Correct setup of $usedactions{A_REJECT}

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-init/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-lite/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-lite stable 4.4 branch of Git.

Shorewall/Perl/Shorewall/Chains.pm

@@ -619,7 +619,7 @@ our %builtin_target = ( ACCEPT      => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
 			RAWDNAT     => STANDARD                                           + RAW_TABLE,
 			RAWSNAT     => STANDARD                                           + RAW_TABLE,
 			REDIRECT    => STANDARD                + NAT_TABLE,
-			REJECT      => STANDARD + FILTER_TABLE,
+			REJECT      => STANDARD + FILTER_TABLE + OPTIONS,
 			RETURN      => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
 			SAME        => STANDARD,
 			SECMARK     => STANDARD                            + MANGLE_TABLE,
@@ -2030,7 +2030,7 @@ sub chain_base( $ ) {
 sub forward_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fwd';
 }
 
 #
@@ -2085,7 +2085,7 @@ sub use_forward_chain($$) {
 #
 sub input_option_chain($) {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_iop';
 }
 
 #
@@ -2093,7 +2093,7 @@ sub input_option_chain($) {
 #
 sub output_option_chain($) {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop';
 }
 
 #
@@ -2101,7 +2101,7 @@ sub output_option_chain($) {
 #
 sub forward_option_chain($) {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fop';
 }
 
 #
@@ -2110,7 +2110,7 @@ sub forward_option_chain($) {
 sub input_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_in';
 }
 
 #
@@ -2173,7 +2173,7 @@ sub use_input_chain($$) {
 sub output_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_out';
 }
 
 #
@@ -2182,7 +2182,7 @@ sub output_chain($)
 sub prerouting_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_pre';
 }
 
 #
@@ -2191,7 +2191,7 @@ sub prerouting_chain($)
 sub postrouting_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_post';
 }
 
 #
@@ -2244,7 +2244,7 @@ sub use_output_chain($$) {
 sub masq_chain($)
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_masq';
 }
 
 #
@@ -2260,7 +2260,7 @@ sub syn_flood_chain ( $ ) {
 sub mac_chain( $ )
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_mac';
 }
 
 sub macrecent_target($)
@@ -2297,7 +2297,7 @@ sub load_chain( $ ) {
 sub snat_chain( $ )
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_snat';
 }
 
 #
@@ -2306,7 +2306,7 @@ sub snat_chain( $ )
 sub ecn_chain( $ )
 {
     my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ecn';
 }
 
 #
@@ -2915,8 +2915,6 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
 		    'CONNMARK'        => STANDARD + OPTIONS,
 		    'CONTINUE'        => STANDARD,
@@ -2987,8 +2985,6 @@ sub initialize_chain_table($) {
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD + OPTIONS,
 		    'REJECT!'         => STANDARD + OPTIONS,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'DNAT'            => NATRULE  + OPTIONS,
 		    'DNAT-'           => NATRULE  + NATONLY,
 		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
@@ -6335,7 +6331,7 @@ sub log_rule_limit( $$$$$$$$;$ ) {
     my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
 
     my $prefix = '';
-    my $chain            = get_action_chain_name  || $chn;
+    my $chain            = get_action_chain_name  ||  $chn;
     my $disposition      = get_action_disposition || $dispo;
     my $original_matches = $matches;
     my $ruleref;
@@ -6435,7 +6431,7 @@ sub log_irule_limit( $$$$$$$$@ ) {
 
     my $prefix = '';
     my %matches;
-    my $chain       = get_action_chain_name  || $chn;
+    my $chain       = get_action_chain_name  ||  $chn;
     my $disposition = get_action_disposition || $dispo;
     my $original_matches = @matches;
 
@@ -8172,6 +8168,15 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
+fi
+EOF
+	}
     } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8192,6 +8197,15 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING    
+fi
+EOF
+	}
     }
 
     pop_indent;
@@ -8627,12 +8641,12 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } else {		    
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {

Shorewall/Perl/Shorewall/Config.pm

@@ -885,6 +885,7 @@ sub initialize( $;$$) {
 	  RESTART => undef ,
 	  DOCKER => undef ,
 	  PAGER => undef ,
+	  MINIUPNPD => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -3300,9 +3301,9 @@ sub push_action_params( $$$$$$ ) {
     $actparams{caller}      = $caller;
     $actparams{disposition} = '' if $chainref->{action};
     #
-    # The Shorewall variable '@chain' has the non-word charaters removed
+    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
     #
-    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w-]//g;
 
     \%oldparms;
 }
@@ -5942,7 +5943,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
     default_yes_no 'WORKAROUNDS'                , 'Yes';
-    default_yes_no 'DOCKER'                      , '';
+    default_yes_no 'DOCKER'                     , '';
 
     if ( $config{DOCKER} ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
@@ -6002,8 +6003,9 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'IGNOREUNKNOWNVARIABLES'     , 'Yes';
     default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
+    default_yes_no 'MINIUPNPD'                  , '';
 
-    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 
+    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
     require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -89,6 +89,7 @@ sub setup_ecn()
 {
     my %interfaces;
     my @hosts;
+    my $interfaceref;
 
     if ( my $fn = open_file 'ecn' ) {
 
@@ -105,7 +106,13 @@ sub setup_ecn()
 						    2 );
 
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
+
+	    if ( $interfaceref->{root} ) {
+		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	    } else {
+		$interface = $interfaceref->{name};
+	    }
 
 	    my $lineinfo = shortlineinfo( '' );
 
@@ -1095,10 +1102,18 @@ sub add_common_rules ( $ ) {
 
 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
+	    my $chainref1;
+
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
 	    $announced = 1;
 
 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} ,  j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{POSTROUTING} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -173,7 +173,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-	unless ( $interfaceref->{root} ) {
+	if ( $interfaceref->{root} ) {
+	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	} else {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -457,7 +459,9 @@ sub do_one_nat( $$$$$ )
 
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-    unless ( $interfaceref->{root} ) {
+    if ( $interfaceref->{root} ) {
+	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+    } else {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -559,7 +563,9 @@ sub setup_netmap() {
 		    $net1 = validate_net $net1, 0;
 		    $net2 = validate_net $net2, 0;
 
-		    unless ( $interfaceref->{root} ) {
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};

