Correct/complete Scott Sumate's LOGFILE enhancement

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -191,6 +191,8 @@ setup_logread() {
 	else
 	    g_logread="logread"
 	fi
+    elif [ "$LOGFILE" = "systemd" ]; then
+	g_logread="journalctl -r"
     elif [ -r $LOGFILE ]; then
 	if qt mywhich tac; then
 	    g_logread="tac $LOGFILE"
@@ -731,12 +733,29 @@ list_zone() {
     done
 }
 
+option_error() {
+    fatal_error "The $COMMAND command does not accept this option: -$1"
+}
+
+too_many_arguments() {
+    fatal_error "Too many arguments: $1"
+}
+
+missing_argument() {
+    fatal_error "Missing argument"
+}
+
+missing_option_value() {
+    fatal_error "The $1 option requires a value"
+}
+
 version_command() {
     local finished
     finished=0
     local all
     all=
     local product
+    local compiletime
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -755,7 +774,7 @@ version_command() {
 			    option=${option#a}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -767,7 +786,7 @@ version_command() {
 	esac
     done
 
-    [ $# -gt 0 ] && usage 1
+    [ $# -gt 0 ] && too_many_arguments
 
     if [ -n "$all" ]; then
 	echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
@@ -779,8 +798,16 @@ version_command() {
 	done
 
 	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
-	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
-	    $g_firewall version
+	    compiletime=$(run_it $g_firewall info 2>/dev/null)
+
+	    case $compiletime in
+		compiled\ *)
+		    echo "$g_firewall was $compiletime"
+		    ;;
+		*)
+		    echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
+		    ;;
+	    esac
 	fi
     else
 	echo $SHOREWALL_VERSION
@@ -1065,7 +1092,7 @@ show_connections() {
 	    shift
 	    conntrack -f ipv4 -L $@ | show_connections_filter
 	else
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments
 	    if [ -f /proc/net/ip_conntrack ]; then
 		cat /proc/net/ip_conntrack | show_connections_filter
 	    else
@@ -1078,7 +1105,7 @@ show_connections() {
 	echo
 	conntrack -f ipv6 -L $@ | show_connections_filter
     else
-	[ $# -gt 1 ] && usage 1
+	[ $# -gt 1 ] && too_many_arguments
 	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -1199,7 +1226,7 @@ show_command() {
 			    option=${option#f}
 			    ;;
 			t)
-			    [ $# -eq 1 ] && usage 1
+			    [ $# -eq 1 ] && missing_option_value -t
 
 			    case $2 in
 				mangle|nat|filter|raw|rawpost)
@@ -1227,7 +1254,7 @@ show_command() {
 			    option=${option#b}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1249,37 +1276,37 @@ show_command() {
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	rawpost)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
 		echo
@@ -1302,7 +1329,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
@@ -1312,11 +1339,11 @@ show_command() {
 	    fi
 	    ;;
 	ip)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_routing_command $g_pager
 	    ;;
 	config)
@@ -1345,26 +1372,26 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    [ $g_family -eq 4 ] || usage 1
-	    [ $# -gt 1 ] && usage 1
+	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1373,22 +1400,22 @@ show_command() {
 	    fi
 	    ;;
 	event)
-	    [ $# -gt 1 ] || usage 1
+	    [ $# -gt 1 ] || too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
 	    show_events $@
 	    ;;
 	events)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1404,12 +1431,12 @@ show_command() {
 	    	*)
 		    case $1 in
 			actions)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
-			    [ $# -ne 2 ] && usage 1
+			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
 				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
@@ -1421,7 +1448,7 @@ show_command() {
 			    return
 			    ;;
 			macros)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_macros $g_pager
 			    return
 			    ;;
@@ -1432,7 +1459,7 @@ show_command() {
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
-		    [ $# -eq 1 ] || usage 1
+		    [ $# -eq 1 ] || too_many_arguments $2
 		    list_zone $1
 		    return;
                 fi
@@ -1507,6 +1534,49 @@ dump_filter_wrapper() {
     eval dump_filter $g_pager
 }
 
