1263,11 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
+		} elsif ( $option eq 'dbl' ) {
+		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+
+		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
+		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1281,7 +1291,7 @@ sub process_interface( $$ ) {
 		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		    fatal_error "Duplicate $option option" if $netsref;
 		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			require_capability( 'IPSET_V5', 'Dynamic nets', '');
 			$hostoptions{dynamic} = 1;
 			#
 			# Defer remaining processing until we have the final physical interface name
@@ -1308,10 +1318,10 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
 
-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
 
 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
@@ -1345,7 +1355,7 @@ sub process_interface( $$ ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
+	    add_ipset($ipset);
 	}
 
 	if ( $options{bridge} ) {
@@ -1385,21 +1395,23 @@ sub process_interface( $$ ) {
 	$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
     }
 
-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
-						       bridge     => $bridge ,
-						       filter     => $filterref ,
-						       nets       => 0 ,
-						       number     => $nextinum ,
-						       root       => $root ,
-						       broadcasts => $broadcasts ,
-						       options    => \%options ,
-						       zone       => '',
-						       physical   => $physical ,
-						       base       => var_base( $physical ),
-						       zones      => {},
-						       origin     => shortlineinfo( '' ),
-						       wildcard   => $wildcard,
-						     };
+    my $interfaceref = $interfaces{$interface} = { name       => $interface ,
+						   bridge     => $bridge ,
+						   filter     => $filterref ,
+						   nets       => 0 ,
+						   number     => $nextinum ,
+						   root       => $root ,
+						   broadcasts => $broadcasts ,
+						   options    => \%options ,
+						   zone       => '',
+						   physical   => $physical ,
+						   base       => var_base( $physical ),
+						   zones      => {},
+						   origin     => shortlineinfo( '' ),
+						   wildcard   => $wildcard,
+					         };
+
+    $interfaces{$physical} = $interfaceref if $physical ne $interface;
 
     if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
@@ -1570,20 +1582,23 @@ sub known_interface($)
 
 		my $physical = map_physical( $interface, $interfaceref );
 
-		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
-						   bridge   => $interfaceref->{bridge} ,
-						   name     => $i ,
-						   number   => $interfaceref->{number} ,
-						   physical => $physical ,
-						   base     => var_base( $physical ) ,
-						   wildcard => $interfaceref->{wildcard} ,
-						   zones    => $interfaceref->{zones} ,
-						 };
+		$interfaceref =
+		    $interfaces{$interface} =
+		    $interfaces{$physical} = { options  => $interfaceref->{options} ,
+					       bridge   => $interfaceref->{bridge} ,
+					       name     => $i ,
+					       number   => $interfaceref->{number} ,
+					       physical => $physical ,
+					       base     => $interfaceref->{base} ,
+					       wildcard => $interfaceref->{wildcard} ,
+					       zones    => $interfaceref->{zones} ,
+		                              };
+		return $interfaceref;
 	    }
 	}
     }
 
-    $physical{$interface} || 0;
+    0;
 }
 
 # 
@@ -1655,12 +1670,19 @@ sub find_interface( $ ) {
 }
 
 #
-# Returns the physical interface associated with the passed logical name
+# Returns the physical interface associated with the passed interface name
 #
 sub get_physical( $ ) {
     $interfaces{ $_[0] }->{physical};
 }
 
+#
+# Returns the logical interface associated with the passed interface name
+#
+sub get_logical( $ ) {
+    $interfaces{ $_[0] }->{name};
+}
+
 #
 # This one doesn't insist that the passed name be the name of a configured interface
 #
@@ -1896,7 +1918,7 @@ sub verify_required_interfaces( $ ) {
 
     my $returnvalue = 0;
 
-    my $interfaces = find_interfaces_by_option 'wait';
+    my $interfaces = find_interfaces_by_option( 'wait');
 
     if ( @$interfaces ) {
 	my $first = 1;
@@ -1962,7 +1984,7 @@ sub verify_required_interfaces( $ ) {
 
     }
 
-    $interfaces = find_interfaces_by_option 'required';
+    $interfaces = find_interfaces_by_option( 'required' );
 
     if ( @$interfaces ) {
 
@@ -2040,6 +2062,7 @@ sub process_host( ) {
 	    $interface = $1;
 	    $hosts = $2;
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	    $interface = $interfaceref->{name};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
@@ -2053,7 +2076,7 @@ sub process_host( ) {
 
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-
+	$interface = $interfaceref->{name};
 	if ( $interfaceref->{physical} eq $loopback_interface ) {
 	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
@@ -2141,7 +2164,7 @@ sub process_host( ) {
 
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{$set} = 1;
+	add_ipset($set);
     }
 
     #
@@ -2149,7 +2172,7 @@ sub process_host( ) {
     #
     $interface = '%vserver%' if $type & VSERVER;
 
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
 
     progress_message "   Host \"$currentline\" validated";
 
@@ -2261,8 +2284,4 @@ sub find_zones_by_option( $$ ) {
     \@zns;
 }
 
-sub all_ipsets() {
-    sort keys %ipsets;
-}
-
 1;

Shorewall/Perl/compiler.pl

@@ -41,10 +41,7 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to this release
-#         --tcrules                   # Create mangle from tcrules
-#         --routestopped              # Create stoppedrules from routestopped
-#         --notrack                   # Create conntrack from notrack
+#         --update                    # Update configuration to current release
 #
 use strict;
 use FindBin;

Shorewall/Perl/lib.runtime

@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.core
+# Functions imported from /usr/share/shorewall/lib.runtime
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
@@ -599,7 +599,15 @@ debug_restore_input() {
 }
 
 interface_enabled() {
-    return $(cat ${VARDIR}/$1.status)
+    status=0
+
+    if [ -f ${VARDIR}/${1}_disabled ]; then
+	status=1
+    elif [ -f ${VARDIR}/${1}.status ]; then
+	status=$(cat ${VARDIR}/${1}.status)
+    fi
+
+    return $status
 }
 
 distribute_load() {
@@ -678,8 +686,10 @@ interface_is_usable() # $1 = interface
 
     if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi
@@ -996,9 +1006,16 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 
     if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    gateway="nexthop $gateway"
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-	    run_ip route replace table $2 $route
+	    if interface_is_up $3; then
+		gateway="nexthop $gateway"
+	    else
+		gateway="nexthop $gateway dead"
+	    fi
+
+	    if eval echo $route \| fgrep -q \'$gateway\'; then
+		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+		run_ip route replace table $2 $route
+	    fi
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1095,8 +1112,10 @@ interface_is_usable() # $1 = interface
 
     if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi
@@ -1110,7 +1129,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }
 