Shorewall/Perl/Shorewall/Rules.pm

@@ -230,6 +230,7 @@ use constant { INLINE_OPT           => 1 ,
 	       NAT_OPT              => 128 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
+	       LOGJUMP_OPT          => 1024 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -242,7 +243,10 @@ our %options = ( inline      => INLINE_OPT ,
 		 nat         => NAT_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
+		 logjump     => LOGJUMP_OPT ,
     );
+
+our %reject_options;
 ################################################################################
 #   Declarations moved from the Tc module in 5.0.7                             #
 ################################################################################
@@ -353,8 +357,27 @@ sub initialize( $ ) {
 
     if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	%reject_options = ( 'icmp-net-unreachable'   => 1,
+			    'icmp-host-unreachable'  => 1,
+			    'icmp-port-unreachable'  => 1,
+			    'icmp-proto-unreachable' => 1,
+			    'icmp-net-prohibited'    => 1,
+			    'icmp-host-prohibited'   => 1,
+			    'icmp-admin-prohibited'  => 1,
+			    'icmp-tcp-reset'         => 2,
+	                  );
+			    
     } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
+	%reject_options = ( 'icmp6-no-route'         => 1,
+			    'no-route'               => 1,
+			    'icmp6-adm-prohibited'   => 1,
+			    'adm-prohibited'         => 1,
+			    'icmp6-addr-unreachable' => 1,
+			    'addr-unreach'           => 1,
+			    'icmp6-port-unreachable' => 1,
+			    'tcp-reset'              => 2,
+	                  );
     }
 
     ############################################################################
@@ -1257,8 +1280,14 @@ sub normalize_action( $$$ ) {
 
     ( $level, my $tag ) = split ':', $level;
 
-    $level = 'none' unless supplied $level;
-    $tag   = ''     unless defined $tag;
+    if ( $actions{$action}{options} & LOGJUMP_OPT ) {
+	$level = 'none';
+	$tag   = '';
+    } else {
+	$level = 'none' unless supplied $level;
+	$tag   = ''     unless defined $tag;
+    }
+
     $param = ''     unless defined $param;
     $param = ''     if $param eq '-';
 
@@ -1798,6 +1827,7 @@ sub process_action(\$\$$) {
     my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
     my $type = $targets{$action};
     my $actionref = $actions{$action};
+    my $matches   = fetch_inline_matches;
 
     if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1819,7 +1849,7 @@ sub process_action(\$\$$) {
 
     my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
     my $options = $actionref->{options};
-    my $nolog = $options & NOLOG_OPT;
+    my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
 
     setup_audit_action( $action ) if $options & AUDIT_OPT;
 
@@ -1910,14 +1940,15 @@ sub process_action(\$\$$) {
 				      $dscp ,
 				      $state,
 				      $time );
+		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
+	    my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
 
 	    if ( $file_format == 1 ) {
 		fatal_error( "FORMAT-1 actions are no longer supported" );
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
+		($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line2( 'action file',
 				   \%rulecolumns,
 				   $action_commands,
@@ -1941,26 +1972,32 @@ sub process_action(\$\$$) {
 		next;
 	    }
 
-	    process_rule( $chainref,
-			  '',
-			  '',
-			  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
-			  '',
-			  $source,
-			  $dest,
-			  $proto,
-			  $ports,
-			  $sports,
-			  $origdest,
-			  $rate,
-			  $user,
-			  $mark,
-			  $connlimit,
-			  $time,
-			  $headers,
-			  $condition,
-			  $helper,
-			  0 );
+	    for my $proto ( split_list( $protos, 'Protocol' ) ) {
+		for my $user ( split_list( $users, 'User/Group' ) ) {
+		    process_rule( $chainref,
+				  '',
+				  '',
+				  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
+				  '',
+				  $source,
+				  $dest,
+				  $proto,
+				  $ports,
+				  $sports,
+				  $origdest,
+				  $rate,
+				  $user,
+				  $mark,
+				  $connlimit,
+				  $time,
+				  $headers,
+				  $condition,
+				  $helper,
+				  0 );
+
+		    set_inline_matches( $matches );
+		}
+	    }
 	}
     }
 
@@ -2055,7 +2092,7 @@ sub process_actions() {
 		$action =~ s/:.*$//;
 	    }
 
-	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
+	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*!?$/;
 
 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
@@ -2198,7 +2235,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
     my $generated = 0;
 
 
-    my $macrofile = $macros{$macro};
+    my $macrofile    = $macros{$macro};
+    my $save_matches = fetch_inline_matches;
 
     progress_message "..Expanding Macro $macrofile...";
 
@@ -2208,7 +2246,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 
     while ( read_a_line( NORMAL_READ ) ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
+	my ( $mtarget, $msource, $mdest, $mprotos, $mports, $msports, $morigdest, $mrate, $musers, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
 
 	if ( $file_format == 1 ) {
 	    fatal_error( "FORMAT-1 macros are no longer supported" );
@@ -2216,12 +2254,12 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2282,37 +2320,38 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}
 
-	$generated |= process_rule(
-				   $chainref,
-	                           $matches,
-	                           $matches1,
-				   $mtarget,
-				   $param,
-				   $msource,
-				   $mdest,
-				   merge_macro_column( $mproto,     $proto ) ,
-				   merge_macro_column( $mports,     $ports ) ,
-				   merge_macro_column( $msports,    $sports ) ,
-				   merge_macro_column( $morigdest,  $origdest ) ,
-				   merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $muser,      $user ) ,
-				   merge_macro_column( $mmark,      $mark ) ,
-				   merge_macro_column( $mconnlimit, $connlimit) ,
-				   merge_macro_column( $mtime,      $time ),
-				   merge_macro_column( $mheaders,   $headers ),
-				   merge_macro_column( $mcondition, $condition ),
-				   merge_macro_column( $mhelper,    $helper ),
-				   $wildcard
-				  );
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
+		$generated |= process_rule( $chainref,
+					    $matches,
+					    $matches1,
+					    $mtarget,
+					    $param,
+					    $msource,
+					    $mdest,
+					    merge_macro_column( $mp,         $proto ) ,
+					    merge_macro_column( $mports,     $ports ) ,
+					    merge_macro_column( $msports,    $sports ) ,
+					    merge_macro_column( $morigdest,  $origdest ) ,
+					    merge_macro_column( $mrate,      $rate ) ,
+					    merge_macro_column( $mu,         $user ) ,
+					    merge_macro_column( $mmark,      $mark ) ,
+					    merge_macro_column( $mconnlimit, $connlimit) ,
+					    merge_macro_column( $mtime,      $time ),
+					    merge_macro_column( $mheaders,   $headers ),
+					    merge_macro_column( $mcondition, $condition ),
+					    merge_macro_column( $mhelper,    $helper ),
+					    $wildcard
+		                          );
+
+		set_inline_matches( $save_matches );
+	    }
+	}
 
 	progress_message "   Rule \"$currentline\" $done";
     }
 
     pop_open;
-    #
-    # Clear the inline matches if we are the lowest level macro/inline invocation
-    #
-    set_inline_matches( '' ) if $macro_nest_level == 1;
 
     progress_message "..End Macro $macrofile";
 
