Apply Paul Gear's patch for Ubuntu 16.04

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix link
2016-05-02 07:26:10 -07:00 · 2016-05-01 10:44:12 -07:00 · 2016-05-01 10:44:01 -07:00 · 2016-04-28 16:42:52 -07:00 · 2016-04-28 16:42:32 -07:00 · 2016-04-25 16:09:10 -07:00
41 changed files with 1042 additions and 303 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -339,7 +339,15 @@ show_classifiers() {
 #
 # Display blacklist chains
 #
+blacklist_filter() {
+    awk \
+	'BEGIN          { prnt=0; }; \
+        /^Members:/     { print "Dynamic:"; prnt=1; next; }; \
+                        { if (prnt == 1) print; };'
+}
+
 show_bl() {
+    [ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset | blacklist_filter && echo
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
@@ -3444,6 +3452,29 @@ reject_command() {
    fi
 }

+blacklist_command() {
+    local family
+
+    [ $# -gt 0 ] || fatal_error "Missing address"
+
+    [ -z "$g_blacklistipset" ] && fatal_error "The blacklist command is not supported in the current $g_product configuration"
+
+    case ${IPSET:=ipset} in
+	*/*)
+	    if [ ! -x "$IPSET" ]; then
+		fatal_error "IPSET=$IPSET does not exist or is not executable"
+	    fi
+	    ;;
+	*)
+	    IPSET="$(mywhich $IPSET)"
+	    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+	    ;;
+    esac
+
+    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+
+    return 0
+}
 save_command() {
    local finished
    finished=0
@@ -3793,6 +3824,38 @@ get_config() {
 	g_pager="| $g_pager"
     fi

+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -3819,7 +3882,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:$g_product start failed"
+	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi

@@ -3952,7 +4015,7 @@ restart_command() {
 	rc=$?
    else
 	error_message "${VARDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi

@@ -3983,6 +4046,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
+    echo "   blacklist <address> [ <option> ... ]"
    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
@@ -4134,6 +4198,7 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
+    g_blacklistipset=

    VERBOSE=
    VERBOSITY=1
@@ -4325,6 +4390,13 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
+	blacklist)
+	    get_config Yes
+	    shift
+	    [ -n "$g_nolock" ] || mutex_on
+	    blacklist_command $@
+	    [ -n "$g_nolock" ] || mutex_off
+	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,6 +25,22 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
+#
+# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
+#
+mylogger() {
+    local level
+
+    level=$1
+    shift
+
+    if [ -n "$SW_LOGGERTAG" ]; then
+	logger -p $level -t "$SW_LOGGERTAG" $*
+    else
+	logger -p $level $*
+    fi
+}
+
 #
 # Issue a message and stop
 #
@@ -33,24 +49,24 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi

    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "

 	case $COMMAND in
 	    start)
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -117,6 +117,7 @@ fi
 echo "Uninstalling Shorewall Core $VERSION"

 rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc

 echo "Shorewall Core Uninstalled"

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/shorewall-inir enable
+		/etc/init.d/$PRODUCT enable
 		if /etc/init.d/shorewall-init enabled; then
-		    echo "Shorrewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -495,7 +495,7 @@ done
 # Install the Man Pages
 #

-if [ -d manpages ]; then
+if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -693,6 +706,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
+          <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -1553,6 +1585,34 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall-lite:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall/Macros/macro.RedisCluster
+++ b/Shorewall/Macros/macro.RedisCluster
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisCluster
+#
+# This macro handles Redis Cluster traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	16379
--- a/Shorewall/Macros/macro.RedisSentinel
+++ b/Shorewall/Macros/macro.RedisSentinel
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisSentinel
+#
+# This macro handles Redis Sentinel traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	26379
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -279,6 +279,7 @@ our %EXPORT_TAGS = (
 				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
+				       create_load_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -286,6 +287,7 @@ our %EXPORT_TAGS = (
 				       create_chainlist_reload
 				       create_stop_load
 				       initialize_switches
+				       terminating
 				       %targets
 				       %builtin_target
 				       %dscpmap
@@ -808,14 +810,13 @@ sub initialize( $$$ ) {
 		     NETMAP       => 1,
 		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
-		     REDIRECT     => 1,
 		     RAWDNAT      => 1,
+		     REDIRECT     => 1,
 		     RAWSNAT      => 1,
 		     REJECT       => 1,
 		     SAME         => 1,
 		     SNAT         => 1,
 		     TPROXY       => 1,
-		     reject       => 1,
 		   );
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -842,6 +843,24 @@ sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }

+#
+# Determine if a chain is terminating
+#
+sub terminating( $ ) {
+    my ( $chainref ) = @_;
+
+    return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
+}
+
+sub is_terminating( $$ ) {
+    my ( $table, $target ) = @_;
+
+    if ( my $chainref = $chain_table{$table}{$target} ) {
+	terminating( $chainref );
+    } else {
+	$terminating{$target};
+    }
+}
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1309,6 +1328,8 @@ sub push_rule( $$ ) {
    my $complete = 0;
    my $ruleref  = transform_rule( $_[1], $complete );

+    fatal_error "Chain $chainref->{name} jumps to itself" if ( $ruleref->{target} || '' ) eq $chainref->{name};
+
    set_irule_comment( $chainref, $ruleref );

    $ruleref->{mode}    = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
@@ -1539,6 +1560,7 @@ sub create_irule( $$$;@ ) {
 	$ruleref->{jump}       = $jump;
 	$ruleref->{target}     = $target;
 	$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
+	$chainref->{complete} ||= ( ! @matches && ( $jump eq 'g' || is_terminating( $chainref->{table}, $target ) ) );
 	$ruleref->{targetopts} = $targetopts if $targetopts;
    } else {
 	$ruleref->{target} = '';
@@ -2485,7 +2507,7 @@ sub add_ijump_internal( $$$$$;@ ) {
    }

    if ( $ruleref->{simple} ) {
-	$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
+	$fromref->{complete} = 1 if $jump eq 'g' || ( $toref ? terminating( $toref ) : $terminating{$to} );
    }

    $ruleref->{origin} = $origin if $origin;
@@ -7744,7 +7766,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
+			    add_expanded_jump( $chainref ,
+					       $targetref ,
+					       terminating( $targetref ) ,
+					       $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -8224,14 +8249,22 @@ EOF
    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }

-sub ensure_ipset( $ ) {
-    my $set = shift;
+sub ensure_ipsets( @ ) {
+    my $set;
+
+    if ( @_ > 1 ) {
+	push_indent;
+	emit( "for set in @_; do" );
+	$set = '$set';
+    } else {
+	$set = $_[0];
+    }

    if ( $family == F_IPV4 ) {
 	if ( have_capability 'IPSET_V5' ) {
 	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
-		   qq(        \$IPSET -N $set hash:ip family inet) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
 		   qq(    fi) );
 	} else {
 	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
@@ -8241,10 +8274,15 @@ sub ensure_ipset( $ ) {
 	}
    } else {
 	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
-	       qq(        \$IPSET -N $set hash:ip family inet6) ,
+	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
 	       qq(    fi) );
    }
+
+    if ( @_ > 1 ) {
+	emit 'done';
+	pop_indent;
+    }
 }

 #
@@ -8253,22 +8291,26 @@ sub ensure_ipset( $ ) {
 sub create_save_ipsets() {
    my @ipsets = all_ipsets;

-    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones and blacklisting\n#",
 	  'save_ipsets() {' );

    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
+	      '    local set' ,
 	      '',
 	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );

 	if ( @ipsets ) {
 	    emit '';
-	    ensure_ipset( $_ ) for @ipsets;
+	    ensure_ipsets( @ipsets );
 	}

 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+		#
+		# Requires V5 or later
+		#
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';

 		emit( '' ,
@@ -8277,11 +8319,6 @@ sub create_save_ipsets() {
 		      '    local set' ,
 		    );

-		if ( @ipsets ) {
-		    emit '';
-		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
-		}
-
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
@@ -8289,6 +8326,9 @@ sub create_save_ipsets() {
 		      '',
 		    );
 	    } else {
+		#
+		# Saving all ipsets (IPv4 and IPv6, if any )
+		# 
 		emit ( 
 		       '',
 		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
@@ -8297,28 +8337,48 @@ sub create_save_ipsets() {
 	    }

 	    emit( "    return 0",
-		  '',
 		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
+	    #
+	    # Requires V5 or later
+	    #
+	    my %ipsets;
+	    #
+	    # Requires V
+	    #
+	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
+
+	    my @sets = sort keys %ipsets;
+
 	    emit( '' ,
+		  '    rm -f $file' ,
+		  '    touch $file' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);

-	    if ( @ipsets ) {
-		emit '';
-		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+	    if ( @sets > 1 ) {
+		emit( '' ,
+		      "    for set in @sets; do" , 
+		      '        if qt $IPSET list $set; then' ,
+		      '            $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
+		      '        else' ,
+		      '            error_message "ipset $set not saved (not found)"' ,
+		      '        fi' ,
+		      '    done' );
+	    } else {
+		my $set = $sets[0];
+
+		emit( '' ,
+		      "    if qt \$IPSET list $set; then" ,
+		      "        \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
+		      '    else' ,
+		      "        error_message 'ipset $set not saved (not found)'" ,
+		      '    fi' );
 	    }

 	    emit( '' ,
-		  "    if qt \$IPSET list $_; then" ,
-		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
-		  '    else' ,
-		  "        error_message 'ipset $_ not saved (not found)'" ,
-		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-
-	    emit( '' ,
-		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
+		  "    grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
 		  '' ,
 		  '    return 0',
 		  '' ,
@@ -8334,13 +8394,58 @@ sub create_save_ipsets() {
    }
 }

-sub load_ipsets() {
+sub create_load_ipsets() {

-    my @ipsets = all_ipsets;
+    my @ipsets = all_ipsets; #Dynamic Zone IPSETS

-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit ( '', );
-	emit ( '',
+    my $setting = $config{SAVE_IPSETS};
+
+    my $havesets =  @ipsets || @{$globals{SAVED_IPSETS}} || ( $setting && have_ipset_rules );
+
+    #
+    # Generate a function that flushes and destroys sets prior to restoring them
+    #
+    if ( $havesets ) {
+	my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+	emit ( "#\n#Flush and Destroy the sets that we will subsequently attempt to restore\n#",
+	       'zap_ipsets() {',
+	       '    local set',
+	       '' );
+
+	if ( $family == F_IPV6 || $setting !~ /yes/i ) {
+	    #
+	    # Requires V5 or later
+	    #
+	    emit( '' ,
+		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '        $IPSET flush $set' ,
+		  '        $IPSET destroy $set' ,
+		  "    done" ,
+		  '',
+		);
+	} else {
+	    #
+	    # Restoring all ipsets (IPv4 and IPv6, if any)
+	    #
+	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '    fi' );
+	};
+
+	emit( '}' );
+    }
+    #
+    # Now generate load_ipsets()
+    
+    emit ( "#\n#Flush and Destroy the sets then load fresh copy from a saved ipset file\n#",
+	   'load_ipsets() {' );
+
+    push_indent;
+
+    if ( $havesets ) {
+	emit(  '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8351,86 +8456,56 @@ sub load_ipsets() {
 	       '        ;;',
 	       'esac' ,
 	       '' ,
-	       'if [ "$COMMAND" = start ]; then' );
+	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################

-	if ( $config{SAVE_IPSETS} ) {
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET -F' ,
-		   '        $IPSET -X' ,
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
+		  '        zap_ipsets',
+		  '        $IPSET -R < ${VARDIR}/ipsets.save',
 		  '    fi' );
+	}

 	if ( @ipsets ) {
 	    emit ( '' );
-		ensure_ipset( $_ ) for @ipsets;
-		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-	    }
-	} else {
-	    ensure_ipset( $_ ) for @ipsets;
-
-	    if ( @{$globals{SAVED_IPSETS}} ) {
-		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-	    }
+	    ensure_ipsets( @ipsets );
 	}

-	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
+	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ); ### Restore Command #################

-	if ( $config{SAVE_IPSETS} ) {
+	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
 	    emit( '    if [ -f $(my_pathname)-ipsets ]; then' ,
 		  '        if chain_exists shorewall; then' ,
 		  '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
 		  '        else' ,
-		  '            $IPSET -F' ,
-		  '            $IPSET -X' ,
+		  '            zap_ipsets' ,
 		  '            $IPSET -R < $(my_pathname)-ipsets' ,
 		  '        fi' ,
 		  '    fi' ,
 		);
+	}

 	if ( @ipsets ) {
 	    emit ( '' );
-		ensure_ipset( $_ ) for @ipsets;
+	    ensure_ipsets( @ipsets );
+
+	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
+	    ensure_ipsets( @ipsets );
+
+	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );
 	    emit ( '' );
-	    }
-	} else {
-	    ensure_ipset( $_ ) for @ipsets;
-
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET flush' ,
-		   '        $IPSET destroy' ,
-		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-	}
-
-	if ( @ipsets ) {
-	    emit ( 'elif [ "$COMMAND" = reload ]; then' );
-	    ensure_ipset( $_ ) for @ipsets;
-	}
-
-	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-	      '   save_ipsets'
-	    );
-
-	if ( @ipsets ) {
-	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
-	    ensure_ipset( $_ ) for @ipsets;
 	};

 	emit ( 'fi' ,
 	       '' );
+    } else {
+	emit 'true';
    }
+
+    pop_indent;
+
+    emit '}';	    
 }