 #
@@ -1119,7 +1138,7 @@ find_interface_addresses() # $1 = interface
 
 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }
 
 #

Shorewall/Perl/prog.footer

@@ -25,6 +25,7 @@ usage() {
     echo "   savesets <file>"
     echo "   call <function> [ <parameter> ... ]"
     echo "   version"
+    echo "   info"
     echo
     echo "Options are:"
     echo
@@ -469,6 +470,10 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
+    info)
+	[ $# -ne 1 ] && usage 2
+	info_command
+	;;
     help)
 	[ $# -ne 1 ] && usage 2
 	usage 0

Shorewall/README.txt

@@ -1 +0,0 @@
-This is the Shorewall 4.4 stable branch of Git.

Shorewall/Samples/Universal/shorewall.conf

@@ -23,6 +23,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -128,15 +134,13 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -192,6 +198,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"
@@ -240,10 +248,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -34,6 +34,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,15 +145,13 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -203,6 +209,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"
@@ -251,10 +259,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -31,6 +31,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -136,15 +142,13 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -180,6 +184,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -200,6 +206,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"
@@ -248,10 +256,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -34,6 +34,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,15 +145,13 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -203,6 +209,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"
@@ -251,10 +259,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/action.A_Drop

@@ -1,41 +1,39 @@
 #
-# Shorewall version 5 - Drop Action
+# Shorewall -- /usr/share/shorewall/action.A_Drop
 #
-# /usr/share/shorewall/action.A_Drop
+# The audited default DROP common rules
 #
-#	The audited default DROP common rules
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
-# Silently DROP 'auth'
+# Special Handling for Auth
 #
 Auth(A_DROP)
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #

Shorewall/action.A_REJECT

@@ -0,0 +1,41 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+#
+# A_REJECT Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+AUDIT(reject)
+
+?if passed @1
+    ?if @1 =~ /tcp-reset$/
+        ?set reject_proto 6
+    ?else
+        ?set reject_proto ''
+    ?endif
+REJECT(@1)	-	-	$reject_proto
+?else
+REJECT
+?endif

Shorewall/action.A_REJECT!

@@ -0,0 +1,30 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECT!
+#
+# A_REJECT! Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+A_REJECT(@1)

Shorewall/action.A_Reject.deprecated

@@ -1,34 +1,35 @@
 #
-# Shorewall version 5 - Reject Action
+# Shorewall -- /usr/share/shorewall/action.A_Reject
 #
-# /usr/share/shorewall/action.A_Reject
+# The audited default REJECT action common rules
 #
-#	The audited default REJECT action common rules
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).

Shorewall/action.AutoBL

@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Auto Blacklist Action
+# Shorewall -- /usr/share/shorewall/action.AutoBL
+#
+# Auto Blacklist Action
 #
 # Parameters are:
 #
-#    Event          - Name of the event to associate with this blacklist
-#    Interval
-#    Count          - Interval and number of Packets to trigger blacklisting
-#                     Default is 60 seconds and 5 packets.
-#    Successive     - If a matching packet arrives within this many
-#                     seconds of the preceding one, it should be logged
-#                     and dealt with according to the Disposition and
-#                     Log Level parameters below. Default is 2 seconds.
-#    Blacklist time - Number of seconds to blacklist
-#                     Default is 300 (5 minutes)
-#    Disposition    - Disposition of blacklisted packets
-#                     Default is DROP
-#    Log Level      - Level to Log Rejects
-#                     Default is info (6)
+# Event          - Name of the event to associate with this blacklist
+#                  Interval
+# Count          - Interval and number of Packets to trigger blacklisting
+#                  Default is 60 seconds and 5 packets.
+# Successive     - If a matching packet arrives within this many
+#                  seconds of the preceding one, it should be logged
+#                  and dealt with according to the Disposition and
+#                  Log Level parameters below. Default is 2 seconds.
+# Blacklist time - Number of seconds to blacklist
+#                  Default is 300 (5 minutes)
+# Disposition    - Disposition of blacklisted packets
+#                  Default is DROP
+# Log Level      - Level to Log Rejects
+#                  Default is info (6)
 #
 ###############################################################################
 
@@ -37,7 +39,7 @@ validate_level( $level );
 1;
 ?end perl
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Silently reject the client if blacklisted
 #

Shorewall/action.AutoBLL

@@ -1,13 +1,16 @@
 #
-# Shorewall version 5 - Auto Blacklisting Logger Action
+# Shorewall -- /usr/share/shorewall/action.AutoBLL
+#
+# Auto Blacklisting Logger Action
 #
 # Arguments are
 #
-#    Event:       Name of the blacklisted event
-#    Disposition: What to do with packets
-#    Level:       Log level and optional tag for logging.
+# Event       - Name of the blacklisted event
+# Disposition - What to do with packets
+# Level       - Log level and optional tag for logging
+#
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Log the Reject
 #

Shorewall/action.Broadcast

@@ -1,32 +1,30 @@
 #
-# Shorewall 4 - Broadcast Action
+# Shorewall -- /usr/share/shorewall/action.Broadcast
 #
-#    /usr/share/shorewall/action.Broadcast
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# Complete documentation is available at http://shorewall.net
 #
-#       Complete documentation is available at http://shorewall.net
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Broadcast[([<action>|-[,{audit|-}])]
 #
-#   Broadcast[([<action>|-[,{audit|-}])]
+# Default action is DROP
 #
-#       Default action is DROP
-#
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 

Shorewall/action.DNSAmp

@@ -1,32 +1,33 @@
 #
-# Shorewall 5 - DNS Amplification Action
+# Shorewall -- /usr/share/shorewall/action.DNSAmp
 #
-#    /usr/share/shorewall/action.DNSAmp
+#  DNS Amplification Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   DNSAmp[([<action>])]
+# DNSAmp[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT
 