@@ -2337,10 +2376,11 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 					 $chainref->{name} ,
 				       );
 
-    my $actionref  = $actions{$inline};
-    my $inlinefile = $actionref->{file};
-    my $options    = $actionref->{options};
-    my $nolog      = $options & NOLOG_OPT;
+    my $actionref    = $actions{$inline};
+    my $inlinefile   = $actionref->{file};
+    my $options      = $actionref->{options};
+    my $nolog        = $options & NOLOG_OPT;
+    my $save_matches = fetch_inline_matches;
 
     setup_audit_action( $inline ) if $options & AUDIT_OPT;
 
@@ -2354,12 +2394,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	my  ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2424,28 +2464,33 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}
 
-	$generated |= process_rule(
-				   $chainref,
-	                           $matches,
-	                           $matches1,
-				   $mtarget,
-				   $param,
-				   $msource,
-				   $mdest,
-				   merge_macro_column( $mproto,     $proto ) ,
-				   merge_macro_column( $mports,     $ports ) ,
-				   merge_macro_column( $msports,    $sports ) ,
-				   merge_macro_column( $morigdest,  $origdest ) ,
-				   merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $muser,      $user ) ,
-				   merge_macro_column( $mmark,      $mark ) ,
-				   merge_macro_column( $mconnlimit, $connlimit) ,
-				   merge_macro_column( $mtime,      $time ),
-				   merge_macro_column( $mheaders,   $headers ),
-				   merge_macro_column( $mcondition, $condition ),
-				   merge_macro_column( $mhelper,    $helper ),
-				   $wildcard
-				  );
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
+		$generated |= process_rule( $chainref,
+					    $matches,
+					    $matches1,
+					    $mtarget,
+					    $param,
+					    $msource,
+					    $mdest,
+					    merge_macro_column( $mp,          $proto ) ,
+					    merge_macro_column( $mports,     $ports ) ,
+					    merge_macro_column( $msports,    $sports ) ,
+					    merge_macro_column( $morigdest,  $origdest ) ,
+					    merge_macro_column( $mrate,      $rate ) ,
+					    merge_macro_column( $mu,         $user ) ,
+					    merge_macro_column( $mmark,      $mark ) ,
+					    merge_macro_column( $mconnlimit, $connlimit) ,
+					    merge_macro_column( $mtime,      $time ),
+					    merge_macro_column( $mheaders,   $headers ),
+					    merge_macro_column( $mcondition, $condition ),
+					    merge_macro_column( $mhelper,    $helper ),
+					    $wildcard
+		                          );
+
+		set_inline_matches( $save_matches );
+	    }
+	}
 
 	progress_message "   Rule \"$currentline\" $done";
     }
@@ -2457,10 +2502,6 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
     progress_message "..End inline action $inlinefile";
 
     pop_action_params( $oldparms );
-    #
-    # Clear the inline matches if we are the lowest level macro/inline invocation
-    #
-    set_inline_matches( '' ) if $macro_nest_level == 1;
 
     return $generated;
 }
@@ -2642,7 +2683,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	    $action   = 'LOG';
 	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
-	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+	    fatal_error "'builtin' actions may only be used in INLINE or IP[6]TABLES rules" if $actiontype == USERBUILTIN;
 	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '' || $actiontype & OPTIONS;
 	}
     }
@@ -2716,7 +2757,22 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		  }
 	      } ,
 
-	      REJECT => sub { $action = 'reject'; } ,
+	      REJECT => sub {
+		  if ( supplied( $param ) ) {
+		      my $option = $reject_options{$param};
+		      fatal_error "Invalid REJECT option ($param)" unless $option;
+		      if ( $option == 2 ) {
+			  #
+			  # tcp-reset
+			  #
+			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
+		      }
+
+		      $action = "REJECT --reject-with $param";
+		  } else {		      
+		      $action = 'reject';
+		  }
+	      },
 
 	      CONTINUE => sub { $action = 'RETURN'; } ,
 
@@ -3029,8 +3085,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	my $generated = process_inline( $basictarget,
 					$chainref,
-					$prerule . $rule . $raw_matches,
-					$matches1,
+					$prerule . $rule,
+					$matches1 . $raw_matches,
 					$loglevel,
 					$target,
 					$param,
@@ -3205,7 +3261,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	if ( $actiontype & ACTION ) {
 	    $action = $actionchain;
-	    $loglevel = '';
+
+	    if ( $actions{$basictarget}{options} & LOGJUMP_OPT ) {
+		$log_action = $basictarget;
+	    } else {
+		$loglevel = '';
+	    }
 	}
 
 	if ( $origdest ) {
@@ -3706,6 +3767,11 @@ sub process_rules() {
 			RELATED_SECTION,     'RELATED',
 			INVALID_SECTION,     'INVALID',
 			UNTRACKED_SECTION,   'UNTRACKED' );
+
+    #
+    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain will already exist.
+    #
+    $usedactions{normalize_action_name( 'A_REJECT' )} = $filter_table->{A_REJECT} if $filter_table->{A_REJECT};
     #
     # Create zone-forwarding chains if required
     #
@@ -3791,6 +3857,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 					 $chainref->{name} );
 
     my $inlinefile = $actions{$inline}{file};
+    my $matches    = fetch_inline_matches;
 
     progress_message "..Expanding inline action $inlinefile...";
 
@@ -3885,6 +3952,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $matches );
     }
 
     pop_comment( $save_comment );

Shorewall/Perl/Shorewall/Zones.pm

@@ -82,6 +82,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interface
 		    known_interface
 		    get_physical
+		    get_logical
 		    physical_name
 		    have_bridges
 		    port_to_bridge
@@ -210,7 +211,6 @@ our %interfaces;
 our %roots;
 our @bport_zones;
 our %ipsets;
-our %physical;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -327,7 +327,6 @@ sub initialize( $$ ) {
     %interfaces = ();
     @bport_zones = ();
     %ipsets = ();
-    %physical = ();
     %basemap = ();
     %basemap1 = ();
     %mapbase = ();
@@ -1311,7 +1310,7 @@ sub process_interface( $$ ) {
 		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
 
-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
 
 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
@@ -1385,21 +1384,23 @@ sub process_interface( $$ ) {
 	$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
     }
 