 #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -368,6 +368,7 @@ sub generate_script_3($) {
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
+    create_load_ipsets;

    emit "#\n# Start/Reload the Firewall\n#";

@@ -406,7 +407,9 @@ sub generate_script_3($) {
 	   'fi',
 	   '' );

-    load_ipsets;
+    emit( 'load_ipsets' ,
+	  '' );
+
    create_nfobjects;
    verify_address_variables;
    save_dynamic_chains;
@@ -573,16 +576,16 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        logger -p kern.info "$g_product started"
+        mylogger kern.info "$g_product started"
        ;;
-    reloaded)
-        logger -p kern.info "$g_product reloaded"
+    reload)
+        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
-        logger -p kern.info "$g_product refreshed"
+        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
-        logger -p kern.info "$g_product restored"
+        mylogger kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -867,10 +870,6 @@ sub compiler {
    #
    complete_policy_chains;
    #
-    # Reject Action
-    #
-    process_reject_action if $config{REJECT_ACTION};
-    #
    # Accounting.
    #
    setup_accounting if $config{ACCOUNTING};
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -161,6 +161,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       set_section_function
                                       clear_section_function
                                       directive_callback
+		                       add_ipset
+		                       all_ipsets

 				       $product
 				       $Product
@@ -344,7 +346,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                                 => 'Ipset Match nomatch',
 		 IPSET_MATCH_COUNTERS
                                 => 'Ipset Match counters',
-		 IPSET_V5        => 'Version 5 ipsets',
+		 IPSET_V5        => 'Version 5 or later ipset',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -673,6 +675,7 @@ our $section_function; #Function Reference for handling ?section

 our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().

+our %ipsets; # All required IPsets
 #
 # Files located via find_file()
 #
@@ -1073,6 +1076,7 @@ sub initialize( $;$$) {
    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
+    %ipsets = ();

    %helpers_enabled = (
 			amanda       => 1,
@@ -1171,6 +1175,14 @@ sub initialize( $;$$) {

 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );

+sub add_ipset( $ ) {
+    $ipsets{$_[0]} = 1;
+}
+
+sub all_ipsets() {
+    sort keys %ipsets;
+}
+
 #
 # Create 'currentlineinfo'
 #
@@ -1244,6 +1256,34 @@ sub shortlineinfo( $ ) {

 sub handle_first_entry();

+#
+# Issue a Information Message
+#
+sub info_message
+{
+    my $currentlineinfo = currentlineinfo;
+    our @localtime;
+
+    handle_first_entry if $first_entry;
+
+    $| = 1; #Reset output buffering (flush any partially filled buffers).
+
+    if ( $log ) {
+	@localtime = localtime;
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+    }
+
+    if ( $confess ) {
+	print STDERR longmess( "   INFO: @_$currentlineinfo" );
+	print $log   longmess( "   INFO: @_$currentlineinfo\n" ) if $log;
+    } else {
+	print STDERR "   INFO: @_$currentlineinfo\n";
+	print $log   "   INFO: @_$currentlineinfo\n" if $log;
+    }
+
+    $| = 0; #Re-allow output buffering
+}
+
 #
 # Issue a Warning Message
 #
@@ -1673,7 +1713,7 @@ sub progress_message {

 	    @localtime = localtime unless $havelocaltime;

-	    printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
    }
@@ -1692,7 +1732,7 @@ sub progress_message_nocompress {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1713,7 +1753,7 @@ sub progress_message2 {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1734,7 +1774,7 @@ sub progress_message3 {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -2510,6 +2550,13 @@ sub directive_warning( $$$ ) {
    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
 }

+sub directive_info( $$$ ) {
+    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    ( my $info, $currentfilename, $currentlinenumber ) = @_;
+    info_message $info;
+    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+}
+
 #
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
@@ -2656,7 +2703,7 @@ sub process_compiler_directive( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;

    my ($keyword, $expression) = ( uc $1, $2 );

@@ -2801,7 +2848,26 @@ sub process_compiler_directive( $$$$ ) {
 						    1 ) ,
 			       $filename ,
 			       $linenumber ) unless $omitting;
-	  }
+	  } ,
+
+	  WARNING => sub() {
+	      directive_warning( evaluate_expression( $expression ,
+						      $filename ,
+						      $linenumber ,
+						      1 ),
+				 $filename ,
+				 $linenumber ) unless $omitting;
+	  } ,
+
+	  INFO => sub() {
+	      directive_info( evaluate_expression( $expression ,
+						   $filename ,
+						   $linenumber ,
+						   1 ),
+			      $filename ,
+			      $linenumber ) unless $omitting;
+	  } ,
+
 	);

    if ( my $function = $directives{$keyword} ) {
@@ -3514,7 +3580,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -4894,8 +4960,16 @@ sub ensure_config_path() {

    @config_path = split /:/, $config{CONFIG_PATH};

+    #
+    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
+    # clash on a case-insensitive filesystem.
+    #
+    push @config_path, $globals{SHAREDIR}    . "/deprecated";
+    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
+
    for ( @config_path ) {
 	$_ .= '/' unless m|/$|;
+        s|//|/|g;
    }

    if ( $shorewall_dir ) {
@@ -5411,7 +5485,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}
@@ -5851,16 +5925,21 @@ sub get_configuration( $$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';

-    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
    $val = $config{SAVE_IPSETS};
-	unless ( $val eq 'ipv4' ) {
+
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
+	if ( $val eq 'ipv4' ) {
+	    fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
+	} else {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
-	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
+
+	require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
    }

+
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5991,7 +6070,33 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }

-    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
+    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
+	if ( $val =~ /^ipset/ ) {
+	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
+
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
+
+	    if ( supplied( $set ) ) {
+		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
+	    } else {
+		$set = 'SW_DBL' . $family;
+	    }
+
+	    add_ipset( $set );
+	    
+	    $level = validate_level( $level );
+
+	    $tag = '' unless defined $tag;
+
+	    $config{DYNAMIC_BLACKLIST} = join( ':', $key, $set, $level, $tag );
+
+	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
+
+	} else {
+	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
+	}
+    }
+
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
@@ -6503,7 +6608,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
 	conditionally_add_option $option;
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -646,6 +646,7 @@ sub create_docker_rules() {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
@@ -674,18 +675,90 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
+    my $dbl_type;
+    my $dbl_ipset;
+    my $dbl_level;
+    my $dbl_tag;
+    my $dbl_target;
+
+    if ( $config{REJECT_ACTION} ) {
+	process_reject_action;
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+    } else {
+	if ( have_capability( 'ADDRTYPE' ) ) {
+	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
+	} else {
+	    if ( $family == F_IPV4 ) {
+		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
+	    } else {
+		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
+	    }
+
+	    incr_cmd_level $rejectref;
+	    add_ijump $rejectref, j => 'DROP', d => '$address';
+	    decr_cmd_level $rejectref;
+	    add_commands $rejectref, 'done';
+	}
+
+	if ( $family == F_IPV4 ) {
+	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
+	} else {
+	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
+	}
+
+	add_ijump $rejectref , j => 'DROP', p => 2;
+	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+
+	if ( have_capability( 'ENHANCED_REJECT' ) ) {
+	    add_ijump $rejectref , j => 'REJECT', p => 17;
+
+	    if ( $family == F_IPV4 ) {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
+	    } else {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
+	    }
+	} else {
+	    add_ijump $rejectref , j => 'REJECT';
+	}
+    }
+
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};

-    if ( $config{DYNAMIC_BLACKLIST} ) {
+    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
+	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
+
+	unless ( $dbl_type =~ /^ipset-only/ ) {
 	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
 	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
 	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
 	}

+	if ( $dbl_ipset ) {
+	    if ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+	    } else {
+		$dbl_target = 'DROP'; 
+	    }
+	}
+    }
+
    setup_mss;

    if ( $config{FASTACCEPT} ) {
@@ -787,8 +860,13 @@ sub add_common_rules ( $ ) {
 		}
 	    }

+	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
+		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+	    }
+	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -947,46 +1025,6 @@ sub add_common_rules ( $ ) {
 	}
    }

-    unless ( $config{REJECT_ACTION} ) {
-	if ( have_capability( 'ADDRTYPE' ) ) {
-	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
-	} else {
-	    if ( $family == F_IPV4 ) {
-		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
-	    } else {
-		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
-	    }
-
-	    incr_cmd_level $rejectref;
-	    add_ijump $rejectref, j => 'DROP', d => '$address';
-	    decr_cmd_level $rejectref;
-	    add_commands $rejectref, 'done';
-	}
-
-	if ( $family == F_IPV4 ) {
-	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
-	} else {
-	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
-	}
-
-	add_ijump $rejectref , j => 'DROP', p => 2;
-	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
-
-	if ( have_capability( 'ENHANCED_REJECT' ) ) {
-	    add_ijump $rejectref , j => 'REJECT', p => 17;
-
-	    if ( $family == F_IPV4 ) {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
-	    } else {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
-	    }
-	} else {
-	    add_ijump $rejectref , j => 'REJECT';
-	}
-    }
-
    $list = find_interfaces_by_option 'dhcp';

    if ( @$list ) {
@@ -1113,7 +1151,7 @@ sub add_common_rules ( $ ) {

 	    for $interface ( @$list ) {
 		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{POSTROUTING} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}

@@ -1801,12 +1839,14 @@ sub add_output_jumps( $$$$$$$$ ) {
    my $use_output        = 0;
    my @dest              = imatch_dest_net $net;
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
+    my @zone_interfaces   = keys %{zone_interfaces( $zone )};

-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
+	# - The zone has multiple interfaces
 	#
 	#   In any of these cases use the inteface output chain
 	#
@@ -1823,7 +1863,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
-	    # Not a bridge -- match the input interface
+	    # Not a bridge -- match the output interface
 	    #
 	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
@@ -2433,16 +2473,16 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            logger -p kern.err "ERROR:$g_product start failed"
+	            mylogger kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            logger -p kern.err "ERROR:$g_product reload failed"
+	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
-	            logger -p kern.err "ERROR:$g_product refresh failed"
+	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
-                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac

@@ -2651,7 +2691,7 @@ EOF
    emit '

    set_state "Stopped"
-    logger -p kern.info "$g_product Stopped"
+    mylogger kern.info "$g_product Stopped"

    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -392,7 +392,7 @@ sub start_provider( $$$$$ ) {
 }

 #
-# Look up a provider and return it's number. If unknown provider, 0 is returned
+# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
 #
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
@@ -408,7 +408,7 @@ sub lookup_provider( $ ) {
 	}
    }

-    $providerref ? $providerref->{number} : 0;
+    $providerref;
 }

 #
@@ -666,7 +666,9 @@ sub process_a_provider( $ ) {
    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	my $p = lookup_provider( $duplicate );
-	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
+	my $n = $p ? $p->{number} : 0;
+	warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
+	warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
    } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -1094,7 +1096,7 @@ CEOF

    if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "persistent_${what}_${table}\n" );
+	    emit( "do_persistent_${what}_${table}\n" );
 	}

 	if ( $shared ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2193,10 +2193,16 @@ sub use_policy_action( $$ ) {
 sub process_reject_action() {
    my $rejectref = $filter_table->{reject};
    my $action    = $config{REJECT_ACTION};
+    #
+    # This gets called very early in the compilation process so we fake the section
+    #
+    $section = DEFAULTACTION_SECTION;

    if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
    } else {
+	progress_message2 "$doing $actions{$action}->{file} for chain reject...";
+
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
@@ -2221,6 +2227,8 @@ sub process_reject_action() {
 			0,            #Wildcard
 	    );
    }
+
+    $section = '';
 }

 ################################################################################
@@ -2384,7 +2392,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {

    setup_audit_action( $inline ) if $options & AUDIT_OPT;

-    progress_message "..Expanding inline action $inlinefile...";
+    progress_message "..Expanding inline action $inlinefile..." unless $inline eq $config{REJECT_ACTION};

    push_open $inlinefile, 2, 1, undef , 2;

@@ -3769,7 +3777,7 @@ sub process_rules() {
 			UNTRACKED_SECTION,   'UNTRACKED' );

    #
-    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain will already exist.
+    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain may already exist.
    #
    $usedactions{normalize_action_name( 'A_REJECT' )} = $filter_table->{A_REJECT} if $filter_table->{A_REJECT};
    #
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -674,7 +674,8 @@ sub validate_tc_class( ) {
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;

