Clear inline matches between calls to process_rule()

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -922,10 +922,23 @@ show_events() {
 }
 
 show_actions() {
+    echo "A_ACCEPT                        # Audit and accept the connection"
+    echo "A_DROP                          # Audit and drop the connection"
+    echo "A_REJECT                        # Audit and reject the connection "
+    echo "allowBcast                      # Silently Allow Broadcast/multicast"
+    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
+    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
+    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+    echo "dropBcast                       # Silently Drop Broadcast/multicast"
+    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
+    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
+    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
+    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
+
     if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
     else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
     fi
 }
 

Shorewall/Perl/Shorewall/Accounting.pm

@@ -59,21 +59,21 @@ our $acctable;
 #
 
 use constant {
-	      LEGACY_SECTION      => 0,
+	      LEGACY      => 0,
-	      PREROUTING_SECTION  => 1,
+	      PREROUTING  => 1,
-	      INPUT_SECTION       => 2,
+	      INPUT       => 2,
-	      OUTPUT_SECTION      => 3,
+	      OUTPUT      => 3,
-	      FORWARD_SECTION     => 4,
+	      FORWARD     => 4,
-	      POSTROUTING_SECTION => 5
+	      POSTROUTING => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING_SECTION,
+our %asections = ( PREROUTING  => PREROUTING,
-		   INPUT       => INPUT_SECTION,
+		   INPUT       => INPUT,
-		   FORWARD     => FORWARD_SECTION,
+		   FORWARD     => FORWARD,
-		   OUTPUT      => OUTPUT_SECTION,
+		   OUTPUT      => OUTPUT,
-		   POSTROUTING => POSTROUTING_SECTION
+		   POSTROUTING => POSTROUTING
 		 );
 
 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
     $jumpchainref = 0;
 
-    $asection = LEGACY_SECTION if $asection < 0;
+    $asection = LEGACY if $asection < 0;
 
     our $disposition = '';
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -138,17 +138,6 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
-				       PREROUTING
-				       INPUT
-				       FORWARD
-				       OUTPUT
-				       POSTROUTING
-				       ALLCHAINS
-				       STICKY
-				       STICKO
-				       REALPREROUTING
-				       ACTIONCHAIN
-
 				       unreachable_warning
 				       state_match
 				       state_imatch
@@ -199,7 +188,6 @@ our %EXPORT_TAGS = (
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
-				       new_action_chain
 				       new_builtin_chain
 				       new_nat_chain
 				       optimize_chain
@@ -337,10 +325,6 @@ our $VERSION = 'MODULEVERSION';
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
-#                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
-#                                               allowedchains
-#                                                            => Mangle action chains only -- specifies the set of builtin chains where
-#                                                               this action may be used.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -472,22 +456,6 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
 	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
-#
-# Mangle Table allowed chains enumeration
-#
-use constant {
-    PREROUTING     => 1,        #Actually tcpre
-    INPUT          => 2,        #Actually tcin
-    FORWARD        => 4,        #Actually tcfor
-    OUTPUT         => 8,        #Actually tcout
-    POSTROUTING    => 16,       #Actually tcpost
-    ALLCHAINS      => 31,
-    STICKY         => 32,
-    STICKO         => 64,
-    REALPREROUTING => 128,
-    ACTIONCHAIN    => 256,
-};
-
 #
 # Possible IPSET options
 #
@@ -647,7 +615,7 @@ our %ipset_exists;
 #                    => CMD_MODE if the rule contains a shell command or if it
 #                                part of a loop or conditional block. If it is a
 #                                shell command, the text of the command is in
-#                                the cmd member
+#                                the cmd
 #         cmd        => Shell command, if mode == CMD_MODE and cmdlevel == 0
 #         cmdlevel   => nesting level within loops and conditional blocks.
 #                       determines indentation
@@ -936,7 +904,7 @@ sub set_rule_option( $$$ ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
 	    # The first will have a modifier like '! --syn' while the second will not.  We want to retain
-	    # the first one.
+	    # the first while 
 	    if ( $option eq 'p' ) {
 		my ( $proto ) = split( ' ', $ruleref->{p} );
 		return if $proto eq $value;
@@ -2357,7 +2325,6 @@ sub new_chain($$)
 		     filtered       => 0,
 		     optflags       => 0,
 		     origin         => shortlineinfo( '' ),
-		     restriction    => NO_RESTRICT,
 		   };
 
     trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2771,13 +2738,6 @@ sub new_standard_chain($) {
     $chainref;
 }
 
-sub new_action_chain($$) {
-    my $chainref = &new_chain( @_ );
-    $chainref->{referenced} = 1;
-    $chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
-    $chainref;
-}
-
 sub new_nat_chain($) {
     my $chainref = new_chain 'nat' ,$_[0];
     $chainref->{referenced} = 1;
@@ -2908,42 +2868,40 @@ sub initialize_chain_table($) {
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
-		    'ADD'             => STANDARD + SET,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
+		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
+		    'DROP'            => STANDARD,
+		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
+		    'REJECT'          => STANDARD + OPTIONS,
+		    'REJECT!'         => STANDARD + OPTIONS,
 		    'A_REJECT'        => STANDARD + AUDIT,
 		    'A_REJECT!'       => STANDARD + AUDIT,
-		    'NONAT'           => STANDARD + NONAT  + NATONLY,
+		    'DNAT'            => NATRULE  + OPTIONS,
-		    'CONNMARK'        => STANDARD + OPTIONS,
+		    'DNAT-'           => NATRULE  + NATONLY,
+		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
+		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
+		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
-		    'DEL'             => STANDARD + SET,
+		    'QUEUE'           => STANDARD + OPTIONS,
-		    'DNAT'            => NATRULE  + OPTIONS,
+		    'QUEUE!'          => STANDARD,
-		    'DNAT-'           => NATRULE  + NATONLY,
-		    'DROP'            => STANDARD,
-		    'DROP!'           => STANDARD,
-		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
-		    'INLINE'          => INLINERULE,
-		    'IPTABLES'        => IPTABLES,
-		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
-		    'MARK'            => STANDARD + OPTIONS,
 		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
 		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
 		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'QUEUE'           => STANDARD + OPTIONS,
-		    'QUEUE!'          => STANDARD,
-		    'REJECT'          => STANDARD + OPTIONS,
-		    'REJECT!'         => STANDARD + OPTIONS,
-		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
-		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
-		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'ADD'             => STANDARD + SET,
+		    'DEL'             => STANDARD + SET,
 		    'WHITELIST'       => STANDARD,
+		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
+		    'INLINE'          => INLINERULE,
+		    'IPTABLES'        => IPTABLES,
+		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );
 
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3043,12 +3001,6 @@ sub initialize_chain_table($) {
 	    $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
 	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	}
-
-	$mangle_table->{PREROUTING}{chainnumber}    = PREROUTING;
-	$mangle_table->{INPUT}{chainnumber}         = INPUT;
-	$mangle_table->{OUTPUT}{chainnumber}        = OUTPUT;
-	$mangle_table->{FORWARD}{chainnumber}       = FORWARD;
-	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
     }
 
     if ( my $docker = $config{DOCKER} ) {
@@ -4517,7 +4469,7 @@ sub clearrule() {
 sub state_match( $ ) {
     my $state = shift;
 