-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
-						       bridge     => $bridge ,
-						       filter     => $filterref ,
-						       nets       => 0 ,
-						       number     => $nextinum ,
-						       root       => $root ,
-						       broadcasts => $broadcasts ,
-						       options    => \%options ,
-						       zone       => '',
-						       physical   => $physical ,
-						       base       => var_base( $physical ),
-						       zones      => {},
-						       origin     => shortlineinfo( '' ),
-						       wildcard   => $wildcard,
-						     };
+    my $interfaceref = $interfaces{$interface} = { name       => $interface ,
+						   bridge     => $bridge ,
+						   filter     => $filterref ,
+						   nets       => 0 ,
+						   number     => $nextinum ,
+						   root       => $root ,
+						   broadcasts => $broadcasts ,
+						   options    => \%options ,
+						   zone       => '',
+						   physical   => $physical ,
+						   base       => var_base( $physical ),
+						   zones      => {},
+						   origin     => shortlineinfo( '' ),
+						   wildcard   => $wildcard,
+					         };
+
+    $interfaces{$physical} = $interfaceref if $physical ne $interface;
 
     if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
@@ -1570,20 +1571,23 @@ sub known_interface($)
 
 		my $physical = map_physical( $interface, $interfaceref );
 
-		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
-						   bridge   => $interfaceref->{bridge} ,
-						   name     => $i ,
-						   number   => $interfaceref->{number} ,
-						   physical => $physical ,
-						   base     => var_base( $physical ) ,
-						   wildcard => $interfaceref->{wildcard} ,
-						   zones    => $interfaceref->{zones} ,
-						 };
+		$interfaceref =
+		    $interfaces{$interface} =
+		    $interfaces{$physical} = { options  => $interfaceref->{options} ,
+					       bridge   => $interfaceref->{bridge} ,
+					       name     => $i ,
+					       number   => $interfaceref->{number} ,
+					       physical => $physical ,
+					       base     => var_base( $physical ) ,
+					       wildcard => $interfaceref->{wildcard} ,
+					       zones    => $interfaceref->{zones} ,
+		                              };
+		return $interfaceref;
 	    }
 	}
     }
 
-    $physical{$interface} || 0;
+    0;
 }
 
 # 
@@ -1655,12 +1659,19 @@ sub find_interface( $ ) {
 }
 
 #
-# Returns the physical interface associated with the passed logical name
+# Returns the physical interface associated with the passed interface name
 #
 sub get_physical( $ ) {
     $interfaces{ $_[0] }->{physical};
 }
 
+#
+# Returns the logical interface associated with the passed interface name
+#
+sub get_logical( $ ) {
+    $interfaces{ $_[0] }->{name};
+}
+
 #
 # This one doesn't insist that the passed name be the name of a configured interface
 #
@@ -2040,6 +2051,7 @@ sub process_host( ) {
 	    $interface = $1;
 	    $hosts = $2;
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	    $interface = $interfaceref->{name};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
@@ -2053,7 +2065,7 @@ sub process_host( ) {
 
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-
+	$interface = $interfaceref->{name};
 	if ( $interfaceref->{physical} eq $loopback_interface ) {
 	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {

Shorewall/README.txt

@@ -1 +0,0 @@
-This is the Shorewall 4.4 stable branch of Git.

Shorewall/Samples/Universal/shorewall.conf

@@ -192,6 +192,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/Samples/one-interface/shorewall.conf

@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -200,6 +200,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/action.A_Drop

@@ -1,30 +1,25 @@
 #
-# Shorewall version 5 - Drop Action
+# Shorewall -- /usr/share/shorewall/action.A_Drop
 #
-# /usr/share/shorewall/action.A_Drop
+# The audited default DROP common rules
 #
-#	The audited default DROP common rules
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
-# Silently DROP 'auth'
+# Special Handling for Auth
 #
 Auth(A_DROP)
 #

Shorewall/action.A_REJECT

@@ -0,0 +1,41 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+#
+# A_REJECT Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+AUDIT(reject)
+
+?if passed @1
+    ?if @1 =~ /tcp-reset$/
+        ?set reject_proto 6
+    ?else
+        ?set reject_proto ''
+    ?endif
+REJECT(@1)	-	-	$reject_proto
+?else
+REJECT
+?endif

Shorewall/action.A_REJECT!

@@ -0,0 +1,30 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECT!
+#
+# A_REJECT! Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+A_REJECT(@1)

Shorewall/action.A_Reject

@@ -1,20 +1,18 @@
 #
-# Shorewall version 5 - Reject Action
+# Shorewall -- /usr/share/shorewall/action.A_Reject
 #
-# /usr/share/shorewall/action.A_Reject
+# The audited default REJECT action common rules
 #
-#	The audited default REJECT action common rules
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #

Shorewall/action.AutoBL

@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Auto Blacklist Action
+# Shorewall -- /usr/share/shorewall/action.AutoBL
+#
+# Auto Blacklist Action
 #
 # Parameters are:
 #
-#    Event          - Name of the event to associate with this blacklist
-#    Interval
-#    Count          - Interval and number of Packets to trigger blacklisting
-#                     Default is 60 seconds and 5 packets.
-#    Successive     - If a matching packet arrives within this many
-#                     seconds of the preceding one, it should be logged
-#                     and dealt with according to the Disposition and
-#                     Log Level parameters below. Default is 2 seconds.
-#    Blacklist time - Number of seconds to blacklist
-#                     Default is 300 (5 minutes)
-#    Disposition    - Disposition of blacklisted packets
-#                     Default is DROP
-#    Log Level      - Level to Log Rejects
-#                     Default is info (6)
+# Event          - Name of the event to associate with this blacklist
+#                  Interval
+# Count          - Interval and number of Packets to trigger blacklisting
+#                  Default is 60 seconds and 5 packets.
+# Successive     - If a matching packet arrives within this many
+#                  seconds of the preceding one, it should be logged
+#                  and dealt with according to the Disposition and
+#                  Log Level parameters below. Default is 2 seconds.
+# Blacklist time - Number of seconds to blacklist
+#                  Default is 300 (5 minutes)
+# Disposition    - Disposition of blacklisted packets
+#                  Default is DROP
+# Log Level      - Level to Log Rejects
+#                  Default is info (6)
 #
 ###############################################################################
 
@@ -37,7 +39,7 @@ validate_level( $level );
 1;
 ?end perl
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Silently reject the client if blacklisted
 #