 DEFAULTS DROP
 

Shorewall/action.Drop

@@ -1,29 +1,29 @@
 #
-# Shorewall version 5 - Drop Action
+# Shorewall -- /usr/share/shorewall/action.Drop
 #
-# /usr/share/shorewall/action.Drop
+# The default DROP common rules
 #
-#	The default DROP common rules
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# The action accepts six optional parameters:
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is to do nothing special
-#	    with them.
-#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+#     with them.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
@@ -31,15 +31,15 @@
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
     ?else
         ?error The first parameter to Drop must be 'audit' or '-'
     ?endif
 ?else
-DEFAULTS -,-,DROP,ACCEPT,DROP
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
 ?endif
 
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
@@ -51,14 +51,17 @@ COUNT
 Auth(@2)
 ?endif
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Don't log broadcasts
 #
 Broadcast(DROP,@1)
 #
-# ACCEPT critical ICMP types
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
@@ -67,7 +70,7 @@ Invalid(DROP,@1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall/action.DropSmurfs

@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop Smurfs Action
+# Shorewall -- /usr/share/shorewall/action.DropSmurfs
 #
-# /usr/share/shorewall/action.DropSmurfs
+# Drop Smurfs Action
 #
-#   Accepts a single optional parameter:
+# Accepts a single optional parameter:
 #
-#          -     = Do not Audit
-#          audit = Audit dropped packets.
+# -     = Do not Audit
+# audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################
 
 DEFAULTS -
 
@@ -79,8 +79,3 @@ if ( $family == F_IPV4 ) {
 }
 
 ?end perl;
-
-
-
-
-

Shorewall/action.Established

@@ -1,32 +1,32 @@
 #
-# Shorewall 5 - Established Action
+# Shorewall -- /usr/share/shorewall/action.Established
 #
-#    /usr/share/shorewall/action.Established
+# Established Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Established[([<action>])]
+# Established[([<action>])]
 #
-#       Default action is ACCEPT
+# Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS ACCEPT
 

Shorewall/action.GlusterFS

@@ -1,13 +1,14 @@
 #
-# Shorewall version 5 - GlusterFS Handler for GlusterFS 3.4 and Later
+# Shorewall -- /usr/share/shorewall/action.GlusterFS
 #
-# /etc/shorewall/action.GlusterFS
+# GlusterFS Handler for GlusterFS 3.4 and Later
 #
 # Parameters:
-#	Bricks:		Number of bricks
-#	IB:		0 or 1, indicating whether Infiniband is used or not
 #
-#########################################################################################
+# Bricks - Number of bricks
+# IB     - 0 or 1, indicating whether Infiniband is used or not
+#
+###############################################################################
 
 DEFAULTS 2,0
 
@@ -17,8 +18,8 @@ DEFAULTS 2,0
     ?error Invalid value for IB (@2)
 ?endif
 
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#ACTION		SOURCE		DEST		PROTO	DPORT
+
 ACCEPT		-		-		udp	111,2049
 ACCEPT		-		-		tcp	38465:38467
 
@@ -31,4 +32,3 @@ ACCEPT		-		-		tcp	24007
 ?set last_port 49150 + @{1}
 
 ACCEPT		-		-		tcp	49151:$last_port
-

Shorewall/action.IfEvent

@@ -1,34 +1,38 @@
 #
-# Shorewall version 5 - Perform an Action based on a Event
+# Shorewall -- /usr/share/shorewall/action.IfEvent
 #
-# /etc/shorewall/action.IfEvent
+# Perform an Action based on a Event
 #
 # Parameters:
-#    Event:        Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:       Anything that can appear in the ACTION column of a rule.
-#    Duration:     Duration in seconds over which the event is to be tested.
-#    Hit Count:    Number of packets seen within the duration -- default is 1
-#    Src or Dest:  'src' (default) or 'dst'. Determines if the event is associated with the source
-#                  address (src) or destination address (dst)
-#    Command:      'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
-#                  the Action is taken. If 'update', the timestamp associated with the event will
-#                  be updated and the action taken if the time limit/hitcount are matched.
-#                  If '-', the action will be taken if the limit/hitcount are matched but the
-#                  event's timestamp will not be updated.
 #
-#                  If a duration is specified, then 'checkreap' and 'updatereap' may also
-#                  be used. These are like 'check' and 'update' respectively, but they also
-#                  remove any event entries for the IP address that are older than <duration>
-#                  seconds.
-#    Disposition:  Disposition for any event generated.
+# Event        - Must start with a letter and be composed of letters, digits,
+#                '-', and '_'.
+# Action       - Anything that can appear in the ACTION column of a rule.
+# Duration     - Duration in seconds over which the event is to be tested.
+# Hit Count    - Number of packets seen within the duration -- default is 1
+# Src or Dest  - 'src' (default) or 'dst'. Determines if the event is
+#                associated with the source address (src) or destination
+#                address (dst)
+# Command      - 'check' (default) 'reset', or 'update'. If 'reset',
+#                the event will be reset before the Action is taken.
+#                If 'update', the timestamp associated with the event will
+#                be updated and the action taken if the time limit/hitcount
+#                are matched.
+#                If '-', the action will be taken if the limit/hitcount are
+#                matched but the event's timestamp will not be updated.
+#
+#                If a duration is specified, then 'checkreap' and 'updatereap'
+#                may also be used. These are like 'check' and 'update'
+#                respectively, but they also remove any event entries for
+#                the IP address that are older than <duration> seconds.
+# Disposition  - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
+###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT
 
 DEFAULTS -,ACCEPT,-,1,src,check,-
 

Shorewall/action.Invalid

@@ -1,35 +1,35 @@
 #
-# Shorewall 4 - Invalid Action
+# Shorewall -- /usr/share/shorewall/action.Invalid
 #
-#    /usr/share/shorewall/action.Invalid
+# Invalid Action
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# Complete documentation is available at http://shorewall.net
 #
-#       Complete documentation is available at http://shorewall.net
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Invalid[([<action>])]
 #
-#   Invalid[([<action>])]
+# Default action is DROP
 #
-#       Default action is DROP
-#
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 
 #
-# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
+# All logic for this action is triggered by the 'audit' and 'state' options
+# in actions.std
 #

Shorewall/action.New

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - New Action
+# Shorewall -- /usr/share/shorewall/action.New
 #
-#    /usr/share/shorewall/action.New
+# New Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   New[([<action>])]
+# New[([<action>])]
 #
-#       Default action is ACCEPT
+# Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS ACCEPT
 