-	fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+	fatal_error "MARK value too large"        unless $markval <= $globals{TC_MAX};
+	fatal_error "MARK value must be non-zero" unless $markval;

 	if ( $classnumber ) {
 	    fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -103,7 +103,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_hosts_by_option
 		    find_zone_hosts_by_option
 		    find_zones_by_option
-		    all_ipsets
 		    have_ipsec
 		 ),
 	      );
@@ -210,7 +209,6 @@ our @interfaces;
 our %interfaces;
 our %roots;
 our @bport_zones;
-our %ipsets;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -326,7 +324,6 @@ sub initialize( $$ ) {
    %roots = ();
    %interfaces = ();
    @bport_zones = ();
-    %ipsets = ();
    %basemap = ();
    %basemap1 = ();
    %mapbase = ();
@@ -348,6 +345,7 @@ sub initialize( $$ ) {
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				  nodbl       => SIMPLE_IF_OPTION,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
@@ -395,6 +393,7 @@ sub initialize( $$ ) {
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
@@ -1280,7 +1279,7 @@ sub process_interface( $$ ) {
 		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		    fatal_error "Duplicate $option option" if $netsref;
 		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			require_capability( 'IPSET_V5', 'Dynamic nets', '');
 			$hostoptions{dynamic} = 1;
 			#
 			# Defer remaining processing until we have the final physical interface name
@@ -1344,7 +1343,7 @@ sub process_interface( $$ ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
+	    add_ipset($ipset);
 	}

 	if ( $options{bridge} ) {
@@ -2153,7 +2152,7 @@ sub process_host( ) {

 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{$set} = 1;
+	add_ipset($set);
    }

    #
@@ -2273,8 +2272,4 @@ sub find_zones_by_option( $$ ) {
    \@zns;
 }

-sub all_ipsets() {
-    sort keys %ipsets;
-}
-
 1;
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }

 #
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface

 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }

 #
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -23,14 +23,17 @@ COUNT
 #
 Auth(A_DROP)
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall/action.A_Reject.deprecated
+++ b/Shorewall/action.A_Reject.deprecated
@@ -18,15 +18,18 @@
 #
 COUNT
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -10,7 +10,7 @@
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
-# The action accepts five optional parameters:
+# The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
@@ -22,6 +22,8 @@
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
@@ -29,12 +31,12 @@

 ?if passed(@1)
    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
 ?else
-DEFAULTS -,-,DROP,ACCEPT,DROP
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
 ?endif

 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
@@ -49,14 +51,17 @@ COUNT
 Auth(@2)
 ?endif
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Don't log broadcasts
 #
 Broadcast(DROP,@1)
 #
-# ACCEPT critical ICMP types
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
@@ -65,7 +70,7 @@ Invalid(DROP,@1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -10,7 +10,7 @@
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
-# The action accepts five optional parameters:
+# The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
@@ -22,18 +22,20 @@
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################

 ?if passed(@1)
    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
    ?else
 	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
 ?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
 ?endif

 #ACTION		SOURCE	DEST	PROTO
@@ -48,15 +50,18 @@ COUNT
 Auth(@2)
 ?endif
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 #
-# ACCEPT critical ICMP types
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
@@ -66,7 +71,7 @@ Invalid(DROP,@1)
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -419,11 +419,13 @@ mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -512,7 +514,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
+echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"

 cd configfiles

@@ -1060,15 +1062,31 @@ fi
 # Install the Action files
 #
 for f in action.* ; do
+    case $f in
+	*.deprecated)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
+	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
+	    ;;
+	*)
 	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
 	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	    ;;
+    esac
 done

 cd Macros

 for f in macro.* ; do
+    case $f in
+	*.deprecated)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
+	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
+	    ;;
+	*)
 	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
 	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	    ;;
+    esac
 done

 cd ..
@@ -1159,6 +1177,8 @@ fi
 # Install the Man Pages
 #

+if [ -n "$MANDIR" ]; then
+
 cd manpages

 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1178,6 +1198,7 @@ done
 cd ..

 echo "Man Pages Installed"
+fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -333,6 +333,38 @@ get_config() {
 	g_pager="| $g_pager"
    fi

+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -403,7 +435,7 @@ compiler() {
    get_config Yes

    case $COMMAND in
-	*start|try|refresh)
+	*start|try|refresh|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -498,7 +530,6 @@ compiler() {
 start_command() {
    local finished
    finished=0
-    local object
    local rc
    rc=0

@@ -517,7 +548,7 @@ start_command() {
 		[ -n "$nolock" ] || mutex_off
 	    else
 		rc=$?
-		logger -p kern.err "ERROR:$g_product start failed"
+		mylogger kern.err "ERROR:$g_product start failed"
 	    fi
 	fi

@@ -608,7 +639,7 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/$object; then
+	if ! uptodate ${VARDIR}/firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
@@ -997,7 +1028,7 @@ restart_command() {
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
-	    logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
+	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
    else
 	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -130,6 +130,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><option>logjump</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. Performs the same function as
+                <option>nolog</option> (below), with the addition that the
+                jump to the actions chain is logged if a log level is
+                specified on the action invocation. For inline actions, this
+                option is identical to <option>nolog</option>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><option>mangle</option></term>

--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -488,6 +488,15 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">nodbl</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. When specified, dynamic
+                blacklisting is disabled on the interface.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>

--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -504,7 +504,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set

                    <member>0xc0a80403 LAND 0xFF = 0x03</member>

-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -156,20 +156,23 @@

      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> -
-        {-|<emphasis>value</emphasis>}</term>
+        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>

        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
          file, marking the traffic you want to fit in the classes defined in
-          here. Must be specified as '-' if the <emphasis
-          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
-          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-          and you are running Shorewall 4.5.5 or earlier.</para>
+          here. You can use the same marks for different interfaces.</para>

-          <para>You can use the same marks for different interfaces.</para>
+          <para>The <replaceable>priority</replaceable>, if specified, is an
+          integer in the range 1-65535 and determines the relative order in
+          which the tc mark classification filter for this class is to be
+          applied to packets being sent on the
+          <replaceable>interface</replaceable>. Filters are applied in
+          ascending numerical order. If not supplied, the value is derived
+          from the class priority (PRIORITY column value below):
+          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
        </listitem>
      </varlistentry>

@@ -293,7 +296,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>You must define <emphasis
@@ -320,7 +323,7 @@
                priority determines the order in which filter rules are
                processed during packet classification. If not specified, the
                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                10) is used.</para>
+                15) is used.</para>
              </listitem>
            </varlistentry>

@@ -339,7 +342,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 15)
                is used.</para>

                <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis>       0x10/0x10
@@ -372,7 +375,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                is used.</para>