Shorewall/action.AutoBLL

@@ -1,13 +1,16 @@
 #
-# Shorewall version 5 - Auto Blacklisting Logger Action
+# Shorewall -- /usr/share/shorewall/action.AutoBLL
+#
+# Auto Blacklisting Logger Action
 #
 # Arguments are
 #
-#    Event:       Name of the blacklisted event
-#    Disposition: What to do with packets
-#    Level:       Log level and optional tag for logging.
+# Event       - Name of the blacklisted event
+# Disposition - What to do with packets
+# Level       - Log level and optional tag for logging
+#
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Log the Reject
 #

Shorewall/action.Broadcast

@@ -1,32 +1,30 @@
 #
-# Shorewall 4 - Broadcast Action
+# Shorewall -- /usr/share/shorewall/action.Broadcast
 #
-#    /usr/share/shorewall/action.Broadcast
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# Complete documentation is available at http://shorewall.net
 #
-#       Complete documentation is available at http://shorewall.net
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Broadcast[([<action>|-[,{audit|-}])]
 #
-#   Broadcast[([<action>|-[,{audit|-}])]
+# Default action is DROP
 #
-#       Default action is DROP
-#
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 

Shorewall/action.DNSAmp

@@ -1,32 +1,33 @@
 #
-# Shorewall 5 - DNS Amplification Action
+# Shorewall -- /usr/share/shorewall/action.DNSAmp
 #
-#    /usr/share/shorewall/action.DNSAmp
+#  DNS Amplification Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   DNSAmp[([<action>])]
+# DNSAmp[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT
 
 DEFAULTS DROP
 

Shorewall/action.Drop

@@ -1,29 +1,27 @@
 #
-# Shorewall version 5 - Drop Action
+# Shorewall -- /usr/share/shorewall/action.Drop
 #
-# /usr/share/shorewall/action.Drop
+# The default DROP common rules
 #
-#	The default DROP common rules
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# The action accepts five optional parameters:
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is to do nothing special
-#	    with them.
-#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+#     with them.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
@@ -39,7 +37,7 @@ DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
 DEFAULTS -,-,DROP,ACCEPT,DROP
 ?endif
 
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
@@ -67,7 +65,7 @@ Invalid(DROP,@1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall/action.DropSmurfs

@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop Smurfs Action
+# Shorewall -- /usr/share/shorewall/action.DropSmurfs
 #
-# /usr/share/shorewall/action.DropSmurfs
+# Drop Smurfs Action
 #
-#   Accepts a single optional parameter:
+# Accepts a single optional parameter:
 #
-#          -     = Do not Audit
-#          audit = Audit dropped packets.
+# -     = Do not Audit
+# audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################
 
 DEFAULTS -
 
@@ -79,8 +79,3 @@ if ( $family == F_IPV4 ) {
 }
 
 ?end perl;
-
-
-
-
-

Shorewall/action.Established

@@ -1,32 +1,32 @@
 #
-# Shorewall 5 - Established Action
+# Shorewall -- /usr/share/shorewall/action.Established
 #
-#    /usr/share/shorewall/action.Established
+# Established Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Established[([<action>])]
+# Established[([<action>])]
 #
-#       Default action is ACCEPT
+# Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS ACCEPT
 

Shorewall/action.GlusterFS

@@ -1,13 +1,14 @@
 #
-# Shorewall version 5 - GlusterFS Handler for GlusterFS 3.4 and Later
+# Shorewall -- /usr/share/shorewall/action.GlusterFS
 #
-# /etc/shorewall/action.GlusterFS
+# GlusterFS Handler for GlusterFS 3.4 and Later
 #
 # Parameters:
-#	Bricks:		Number of bricks
-#	IB:		0 or 1, indicating whether Infiniband is used or not
 #
-#########################################################################################
+# Bricks - Number of bricks
+# IB     - 0 or 1, indicating whether Infiniband is used or not
+#
+###############################################################################
 
 DEFAULTS 2,0
 
@@ -17,8 +18,8 @@ DEFAULTS 2,0
     ?error Invalid value for IB (@2)
 ?endif
 
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#ACTION		SOURCE		DEST		PROTO	DPORT
+
 ACCEPT		-		-		udp	111,2049
 ACCEPT		-		-		tcp	38465:38467
 
@@ -31,4 +32,3 @@ ACCEPT		-		-		tcp	24007
 ?set last_port 49150 + @{1}
 
 ACCEPT		-		-		tcp	49151:$last_port
-

Shorewall/action.IfEvent

@@ -1,34 +1,38 @@
 #
-# Shorewall version 5 - Perform an Action based on a Event
+# Shorewall -- /usr/share/shorewall/action.IfEvent
 #
-# /etc/shorewall/action.IfEvent
+# Perform an Action based on a Event
 #
 # Parameters:
-#    Event:        Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:       Anything that can appear in the ACTION column of a rule.
-#    Duration:     Duration in seconds over which the event is to be tested.
-#    Hit Count:    Number of packets seen within the duration -- default is 1
-#    Src or Dest:  'src' (default) or 'dst'. Determines if the event is associated with the source
-#                  address (src) or destination address (dst)
-#    Command:      'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
-#                  the Action is taken. If 'update', the timestamp associated with the event will
-#                  be updated and the action taken if the time limit/hitcount are matched.
-#                  If '-', the action will be taken if the limit/hitcount are matched but the
-#                  event's timestamp will not be updated.
 #
-#                  If a duration is specified, then 'checkreap' and 'updatereap' may also
-#                  be used. These are like 'check' and 'update' respectively, but they also
-#                  remove any event entries for the IP address that are older than <duration>
-#                  seconds.
-#    Disposition:  Disposition for any event generated.
+# Event        - Must start with a letter and be composed of letters, digits,
+#                '-', and '_'.
+# Action       - Anything that can appear in the ACTION column of a rule.
+# Duration     - Duration in seconds over which the event is to be tested.
+# Hit Count    - Number of packets seen within the duration -- default is 1
+# Src or Dest  - 'src' (default) or 'dst'. Determines if the event is
+#                associated with the source address (src) or destination
+#                address (dst)
+# Command      - 'check' (default) 'reset', or 'update'. If 'reset',
+#                the event will be reset before the Action is taken.
+#                If 'update', the timestamp associated with the event will
+#                be updated and the action taken if the time limit/hitcount
+#                are matched.
+#                If '-', the action will be taken if the limit/hitcount are
+#                matched but the event's timestamp will not be updated.
+#
+#                If a duration is specified, then 'checkreap' and 'updatereap'
+#                may also be used. These are like 'check' and 'update'
+#                respectively, but they also remove any event entries for
+#                the IP address that are older than <duration> seconds.
+# Disposition  - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
+###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT
 