-    if ( $state eq 'ALL' || $state eq '-' ) {
+    if ( $state eq 'ALL' ) {
 	''
     } else {
 	have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -7539,7 +7491,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 	log_irule_limit( $loglevel ,
 			 $echainref ,
 			 $chain ,
-			 $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+			 $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 			 [] ,
 			 $logtag ,
 			 'add' ,
@@ -7586,7 +7538,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 
     my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
        ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
-    my  $chain = $actparams{chain} || $chainref->{name};
+    my  $chain = $actparms{chain} || $chainref->{name};
     my $table = $chainref->{table};
     my ( $jump, $mac,  $targetref, $basictarget );
     our @ends = ();
@@ -7748,7 +7700,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
+			    add_expanded_jump( $chainref, $targetref , 0, $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -7760,22 +7712,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 				       $loglevel ,
 				       $chainref ,
 				       $chain,
-				       $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+				       $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 				       '' ,
 				       $logtag ,
 				       'add' ,
-				       $prerule . $matches
+				       $matches
 				      );
 		    } elsif ( $logname || $basictarget eq 'RETURN' ) {
 			log_rule_limit(
 				       $loglevel ,
 				       $chainref ,
 				       $logname || $chain,
-				       $actparams{disposition} || $disposition,
+				       $actparms{disposition} || $disposition,
 				       '',
 				       $logtag,
 				       'add',
-				       $prerule . $matches );
+				       $matches );
 
 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref, 0, $matches );
@@ -7792,10 +7744,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 						     $loglevel,
 						     $logtag,
 						     $exceptionrule,
-						     $actparams{disposition} || $disposition,
+						     $actparms{disposition} || $disposition,
 						     $target ),
 					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
-					   $prerule . $matches );
+					   $matches );
 		    }
 
 		    conditional_rule_end( $chainref ) if $cond3;
@@ -8623,20 +8575,18 @@ sub preview_netfilter_load() {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode1;
+			enter_cmd_mode;
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			print "\n";
+			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			enter_cmd_mode;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			print "\n";
+			enter_cat_mode;
-			enter_cat_mode1;
 		    } else {		    
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( ":$name - [0:0]" );
-			print( ":$name - [0:0]\n" );
 		    }
 		} else {
-		    print( ":$name - [0:0]\n" );
+		    print( ":$name - [0:0]" );
 		}
 
 		push @chains, $chainref;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 
 	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}
 
     }

Shorewall/Perl/Shorewall/Config.pm

@@ -139,7 +139,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       push_action_params
 				       pop_action_params
 				       default_action_params
-                                       setup_audit_action
 				       read_a_line
 				       which
 				       qt
@@ -186,7 +185,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_enabled
 				       %helpers_aliases
 
-				       %actparams
+				       %actparms
 
                                        PARMSMODIFIED
                                        USEDCALLER
@@ -553,7 +552,7 @@ our %compiler_params;
 #
 # Action parameters
 #
-our %actparams;
+our %actparms;
 our $parmsmodified;
 our $usedcaller;
 our $inline_matches;
@@ -671,13 +670,6 @@ our %variables; # Symbol table for expanding shell variables
 
 our $section_function; #Function Reference for handling ?section
 
-our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
-
-#
-# Files located via find_file()
-#
-our %filecache;
-
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -1069,7 +1061,7 @@ sub initialize( $;$$) {
 
     %compiler_params = ();
 
-    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
     $parmsmodified = 0;
     $usedcaller    = 0;
 
@@ -1477,9 +1469,9 @@ sub hex_value( $ ) {
 # Strip off superfluous leading zeros from a hex number
 #
 sub normalize_hex( $ ) {
-    my $val = lc $_[0];
+    my $val = lc shift;
 
-    $val =~ s/^0+/0/;
+    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
     $val;
 }
 
@@ -1908,10 +1900,6 @@ sub find_file($)
 
     return $filename if $filename =~ '/';
 
-    my $file = $filecache{$filename};
-
-    return $file if $file;
-
     for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
@@ -2162,12 +2150,6 @@ sub supplied( $ ) {
     defined $val && $val ne '';
 }
 
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 #
 # Pre-process a line from a configuration file.
 
@@ -2524,49 +2506,20 @@ sub join_parts( $$$ ) {
 }
 
 #
-# Declare passed() in Shorewall::User
+# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
 #
-sub declare_passed() {
+sub evaluate_expression( $$$ ) {
-    my $result = ( eval q(package Shorewall::User;
+    my ( $expression , $filename , $linenumber ) = @_;
-                          use strict;
-                          sub passed( $ ) {
-                              my $val = shift;
-                              defined $val && $val ne '' && $val ne '-';
-                          }
-
-                          1;) );
-    assert( $result, $@ );
-}
-
-#
-# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
-#
-sub evaluate_expression( $$$$ ) {
-    my ( $expression , $filename , $linenumber, $just_expand ) = @_;
     my $val;
     my $count = 0;
-    my $chain = $actparams{chain};
+    my $chain = $actparms{chain};
-
-    #                     $1                   $2
-    if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
-	my $val = passed($actparams{$2});
-
-	return $1 ? ! $val : $val unless $debug;
-
-	$val = $1 ? ! $val : $val;
-
-	print "EXPR=> '$val'\n" if $debug;
-
-	return $val;
-    }
-
     #                         $1      $2   $3                     -     $4
     while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
-	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
+	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
 	} else {
 	    $val = ( exists $variables{$var} ? $variables{$var} :
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
@@ -2581,7 +2534,7 @@ sub evaluate_expression( $$$$ ) {
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
-	    $val = $var ? $actparams{$var} : $chain;
+	    $val = $var ? $actparms{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2612,19 +2565,13 @@ sub evaluate_expression( $$$$ ) {
 
     print "EXPR=> $expression\n" if $debug;
 
-    if ( $just_expand || $expression =~ /^\d+$/ ) {
+    if ( $expression =~ /^\d+$/ ) {
 	$val = $expression
     } else {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-
+	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
-	declare_passed unless $evals++;
-
-	$val = eval qq(package Shorewall::User;
-                       use strict;
-                       # line $linenumber "$filename"
-                       $expression);
 
 	unless ( $val ) {
 	    directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
@@ -2655,7 +2602,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -2673,7 +2620,7 @@ sub process_compiler_directive( $$$$ ) {
     my %directives =
 	( IF => sub() {
 	    directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
-	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
+	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
 	    push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	    $omitting = $nextomitting;
 	  } ,
@@ -2685,7 +2632,7 @@ sub process_compiler_directive( $$$$ ) {
 		  #
 		  # We can only change to including if we were previously omitting
 		  #
-		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
+		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
 		  $included = ! $omitting;
 	      } else {
 		  #
@@ -2721,17 +2668,15 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2;
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      my $val = $actparams{$var} = evaluate_expression ( $expression,
+		      my $val = $actparms{$var} = evaluate_expression ( $expression,
 									$filename,
-									$linenumber,
+									$linenumber );
-									0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
-							    $linenumber,
+							    $linenumber );
-							    0 );
 		  }
 	      }
 	  } ,
@@ -2755,12 +2700,12 @@ sub process_compiler_directive( $$$$ ) {
 		  if ( ( $1 || '' ) eq '@' ) {
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      if ( exists $actparams{$var} ) {
+		      if ( exists $actparms{$var} ) {
 			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
-			      $actparams{$var} = '';
+			      $actparms{$var} = '';
 			  } else {
-			      delete $actparams{$var}
+			      delete $actparms{$var}
 			  }
 		      } else {
 			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
@@ -2791,16 +2736,8 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
 		  }
 	      }
-	  } ,
-
-	  ERROR => sub() {
-	      directive_error( evaluate_expression( $expression ,
-						    $filename ,
-						    $linenumber ,
-						    1 ) ,
-			       $filename ,
-			       $linenumber ) unless $omitting;
 	  }
+
 	);
 
     if ( my $function = $directives{$keyword} ) {
@@ -2856,11 +2793,6 @@ sub copy( $ ) {
 		print $script $_;
 		print $script "\n";
 		$lastlineblank = 0;
-
-		if ( $debug ) {
-		    s/\n/\nGS-----> /g;
-		    print "GS-----> $_\n";
-		}
 	    }
 	}
 