+show_status() {
+    local compiletime
+    local state
+
+    if product_is_started ; then
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
+	status=0
+    else
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
+	status=4
+    fi
+
+    if [ -f ${VARDIR}/state ]; then
+	state="$(cat ${VARDIR}/state)"
+	case $state in
+	    Stopped*|Closed*|Clear*)
+		status=3
+		;;
+	esac
+    else
+	state=Unknown
+    fi
+
+    if [ $VERBOSITY -ge 1 ]; then 
+	if [ -f $g_firewall ]; then
+	    compiletime=$(run_it $g_firewall info 2>/dev/null)
+
+	    case $compiletime in
+		compiled\ *)
+		    state="$state ($g_firewall $compiletime)"
+		    ;;
+		*)
+		    state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
+		    ;;
+	    esac
+	fi
+
+	echo "State:$state"
+	echo
+    fi
+
+}
+
 #
 # Dump Command Executor
 #
@@ -1546,7 +1616,7 @@ do_dump_command() {
 			    option=${option#c}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1565,7 +1635,7 @@ do_dump_command() {
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
 
     [ -n "$g_debugging" ] && set -x
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
     clear_term
     echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
     echo
@@ -1760,7 +1830,7 @@ restore_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error
 			    ;;
 		    esac
 		done
@@ -1780,7 +1850,7 @@ restore_command() {
 	validate_restorefile '<restore file>'
 	;;
     *)
-	usage 1
+	too_many_arguments $2
 	;;
     esac
 
@@ -2386,7 +2456,7 @@ hits_command() {
 			    option=${option#t}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2398,7 +2468,7 @@ hits_command() {
 	esac
     done
 
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
 
     clear_term
     echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
@@ -2454,21 +2524,46 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
+
     [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && usage 1
+    [ $# -eq 1 ] && missing_argument
+
     if product_is_started ; then
+	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
+	local dynexists
 
-	if ! chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
+
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		    ;;
+	    esac
+	fi
+
+	if chain_exists dynamic; then
+	    dynexists=Yes
+	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 
 	[ -n "$g_nolock" ] || mutex_on
+
 	while [ $# -gt 1 ]; do
 	    shift
+
+	    allowed=''
+
 	    case $1 in
 		from)
 		    which='-s'
@@ -2481,29 +2576,48 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 		*)
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			qt $g_tool -D dynamic $which $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 	    esac
+
+	    if [ -n "$allowed" ]; then
+		progress_message2 "$1 Allowed"
+	    else
+		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	    fi
 	done
+
 	[ -n "$g_nolock" ] || mutex_off
     else
 	error_message "ERROR: $g_product is not started"
@@ -2525,8 +2639,6 @@ logwatch_command() {
 	    -*)
 		option=${option#-}
 
-		[ -z "$option" ] && usage 1
-
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -2546,7 +2658,7 @@ logwatch_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2565,7 +2677,7 @@ logwatch_command() {
     elif [ $# -eq 0 ]; then
 	logwatch 30
     else
-	usage 1
+	too_many_arguments $2
     fi
 }
 
@@ -3309,36 +3421,6 @@ report_capabilities1() {
     report_capabilities_unsorted1 | sort
 }
 
-show_status() {
-    if product_is_started ; then
-	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
-	status=0
-    else
-	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
-	status=4
-    fi
-
-    if [ -f ${VARDIR}/state ]; then
-	state="$(cat ${VARDIR}/state)"
-	case $state in
-	    Stopped*|Closed*|Clear*)
-		status=3
-		;;
-	esac
-    else
-	state=Unknown
-    fi
-
-    if [ $VERBOSITY -ge 1 ]; then 
-	if [ -f $g_firewall ]; then
-	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
-	fi
-	echo "State:$state"
-	echo
-    fi
-
-}
-
 interface_status() {
     case $(cat $1) in
 	0)
@@ -3392,7 +3474,7 @@ status_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3404,7 +3486,7 @@ status_command() {
 	esac
     done
 
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || missing_argument
 
     [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
@@ -3471,7 +3553,7 @@ blacklist_command() {
 	    ;;
     esac
 
-    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
 
     return 0
 }
@@ -3498,7 +3580,7 @@ save_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3518,7 +3600,7 @@ save_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
 	esac
 
@@ -3537,6 +3619,9 @@ save_command() {
 
 forget_command() {
     case $# in
+	0)
+	    missing_argument
+	    ;;
 	1)
 	    ;;
 	2)
@@ -3544,7 +3629,7 @@ forget_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -3566,7 +3651,7 @@ ipcalc_command() {
     local address
     local vlsm
 