 DEFAULTS -,ACCEPT,-,1,src,check,-
 

Shorewall/action.Invalid

@@ -1,35 +1,35 @@
 #
-# Shorewall 4 - Invalid Action
+# Shorewall -- /usr/share/shorewall/action.Invalid
 #
-#    /usr/share/shorewall/action.Invalid
+# Invalid Action
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# Complete documentation is available at http://shorewall.net
 #
-#       Complete documentation is available at http://shorewall.net
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Invalid[([<action>])]
 #
-#   Invalid[([<action>])]
+# Default action is DROP
 #
-#       Default action is DROP
-#
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 
 #
-# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
+# All logic for this action is triggered by the 'audit' and 'state' options
+# in actions.std
 #

Shorewall/action.New

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - New Action
+# Shorewall -- /usr/share/shorewall/action.New
 #
-#    /usr/share/shorewall/action.New
+# New Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   New[([<action>])]
+# New[([<action>])]
 #
-#       Default action is ACCEPT
+# Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS ACCEPT
 

Shorewall/action.NotSyn

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - NotSyn Action
+# Shorewall -- /usr/share/shorewall/action.NotSyn
 #
-#    /usr/share/shorewall/action.NotSyn
+# NotSyn Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>])]
+# NotSyn[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 

Shorewall/action.RST

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - RST Action
+# Shorewall -- /usr/share/shorewall/action.RST
 #
-#    /usr/share/shorewall/action.RST
+# RST Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>])]
+# RST[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 

Shorewall/action.Reject

@@ -1,29 +1,27 @@
 #
-# Shorewall version 5 - Reject Action
+# Shorewall -- /usr/share/shorewall/action.Reject
 #
-# /usr/share/shorewall/action.Reject
+# The default REJECT action common rules
 #
-#	The default REJECT action common rules
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# The action accepts five optional parameters:
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is to do nothing
-#	    special with them.
-#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing
+#     special with them.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
@@ -38,7 +36,7 @@ DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
 DEFAULTS -,-,REJECT,ACCEPT,DROP
 ?endif
 
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #

Shorewall/action.Related

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - Related Action
+# Shorewall -- /usr/share/shorewall/action.Related
 #
-#    /usr/share/shorewall/action.Related
+# Related Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Related[([<action>])]
+# Related[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP
 

Shorewall/action.ResetEvent

@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Reset an Event
+# Shorewall -- /etc/shorewall/action.ResetEvent
 #
-# /etc/shorewall/action.ResetEvent
+# Reset an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any rule generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any rule generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+###############################################################################
+#                        DO NOT REMOVE THE FOLLOWING LINE
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 
 DEFAULTS -,ACCEPT,src,-
 

Shorewall/action.SetEvent

@@ -1,14 +1,17 @@
 #
-# Shorewall version 5 - Set an Event
+# Shorewall -- /usr/share/shorewall/action.SetEvent
 #
-# /etc/shorewall/action.SetEvent
+# Set an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any event generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #

Shorewall/action.TCPFlags

@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop TCPFlags Action
+# Shorewall -- /usr/share/shorewall/action.TCPFlags
 #
-# /usr/share/shorewall/action.TCPFlags
+# Drop TCPFlags Action
 #
-#   Accepts a single optional parameter:
+# Accepts a single optional parameter:
 #
-#          -     = Do not Audit
-#          audit = Audit dropped packets.
+# -     = Do not Audit
+# audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################
 
 DEFAULTS -
 

Shorewall/action.Untracked

@@ -1,32 +1,33 @@
 #
-# Shorewall 4 - Untracked Action
+# Shorewall --/usr/share/shorewall/action.Untracked
 #
-#    /usr/share/shorewall/action.Untracked
+# Untracked Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+# Untracked[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
+
 DEFAULTS DROP
 
 #

Shorewall/action.allowInvalid

@@ -1,30 +1,28 @@
-\#
-# Shorewall 4 - allowInvalid Action
 #
-#    /usr/share/shorewall/action.allowInvalid
+# Shorewall -- /usr/share/shorewall/action.allowInvalid
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   allowInvalid[([audit])]
+#  allowInvalid[([audit])]
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS -
 

Shorewall/action.dropInvalid

@@ -1,32 +1,30 @@
 #
-# Shorewall 5 - dropInvalid Action
+# Shorewall -- /usr/share/shorewall/action.dropInvalid
 #
-#    /usr/share/shorewall/action.dropInvalid
+# dropInvalid Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   dropInvalid[([audit])]
+# dropInvalid[([audit])]
 #
-##########################################################################################
-
-DEFAULTS -
+###############################################################################
 
 DEFAULTS -
 

Shorewall/action.mangletemplate

@@ -1,20 +1,20 @@
 #
-# Shorewall version 5 - Mangle Action Template
+# Shorewall -- /etc/shorewall/action.mangletemplate
 #
-# /etc/shorewall/action.mangletemplate
+# Mangle Action Template
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined with the mangle option in /etc/shorewall/actions.
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined with the mangle option in /etc/shorewall/actions.
 #
-#	To define a new action:
+# To define a new action:
 #
-#	1. Add the <action name> to /etc/shorewall/actions with the mangle option
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
+# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional
+# information.
 #
 # Columns are the same as in /etc/shorewall/mangle.
 #

Shorewall/action.template

@@ -1,20 +1,20 @@
 #
-# Shorewall version 5 - Action Template
+# Shorewall -- /usr/share/shorewall/action.template
 #
-# /etc/shorewall/action.template
+# Action Template
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined in /etc/shorewall/actions.
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined in /etc/shorewall/actions.
 #
-#	To define a new action:
+# To define a new action:
 #
-#	1. Add the <action name> to /etc/shorewall/actions
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
+# 1. Add the <action name> to /etc/shorewall/actions
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional
+# information.
 #
 # Columns are the same as in /etc/shorewall/rules.
 #

Shorewall/actions.std

@@ -11,7 +11,6 @@
 ?if 0
 A_ACCEPT                        # Audits then accepts a connection request
 A_DROP                          # Audits then drops a connection request
-A_REJECT		        # Audits then drops a connection request
 allowBcast		        # Silently Allow Broadcast/multicast
 dropBcast		        # Silently Drop Broadcast/multicast
 dropNotSyn		        # Silently Drop Non-syn TCP packets
@@ -23,6 +22,8 @@ Limit                           # Limit the rate of connections from each indivi
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
 A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds

Shorewall/configfiles/shorewall.conf

@@ -194,6 +194,8 @@ MAPOLDACTIONS=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX=ko
 