Shorewall/action.NotSyn

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - NotSyn Action
+# Shorewall -- /usr/share/shorewall/action.NotSyn
 #
-#    /usr/share/shorewall/action.NotSyn
+# NotSyn Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>])]
+# NotSyn[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 

Shorewall/action.RST

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - RST Action
+# Shorewall -- /usr/share/shorewall/action.RST
 #
-#    /usr/share/shorewall/action.RST
+# RST Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>])]
+# RST[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 

Shorewall/action.Reject

@@ -1,44 +1,44 @@
 #
-# Shorewall version 5 - Reject Action
+# Shorewall -- /usr/share/shorewall/action.Reject
 #
-# /usr/share/shorewall/action.Reject
+# The default REJECT action common rules
 #
-#	The default REJECT action common rules
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# The action accepts six optional parameters:
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is to do nothing
-#	    special with them.
-#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing
+#     special with them.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
     ?else
 	?error The first parameter to Reject must be 'audit' or '-'
     ?endif
 ?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
 ?endif
 
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
@@ -50,15 +50,18 @@ COUNT
 Auth(@2)
 ?endif
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 #
-# ACCEPT critical ICMP types
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
@@ -68,7 +71,7 @@ Invalid(DROP,@1)
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall/action.Related

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - Related Action
+# Shorewall -- /usr/share/shorewall/action.Related
 #
-#    /usr/share/shorewall/action.Related
+# Related Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Related[([<action>])]
+# Related[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP
 

Shorewall/action.ResetEvent

@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Reset an Event
+# Shorewall -- /etc/shorewall/action.ResetEvent
 #
-# /etc/shorewall/action.ResetEvent
+# Reset an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any rule generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any rule generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+###############################################################################
+#                        DO NOT REMOVE THE FOLLOWING LINE
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 
 DEFAULTS -,ACCEPT,src,-
 

Shorewall/action.SetEvent

@@ -1,14 +1,17 @@
 #
-# Shorewall version 5 - Set an Event
+# Shorewall -- /usr/share/shorewall/action.SetEvent
 #
-# /etc/shorewall/action.SetEvent
+# Set an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any event generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #

Shorewall/action.TCPFlags

@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop TCPFlags Action
+# Shorewall -- /usr/share/shorewall/action.TCPFlags
 #
-# /usr/share/shorewall/action.TCPFlags
+# Drop TCPFlags Action
 #
-#   Accepts a single optional parameter:
+# Accepts a single optional parameter:
 #
-#          -     = Do not Audit
-#          audit = Audit dropped packets.
+# -     = Do not Audit
+# audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################
 
 DEFAULTS -
 

Shorewall/action.Untracked

@@ -1,32 +1,33 @@
 #
-# Shorewall 4 - Untracked Action
+# Shorewall --/usr/share/shorewall/action.Untracked
 #
-#    /usr/share/shorewall/action.Untracked
+# Untracked Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+# Untracked[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
+
 DEFAULTS DROP
 
 #

Shorewall/action.allowInvalid

@@ -1,30 +1,28 @@
-\#
-# Shorewall 4 - allowInvalid Action
 #
-#    /usr/share/shorewall/action.allowInvalid
+# Shorewall -- /usr/share/shorewall/action.allowInvalid
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   allowInvalid[([audit])]
+#  allowInvalid[([audit])]
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS -
 

Shorewall/action.dropInvalid

@@ -1,32 +1,30 @@
 #
-# Shorewall 5 - dropInvalid Action
+# Shorewall -- /usr/share/shorewall/action.dropInvalid
 #
-#    /usr/share/shorewall/action.dropInvalid
+# dropInvalid Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   dropInvalid[([audit])]
+# dropInvalid[([audit])]
 #
-##########################################################################################
-
-DEFAULTS -
+###############################################################################
 
 DEFAULTS -
 

Shorewall/action.mangletemplate

@@ -1,20 +1,20 @@
 #
-# Shorewall version 5 - Mangle Action Template
+# Shorewall -- /etc/shorewall/action.mangletemplate
 #
-# /etc/shorewall/action.mangletemplate
+# Mangle Action Template
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined with the mangle option in /etc/shorewall/actions.
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined with the mangle option in /etc/shorewall/actions.
 #
-#	To define a new action:
+# To define a new action:
 #
-#	1. Add the <action name> to /etc/shorewall/actions with the mangle option
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
+# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional
+# information.
 #
 # Columns are the same as in /etc/shorewall/mangle.
 #

Shorewall/action.template

@@ -1,20 +1,20 @@
 #
-# Shorewall version 5 - Action Template
+# Shorewall -- /usr/share/shorewall/action.template
 #
-# /etc/shorewall/action.template
+# Action Template
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined in /etc/shorewall/actions.
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined in /etc/shorewall/actions.
 #
-#	To define a new action:
+# To define a new action:
 #
-#	1. Add the <action name> to /etc/shorewall/actions
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
+# 1. Add the <action name> to /etc/shorewall/actions
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional
+# information.
 #
 # Columns are the same as in /etc/shorewall/rules.
 #

Shorewall/actions.std

@@ -11,7 +11,6 @@
 ?if 0
 A_ACCEPT                        # Audits then accepts a connection request
 A_DROP                          # Audits then drops a connection request
-A_REJECT		        # Audits then drops a connection request
 allowBcast		        # Silently Allow Broadcast/multicast
 dropBcast		        # Silently Drop Broadcast/multicast
 dropNotSyn		        # Silently Drop Non-syn TCP packets
@@ -23,6 +22,8 @@ Limit                           # Limit the rate of connections from each indivi
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
 A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds

Shorewall/configfiles/shorewall.conf

@@ -23,6 +23,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -128,16 +134,14 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CHAIN_SCRIPTS=Yes
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=No
@@ -194,6 +200,8 @@ MAPOLDACTIONS=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX=ko
 
 MULTICAST=No
@@ -240,10 +248,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/init.debian.sh

@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -97,10 +97,11 @@ shorewall_start () {
 
 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -145,7 +146,7 @@ case "$1" in
   restart)
      shorewall_restart
      ;;
-  force0reload|reload)
+  force-reload|reload)
      shorewall_reload
      ;;
   status)