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
 
     if [ $# -eq 2 ]; then
 	address=${2%/*}
@@ -3574,13 +3659,15 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
+    elif [ $# -eq 0 ]; then
+	missing_argument
     else
-	usage 1
+	too_many_arguments $4
     fi
 
     valid_address $address || fatal_error "Invalid IP address: $address"
-    [ -z "$vlsm" ] && usage 2
-    [ "x$address" = "x$vlsm" ] && usage 2
+    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm
@@ -3594,7 +3681,7 @@ ipcalc_command() {
 iprange_command() {
     local range
 
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
 
     range=''
 
@@ -3612,15 +3699,19 @@ iprange_command() {
 	    ip_range $range
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid ip range: $range"
 	    ;;
     esac
 }
 
 ipdecimal_command() {
-    [ $# -eq 2 ] || usage 1
+    if [ $# eq 1 ]; then
+	missing_argument
+    else
+	[ $# -eq 2 ] || too_many_arguments $3
+    fi
 
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
 
     case $2 in
 	*.*.*.*)
@@ -3928,7 +4019,7 @@ start_command() {
 			    option=${option%p}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3944,7 +4035,7 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
     esac
 
@@ -3988,7 +4079,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -4004,7 +4095,7 @@ restart_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
     esac
 
@@ -4220,7 +4311,8 @@ shorewall_cli() {
 		while [ -n "$option" ]; do
 		    case $option in
 			c)
-			    [ $# -eq 1 -o -n "$g_lite" ] && usage 1
+			    [ $# -eq 1 ]     && missing_option_value -c
+			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
 
 			    if [ ! -d $2 ]; then
 				if [ -e $2 ]; then
@@ -4235,7 +4327,7 @@ shorewall_cli() {
 			    shift
 			    ;;
 			e*)
-			    [ -n "$g_lite" ] && usage 1
+			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
 			    g_export=Yes
 			    option=${option#e}
 			    ;;
@@ -4297,7 +4389,7 @@ shorewall_cli() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -4362,7 +4454,7 @@ shorewall_cli() {
 	    start_command $@
 	    ;;
 	stop|clear)
-	    [ $# -ne 1 ] && usage 1
+	    [ $# -ne 1 ] && too_many_arguments $2
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4419,7 +4511,7 @@ shorewall_cli() {
     	    dump_command $@
 	    ;;
 	hits)
-	    [ $g_family -eq 6 ] && usage 1
+	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4437,19 +4529,19 @@ shorewall_cli() {
 	drop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
@@ -4514,6 +4606,11 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
+		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
+		    #
+		    # It's a shell function -- call it
+		    #
+		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
@@ -4522,7 +4619,7 @@ shorewall_cli() {
 		    run_it $g_firewall $g_debugging call $@
 		fi
 	    else
-		usage 1
+		missing_argument
 	    fi
 	    ;;
 	help)
@@ -4540,7 +4637,7 @@ shorewall_cli() {
 	    noiptrace_command $@
 	    ;;
 	savesets)
-	    [ $# -eq 1 ] || usage 1
+	    [ $# -eq 1 ] || too_many_arguments $2
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
@@ -4549,7 +4646,7 @@ shorewall_cli() {
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
 	    else
-		usage 1
+		fatal_error "Invalid command: $COMMAND"
 	    fi
 	    ;;
     esac

Shorewall-core/lib.common

@@ -712,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
     if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+	echo "$1 $(date) from $2" > ${VARDIR}/state
     else
-	echo "$1 ($(date))" > ${VARDIR}/state
+	echo "$1 $(date)" > ${VARDIR}/state
     fi
 }
 
@@ -776,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                 return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u+w ${lockf}
-            echo $$ > ${lockf}
-            chmod u-w ${lockf}
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -813,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 

Shorewall-core/shorewallrc.suse

@@ -7,15 +7,15 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITFILE=                                             #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR

Shorewall-core/uninstall.sh

@@ -117,6 +117,7 @@ fi
 echo "Uninstalling Shorewall Core $VERSION"
 
 rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc
 
 echo "Shorewall Core Uninstalled"
 

Shorewall-init/init.debian.sh

@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network

Shorewall-init/install.sh

@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
 
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/shorewall-inir enable
+		/etc/init.d/$PRODUCT enable
 		if /etc/init.d/shorewall-init enabled; then
-		    echo "Shorrewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
     fi
 else
     if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

Shorewall-lite/init.debian.sh

@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -92,10 +92,11 @@ shorewall_start () {
 
 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall-lite/install.sh

@@ -495,7 +495,7 @@ done
 # Install the Man Pages
 #
 
-if [ -d manpages ]; then
+if [ -d manpages -a -n "$MANDIR" ]; then
     cd manpages
 
     mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ ${SHAREDIR} != /usr/share ]; then