 MULTICAST=No

Shorewall/manpages/shorewall-mangle.xml

@@ -390,7 +390,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>

Shorewall/manpages/shorewall-rules.xml

@@ -672,11 +672,37 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
+              <term><emphasis
+              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
 
               <listitem>
                 <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
+                an RST packet. If no option is passed, Shorewall selects the
+                appropriate option based on the protocol of the packet.</para>
+
+                <para>Beginning with Shorewall 5.0.8, the type of reject may
+                be specified in the <replaceable>option</replaceable>
+                paramater. Valid <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp-net-unreachable</option></member>
+
+                  <member><option>icmp-host-unreachable</option></member>
+
+                  <member><option>i</option><option>cmp-port-unreachable</option></member>
+
+                  <member><option>icmp-proto-unreachable</option></member>
+
+                  <member><option>icmp-net-prohibited</option></member>
+
+                  <member><option>icmp-host-prohibited</option></member>
+
+                  <member><option>icmp-admin-prohibited</option></member>
+
+                  <member><option>icmp-tcp-reset</option> (the PROTO column
+                  must specify TCP)</member>
+                </simplelist>
               </listitem>
             </varlistentry>
 
@@ -1441,7 +1467,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall/manpages/shorewall.conf.xml

@@ -998,7 +998,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 
@@ -1548,6 +1548,18 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1636,7 +1648,7 @@ LOG:info:,bar                        net                    fw</programlisting>
 
       <varlistentry>
         <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
         role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
 
         <listitem>
@@ -1647,6 +1659,10 @@ LOG:info:,bar                        net                    fw</programlisting>
           where <emphasis role="bold">uname</emphasis> holds the output of
           '<command>uname -r</command>' and <emphasis
           role="bold">g_family</emphasis> holds '4'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
         </listitem>
       </varlistentry>
 

Shorewall/modules.essential

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Essential Modules File
+# Shorewall -- /usr/share/shorewall/modules.essential
 #
-# /usr/share/shorewall/modules.essential
+# Essential Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 #

Shorewall/modules.extensions

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Extensions Modules File
+# Shorewall -- /usr/share/shorewall/modules.extensions
 #
-# /usr/share/shorewall/modules.extensions
+# Extensions Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule ipt_addrtype

Shorewall/modules.ipset

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - IP Set Modules File
+# Shorewall -- /usr/share/shorewall/modules.ipset
 #
-# /usr/share/shorewall/modules.ipset
+# IP Set Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_set

Shorewall/modules.tc

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Traffic Shaping Modules File
+# Shorewall -- /usr/share/shorewall/modules.tc
 #
-# /usr/share/shorewall/modules.tc
+# Traffic Shaping Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule sch_sfq

Shorewall/modules.xtables

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Xtables Modules File
+# Shorewall -- /usr/share/shorewall/modules.xtables
 #
-# /usr/share/shorewall/modules.xtables
+# Xtables Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_AUDIT

Shorewall6-lite/README.txt

@@ -1 +0,0 @@
-This is the Shorewall6-lite stable 4.4 branch of Git.

Shorewall6/README.txt

@@ -1 +0,0 @@
-This is the Shorewall6 stable 4.4 branch of Git.

Shorewall6/action.A_AllowICMPs

@@ -1,13 +1,11 @@
 #
-# Shorewall6 version 5 - Audited AllowICMPs Action
+# Shorewall6 -- /usr/share/shorewall6/action.A_AllowICMPs
 #
-# /usr/share/shorewall6/action.A_AllowICMPs
-#
-#	This action A_ACCEPTs needed ICMP types
+# This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
-#TARGET		SOURCE		DEST	PROTO		DEST
-#							PORT(S)
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
 ?comment Needed ICMP types (RFC4890)
 
 A_ACCEPT	-		-	ipv6-icmp	destination-unreachable

Shorewall6/action.A_Drop

@@ -1,52 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Drop Action
-#
-# /usr/share/shorewall6/action.ADrop
-#
-#	The Audited default DROP common rules
-#
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-#TARGET			SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Reject 'auth'
-#
-Auth(A_REJECT)
-#
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs		-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep

Shorewall6/action.A_Reject

@@ -1,50 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Reject Action
-#
-# /usr/share/shorewall6/action.A_Reject
-#
-#	The audited default REJECT action common rules
-#
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#TARGET			SOURCE	DEST	PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-A_AllowICMPs		-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep

Shorewall6/action.AllowICMPs

@@ -1,13 +1,10 @@
 #
-# Shorewall6 version 5 - AllowICMPs Action
+# Shorewall6 -- /usr/share/shorewall6/action.AllowICMPs
 #
-# /usr/share/shorewall6/action.AllowICMPs
-#
-#	This action ACCEPTs needed ICMP types
+# This action ACCEPTs needed ICMP types
 #
 ###############################################################################
-#TARGET	SOURCE		DEST	PROTO		DEST
-#						PORT(S)
+#ACTION	SOURCE		DEST	PROTO		DPORT
 
 DEFAULTS ACCEPT
 

Shorewall6/action.Broadcast

@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - Multicast/Anycast Action
+# Shorewall6 -- /usr/share/shorewall6/action.Broadcast
 #
-#    /usr/share/shorewall/action.Broadcast
+# Multicast/Anycast IPv6 Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Broadcast[([<action>|-[,{audit|-}])]
+# Broadcast[([<action>|-[,{audit|-}])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
 
 DEFAULTS DROP,-
 

Shorewall6/action.Drop

@@ -1,78 +0,0 @@
-#
-# Shorewall6 version 5 - Drop Action
-#
-# /usr/share/shorewall6/action.Drop
-#
-#	The default DROP common rules
-#
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-
-?if passed($1)
-    ?if $1 eq 'audit'
-DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,REJECT,DROP,ACCEPT,DROP
-?endif
-
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Reject 'auth'
-#
-?if passed($2)
-Auth($2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs($4)	-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,$1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)

Shorewall6/action.Reject

@@ -1,76 +0,0 @@
-#
-# Shorewall6 version 5 - Reject Action
-#
-# /usr/share/shorewall6/action.Reject
-#
-#	The default REJECT action common rules
-#
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
-?endif
-
-#TARGET		SOURCE	DEST	PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-?if passed($2)
-Auth($2)
-?endif
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-AllowICMPs($4)	-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,$1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)