@@ -3188,7 +3120,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
     my $multiline = shift;
 
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
 
     $directive_callback->( 'PERL', $currentline ) if $directive_callback;
 
@@ -3215,8 +3147,6 @@ sub embedded_perl( $ ) {
 
     $embedded++;
 
-    declare_passed unless $evals++;
-
     unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
@@ -3277,32 +3207,32 @@ sub push_action_params( $$$$$$ ) {
     my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
     my @parms = ( undef , split_list3( $parms , 'parameter' ) );
 
-    $actparams{modified}   = $parmsmodified;
+    $actparms{modified}   = $parmsmodified;
-    $actparams{usedcaller} = $usedcaller;
+    $actparms{usedcaller} = $usedcaller;
 
-    my %oldparms = %actparams;
+    my %oldparms = %actparms;
 
     $parmsmodified = 0;
     $usedcaller    = 0;
 
-    %actparams = ();
+    %actparms = ();
 
     for ( my $i = 1; $i < @parms; $i++ ) {
 	my $val = $parms[$i];
 
-	$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
+	$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
     }
 
-    $actparams{0}           = $chainref;
+    $actparms{0}           = $chainref;
-    $actparams{action}      = $action;
+    $actparms{action}      = $action;
-    $actparams{loglevel}    = $loglevel;
+    $actparms{loglevel}    = $loglevel;
-    $actparams{logtag}      = $logtag;
+    $actparms{logtag}      = $logtag;
-    $actparams{caller}      = $caller;
+    $actparms{caller}      = $caller;
-    $actparams{disposition} = '' if $chainref->{action};
+    $actparms{disposition} = '' if $chainref->{action};
     #
     # The Shorewall variable '@chain' has the non-word charaters removed
     #
-    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
 
     \%oldparms;
 }
@@ -3315,10 +3245,10 @@ sub push_action_params( $$$$$$ ) {
 #
 sub pop_action_params( $ ) {
     my $oldparms       = shift;
-    %actparams          = %$oldparms;
+    %actparms          = %$oldparms;
     my $return         = $parmsmodified | $usedcaller;
-    ( $parmsmodified ) = delete $actparams{modified}   || 0;
+    ( $parmsmodified ) = delete $actparms{modified}   || 0;
-    ( $usedcaller )    = delete $actparams{usedcaller} || 0;
+    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
     $return;
 }
 
@@ -3328,11 +3258,11 @@ sub default_action_params {
 
     for ( $i = 1; 1; $i++ ) {
 	last unless defined ( $val = shift );
-	my $curval = $actparams{$i};
+	my $curval = $actparms{$i};
-	$actparams{$i} = $val unless supplied( $curval );
+	$actparms{$i} = $val unless supplied( $curval );
     }
 
-    fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
+    fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
 }
 
 sub get_action_params( $ ) {
@@ -3343,65 +3273,53 @@ sub get_action_params( $ ) {
     my @return;
 
     for ( my $i = 1; $i <= $num; $i++ ) {
-	my $val = $actparams{$i};
+	my $val = $actparms{$i};
 	push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
     }
 
     @return;
 }
 
-sub setup_audit_action( $ ) {
-    my ( $action ) = @_;
-
-    my ( $target, $audit ) = get_action_params( 2 );
-
-    if ( supplied $audit ) {
-	fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
-	fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
-	$actparams{1} = "A_$target" unless $target =~ /^A_/;
-    }
-}
-
 #
 # Returns the Level and Tag for the current action chain
 #
 sub get_action_logging() {
-    @actparams{ 'loglevel', 'logtag' };
+    @actparms{ 'loglevel', 'logtag' };
 }
 
 sub get_action_chain() {
-    $actparams{0};
+    $actparms{0};
 }
 
 sub get_action_chain_name() {
-    $actparams{chain};
+    $actparms{chain};
 }
 
 sub set_action_name_to_caller() {
-    $actparams{chain} = $actparams{caller};
+    $actparms{chain} = $actparms{caller};
 }
 
 sub get_action_disposition() {
-    $actparams{disposition};
+    $actparms{disposition};
 }
 
 sub set_action_disposition($) {
-    $actparams{disposition} = $_[0];
+    $actparms{disposition} = $_[0];
 }
 
 sub set_action_param( $$ ) {
     my $i = shift;
 
     fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
-    $actparams{$i} = shift;
+    $actparms{$i} = shift;
 }
 
 #
-# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config, 
+# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config, 
 #
 sub expand_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
-    my $chain = $actparams{chain};
+    my $chain = $actparms{chain};
     #                         $1      $2   $3                   -     $4
     while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 
@@ -3415,16 +3333,16 @@ sub expand_variables( \$ ) {
 	    if ( $config{IGNOREUNKNOWNVARIABLES} ) {
 		fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
 	    } else {
-		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
+		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
 								    ( length( $var ) == 1 ||
 								      $var !~ /^0/ ) );
 	    }
 
-	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
+	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
 	} elsif ( exists $variables{$var} ) {
 	    $val = $variables{$var};
-	} elsif ( exists $actparams{$var} ) { 
+	} elsif ( exists $actparms{$var} ) { 
-	    $val = $actparams{$var};
+	    $val = $actparms{$var};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
@@ -3443,7 +3361,7 @@ sub expand_variables( \$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
-	    my $val = $var ? $actparams{$var} : $actparams{chain};
+	    my $val = $var ? $actparms{$var} : $actparms{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
@@ -3503,17 +3421,17 @@ sub handle_first_entry() {
 sub read_a_line($) {
     my $options = $_[0];
 
-  LINE:
     while ( $currentfile ) {
+
 	$currentline = '';
 	$currentlinenumber = 0;
 
 	while ( <$currentfile> ) {
 	    chomp;
 	    #
-	    # Handle directives
+	    # Handle conditionals
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3527,7 +3445,7 @@ sub read_a_line($) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
+	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
@@ -3538,20 +3456,19 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
-	    # We now have a (possibly concatenated) line
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
-		    handle_first_entry if $first_entry;
-		    embedded_perl( $1 );
-		    next LINE;
-		}
-
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
-		    next LINE;
+		    next;
+		}
+
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
+		    handle_first_entry if $first_entry;
+		    embedded_perl( $1 );
+		    next;
 		}
 	    }
 	    #
@@ -3563,7 +3480,7 @@ sub read_a_line($) {
 		#
 		# Ignore (concatinated) blank lines
 		#
-		next LINE if $currentline =~ /^\s*$/;
+		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
 		#
 		# Eliminate trailing whitespace
 		#
@@ -3574,7 +3491,7 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Expand Shell Variables using %params and %actparams
+	    # Expand Shell Variables using %params and %actparms
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
 