Shorewall-lite/manpages/shorewall-lite.xml

@@ -702,7 +702,9 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

Shorewall/Perl/Shorewall/ARP.pm

@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
 
     emit "exec 3>\${VARDIR}/.arptables-input";
 
-    my $date = localtime;
+    my $date = compiletime;
 
     unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
 
-    my $date = localtime;
+    my $date = compiletime;
 
     print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -5220,6 +5220,8 @@ sub do_user( $ ) {
 
     if ( supplied $2 ) {
 	$user  = $2;
+	$user =~ s/:$//;
+
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -8575,7 +8577,7 @@ sub create_netfilter_load( $ ) {
 
     enter_cat_mode;
 
-    my $date = localtime;
+    my $date = compiletime;
 
     unless ( $test ) {
 	emit_unindented '#';
@@ -8683,7 +8685,7 @@ sub preview_netfilter_load() {
 
     enter_cat_mode1;
 
-    my $date = localtime;
+    my $date = compiletime;
 
     print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
 
@@ -8919,7 +8921,7 @@ sub create_stop_load( $ ) {
     enter_cat_mode;
 
     unless ( $test ) {
-	my $date = localtime;
+	my $date = compiletime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';

Shorewall/Perl/Shorewall/Compiler.pm

@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy lib.runtime and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;
 
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 
-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
 
     }
@@ -596,6 +596,21 @@ EOF
 
 }
 
+#
+# Generate info_command()
+#
+sub compile_info_command() {
+    my $date = compiletime;
+
+    emit( "\n",
+	  "#",
+	  "# Echo the date and time when this script was compiled along with the Shorewall version",
+	  "#",
+	  "info_command() {" ,
+	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
+	  "}\n" );
+}   
+
 #
 #  The Compiler.
 #
@@ -922,6 +937,10 @@ sub compiler {
 	#
 	compile_updown;
 	#
+	# Echo the compilation time and date
+	#
+	compile_info_command unless $test;
+	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

Shorewall/Perl/Shorewall/Config.pm

@@ -84,6 +84,8 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
+
+                 compiletime
                 );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -163,6 +165,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                        directive_callback
 		                       add_ipset
 		                       all_ipsets
+                                       transfer_permissions
 
 				       $product
 				       $Product
@@ -681,6 +684,8 @@ our %ipsets; # All required IPsets
 #
 our %filecache;
 
+our $compiletime;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -737,7 +742,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -889,6 +894,7 @@ sub initialize( $;$$) {
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
+	  VERBOSE_MESSAGES => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1171,6 +1177,12 @@ sub initialize( $;$$) {
     %shorewallrc1 = %shorewallrc unless $shorewallrc1;
 
     add_variables %shorewallrc1;
+
+    $compiletime = `date`;
+
+    chomp $compiletime;
+
+    $compiletime =~ s/ +/ /g;
 }
 
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -1183,6 +1195,10 @@ sub all_ipsets() {
     sort keys %ipsets;
 }
 
+sub compiletime() {
+    $compiletime;
+}
+
 #
 # Create 'currentlineinfo'
 #
@@ -2543,18 +2559,54 @@ sub directive_error( $$$ ) {
     fatal_error $_[0];
 }
 
-sub directive_warning( $$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    ( my $warning, $currentfilename, $currentlinenumber ) = @_;
-    warning_message $warning;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+sub directive_warning( $$$$ ) {
+    if ( shift ) {
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+	( my $warning, $currentfilename, $currentlinenumber ) = @_;
+	warning_message $warning;
+	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+    } else {
+	our @localtime;
+
+	handle_first_entry if $first_entry;
+
+	$| = 1; #Reset output buffering (flush any partially filled buffers).
+
+	if ( $log ) {
+	    @localtime = localtime;
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    print $log  "   WARNING: $_[0]\n";
+	}
+
+	print STDERR "   WARNING: $_[0]\n";
+
+	$| = 0; #Re-allow output buffering
+    }
 }
 