Shorewall6/action.mangletemplate

@@ -1,20 +1,17 @@
 #
-# Shorewall version 5 - Mangle Action Template
+# Shorewall6 -- /usr/share/shorewall6/action.mangletemplate
 #
-# /etc/shorewall6/action.mangletemplate
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined with the mangle option in /etc/shorewall/actions.
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined with the mangle option in /etc/shorewall/actions.
+# To define a new action:
 #
-#	To define a new action:
+# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
+# 2. Copy this file to /etc/shorewall6/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	1. Add the <action name> to /etc/shorewall6/actions with the mangle option
-#	2. Copy this file to /etc/shorewall6/action.<action name>
-#	3. Add the desired rules to that file.
-#
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional information.
 #
 # Columns are the same as in /etc/shorewall6/mangle.
 #

Shorewall6/action.template

@@ -1,25 +1,21 @@
 #
-# Shorewall version 5 - Action Template
+# Shorewall6 -- /usr/share/shorewall6/action.template
 #
-# /etc/shorewall6/action.template
+# Action Template
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined in /etc/shorewall/actions.
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined in /etc/shorewall/actions.
 #
-#	To define a new action:
+# To define a new action:
 #
-#	1. Add the <action name> to /etc/shorewall/actions
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
+# 1. Add the <action name> to /etc/shorewall/actions
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional information.
 #
 # Columns are the same as in /etc/shorewall6/rules.
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#####################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER

Shorewall6/lib.base

@@ -1,24 +1,24 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall6/lib.base
+# Shorewall -- /usr/share/shorewall6/lib.base
 #
-#     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is part of Shorewall.
+# This program is part of Shorewall.
 #
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 2 of the license or, at your
+# option, any later version.
 #
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components.
 

Shorewall6/manpages/shorewall6-mangle.xml

@@ -401,7 +401,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>

Shorewall6/manpages/shorewall6-rules.xml

@@ -673,11 +673,37 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
+              <term><emphasis
+              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
 
               <listitem>
                 <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
+                an RST packet. If no option is passed, Shorewall selects the
+                appropriate option based on the protocol of the packet.</para>
+
+                <para>Beginning with Shorewall 5.0.8, the type of reject may
+                be specified in the <replaceable>option</replaceable>
+                paramater. Valid <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp6-no-route</option></member>
+
+                  <member><option>no-route</option></member>
+
+                  <member><option>i</option><option>cmp6-adm-prohibited</option></member>
+
+                  <member><option>adm-prohibited</option></member>
+
+                  <member><option>icmp6-addr-unreachable</option></member>
+
+                  <member><option>addr-unreach</option></member>
+
+                  <member><option>icmp6-port-unreachable</option></member>
+
+                  <member><option>tcp-reset</option> (the PROTO column must
+                  specify TCP)</member>
+                </simplelist>
               </listitem>
             </varlistentry>
 
@@ -1306,7 +1332,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall6/manpages/shorewall6.conf.xml

@@ -846,7 +846,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 
@@ -1436,7 +1436,7 @@ LOG:info:,bar                        net                    fw</programlisting>
 
       <varlistentry>
         <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
         role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
 
         <listitem>
@@ -1447,6 +1447,10 @@ LOG:info:,bar                        net                    fw</programlisting>
           where <emphasis role="bold">uname</emphasis> holds the output of
           '<command>uname -r</command>' and <emphasis
           role="bold">g_family</emphasis> holds '6'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/modules.essential

@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Essential Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.essential
 #
-# /usr/share/shorewall6/modules.essential
+# Essential Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule nfnetlink

Shorewall6/modules.extensions

@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Extensions Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.extension
 #
-# /usr/share/shorewall6/modules.extension
+# Extensions Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule ip6_queue

Shorewall6/modules.ipset

@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - IP Set Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.ipset
 #
-# /usr/share/shorewall6/modules.ipset
+# IP Set Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall6 and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall6 and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_set

Shorewall6/modules.tc

@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Traffic Shaping Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.tc
 #
-# /usr/share/shorewall6/modules.tc
+# Traffic Shaping Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule sch_sfq

Shorewall6/modules.xtables

@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Xtables Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.xtables
 #
-# /usr/share/shorewall6/modules.xtables
+# Xtables Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_AUDIT

docs/IPv6Support.xml

@@ -202,23 +202,6 @@
     Shorewall with some notable exceptions:</para>
 
     <variablelist>
-      <varlistentry>
-        <term>No NAT</term>
-
-        <listitem>
-          <para>In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't
-          support any form of NAT). Most people consider this to be a giant
-          step forward.</para>
-
-          <para>When an ISP assigns you an IPv6 address, you are actually
-          assigned an IPv6 <firstterm>prefix</firstterm> (similar to a
-          subnet). A 64-bit prefix defines a subnet with 4 billion hosts
-          squared (the size of the IPv4 address space squared). Regardless of
-          the length of your prefix, you get to assign local addresses within
-          that prefix.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>Default Zone Type</term>
 

docs/ProxyARP.xml

@@ -331,7 +331,7 @@ shorewall start</programlisting>
     in /etc/shorewall6/proxyndp is required:</para>
 
     <programlisting>#ADDRESS	          INTERFACE    EXTERNAL    HAVEROUTE    PERSISTENT
-2001:470:b:227::44 -            eth1        Yes</programlisting>
+2001:470:b:227::44        -            eth1        Yes</programlisting>
 
     <para>A practical application is shown in the Linux <ulink
     url="Vserver.html#NDP">Vserver article</ulink>.</para>

docs/support.xml

@@ -85,7 +85,7 @@
     problem reporting process. It will ensure that you provide us with the
     information we need to solve your problem as quickly as possible.</para>
 
-    <graphic align="center" fileref="images/Troubleshoot.png" />
+    <graphic align="center" fileref="images/Troubleshoot.png"/>
 
     <orderedlist>
       <important>
@@ -126,12 +126,10 @@
 
           <para>If that didn't solve your problem, then please</para>
 
-          <programlisting><command>/sbin/shorewall trace start 2&gt; /tmp/trace</command></programlisting>
+          <programlisting><command>/sbin/shorewall trace start &gt; /tmp/trace 2&gt;&amp;1</command></programlisting>
 
           <para>Forward the <filename>/tmp/trace</filename> file as an
-          attachment compressed with gzip or bzip2 (If you are running
-          Shorewall-perl, there is no need to compress the file — it will be
-          very short).</para>
+          attachment compressed with gzip or bzip2.</para>
 
           <para>If compilation succeeds but the compiled program fails, then
           please include the compiled program with your report. The compiled
@@ -203,7 +201,7 @@
         message produced by Shorewall is "done.":</para>
 
         <blockquote>
-          <para></para>
+          <para/>
 
           <programlisting>…
 Activating Rules...