                <note>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -761,15 +761,38 @@

      <varlistentry>
        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>||<emphasis
+        role="bold">ipset</emphasis>[<emphasis
+        role="bold">-only</emphasis>][,<emphasis
+        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall drop</command>,
-          <command>shorewall reject</command>, <command>shorewall
-          logdrop</command> and <command>shorewall logreject</command> is
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          chain-based dynamic blacklisting using the <command>shorewall6
+          drop</command>, <command>shorewall6 reject</command>,
+          <command>shorewall6 logdrop</command> and <command>shorewall6
+          logreject</command> is disabled. Default is <emphasis
+          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
+          ipset-based dynamic blacklisting is also supported. The name of the
+          set (<replaceable>setname</replaceable>) and the level
+          (<replaceable>log_level</replaceable>), if any, at which blacklisted
+          traffic is to be logged may also be specified. The default set name
+          is SW_DBL4 and the default log level is <option>none</option> (no
+          logging). if <option>ipset-only</option> is given, then chain-based
+          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
+          had been specified. Normally, only packets whose source address
+          matches an entry in the ipsec are dropped. If
+          <option>src-dst</option> is included, then packets whose destination
+          address matches an entry in the ipset are also dropped.</para>
+
+          <para>When ipset-based dynamic blacklisting is enabled, the contents
+          of the blacklist will be preserved over
+          <command>stop</command>/<command>reboot</command>/<command>start</command>
+          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
+          <replaceable>setname</replaceable> is included in the list of sets
+          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>

@@ -824,7 +847,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          packets until these packets reach the chain in which the original
          connection was accepted. So for packets going from the 'loc' zone to
          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc2net' chain.</para>
+          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
+          (see below).</para>

          <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
          are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -2480,9 +2504,11 @@ INLINE          -       -       -       ; -j REJECT
          <para>If specified, determines where Shorewall will log the details
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis> and <emphasis
-          role="bold">refresh</emphasis> command. Logging verbosity is
-          determined by the setting of LOG_VERBOSITY above.</para>
+          role="bold">restart</emphasis>, <emphasis
+          role="bold">refresh</emphasis>, <emphasis
+          role="bold">try</emphasis>, and <emphasis
+          role="bold">safe-</emphasis>* command. Logging verbosity is
+          determined by the setting of LOG_VERBOSITY above. </para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -49,6 +49,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall</command>

@@ -955,6 +968,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
+          <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -2593,6 +2625,34 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -670,6 +683,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          The <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -1515,6 +1547,35 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by
+    Shorewall6-lite:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>See ALSO</title>

--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -83,7 +83,7 @@ case "$command" in
 	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -365,6 +365,15 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">nodbl</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. When specified, dynamic
+                blacklisting is disabled on the interface.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">optional</emphasis></term>

--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -515,7 +515,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set

                    <member>0xc0a80403 LAND 0xFF = 0x03</member>

-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -152,20 +152,23 @@

      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> -
-        {-|<emphasis>value</emphasis>}</term>
+        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>

        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
-          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
+          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
          file, marking the traffic you want to fit in the classes defined in
-          here. Must be specified as '-' if the <emphasis
-          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
-          url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
-          and you are running Shorewall 4.5 5 or earlier.</para>
+          here. You can use the same marks for different interfaces.</para>

-          <para>You can use the same marks for different interfaces.</para>
+          <para>The <replaceable>priority</replaceable>, if specified, is an
+          integer in the range 1-65535 and determines the relative order in
+          which the tc mark classification filter for this class is to be
+          applied to packets being sent on the
+          <replaceable>interface</replaceable>. Filters are applied in
+          ascending numerical order. If not supplied, the value is derived
+          from the class priority (PRIORITY column value below):
+          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
        </listitem>
      </varlistentry>

@@ -314,7 +317,7 @@
                priority determines the order in which filter rules are
                processed during packet classification. If not specified, the
                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                10) is used.</para>
+                15) is used.</para>
              </listitem>
            </varlistentry>

@@ -366,7 +369,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                is used.</para>

                <note>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -623,15 +623,38 @@

      <varlistentry>
        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>||<emphasis
+        role="bold">ipset</emphasis>[<emphasis
+        role="bold">-only</emphasis>][,<emphasis
+        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall6 drop</command>,
-          <command>shorewall6 reject</command>, <command>shorewall6
-          logdrop</command> and <command>shorewall6 logreject</command> is
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          chain-based dynamic blacklisting using the <command>shorewall6
+          drop</command>, <command>shorewall6 reject</command>,
+          <command>shorewall6 logdrop</command> and <command>shorewall6
+          logreject</command> is disabled. Default is <emphasis
+          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
+          ipset-based dynamic blacklisting is also supported. The name of the
+          set (<replaceable>setname</replaceable>) and the level
+          (<replaceable>log_level</replaceable>), if any, at which blacklisted
+          traffic is to be logged may also be specified. The default set name
+          is SW_DBL6 and the default log level is <option>none</option> (no
+          logging). if <option>ipset-only</option> is given, then chain-based
+          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
+          had been specified. Normally, only packets whose source address
+          matches an entry in the ipsec are dropped. If
+          <option>src-dst</option> is included, then packets whose destination
+          address matches an entry in the ipset are also dropped.</para>
+
+          <para>When ipset-based dynamic blacklisting is enabled, the contents
+          of the blacklist will be preserved over
+          <command>stop</command>/<command>reboot</command>/<command>start</command>
+          sequences if SAVE_IPSETS=Yes or if
+          <replaceable>setname</replaceable> is included in the list of sets
+          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>

@@ -686,7 +709,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          packets until these packets reach the chain in which the original
          connection was accepted. So for packets going from the 'loc' zone to
          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc2net' chain.</para>
+          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
+          (see below).</para>

          <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
          are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -2115,11 +2139,13 @@ INLINE          -       -       -       ; -j REJECT
        role="bold">STARTUP_LOG=</emphasis>[<emphasis>pathname</emphasis>]</term>

        <listitem>
-          <para>If specified, determines where Shorewall6 will log the details
+          <para>If specified, determines where Shorewall will log the details
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis> and <emphasis
-          role="bold">refresh</emphasis> command. Logging verbosity is
+          role="bold">restart</emphasis>, <emphasis
+          role="bold">refresh</emphasis>, <emphasis
+          role="bold">try</emphasis>, and <emphasis
+          role="bold">safe-</emphasis>* command. Logging verbosity is
          determined by the setting of LOG_VERBOSITY above.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -48,6 +48,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -923,6 +936,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          The <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -2469,6 +2501,34 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall6:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>See ALSO</title>

--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -74,7 +74,7 @@
  <section>
    <title>Documentation for Earlier Versions</title>

-    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.4/4.6
+    <para><ulink url="4.6/Documentation_Index.html">Shorewall 4.4/4.6
    Documentation</ulink></para>

    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -204,7 +204,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally. The default is
+            is given, the log prefix is determined normally. The default is
            ACCEPT.</para>
          </listitem>
        </varlistentry>
@@ -258,7 +258,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -404,7 +404,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
          </listitem>
        </varlistentry>
      </variablelist>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1739,7 +1739,7 @@ SSH(ACCEPT)    net:$MYIP      $FW

      <listitem>
        <para><ulink
-        url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
+        url="manpages/shorewall-blrules.html">shorewall-blrules</ulink>
        (5)</para>
      </listitem>