@@ -3594,16 +3511,18 @@ sub read_a_line($) {
 		    push_include;
 		    $currentfile = undef;
 		    do_open_file $filename;
+		} else {
+		    $currentlinenumber = 0;
 		}
 
-		next LINE;
+		$currentline = '';
-	    } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
+            } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
-		my $sectionname = $1;
+                my $sectionname = $1;
-		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
+                fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
-		fatal_error "This file does not allow ?SECTION" unless $section_function;
+                fatal_error "This file does not allow ?SECTION" unless $section_function;
-		$section_function->($sectionname);
+                $section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+                $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
-		next LINE;
+                $currentline = '';
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
@@ -6106,7 +6025,7 @@ sub get_configuration( $$$$ ) {
 
     default_log_level 'SFILTER_LOG_LEVEL', 'info';
 
-    if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
+    if ( $val = $config{SFILTER_DISPOSITION} ) {
 	fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
     } else {
@@ -6115,14 +6034,14 @@ sub get_configuration( $$$$ ) {
 
     default_log_level 'RPFILTER_LOG_LEVEL', 'info';
 
-    if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
+    if ( $val = $config{RPFILTER_DISPOSITION} ) {
 	fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
     } else {
 	$config{RPFILTER_DISPOSITION} = 'DROP';
     }
 
-    if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
+    if ( $val = $config{MACLIST_DISPOSITION} ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{MACLIST_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6141,7 +6060,7 @@ sub get_configuration( $$$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
     }
 
-    if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
+    if ( $val = $config{RELATED_DISPOSITION} ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{RELATED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6160,7 +6079,7 @@ sub get_configuration( $$$$ ) {
 	$globals{RELATED_TARGET}      = 'ACCEPT';
     }
 
-    if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
+    if ( $val = $config{INVALID_DISPOSITION} ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{INVALID_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6179,7 +6098,7 @@ sub get_configuration( $$$$ ) {
 	$globals{INVALID_TARGET}      = '';
     }
 
-    if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
+    if ( $val = $config{UNTRACKED_DISPOSITION} ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{UNTRACKED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6198,7 +6117,7 @@ sub get_configuration( $$$$ ) {
 	$globals{UNTRACKED_TARGET}        = '';
     }
 
-    if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
+    if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
 	} else {
@@ -6208,7 +6127,7 @@ sub get_configuration( $$$$ ) {
 	default 'MACLIST_TABLE' , 'filter';
     }
 
-    if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
+    if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
 	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
 	require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
     } else {
@@ -6239,7 +6158,7 @@ sub get_configuration( $$$$ ) {
 	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
     }
 
-    if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
+    if ( $val = $config{TC_PRIOMAP} ) {
 	my @priomap = split ' ',$val;
 	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
 	for ( @priomap ) {
@@ -6258,13 +6177,12 @@ sub get_configuration( $$$$ ) {
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
+    default 'OPTIMIZE'              , 0;
 
     for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
-    default 'OPTIMIZE' , 0;
-
     if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
 	$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
     } elsif ( $val =~ /^none$/i ) {
@@ -6599,7 +6517,6 @@ sub report_used_capabilities() {
 }
 
 END {
-    print "eval() called $evals times\n" if $debug;
     cleanup;
 }
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -69,7 +69,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
     my $destnets = '';
     my $baserule = '';
     my $inlinematches = '';
-    my $prerule       = '';
     #
     # Leading '+'
     #
@@ -84,13 +83,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
     }	
     #
-    # Handle early matches
-    #
-    if ( $inlinematches =~ s/s*\+// ) {
-	$prerule = $inlinematches;
-	$inlinematches = '';
-    }
-    #
     # Parse the remaining part of the INTERFACE column
     #
     if ( $family == F_IPV4 ) {
@@ -344,7 +336,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     $prerule ,
+		     '' ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,

Shorewall/action.Broadcast

@@ -30,32 +30,44 @@
 
 DEFAULTS DROP,-
 
-?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
-?else
 ?begin perl;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 
-my ( $action )         = get_action_params( 1 );
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );
 
-add_commands $chainref, 'for address in $ALL_BCASTS; do';
+if ( have_capability( 'ADDRTYPE' ) ) {
-incr_cmd_level $chainref;
+    if ( $level ne '' ) {
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-add_jump $chainref, $action, 0, "-d \$address ";
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-decr_cmd_level $chainref;
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-add_commands $chainref, 'done';
+    }
 
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
+} else {
+    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
+}
 
 1;
 
 ?end perl;
-?endif

Shorewall/action.DNSAmp

@@ -30,4 +30,4 @@
 
 DEFAULTS DROP
 
-@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
+IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"

Shorewall/action.Drop

@@ -28,16 +28,30 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+#
+# The following magic provides different defaults for @2 thru @5, when @1 is
+# 'audit'.
+#
+?begin perl;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) {
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+?end perl;
 
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
 DEFAULTS -,-,DROP,ACCEPT,DROP
-?endif
 
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -47,7 +61,7 @@ COUNT
 #
 # Special Handling for Auth
 #
-?if passed(@2)
+?if @2 ne '-'
 Auth(@2)
 ?endif
 #

Shorewall/action.Established

@@ -30,6 +30,19 @@
 
 DEFAULTS ACCEPT
 
-#
+?begin perl;
-# All logic for this action is supplied by the 'state' option in actions.std
+
-#
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'ESTABLISHED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
+}
+
+1;
+
+?end perl;

Shorewall/action.GlusterFS

@@ -11,11 +11,20 @@
 
 DEFAULTS 2,0
 
-?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
+?begin perl
-    ?error Invalid value for Bricks (@1)
+
-?elsif @2 !~ /^[01]$/
+use Shorewall::Config qw(:DEFAULT :internal);
-    ?error Invalid value for IB (@2)
+use Shorewall::Chains;
-?endif
+use Shorewall::Rules;
+use strict;
+
+my ( $bricks, $ib ) = get_action_params( 2 );
+
+fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
+fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
+
+?end perl
+
 
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/action.Invalid

@@ -30,6 +30,24 @@
 
 DEFAULTS DROP,-
 
-#
+?begin perl;
-# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
+
-#
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+     $action = "A_$action";
+}
+
+if ( my $check = check_state( 'INVALID' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
+}
+
+1;
+
+?end perl;

Shorewall/action.New

@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   New[([<action>])]
+#   Untracked[([<action>])]
 #
 #       Default action is ACCEPT
 #
@@ -30,6 +30,19 @@
 
 DEFAULTS ACCEPT
 
-#
+?begin perl;
-# All logic for this action is supplied by the 'state' option in actions.std
+
-#
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'NEW' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
+}
+
+1;
+
+?end perl;

Shorewall/action.NotSyn

@@ -30,4 +30,23 @@
 
 DEFAULTS DROP,-
 
-@1	 -	-	;;+  -p 6 ! --syn
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
+     $action = "A_$action";
+}    
+
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
+
+1;
+
+?end perl;