-sub directive_info( $$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    ( my $info, $currentfilename, $currentlinenumber ) = @_;
-    info_message $info;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+sub directive_info( $$$$ ) {
+    if ( shift ) {
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+	( my $info, $currentfilename, $currentlinenumber ) = @_;
+	info_message $info;
+	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+    } else {
+	our @localtime;
+
+	handle_first_entry if $first_entry;
+
+	$| = 1; #Reset output buffering (flush any partially filled buffers).
+
+	if ( $log ) {
+	    @localtime = localtime;
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    print $log  "   INFO: $_[0]\n";
+	}
+
+	print STDERR "   INFO: $_[0]\n";
+
+	$| = 0; #Re-allow output buffering
+    }
 }
 
 #
@@ -2703,7 +2755,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -2811,14 +2863,14 @@ sub process_compiler_directive( $$$$ ) {
 			      delete $actparams{$var}
 			  }
 		      } else {
-			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
 
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
 		      } else {
-			  directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
 		      }
 		  }
 	      }
@@ -2832,7 +2884,7 @@ sub process_compiler_directive( $$$$ ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
 			  } else {
-			      directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
 		      }
 		  } else {
@@ -2851,7 +2903,8 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 
 	  WARNING => sub() {
-	      directive_warning( evaluate_expression( $expression ,
+	      directive_warning( $config{VERBOSE_MESSAGES} ,
+		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
@@ -2860,7 +2913,28 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 
 	  INFO => sub() {
-	      directive_info( evaluate_expression( $expression ,
+	      directive_info( $config{VERBOSE_MESSAGES} ,
+			      evaluate_expression( $expression ,
+						   $filename ,
+						   $linenumber ,
+						   1 ),
+			      $filename ,
+			      $linenumber ) unless $omitting;
+	  } ,
+
+	  'WARNING!' => sub() {
+	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
+		                 evaluate_expression( $expression ,
+						      $filename ,
+						      $linenumber ,
+						      1 ),
+				 $filename ,
+				 $linenumber ) unless $omitting;
+	  } ,
+
+	  'INFO!' => sub() {
+	      directive_info( ! $config{VERBOSE_MESSAGES} ,
+			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
@@ -3821,9 +3895,10 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 
 sub validate_level( $;$ ) {
     my ( $rawlevel, $option ) = @_;
-    my $level    = uc $rawlevel;
+    my $level;
 
-    if ( supplied ( $level ) ) {
+    if ( supplied ( $rawlevel ) ) {
+	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -5015,6 +5090,19 @@ sub update_default($$) {
     $config{$var} = $val unless defined $config{$var};
 }
 
+#
+# Transfer the permissions from an old .bak file to a newly-created file
+#
+sub transfer_permissions( $$ ) {
+    my ( $old, $new ) = @_;
+
+    my @stat = stat $old;
+
+    if ( @stat ) {
+	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
+    }
+}
+
 sub update_config_file( $ ) {
     my ( $annotate ) = @_;
 
@@ -5164,6 +5252,7 @@ EOF
 
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
+	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5678,6 +5767,24 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
     }
 
+    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
+
+    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
+
+    close_file;
+
+    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+
+    if ( $family == F_IPV6 ) {
+	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
+
+	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
+
+	close_file;
+
+	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+    }
+
     my $have_capabilities;
 
     if ( $export || $> != 0 ) {
@@ -6093,8 +6200,10 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
 	} else {
-	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
+	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
+    } else {
+	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
     default_yes_no 'REQUIRE_INTERFACE'          , '';
@@ -6109,6 +6218,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
     default_yes_no 'MINIUPNPD'                  , '';
+    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -200,6 +200,7 @@ sub remove_blacklist( $ ) {
     if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
+	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
     }
 }
@@ -302,12 +303,13 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = localtime;
+	    my $date = compiletime;
 
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -393,7 +395,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
 	my $seq  = 0;
-	my $date = localtime;
+	my $date = compiletime;
 
 	my ( $stoppedrules, $fn1 );
 
@@ -401,6 +403,7 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -421,7 +424,7 @@ EOF
 
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -649,9 +652,15 @@ sub create_docker_rules() {
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
-	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
+
+	my $outputref;
+	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
+	incr_cmd_level( $outputref );
+	add_ijump( $outputref, j => 'DOCKER' );
+	decr_cmd_level( $outputref );
+	add_commands( $outputref, 'fi' );
     }
 
     add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -860,13 +869,30 @@ sub add_common_rules ( $ ) {
 		}
 	    }
 
-	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
-		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+
+		my ( $in, $out ) = split /:/, $setting;
+
+		if ( $in  == 1 ) {
+		    #
+		    # src
+		    #
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		} elsif ( $in == 2 ) {
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
+
+		if ( $out == 2 ) {
+		    #
+		    # dst
+		    #
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
 	    }
 	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}