Shorewall/install.sh

@@ -419,11 +419,13 @@ mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -512,7 +514,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
+echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"
 
 cd configfiles
 
@@ -1060,15 +1062,31 @@ fi
 # Install the Action files
 #
 for f in action.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    case $f in
+	*.deprecated)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
+	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
+	    ;;
+	*)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	    ;;
+    esac
 done
 
 cd Macros
 
 for f in macro.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    case $f in
+	*.deprecated)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
+	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
+	    ;;
+	*)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	    ;;
+    esac
 done
 
 cd ..
@@ -1159,6 +1177,8 @@ fi
 # Install the Man Pages
 #
 
+if [ -n "$MANDIR" ]; then
+
 cd manpages
 
 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1178,6 +1198,7 @@ done
 cd ..
 
 echo "Man Pages Installed"
+fi
 
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
     run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
@@ -1194,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then

Shorewall/lib.cli-std

@@ -316,6 +316,8 @@ get_config() {
 
     g_loopback=$(find_loopback_interfaces)
 
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
     if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -323,7 +325,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
@@ -333,6 +335,10 @@ get_config() {
 	g_pager="| $g_pager"
     fi
 
+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+	setup_dbl
+    fi
+
     lib=$(find_file lib.cli-user)
 
     [ -f $lib ] && . $lib
@@ -403,7 +409,7 @@ compiler() {
     get_config Yes
 
     case $COMMAND in
-	*start|try|refresh)
+	*start|try|refresh|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -461,13 +467,13 @@ compiler() {
 
     case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
     esac
     #
@@ -498,7 +504,6 @@ compiler() {
 start_command() {
     local finished
     finished=0
-    local object
     local rc
     rc=0
 
@@ -517,7 +522,7 @@ start_command() {
 		[ -n "$nolock" ] || mutex_off
 	    else
 		rc=$?
-		logger -p kern.err "ERROR:$g_product start failed"
+		mylogger kern.err "ERROR:$g_product start failed"
 	    fi
 	fi
 
@@ -573,7 +578,7 @@ start_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -589,7 +594,8 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_fast" ]         && fatal_error "Directory may not be specified with the -f option"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -603,12 +609,12 @@ start_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
     if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/$object; then
+	if ! uptodate ${VARDIR}/firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
@@ -632,8 +638,6 @@ compile_command() {
 		shift
 		option=${option#-}
 
-		[ -z "$option" ] && usage 1
-
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
@@ -670,7 +674,7 @@ compile_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -692,7 +696,7 @@ compile_command() {
 	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -706,7 +710,7 @@ compile_command() {
 	    g_file=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -760,7 +764,7 @@ check_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -776,7 +780,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -789,7 +793,7 @@ check_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -852,7 +856,7 @@ update_command() {
 			    option=${option#A}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -868,7 +872,7 @@ update_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -881,7 +885,7 @@ update_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -946,7 +950,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -962,7 +966,7 @@ restart_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -977,7 +981,7 @@ restart_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -997,7 +1001,7 @@ restart_command() {
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
-	    logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
+	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
     else
 	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
@@ -1055,7 +1059,7 @@ refresh_command() {
 			    fi
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1138,7 +1142,7 @@ safe_commands() {
 			    shift;
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1154,7 +1158,7 @@ safe_commands() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1167,7 +1171,7 @@ safe_commands() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -1255,7 +1259,7 @@ try_command() {
     timeout=
 
     handle_directory() {
-	[ -n "$g_shorewalldir" ] && usage 2
+	[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
@@ -1285,7 +1289,7 @@ try_command() {
 			    option=${option#n}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1299,7 +1303,7 @@ try_command() {
 
     case $# in
 	0)
-	    usage 1
+	    missing_argument
 	    ;;
 	1)
 	    handle_directory $1
@@ -1310,7 +1314,7 @@ try_command() {
 	    timeout=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -1440,6 +1444,12 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1449,7 +1459,7 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1462,6 +1472,9 @@ remote_reload_command() # $* = original arguments less the command.
     done
 
     case $# in
+	0)
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
+	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
@@ -1471,7 +1484,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    system=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -1495,6 +1508,11 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No
 
 	g_haveconfig=Yes
+
+	if [ -z "$system" ]; then
+	    system=$FIREWALL
+	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+	fi
     else
 	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
     fi
@@ -1711,7 +1729,7 @@ compiler_command() {
 	    safe_commands $@
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid command: $COMMAND"
 	    ;;
     esac
 

Shorewall/manpages/shorewall-actions.xml

@@ -130,6 +130,18 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>logjump</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. Performs the same function as
+                <option>nolog</option> (below), with the addition that the
+                jump to the actions chain is logged if a log level is
+                specified on the action invocation. For inline actions, this
+                option is identical to <option>nolog</option>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>mangle</option></term>
 

Shorewall/manpages/shorewall-interfaces.xml

@@ -306,6 +306,72 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>The normal setting for this option will be <emphasis
+                role="bold">dst</emphasis> or <emphasis
+                role="bold">none</emphasis> for internal interfaces and
+                <emphasis role="bold">src</emphasis> or <emphasis
+                role="bold">src-dst</emphasis> for Internet-facing
+                interfaces.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">destonly</emphasis></term>
 
@@ -348,7 +414,7 @@ loc     eth2            -</programlisting>
                       url="../bridge-Shorewall-perl.html">Shorewall-perl for
                       firewall/bridging</ulink>, then you need to include
                       DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
                       DHCP uses UDP ports 67 and 68.</para>
                     </note>
                   </listitem>
@@ -380,7 +446,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -451,8 +517,8 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis
-              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+              <term><emphasis role="bold"><emphasis
+              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -488,6 +554,18 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">nodbl</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. When specified, dynamic
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">nosmurfs</emphasis></term>
 

Shorewall/manpages/shorewall-mangle.xml

@@ -137,7 +137,7 @@
                 <replaceable>action</replaceable> must be an action declared
                 with the <option>mangle</option> option in <ulink
                 url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
+                If the action accepts parameters, they are specified as a
                 comma-separated list within parentheses following the
                 <replaceable>action</replaceable> name.</para>
               </listitem>
@@ -355,7 +355,8 @@ DIVERTHA        -               -               tcp</programlisting>
     EF   =&gt; 0x2e</programlisting>
 