Shorewall/action.RST

@@ -30,4 +30,21 @@
 
 DEFAULTS DROP,-
 
-@1	 -	-	;;+ -p 6 --tcp-flags RST RST
+?begin perl;
+
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
+     $action = "A_$action";
+}    
+
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
+
+1;
+
+?end perl;

Shorewall/action.Reject

@@ -27,16 +27,30 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+#
+# The following magic provides different defaults for @2 thru @5, when @1 is
+# 'audit'.
+#
+?begin perl;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) {
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+?end perl;
 
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP
-?endif
 
 #TARGET		SOURCE	DEST	PROTO
 #
@@ -46,7 +60,7 @@ COUNT
 #
 # Special handling for Auth
 #
-?if passed(@2)
+?if @2 ne '-'
 Auth(@2)
 ?endif
 #

Shorewall/action.Related

@@ -30,6 +30,20 @@
 
 DEFAULTS DROP
 
-#
+?begin perl;
-# All logic for this action is supplied by the 'state' option in actions.std
+
-#
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'RELATED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
+}
+
+1;
+
+?end perl;

Shorewall/action.SetEvent

@@ -12,6 +12,11 @@
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
 
 DEFAULTS -,ACCEPT,src
 

Shorewall/action.TCPFlags

@@ -12,18 +12,30 @@
 
 DEFAULTS -
 
-?if passed(@1)
+?begin perl;
-    ?if @1 eq 'audit'
+use strict;
-        ?set tcpflags_action 'A_DROP'
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
-    ?else
+use Shorewall::Chains;
-	?error The parameter to TCPFlags must be 'audit' or '-'
+use Shorewall::Rules;
-    ?endif
+
-?else
+my $action = 'DROP';
-    ?set tcpflags_action 'DROP'
+
-?endif
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
+
+?end perl;
+
+
+
+
 
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0

Shorewall/action.Untracked

@@ -29,6 +29,19 @@
 ##########################################################################################
 DEFAULTS DROP
 
-#
+?begin perl;
-# All logic for this action is supplied by the 'state' option in actions.std
+
-#
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'UNTRACKED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
+}
+
+1;
+
+?end perl;

Shorewall/action.allowInvalid

@@ -28,12 +28,25 @@
 
 DEFAULTS -
 
-?if passed(@1)
+?begin perl;
-    ?if @1 eq 'audit'
+
-Invalid(A_ACCEPT)
+use strict;
-    ?else
+use Shorewall::IPAddrs;
-        ?error The first parameter to allowInvalid must be 'audit' or '-'
+use Shorewall::Config;
-    ?endif
+use Shorewall::Chains;
-?else
+use Shorewall::Rules;
-Invalid(ACCEPT)
+
-?endif
+my $action = 'ACCEPT';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
+     $action = "A_ACCEPT";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?end perl;

Shorewall/action.dropInvalid

@@ -28,14 +28,25 @@
 
 DEFAULTS -
 
-DEFAULTS -
+?begin perl;
 
-?if passed(@1)
+use strict;
-    ?if @1 eq 'audit'
+use Shorewall::IPAddrs;
-Invalid(A_DROP)
+use Shorewall::Config;
-    ?else
+use Shorewall::Chains;
-        ?error The first parameter to dropInvalid must be 'audit' or '-'
+use Shorewall::Rules;
-    ?endif
+
-?else
+my $action = 'DROP';
-Invalid(DROP)
+
-?endif
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?end perl;

Shorewall/action.mangletemplate

@@ -1,22 +0,0 @@
-#
-# Shorewall version 5 - Mangle Action Template
-#
-# /etc/shorewall/action.mangletemplate
-#
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined with the mangle option in /etc/shorewall/actions.
-#
-#	To define a new action:
-#
-#	1. Add the <action name> to /etc/shorewall/actions with the mangle option
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
-#
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
-#
-# Columns are the same as in /etc/shorewall/mangle.
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP

Shorewall/actions.std

@@ -8,18 +8,21 @@
 #
 # Builtin Actions are:
 #
-?if 0
+#    A_ACCEPT           # Audits then accepts a connection request
-A_ACCEPT                        # Audits then accepts a connection request
+#    A_DROP             # Audits then drops a connection request
-A_DROP                          # Audits then drops a connection request
+#    A_REJECT		# Audits then drops a connection request
-A_REJECT		        # Audits then drops a connection request
+#    allowBcast		# Silently Allow Broadcast/multicast
-allowBcast		        # Silently Allow Broadcast/multicast
+#    dropBcast		# Silently Drop Broadcast/multicast
-dropBcast		        # Silently Drop Broadcast/multicast
+#    dropNotSyn		# Silently Drop Non-syn TCP packets
-dropNotSyn		        # Silently Drop Non-syn TCP packets
+#    rejNotSyn		# Silently Reject Non-syn TCP packets
-rejNotSyn		        # Silently Reject Non-syn TCP packets
+#    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
-allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
+#                       # work with kernel 2.6.14 and later).
-forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
+#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
-Limit                           # Limit the rate of connections from each individual IP address
+#    forwardUPnP	# Allow traffic that upnpd has redirected from
-?endif
+#			# 'upnp' interfaces.
+#    Limit              # Limit the rate of connections from each individual
+#                       # IP address
+#
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
@@ -27,25 +30,21 @@ A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
+Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Established  inline,\		# Handles packets in the ESTABLISHED state
+Established  inline		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+Invalid      inline             # Handles packets in the INVALID conntrack state
-             state=INVALID      #
+New	     inline             # Handles packets in the NEW conntrack state
-New	     inline,state=NEW	# Handles packets in the NEW conntrack state
+NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
-NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related      inline,\		# Handles packets in the RELATED conntrack state
+Related      inline             # Handles packets in the RELATED conntrack state
-             state=RELATED      #
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit       # Handle packets with RST set
+RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED    #

Shorewall/lib.cli-std

@@ -470,15 +470,11 @@ compiler() {
 	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
     esac
-    #
-    # Only use the pager if 'trace' or -r was specified and -d was not
-    #
-    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
 
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
-	eval $PERL $debugflags $pc $options $@ $g_pager
+	$PERL $debugflags $pc $options $@
     else
-	eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
+	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
     fi
 
     status=$?