@@ -1747,6 +1747,12 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink url="Macros.html">Macro</ulink> files</para>
      </listitem>

+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>
+        (5)</para>
+      </listitem>
+
      <listitem>
        <para><ulink
        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5)</para>
@@ -1756,17 +1762,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink
        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
      </listitem>
-
-      <listitem>
-        <para><ulink
-        url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
-        (5)</para>
-      </listitem>
-
-      <listitem>
-        <para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
-        (5)</para>
-      </listitem>
    </itemizedlist>

    <para>They may also appear in the ORIGDEST column of:</para>
@@ -1830,7 +1825,7 @@ SSH(ACCEPT)    net:$MYIP      $FW

      <listitem>
        <para><ulink
-        url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
+        url="manpages/shorewall-blrules.html">shorewall-blrules</ulink>
        (5)</para>
      </listitem>

@@ -1838,6 +1833,12 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink url="Macros.html">Macro</ulink> files</para>
      </listitem>

+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>
+        (5)</para>
+      </listitem>
+
      <listitem>
        <para><ulink
        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5) (As a
@@ -1846,18 +1847,13 @@ SSH(ACCEPT)    net:$MYIP      $FW

      <listitem>
        <para><ulink
-        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
+        url="manpages/shorewall-routes.html">shorewall-routes</ulink>
+        (5)</para>
      </listitem>

      <listitem>
        <para><ulink
-        url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
-        (5)</para>
-      </listitem>
-
-      <listitem>
-        <para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
-        (5)</para>
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
      </listitem>
    </itemizedlist>

@@ -2227,6 +2223,20 @@ SSH(ACCEPT)    net:$MYIP      $FW

    <programlisting>   ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
      from /etc/shorewall/rules (line 45)</programlisting>
+
+    <para>In Shorewall 5.0.8, ?WARNING and ?INFO directives were added.</para>
+
+    <programlisting>?WARNING <replaceable>message</replaceable>
+?INFO <replaceable>message</replaceable></programlisting>
+
+    <para>?WARNING message produces a standard Shorewall WARNING: message,
+    while ?INFO produces a similar message which is prefaced by INFO: rather
+    than WARNING:. Both write the message to STDERR. The message is also
+    written to the STARTUP_LOG, if any, provided that the command is
+    <command>start</command>, <command>try</command>,
+    <command>restart</command>, <command>reload</command>,
+    <command>refresh</command>, or one of the <command>safe</command>-*
+    commands.</para>
  </section>

  <section id="Embedded">
--- a/docs/dhcp.xml
+++ b/docs/dhcp.xml
@@ -109,8 +109,8 @@