                 <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
+                placed in the POSTROUTING chain.</para>
               </listitem>
             </varlistentry>
 
@@ -390,7 +391,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>
@@ -504,7 +505,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
 
                     <member>0xc0a80403 LAND 0xFF = 0x03</member>
 
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                     1:103</member>
                   </simplelist>
                 </blockquote>
@@ -598,6 +599,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.9. Logs matching packets using
+                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1.</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
@@ -1224,6 +1255,17 @@ Normal-Service       =&gt; 0x00</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 
@@ -1334,7 +1376,7 @@ Normal-Service       =&gt; 0x00</programlisting>
           round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
           (Shorewall 4.5.9 and later).</para>
 
-          <programlisting>/etc/shorewall/tcrules:
+          <programlisting>/etc/shorewall/mangle:
 
        #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
        CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW

Shorewall/manpages/shorewall-policy.xml

@@ -35,7 +35,7 @@
       <para>This file determines what to do with a new connection request if
       we don't get a match from the /etc/shorewall/rules file . For each
       source/destination pair, the file is processed in order until a match is
-      found ("all" will match any client or server).</para>
+      found ("all" will match any source or destination).</para>
     </important>
 
     <important>
@@ -61,7 +61,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -74,12 +74,18 @@
           <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
           not override the implicit intra-zone ACCEPT policy while "all+"
           does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -95,6 +101,12 @@
           <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
           not override the implicit intra-zone ACCEPT policy while "all+"
           does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-providers.xml

@@ -406,6 +406,16 @@
                     are present.</para>
                   </listitem>
                 </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-rules.xml

@@ -597,7 +597,29 @@
                 the next rule. See <ulink
                 url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>NFLOG is similar to<emphasis role="bold">
                 LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                 except that the log level is not changed when this ACTION is
                 used in an action or macro body and the invocation of that
@@ -631,12 +653,12 @@
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
                 by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
               </listitem>
             </varlistentry>
 
@@ -672,11 +694,37 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
+              <term><emphasis
+              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
 
               <listitem>
                 <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
+                an RST packet. If no option is passed, Shorewall selects the
+                appropriate option based on the protocol of the packet.</para>
+
+                <para>Beginning with Shorewall 5.0.8, the type of reject may
+                be specified in the <replaceable>option</replaceable>
+                paramater. Valid <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp-net-unreachable</option></member>
+
+                  <member><option>icmp-host-unreachable</option></member>
+
+                  <member><option>i</option><option>cmp-port-unreachable</option></member>
+
+                  <member><option>icmp-proto-unreachable</option></member>
+
+                  <member><option>icmp-net-prohibited</option></member>
+
+                  <member><option>icmp-host-prohibited</option></member>
+
+                  <member><option>icmp-admin-prohibited</option></member>
+
+                  <member><option>icmp-tcp-reset</option> (the PROTO column
+                  must specify TCP)</member>
+                </simplelist>
               </listitem>
             </varlistentry>
 
@@ -1441,7 +1489,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,
@@ -1634,6 +1682,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>utc</term>
 

Shorewall/manpages/shorewall-tcclasses.xml

@@ -156,20 +156,23 @@
 
       <varlistentry>
         <term><emphasis role="bold">MARK</emphasis> -
-        {-|<emphasis>value</emphasis>}</term>
+        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>
 
         <listitem>
           <para>The mark <emphasis>value</emphasis> which is an integer in the
           range 1-255. You set mark values in the <ulink
           url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
           file, marking the traffic you want to fit in the classes defined in
-          here. Must be specified as '-' if the <emphasis
-          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
-          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-          and you are running Shorewall 4.5.5 or earlier.</para>
+          here. You can use the same marks for different interfaces.</para>
 
-          <para>You can use the same marks for different interfaces.</para>
+          <para>The <replaceable>priority</replaceable>, if specified, is an
+          integer in the range 1-65535 and determines the relative order in
+          which the tc mark classification filter for this class is to be
+          applied to packets being sent on the
+          <replaceable>interface</replaceable>. Filters are applied in
+          ascending numerical order. If not supplied, the value is derived
+          from the class priority (PRIORITY column value below):
+          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
         </listitem>
       </varlistentry>
 
@@ -293,7 +296,7 @@
                 <para>This is the default class for that interface where all
                 traffic should go, that is not classified otherwise.</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>You must define <emphasis
@@ -320,7 +323,7 @@
                 priority determines the order in which filter rules are
                 processed during packet classification. If not specified, the
                 value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                10) is used.</para>
+                15) is used.</para>
               </listitem>
             </varlistentry>
 
@@ -339,7 +342,7 @@
                 (":") and a <replaceable>priority</replaceable>. This priority
                 determines the order in which filter rules are processed
                 during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 15)
                 is used.</para>
 
                 <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis>       0x10/0x10
@@ -372,7 +375,7 @@
                 (":") and a <replaceable>priority</replaceable>. This priority
                 determines the order in which filter rules are processed
                 during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                 is used.</para>
 
                 <note>

Shorewall/manpages/shorewall.conf.xml

@@ -307,6 +307,9 @@
                 that were active when Shorewall stopped continue to work and
                 all new connections from the firewall system itself are
                 allowed.</para>
+
+                <para>Note that the routestopped file is not supported in
+                Shorewall 5.0 and later versions.</para>
               </listitem>
             </varlistentry>
 
@@ -481,8 +484,8 @@
 
           <para>ALL sends all packets through the blacklist chains.</para>
 
-          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
-          is specified.</para>
+          <para>Note: The ESTABLISHED state may not be specified if
+          FASTACCEPT=Yes is specified.</para>
         </listitem>
       </varlistentry>
 
@@ -577,13 +580,14 @@
         <listitem>
           <para>If this option is set to <emphasis role="bold">No</emphasis>
           then Shorewall won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people who prefer to
-          configure traffic shaping when the network interfaces come up rather
-          than when the firewall is started. If that is what you want to do,
-          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
-          /etc/shorewall/tcstart file. That way, your traffic shaping rules
-          can still use the “fwmark” classifier based on packet marking
-          defined in <ulink
+          [<command>re</command>]<command>start</command> or
+          <command>reload</command>. This setting is intended for use by
+          people who prefer to configure traffic shaping when the network
+          interfaces come up rather than when the firewall is started. If that
+          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+          not supply an /etc/shorewall/tcstart file. That way, your traffic
+          shaping rules can still use the “fwmark” classifier based on packet
+          marking defined in <ulink
           url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
           If not specified, CLEAR_TC=Yes is assumed.</para>
         </listitem>
@@ -677,8 +681,8 @@
 