Shorewall/manpages/shorewall-actions.xml

@@ -53,19 +53,7 @@
 
           <variablelist>
             <varlistentry>
-              <term><option>audit</option></term>
+              <term>builtin</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. When this option is specified,
-                the action is expected to have at least two parameters; the
-                first is a target and the second is either 'audit' or omitted.
-                If the second is 'audit', then the first must be an auditable
-                target (ACCEPT, DROP or REJECT).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>builtin</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.16. Defines the action as a rule
@@ -98,7 +86,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>inline</option></term>
+              <term>inline</term>
 
               <listitem>
                 <para>Causes the action body (defined in
@@ -114,9 +102,9 @@
                   way:</para>
 
                   <simplelist>
-                    <member>DropSmurfs</member>
+                    <member>Broadcast</member>
 
-                    <member>IfEvent</member>
+                    <member>DropSmurfs</member>
 
                     <member>Invalid (Prior to Shorewall 4.5.13)</member>
 
@@ -131,19 +119,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>mangle</option></term>
+              <term>noinline</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. Specifies that this action is
-                to be used in <ulink
-                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
-                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>noinline</option></term>
 
               <listitem>
                 <para>Causes any later <option>inline</option> option for the
@@ -152,7 +128,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>nolog</option></term>
+              <term>nolog</term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.11. When this option is
@@ -166,16 +142,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+              <term>terminating</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
-                in <filename>actions.std</filename>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>terminating</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with

Shorewall/manpages/shorewall-mangle.xml

@@ -68,9 +68,8 @@
         <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
-          <para>The <replaceable>chain-designator </replaceable>indicates the
+          <para>The chain-specifier indicates the Netfilter chain that the
-          Netfilter chain that the entry applies to and may be one of the
+          entry applies to and may be one of the following:</para>
-          following:</para>
 
           <variablelist>
             <varlistentry>
@@ -112,14 +111,10 @@
           url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
           FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
 
-          <para>A <replaceable>chain-designator</replaceable> may not be
+          <para>A chain-designator may not be specified if the SOURCE or DEST
-          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          rule is placed in the INPUT chain.</para>
-          Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body unless the action is declared as
-          <option>inline</option> in <ulink
-          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
 
           <para>Where a command takes parameters, those parameters are
           enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -128,21 +123,6 @@
           following.</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7.
-                <replaceable>action</replaceable> must be an action declared
-                with the <option>mangle</option> option in <ulink
-                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
-                comma-separated list within parentheses following the
-                <replaceable>action</replaceable> name.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -390,7 +370,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                proceeds as if that <replaceable>action</replaceable> had been
+                procedes as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>
@@ -740,6 +720,33 @@ Normal-Service       =&gt; 0x00</programlisting>
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <orderedlist numeration="arabic">
+            <listitem>
+              <para><emphasis role="bold">TTL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.4.24.</para>
+
+              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
+              <emphasis role="bold">:F</emphasis> but the resulting rule is
+              always added to the FORWARD chain. Beginning with Shorewall
+              4.5.7.s, it may be optionally followed by <emphasis
+              role="bold">:P</emphasis>, in which case the rule is added to
+              the PREROUTING chain.</para>
+
+              <para>If <emphasis role="bold">+</emphasis> is included, packets
+              matching the rule will have their TTL incremented by
+              <replaceable>number</replaceable>. Similarly, if <emphasis
+              role="bold">-</emphasis> is included, matching packets have
+              their TTL decremented by <replaceable>number</replaceable>. If
+              neither <emphasis role="bold">+</emphasis> nor <emphasis
+              role="bold">-</emphasis> is given, the TTL of matching packets
+              is set to <replaceable>number</replaceable>. The valid range of
+              values for <replaceable>number</replaceable> is 1-255.</para>
+            </listitem>
+          </orderedlist>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-rules.xml

@@ -328,18 +328,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis
-              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
-                with the exception that the mark is assigned to connection to
-                which the packet belongs is marked rather than to the packet
-                itself.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">CONTINUE</emphasis></term>
 
@@ -558,35 +546,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis
-              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
-
-              <listitem>
-                <para>where <replaceable>mark</replaceable> is a packet mark
-                value.</para>
-
-                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
-                table" support in your kernel and iptables.</para>
-
-                <para>Normally will set the mark value of the current packet.
-                If preceded by a vertical bar ("|"), the mark value will be
-                logically ORed with the current mark value to produce a new
-                mark value. If preceded by an ampersand ("&amp;"), will be
-                logically ANDed with the current mark value to produce a new
-                mark value.</para>
-
-                <para>Both "|" and "&amp;" require Extended MARK Target
-                support in your kernel and iptables.</para>
-
-                <para>The mark value may be optionally followed by "/" and a
-                mask value (used to determine those bits of the connection
-                mark to actually be set). When a mask is specified, the result
-                of logically ANDing the mark value with the mask must be the
-                same as the mark value.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -1441,7 +1400,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specify a hash table to be used to count matching
+          the user and specifiy a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall/manpages/shorewall.conf.xml

@@ -998,7 +998,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          separated from normal column input by a single semicolon.</para>
+          seperated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/action.Drop

@@ -31,24 +31,37 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is
+# 'audit'.
+#
+?begin perl;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) {
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+?end perl;
 
-?if passed($1)
-    ?if $1 eq 'audit'
-DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
-?endif
 
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
 #
-?if passed($2)
 Auth($2)
-?endif
 #
 # ACCEPT critical ICMP types
 #

Shorewall6/action.Reject

@@ -27,24 +27,37 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is
+# 'audit'.
+#
+?begin perl;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) {
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+?end perl;
 
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
-?endif
 
 #TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' -- REJECT
 #
-?if passed($2)
 Auth($2)
-?endif
 #
 # Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).

Shorewall6/action.mangletemplate

@@ -1,22 +0,0 @@
-#
-# Shorewall version 5 - Mangle Action Template
-#
-# /etc/shorewall6/action.mangletemplate
-#
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined with the mangle option in /etc/shorewall/actions.
-#
-#	To define a new action:
-#
-#	1. Add the <action name> to /etc/shorewall6/actions with the mangle option
-#	2. Copy this file to /etc/shorewall6/action.<action name>
-#	3. Add the desired rules to that file.
-#
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
-#
-# Columns are the same as in /etc/shorewall6/mangle.
-#
-############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP

Shorewall6/actions.std

@@ -8,12 +8,11 @@
 #
 # Builtin Actions are:
 #
-?if 0
+#    allowBcasts        # Accept multicast and anycast packets
-allowBcasts                     # Accept multicast and anycast packets
+#    dropBcasts         # Silently Drop multicast and anycast packets
-dropBcasts                      # Silently Drop multicast and anycast packets
+#    dropNotSyn		# Silently Drop Non-syn TCP packets
-dropNotSyn		        # Silently Drop Non-syn TCP packets
+#    rejNotSyn		# Silently Reject Non-syn TCP packets
-rejNotSyn		        # Silently Reject Non-syn TCP packets
+#
-?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
@@ -27,19 +26,15 @@ Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
-Established  inline,\		# Handles packets in the ESTABLISHED state
+Established  inline		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+Invalid	     inline		# Handles packets in the INVALID conntrack state
-             state=INVALID
+New	     inline             # Handles packets in the NEW conntrack state
-New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-Related      inline,\		# Handles packets in the RELATED conntrack state
+Related      inline             # Handles packets in the RELATED conntrack state
-             state=RELATED
 ResetEvent   inline		# Reset an Event
 RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handles bad flags combinations
-Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED

Shorewall6/manpages/shorewall6-actions.xml

@@ -53,18 +53,6 @@
           <para>Added in Shorewall 4.5.10. Available options are:</para>
 
           <variablelist>
-            <varlistentry>
-              <term><option>audit</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. When this option is specified,
-                the action is expected to have at least two parameters; the
-                first is a target and the second is either 'audit' or omitted.
-                If the second is 'audit', then the first must be an auditable
-                target (ACCEPT, DROP or REJECT).</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term>builtin</term>
 
@@ -99,7 +87,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>inline</option></term>
+              <term>inline</term>
 
               <listitem>
                 <para>Causes the action body (defined in
@@ -115,9 +103,9 @@
                   way:</para>
 