      <listitem>
        <para>In the event that the subnet address might change while
-        Shorewall is started, you need to arrange for a <quote>shorewall
-        refresh</quote> command to be executed when a new dynamic IP address
+        Shorewall is started, you need to arrange for a <command>shorewall
+        reload</command> command to be executed when a new dynamic IP address
        gets assigned to the interface. Check your DHCP client's
        documentation.</para>
      </listitem>
Author	SHA1	Message	Date
Tom Eastep	5fbc5f1430	Apply Paul Gear's patch for Ubuntu 16.04 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-02 07:26:10 -07:00
Tom Eastep	cae7c5d300	Fix link Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-01 10:44:12 -07:00
Tom Eastep	bba851117a	Correct typo in manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-01 10:44:01 -07:00
Matt Darfeuille	91702f094d	patches and request Tom, Some patches for the trunk repo(fixes.patch): Patch1: Fix a typo in the path being printed for the standard actions file. Patch2: Will only install the shorewall's manpages if the variable MANDIR is none-empty(I did it only for the sake of completeness)! Patch3: Will only install the shorewall-lite's manpages if the variable MANDIR is none-empty. Patch4: Correct multiple product name's typos in shorewall-init/install.sh. Patch5: Remove ~/.shorewallrc when shorewall-core is uninstalled. And two other patches for the release repo(changelog-1.patch): Patch1: Changed restart to reload for the line: 'Update DHCP article(refresh -> restart). Patch2: Rephrased the line for the newly added ?WARNING and ?INFO directives. Request: Could the date of the compiled firewall script also be displayed when 'shorewall status' is executed? -Matt -------------- Enclosure number 2 ---------------- >From a5ae24bbe9b25aefdbcc4d7c8e5d013a36b03078 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Sat, 23 Apr 2016 14:44:19 +0200 Subject: [PATCH 1/5] Fix typo in printed path for standard actions file Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-28 16:42:52 -07:00
Tom Eastep	49c94bc5ec	Fix Shorewall6 init.sh Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-28 16:42:32 -07:00
Tom Eastep	67c2587890	Correct typos in the Events article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-25 16:09:10 -07:00
Tom Eastep	f6b7eb4ea0	Correct handling of persistent provider with no IP address Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-25 12:27:00 -07:00
Tom Eastep	f16e3f1fbe	Issue warning when enable/disable won't work correctly Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-19 10:42:50 -07:00
Tom Eastep	71bd7a4647	Update the STARTUP_LOG description in shorewall[6].conf - Update list of commands Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-19 07:49:37 -07:00
Tom Eastep	ab95607f5f	Document ?WARNING and ?INFO Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-18 14:47:08 -07:00
Tom Eastep	f9bbca8b05	Expand the list of commands that write to STARTUP_LOG - add the safe-* commands Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-18 14:16:13 -07:00
Tom Eastep	0faf3b6db1	Send INFO messages to STDERR rather than STDOUT	2016-04-18 13:59:29 -07:00
Tom Eastep	3253c882e9	Merge branch '5.0.8'	2016-04-18 12:36:28 -07:00
Tom Eastep	5212dba7cb	Add an ESTABLISHED,RELATED rule for docker0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-18 10:13:05 -07:00
Tom Eastep	35a22eedac	Reword error message when tcclass MARK is too large Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-18 10:06:04 -07:00
Tom Eastep	2b7ef0fe32	Update the tcclasses manpage to discuss fw mark filter priority - Also correct default priorities for tos= and tcp-ack Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-18 09:18:48 -07:00
Tom Eastep	b53de922d1	Catch 0 in the MARK column of the tcclasses file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-18 08:50:10 -07:00
Matt Darfeuille	365ffaf645	questions On 17 Apr 2016 at 7:45, Tom Eastep wrote: > On 04/17/2016 06:23 AM, Matt Darfeuille wrote: > > >> Tom, I neglected the git part of that request!(sorry): > >> > >> Could changes be also made in the git code repo that take for account > >> case insensitive system?: > >> > >> What I suggest doing is using the deprecated extension when the case > >> of a file is changed in the code so git wouldn't show 'Modified: ...' > >> and simply modifying shorewall/install.sh to strip the file from the > >> deprecated extension and then copying it to the deprecated directory. > >> > >> In other words: when changing the case of a file tracked by git could > >> case-insensitivity platform be taken in to account? > >> > >> -Matt > >> > >> P.S. I'll test SW_LOGGERTAG tomorrow!!!:) > > > > Or do you have a better solution, if no, I could do the changes to > > shorewall/install.sh!? > > Sure -- go ahead. We'll do it in the master branch, though, since I've > now created a 5.0.8 branch for the upcoming release. > > > > > You might want to apply the attached patch to changelog.txt in the > > release repo! > > > > Applied -- thanks! > > -Tom > -- > Tom Eastep \ When I die, I want to go like my Grandfather who > Shoreline, \ died peacefully in his sleep. Not screaming like > Washington, USA \ all of the passengers in his car > http://shorewall.net \________________________________________________ > > Attached as case.patch are 3 patches: 1 and 2 simply rename the deprecated files(adding .deprecated) Patch 3 will modify Shorewall/install.sh to reflect the new naming scheme! I didn't have the time to test SW_LOGGERTAG but will do so in the coming days!!!:) -Matt -------------- Enclosure number 1 ---------------- From 2ecd761b414af61c5854d6427fb9ec8ab1365c7b Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Sun, 17 Apr 2016 18:34:40 +0200 Subject: [PATCH 1/3] Rename macro.SNMPTrap to macro.SNMPTrap.deprecated Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-17 13:50:17 -07:00
Tom Eastep	ae852b513d	Correct indentation issue Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-17 10:23:18 -07:00
Tom Eastep	9611b588e3	Use a uniform format for log timestamps Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-16 09:52:35 -07:00
Tom Eastep	eb95532248	Enable compiler logging on reload and restart Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-16 09:52:17 -07:00
Tom Eastep	fb8dbcf44b	Use a uniform format for log timestamps Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-16 09:49:38 -07:00
Tom Eastep	62a14aab28	Enable compiler logging on reload and restart Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-16 09:37:42 -07:00
Tom Eastep	335f2968f8	Implement ?INFO and ?WARNING Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-16 09:20:09 -07:00
Tom Eastep	32f888a7d4	Add an ENVIRONMENT section to the CLI manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-15 15:41:55 -07:00
Tom Eastep	c725372639	Correct logging of 'reloaded' message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-15 14:46:21 -07:00
Tom Eastep	524838ae47	Implement $SW_LOGGERTAG Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-15 14:29:51 -07:00
Tom Eastep	549af8b402	Update config files where address and gateway variables can be used Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-15 10:51:39 -07:00
Tom Eastep	6aa0ecae4f	Re-factor the code for saving/loading ipsets Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-14 15:15:47 -07:00
Tom Eastep	434e042494	Add the deprecated/ directories to the CONFIG_PATH Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-14 14:17:06 -07:00
Tom Eastep	9fa0df2fd1	Move the code that generates zap_ipsets() to after save_ipsets() generation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-14 09:56:48 -07:00
Tom Eastep	074655d1bd	Fix AUTOMAKE and the start command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-14 09:43:21 -07:00
Tom Eastep	216bc715e8	Clean up V4/V5 ipset enforcement Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-14 09:00:38 -07:00
Tom Eastep	541ecb67b4	Update dhcp article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-13 17:36:56 -07:00
Tom Eastep	dbd42e1d5d	More ipset fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-12 16:29:13 -07:00
Tom Eastep	04ec8273ef	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-04-12 07:13:29 -07:00
Tuomo Soini	772f88b1fd	action.A_Reject: improve comment text Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-12 13:17:56 +03:00
Tuomo Soini	3e0b8c60a2	Reverse the order of ICMP and Broadcast checking in the default actions Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-12 10:12:29 +03:00
Tom Eastep	fc2b555cdb	Correct date formatting in startup_error() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-11 15:24:35 -07:00
Tom Eastep	16afd880b2	Reverse the order of ICMP and Broadcast checking in the default actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-11 11:16:46 -07:00
Tom Eastep	76a5841fcd	Reverse the order of Broadcast and ICMP checking in the default actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-11 10:47:11 -07:00
Tom Eastep	9758e8cdc5	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-04-11 10:41:44 -07:00
Tom Eastep	2cf3706864	Correct handling of a zone with two interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-11 10:32:26 -07:00
Tom Eastep	3028dafbac	Correct DBL 'src-dst' handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-11 09:13:17 -07:00
Tom Eastep	16a31c3d29	Make MINIUPNPD work with DOCKER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-11 09:02:44 -07:00
Tom Eastep	d3f377e915	Don't double-save the dynamic blacklisting ipset Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-11 08:37:39 -07:00
Tuomo Soini	54a5748395	macros: RedisCluster and RedisSentinel http://redis.io/topics/sentinel Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-11 14:39:21 +03:00
Tom Eastep	6c00f72f44	Create ipsets with the 'counters' option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-10 18:09:41 -07:00
Tom Eastep	8dc88898c8	Tidy up the output of 'shorewall[6][-lite] show bl' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-10 17:22:22 -07:00
Tom Eastep	deaaecdf1c	Add 'nodbl' interface option. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-10 16:09:39 -07:00
Tom Eastep	05e4049174	Ipset-based blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-10 16:07:56 -07:00
Tom Eastep	ef10515a42	Correct FASTACCEPT description Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-10 07:20:45 -07:00
Tom Eastep	5db6cb1b7d	Correct load_ipsets() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-09 16:07:10 -07:00
Tom Eastep	76c8917aa7	Add a sixth parameter to Drop and Reject Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-08 09:10:45 -07:00
Tom Eastep	be58d530c4	Document 'logjump' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-08 09:09:59 -07:00
Tom Eastep	321476fd51	Tweak terminating() implementation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-08 08:24:57 -07:00
Tom Eastep	bd6b32eb25	Add a progress message for REJECT_ACTION processing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-07 10:30:54 -07:00
Tom Eastep	4fdf54eca1	Tweak process_reject_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-07 10:02:48 -07:00
Tom Eastep	70bbd21b35	Ensure that the REJECT_ACTION is terminating Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-07 09:34:38 -07:00
Tom Eastep	87a9b95f73	Catch case where a transformed rule jumps to its own chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-07 08:58:50 -07:00
Tom Eastep	ecd7261365	Use -g when target is a terminating chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-07 08:48:36 -07:00
Tom Eastep	293cd1d66a	Always go to the reject chain rather than jump to it Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-06 09:14:06 -07:00
Tom Eastep	436b5d89ce	Correct comment - The chain will only exist if logging wasn't specified for the same disposition. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-06 08:50:29 -07:00