         <listitem>
           <para>If set to Yes (the default value), entries in the
-          /etc/shorewall/route_stopped files cause an 'ip rule del' command to
-          be generated in addition to an 'ip rule add' command. Setting this
+          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
+          generated in addition to an 'ip rule add' command. Setting this
           option to No, causes the 'ip rule del' command to be omitted.</para>
         </listitem>
       </varlistentry>
@@ -761,15 +765,87 @@
 
       <varlistentry>
         <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>||<emphasis
+        role="bold">ipset</emphasis>[<emphasis
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.7. When set to <emphasis
           role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall drop</command>,
-          <command>shorewall reject</command>, <command>shorewall
-          logdrop</command> and <command>shorewall logreject</command> is
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          chain-based dynamic blacklisting using <command>shorewall
+          drop</command>, <command>shorewall reject</command>,
+          <command>shorewall logdrop</command> and <command>shorewall
+          logreject</command> is disabled. Default is <emphasis
+          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
+          ipset-based dynamic blacklisting using the <command>shorewall
+          blacklist</command> command is also supported. The name of the set
+          (<replaceable>setname</replaceable>) and the level
+          (<replaceable>log_level</replaceable>), if any, at which blacklisted
+          traffic is to be logged may also be specified. The default set name
+          is SW_DBL4 and the default log level is <option>none</option> (no
+          logging). If <option>ipset-only</option> is given, then chain-based
+          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
+          had been specified.</para>
+
+          <para>Possible <replaceable>option</replaceable>s are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>src-dst</term>
+
+              <listitem>
+                <para>Normally, only packets whose source address matches an
+                entry in the ipset are dropped. If <option>src-dst</option> is
+                included, then packets whose destination address matches an
+                entry in the ipset are also dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>disconnect</option></term>
+
+              <listitem>
+                <para>The <option>disconnect</option> option was added in
+                Shorewall 5.0.13 and requires that the conntrack utility be
+                installed on the firewall system. When an address is
+                blacklisted using the <command>blacklist</command> command,
+                all connections originating from that address are
+                disconnected. if the <option>src-dst</option> option was also
+                specified, then all connections to that address are also
+                disconnected.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
+                the dynamic blacklisting ipset with timeout 0 which means that
+                entries are permanent. If you want entries in the set that are
+                not accessed for a period of time to be deleted from the set,
+                you may specify that period using this option. Note that the
+                <command>blacklist</command> command can override the ipset's
+                timeout setting.</para>
+
+                <important>
+                  <para>Once the dynamic blacklisting ipset has been created,
+                  changing this option setting requires a complete restart of
+                  the firewall; <command>shorewall restart</command> if
+                  RESTART=restart, otherwise <command>shorewall stop
+                  &amp;&amp; shorewall start</command></para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>When ipset-based dynamic blacklisting is enabled, the contents
+          of the blacklist will be preserved over
+          <command>stop</command>/<command>reboot</command>/<command>start</command>
+          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
+          <replaceable>setname</replaceable> is included in the list of sets
+          to be saved in SAVE_IPSETS.</para>
         </listitem>
       </varlistentry>
 
@@ -806,7 +882,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           helpers file from the administrative system into the script. When
           set to No or not specified, the compiler will not copy the modules
           or helpers file from <filename>/usr/share/shorewall</filename> but
-          will copy the found in another location on the CONFIG_PATH.</para>
+          will copy those found in another location on the CONFIG_PATH.</para>
 
           <para>When compiling for direct use by Shorewall, causes the
           contents of the local module or helpers file to be copied into the
@@ -824,7 +900,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           packets until these packets reach the chain in which the original
           connection was accepted. So for packets going from the 'loc' zone to
           the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc2net' chain.</para>
+          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
+          (see below).</para>
 
           <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
           are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -834,12 +911,27 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
+
+        <listitem>
+          <para>This option was added in Shorewall 5.0.13 and may be used on
+          an administrative system in directories containing the
+          configurations of remote firewalls. The contents of the variable are
+          the default value for the <replaceable>system</replaceable>
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
+          <command>remote-restart</command> commands.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
           cleared the packet mark in the first rule in the mangle FORWARD
           chain. This behavior is maintained with the default setting of this
           option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -998,7 +1090,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 
@@ -1330,7 +1422,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
       <varlistentry>
         <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
 
         <listitem>
           <para>This parameter tells the /sbin/shorewall program where to look
@@ -1340,7 +1432,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
           If not assigned or if assigned an empty value, /var/log/messages is
           assumed. For further information, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
+          Beginning with Shorewall 5.0.10.1, you may specify
+          <option>systemd</option> to use <command>journelctl -r</command> to
+          read the log.</para>
         </listitem>
       </varlistentry>
 
@@ -1548,6 +1643,18 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1636,7 +1743,7 @@ LOG:info:,bar                        net                    fw</programlisting>
 
       <varlistentry>
         <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
         role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
 
         <listitem>
@@ -1647,6 +1754,10 @@ LOG:info:,bar                        net                    fw</programlisting>
           where <emphasis role="bold">uname</emphasis> holds the output of
           '<command>uname -r</command>' and <emphasis
           role="bold">g_family</emphasis> holds '4'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
         </listitem>
       </varlistentry>
 
@@ -1962,6 +2073,9 @@ LOG:info:,bar                        net                    fw</programlisting>
           When PAGER is given, the output of verbose <command>status</command>
           commands and the <command>dump</command> command are piped through
           the named program when the output file is a terminal.</para>
+
+          <para>Beginning with Shorewall 5.0.12, the default value of this
+          option is the DEFAULT_PAGER setting in shorewallrc.</para>
         </listitem>
       </varlistentry>
 