                   <simplelist>
-                    <member>DropSmurfs</member>
+                    <member>Broadcast</member>
 
-                    <member>IfEvent</member>
+                    <member>DropSmurfs</member>
 
                     <member>Invalid (Prior to Shorewall 4.5.13)</member>
 
@@ -132,19 +120,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>mangle</option></term>
+              <term>noinline</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. Specifies that this action is
-                to be used in <ulink
-                url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
-                rather than <ulink
-                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>noinline</option></term>
 
               <listitem>
                 <para>Causes any later <option>inline</option> option for the
@@ -153,7 +129,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>nolog</option></term>
+              <term>nolog</term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.11. When this option is
@@ -167,16 +143,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+              <term>terminating</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
-                in <filename>actions.std</filename>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>terminating</option></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with

Shorewall6/manpages/shorewall6-mangle.xml

@@ -69,9 +69,8 @@
         <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
-          <para>The <replaceable>chain-designator</replaceable> indicates the
+          <para>The chain-specifier indicates the Netfilter chain that the
-          Netfilter chain that the entry applies to and may be one of the
+          entry applies to and may be one of the following:</para>
-          following:</para>
 
           <variablelist>
             <varlistentry>
@@ -113,14 +112,10 @@
           url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
           and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
 
-          <para>A <replaceable>chain-designator</replaceable> may not be
+          <para>A chain-designator may not be specified if the SOURCE or DEST
-          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          rule is placed in the INPUT chain.</para>
-          Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body unless the action is declared as
-          <option>inline</option> in <ulink
-          url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
 
           <para>Where a command takes parameters, those parameters are
           enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -129,21 +124,6 @@
           following.</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7.
-                <replaceable>action</replaceable> must be an action declared
-                with the <option>mangle</option> option in <ulink
-                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
-                comma-separated list within parentheses following the
-                <replaceable>action</replaceable> name.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -401,7 +381,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                proceeds as if that <replaceable>action</replaceable> had been
+                procedes as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>

Shorewall6/manpages/shorewall6-rules.xml

@@ -303,18 +303,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis
-              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
-                with the exception that the mark is assigned to connection to
-                which the packet belongs is marked rather than to the packet
-                itself.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">CONTINUE</emphasis></term>
 
@@ -535,35 +523,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis
-              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
-
-              <listitem>
-                <para>where <replaceable>mark</replaceable> is a packet mark
-                value.</para>
-
-                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
-                table" support in your kernel and iptables.</para>
-
-                <para>Normally will set the mark value of the current packet.
-                If preceded by a vertical bar ("|"), the mark value will be
-                logically ORed with the current mark value to produce a new
-                mark value. If preceded by an ampersand ("&amp;"), will be
-                logically ANDed with the current mark value to produce a new
-                mark value.</para>
-
-                <para>Both "|" and "&amp;" require Extended MARK Target
-                support in your kernel and iptables.</para>
-
-                <para>The mark value may be optionally followed by "/" and a
-                mask value (used to determine those bits of the connection
-                mark to actually be set). When a mask is specified, the result
-                of logically ANDing the mark value with the mask must be the
-                same as the mark value.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -1306,7 +1265,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specify a hash table to be used to count matching
+          the user and specifiy a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall6/manpages/shorewall6.conf.xml

@@ -846,7 +846,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          separated from normal column input by a single semicolon.</para>
+          seperated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 

docs/Actions.xml

@@ -32,8 +32,6 @@
 
       <year>2013</year>
 
-      <year>2015-2016</year>
-
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -399,27 +397,6 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
       url="configuration_file_basics.htm#ActionVariables">Action Variables
       section</ulink> of the Configuration Basics article.</para>
     </section>
-
-    <section>
-      <title>Mangle Actions</title>
-
-      <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
-      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
-      <ulink
-      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
-      Because the rules and mangle files have different column layouts,
-      actions can be defined to be used in one file or the other but not in
-      both. To designate an action to be used in the mangle file, specify the
-      <option>mangle</option> option in the action's entry in <ulink
-      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
-      <ulink
-      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
-
-      <para>To create a mangle action, follow the steps in the preceding
-      section, but use the
-      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
-      </para>
-    </section>
   </section>
 
   <section id="Logging">

docs/configuration_file_basics.xml

@@ -175,23 +175,20 @@
 
         <listitem>
           <para><filename>/etc/shorewall/init</filename> - commands that you
-          wish to execute at the beginning of a <quote>shorewall
+          wish to execute at the beginning of a <quote>shorewall start</quote>
-          start</quote>, "shorewall reload" or <quote>shorewall
+          or <quote>shorewall restart</quote>.</para>
-          restart</quote>.</para>
         </listitem>
 
         <listitem>
           <para><filename>/etc/shorewall/start</filename> - commands that you
           wish to execute near the completion of a <quote>shorewall
-          start</quote>, "shorewall reload" or <quote>shorewall
+          start</quote> or <quote>shorewall restart</quote></para>
-          restart</quote></para>
         </listitem>
 
         <listitem>
           <para><filename>/etc/shorewall/started</filename> - commands that
           you wish to execute after the completion of a <quote>shorewall
-          start</quote>, "shorewall reload" or <quote>shorewall
+          start</quote> or <quote>shorewall restart</quote></para>
-          restart</quote></para>
         </listitem>
 
         <listitem>
@@ -1782,10 +1779,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
         <para><ulink url="Macros.html">Macro</ulink> files</para>
       </listitem>
 
-      <listitem>
-        <para><ulink url="Actions.html">Action</ulink> files</para>
-      </listitem>
-
       <listitem>
         <para><ulink
         url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -1992,33 +1985,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
     @disposition are used to generated the --log-prefix in logging rules. When
     either is empty, the historical value is used to generate the
     --log-prefix.</para>
-
-    <para>Within an action body, if a parameter is omitted in a DEFAULTS
-    statement, then the value of the corresponding action and Shorewall
-    variables is '-', while if the parameter is specified as '-' in the
-    parameter list, the value of the action/Shorewall variable is '', if it is
-    expanded before the DEFAULTS statement.</para>
-
-    <para>Additionally, when an expression is evaluated, the value 0 evaluates
-    as false, so '?IF @n' and '?IF $n' fail if the nth parameter is passed
-    with value zero. To make testing of the presense of parameters more
-    efficient and uniform, an new function has been added in Shorewall 5.0.7
-    for use in ?IF and ?ELSEIF:</para>
-
-    <simplelist>
-      <member>?IF [!] passed(&lt;variable&gt;)</member>
-    </simplelist>
-
-    <para>where &lt;variable&gt; is an action or Shorewall variable.</para>
-
-    <para>'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
-    is not empty and its contents are other than '-'. If '!' is present, the
-    result is inverted.</para>
-
-    <para>In this simple form, the expression is evaluated by the compiler
-    without having to invoke the (expensive) Perl exec() function. The
-    'passed' function may also be used in more complex expressions, but exec()
-    will be invoked to evaluate those expressions.</para>
   </section>
 
   <section id="Conditional">
@@ -2202,31 +2168,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
 &lt;lines to be included if all three expressions evaluate to false.
 
 ?ENDIF</programlisting>
-
-    <para>Beginning in Shorewall 5.0.7, an error can be raised using the
-    ?ERROR directive:</para>
-
-    <programlisting>?ERROR <replaceable>message</replaceable></programlisting>
-
-    <para>Variables in the message are evaluated and the result appears in a
-    standard Shorewall ERROR: message.</para>
-
-    <para>Example from the 5.0.7 action.GlusterFS:</para>
-
-    <programlisting>?if @1 !~ /^\d+/ || ! @1 || @1 &gt; 1024
-    ?error Invalid value for Bricks (@1)
-?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
-?endif
-</programlisting>
-
-    <para>The above code insures that the first action paramater is a non-zero
-    number &lt;= 1024 and that the second parameter is either 0 or 1. If 2000
-    is passed for the first parameter, the following error message is
-    generated:</para>
-
-    <programlisting>   ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
-      from /etc/shorewall/rules (line 45)</programlisting>
   </section>
 
   <section id="Embedded">
@@ -2577,44 +2518,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
     "!tcp").</para>
   </section>
 
-  <section id="Ranges">
-    <title>Port Ranges</title>
-
-    <para>If you need to specify a range of ports, the proper syntax is
-    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
-    to forward the range of tcp ports 4000 through 4100 to local host
-    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
-
-    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
-DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
-
-    <para>If you omit the low port number, a value of zero is assumed; if you
-    omit the high port number, a value of 65535 is assumed.</para>
-
-    <para>Also, unless otherwise documented, a port range can be preceded by
-    '!' to specify "All ports except those in this range" (e.g.,
-    "!4000:4100").</para>
-  </section>
-
-  <section id="Portlists">
-    <title>Port Lists</title>
-
-    <para>In most cases where a port or port range may appear, a
-    comma-separated list of ports or port ranges may also be entered.
-    Shorewall requires the Netfilter <emphasis
-    role="bold">multiport</emphasis> match capability if ports lists are used
-    (see the output of "<emphasis role="bold">shorewall show
-    capabilities</emphasis>").</para>
-
-    <para>Also, unless otherwise documented, a port list can be preceded by
-    '!' to specify "All ports except these" (e.g., "!80,443").</para>
-
-    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
-    (5) file may specify no more than 15 ports; port ranges appearing in a
-    list count as two ports each.</para>
-  </section>
-
   <section id="ICMP">
     <title>ICMP and ICMP6 Types and Codes</title>
 
@@ -2691,6 +2594,44 @@ redirect                      =&gt; 137</programlisting>
     Shorewall 4.4.19.</para>
   </section>
 
+  <section id="Ranges">
+    <title>Port Ranges</title>
+
+    <para>If you need to specify a range of ports, the proper syntax is
+    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
+    to forward the range of tcp ports 4000 through 4100 to local host
+    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
+
+    <para>If you omit the low port number, a value of zero is assumed; if you
+    omit the high port number, a value of 65535 is assumed.</para>
+
+    <para>Also, unless otherwise documented, a port range can be preceded by
+    '!' to specify "All ports except those in this range" (e.g.,
+    "!4000:4100").</para>
+  </section>
+
+  <section id="Portlists">
+    <title>Port Lists</title>
+
+    <para>In most cases where a port or port range may appear, a
+    comma-separated list of ports or port ranges may also be entered.
+    Shorewall requires the Netfilter <emphasis
+    role="bold">multiport</emphasis> match capability if ports lists are used
+    (see the output of "<emphasis role="bold">shorewall show
+    capabilities</emphasis>").</para>
+
+    <para>Also, unless otherwise documented, a port list can be preceded by
+    '!' to specify "All ports except these" (e.g., "!80,443").</para>
+
+    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
+  </section>
+
   <section id="MAC">
     <title>Using MAC Addresses</title>
 
@@ -2743,7 +2684,9 @@ redirect                      =&gt; 137</programlisting>
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
 
     <simplelist>
-      <member>LOGLIMIT=10/minute:5</member>
+      <member>LOGRATE=10/minute</member>
+
+      <member>LOGBURST=5</member>
     </simplelist>
 
     <para>For each logging rule, the first time the rule is reached, the
@@ -2755,6 +2698,11 @@ redirect                      =&gt; 137</programlisting>
     30 seconds, the burst will be fully recharged; back where we
     started.</para>
 
+    <note>
+      <para>The LOGRATE and LOGBURST options are deprecated in favor of
+      LOGLIMIT.</para>
+    </note>
+
     <para>Shorewall also supports per-IP rate limiting.</para>
 
     <para>Another example from <ulink
@@ -2788,7 +2736,8 @@ redirect                      =&gt; 137</programlisting>
     <firstterm>Condition Match Support</firstterm> and you must be running
     Shorewall 4.4.24 or later. See the output of <command>shorewall show
     capabilities</command> and <command>shorewall version</command> to
-    determine if you can use this feature.</para>
+    determine if you can use this feature. As of this writing, Condition Match
+    Support requires that you install xtables-addons.</para>
 
     <para>The SWITCH column contains the name of a
     <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
@@ -2952,8 +2901,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
         <para>If <emphasis role="bold">detect</emphasis> is specified in the
         ADDRESS column of an entry in <ulink
         url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
-        firewall still startS if the optional interface in the INTERFACE
+        firewall still start if the optional interface in the INTERFACE column
-        column does not have an IP address.</para>
+        does not have an IP address.</para>
       </listitem>
     </itemizedlist>
 
@@ -2971,8 +2920,7 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
 
     <para>Shorewall allows you to have configuration directories other than
     <filename class="directory">/etc/shorewall</filename>. The shorewall
-    <command>check</command>, <command>start</command> and
+    check, start and restart commands allow you to specify an alternate
-    <command>restart</command> commands allow you to specify an alternate
     configuration directory and Shorewall will use the files in the alternate
     directory rather than the corresponding files in /etc/shorewall. The
     alternate directory need not contain a complete configuration; those files

docs/three-interface.xml

@@ -854,16 +854,22 @@ DNAT      net       dmz:10.10.11.2:80   tcp        5000</programlisting></para>
             with:<programlisting>#ACTION   SOURCE    DEST            PROTO  DPORT         SPORT    ORIGDEST
 DNAT      loc       dmz:10.10.11.2  tcp    80            -        <emphasis>&lt;external IP&gt;</emphasis></programlisting>If
             you have a dynamic IP then you must ensure that your external
-            interface is up before starting Shorewall and you must code the
+            interface is up before starting Shorewall and you must take steps
-            rule as follows (assume that your external interface is <filename
+            as follows (assume that your external interface is <filename
-            class="devicefile">eth0</filename>):</para>
+            class="devicefile">eth0</filename>):<orderedlist>
+                <listitem>
+                  <para>Include the following in /etc/shorewall/params:</para>
 
-            <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
+                  <para><command>ETH0_IP=$(find_interface_address
-DNAT      loc       dmz:10.10.11.2   tcp     80            -        &amp;eth0</programlisting>
+                  eth0)</command></para>
+                </listitem>
 
-            <para>'&amp;eth0' expands to the IP address of eth0 (see <ulink
+                <listitem>
-            url="configuration_file_basics.htm#AddressVariables">this
+                  <para>Make your <literal>loc-&gt;dmz</literal> rule:
-            article</ulink>).</para>
+                  <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
+DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</programlisting></para>
+                </listitem>
+              </orderedlist></para>
           </listitem>
 
           <listitem>