@@ -2151,18 +2265,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ; -j REJECT
+INLINE          -       -       17      ;; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ; -j REJECT
+INLINE          -       -       -       ;; -j REJECT
 ?endif</programlisting>
         </listitem>
       </varlistentry>
@@ -2232,7 +2346,7 @@ INLINE          -       -       -       ; -j REJECT
           restored unconditionally at the top of the mangle OUTPUT and
           PREROUTING chains, even if the saved mark is zero. When this option
           is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          even when it is zero. If you have problems with IPSEC ESP packets
+          only if it is non-zero. If you have problems with IPSEC ESP packets
           not being routed correctly on output, try setting this option to
           <emphasis role="bold">No</emphasis>.</para>
         </listitem>
@@ -2408,10 +2522,9 @@ INLINE          -       -       -       ; -j REJECT
 
         <listitem>
           <para>This option is used to specify the shell program to be used to
-          run the Shorewall compiler and to interpret the compiled script. If
-          not specified or specified as a null value, /bin/sh is assumed.
-          Using a light-weight shell such as ash or dash can significantly
-          improve performance.</para>
+          interpret the compiled script. If not specified or specified as a
+          null value, /bin/sh is assumed. Using a light-weight shell such as
+          ash or dash can significantly improve performance.</para>
         </listitem>
       </varlistentry>
 
@@ -2464,8 +2577,10 @@ INLINE          -       -       -       ; -j REJECT
           <para>If specified, determines where Shorewall will log the details
           of each <emphasis role="bold">start</emphasis>, <emphasis
           role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis> and <emphasis
-          role="bold">refresh</emphasis> command. Logging verbosity is
+          role="bold">restart</emphasis>, <emphasis
+          role="bold">refresh</emphasis>, <emphasis
+          role="bold">try</emphasis>, and <emphasis
+          role="bold">safe-</emphasis>* command. Logging verbosity is
           determined by the setting of LOG_VERBOSITY above.</para>
         </listitem>
       </varlistentry>
@@ -2822,6 +2937,20 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
+          produced by the ?INFO and ?WARNING directives include the filename
+          and linenumber of the directive. When set to No, that additional
+          information is omitted. The setting may be overridden on a directive
+          by directive basis by following ?INFO or ?WARNING with '!' (no
+          intervening white space).</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -2882,6 +3011,23 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall/manpages/shorewall.xml

@@ -49,6 +49,21 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg
+      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
+      ...</arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -436,9 +451,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -460,9 +475,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -484,9 +499,9 @@
 
       <arg><option>-i</option></arg>
 
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
 
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -951,7 +966,45 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
+          <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 
@@ -1578,8 +1631,8 @@
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
         <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
+        [ <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>load</command> in
@@ -1605,7 +1658,13 @@
           directory. If compilation succeeds, then firewall is copied to
           <replaceable>system</replaceable> using scp. If the copy succeeds,
           Shorewall Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">start</emphasis> command succeeds, then the
@@ -1640,9 +1699,9 @@
         <term><emphasis role="bold">remote-reload
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was added in Shorewall 5.0.0.</para>
@@ -1666,8 +1725,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -1702,9 +1767,9 @@
         <term><emphasis role="bold">remote-restart
         </emphasis>[-<option>s</option>] [-<option>c</option>]
         [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>reload</command> in
@@ -1729,8 +1794,14 @@
           defaulted) directory is compiled to a file called firewall in that
           directory. If compilation succeeds, then firewall is copied to
           <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
 
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -2593,6 +2664,34 @@
     started.</para>
   </refsect1>
 
+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall/modules.essential

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Essential Modules File
+# Shorewall -- /usr/share/shorewall/modules.essential
 #
-# /usr/share/shorewall/modules.essential
+# Essential Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 #

Shorewall/modules.extensions

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Extensions Modules File
+# Shorewall -- /usr/share/shorewall/modules.extensions
 #
-# /usr/share/shorewall/modules.extensions
+# Extensions Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule ipt_addrtype

Shorewall/modules.ipset

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - IP Set Modules File
+# Shorewall -- /usr/share/shorewall/modules.ipset
 #
-# /usr/share/shorewall/modules.ipset
+# IP Set Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_set

Shorewall/modules.tc

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Traffic Shaping Modules File
+# Shorewall -- /usr/share/shorewall/modules.tc
 #
-# /usr/share/shorewall/modules.tc
+# Traffic Shaping Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule sch_sfq

Shorewall/modules.xtables

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Xtables Modules File
+# Shorewall -- /usr/share/shorewall/modules.xtables
 #
-# /usr/share/shorewall/modules.xtables
+# Xtables Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_AUDIT

Shorewall/uninstall.sh

@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
 rm -f  ${SHAREDIR}/shorewall/lib.cli-std
-rm -f  ${SHAREDIR}/shorewall/lib.core
+rm -f  ${SHAREDIR}/shorewall/lib.runtime
 rm -f  ${SHAREDIR}/shorewall/compiler.pl
 rm -f  ${SHAREDIR}/shorewall/prog.*
 rm -f  ${SHAREDIR}/shorewall/module*

Shorewall6-lite/README.txt

@@ -1 +0,0 @@
-This is the Shorewall6-lite stable 4.4 branch of Git.

Shorewall6-lite/init.debian.sh

@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6-lite
@@ -92,10 +92,11 @@ shorewall6_start () {
 
 # stop the firewall
 shorewall6_stop () {
-  echo -n "Stopping \"Shorewall6 Lite firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall6 Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -47,6 +47,19 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -666,7 +679,45 @@
           <para>Re-enables receipt of packets from hosts previously
           blacklisted by a <command>drop</command>,
           <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command.</para>
+          <command>logreject</command> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          The <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>
 
@@ -1515,6 +1566,35 @@
     started.</para>
   </refsect1>
 
+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by
+    Shorewall6-lite:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
   <refsect1>
     <title>See ALSO</title>
 

Shorewall6/README.txt

@@ -1 +0,0 @@
-This is the Shorewall6 stable 4.4 branch of Git.

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,15 +127,13 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -213,10 +219,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -25,6 +25,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -122,15 +128,13 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -160,6 +164,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -214,10 +220,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,15 +127,13 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -213,10 +219,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -24,6 +24,12 @@ VERBOSITY=1
 
 PAGER=
 
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,15 +127,13 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
+
+BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 
 HELPERS=
 
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 
 INLINE_MATCHES=Yes
@@ -213,10 +219,14 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################