Shorewall/Perl/Shorewall/Providers.pm

@@ -1096,7 +1096,7 @@ CEOF
 
     if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "persistent_${what}_${table}\n" );
+	    emit( "do_persistent_${what}_${table}\n" );
 	}
 
 	if ( $shared ) {

Shorewall/Perl/Shorewall/Raw.pm

@@ -368,12 +368,19 @@ sub setup_conntrack($) {
     if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = localtime;
+	my $date = compiletime;
+	my $fn1 = find_writable_file 'conntrack';
 
-	if ( $fn ) {
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+	if ( -f $fn1 ) {
+	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    #
+	    # Transfer permissions from the existing notrack file
+	    #
+	    transfer_permissions( $fn, $fn1 );
 
 	    print $conntrack <<'EOF';
 #
@@ -396,8 +403,6 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 
-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file

Shorewall/Perl/Shorewall/Rules.pm

@@ -4464,6 +4464,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	NFLOG      => {
+	    defaultchain  => 0,
+	    allowedchains => ALLCHAINS,
+	    minparams     => 0,
+	    maxparams     => 3,
+	    function      => sub () {
+		$target = validate_level( "NFLOG($params)" );
+	    }
+	},
+
 	RESTORE    => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
@@ -4739,10 +4749,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
     }
 
-    unless ( ( $chain || $default_chain ) == OUTPUT ) {
-	fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
-    }
-
     if ( $dest ne '-' ) {
 	if ( $dest eq $fw ) {
 	    fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@@ -4785,6 +4791,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
     }
+
     #
     # Call the command's processing function
     #
@@ -4795,12 +4802,23 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    if ( $chain == ACTIONCHAIN ) {
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
 		$chainref->{allowedchains} &= $commandref->{allowedchains};
+		$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
 	    } else {
+		#
+		# Inline within one of the standard chains
+		#
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+		unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		    fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+		}
 	    }
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+	    }
+
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}
 
@@ -4966,6 +4984,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
+			if ( supplied $mark && $command eq 'IPMARK' ) {
+			    my @params = split ',', $mark;
+			    $params[1] = '0xff' unless supplied $params[1];
+			    $params[2] = '0x00' unless supplied $params[2];
+			    $params[3] = '0'    unless supplied $params[3];
+			    $mark = join ',', @params;
+			}
 		    } else {
 			$mark = '';
 		    }
@@ -4976,7 +5001,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
     }
 	
-    $command = ( $command ? "$command($mark)" : $mark ) . $designator;
+    $command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
     my $line = ( $family == F_IPV6 ?
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );

Shorewall/Perl/Shorewall/Tc.pm

@@ -352,7 +352,7 @@ sub process_simple_device() {
 	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
 
@@ -2166,7 +2166,7 @@ sub convert_tos($$) {
     if ( my $fn = open_file 'tos' ) {
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2234,13 +2234,19 @@ sub convert_tos($$) {
     }
 }
 
-sub open_mangle_for_output() {
+sub open_mangle_for_output( $ ) {
+    my ($fn ) = @_;
     my ( $mangle, $fn1 );
 
     if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
     } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	#
+	# Transfer permissions from the existing tcrules file to the new mangle file
+	#
+	transfer_permissions( $fn, $fn1 );
+
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -2326,13 +2332,13 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 
 		first_entry(
 			    sub {
-				my $date = localtime;
+				my $date = compiletime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
@@ -2376,7 +2382,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output;
+		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}

Shorewall/Perl/Shorewall/Zones.pm

@@ -337,6 +337,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -387,6 +388,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -1191,6 +1193,7 @@ sub process_interface( $$ ) {
     my %options;
 
     $options{port} = 1 if $port;
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
 
     my $hostoptionsref = {};
 
@@ -1234,6 +1237,8 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
+		} elsif ( $option eq 'nodbl' ) {
+		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1256,6 +1261,11 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
+		} elsif ( $option eq 'dbl' ) {
+		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+
+		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
+		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1906,7 +1916,7 @@ sub verify_required_interfaces( $ ) {
 
     my $returnvalue = 0;
 
-    my $interfaces = find_interfaces_by_option 'wait';
+    my $interfaces = find_interfaces_by_option( 'wait');
 
     if ( @$interfaces ) {
 	my $first = 1;
@@ -1972,7 +1982,7 @@ sub verify_required_interfaces( $ ) {
 
     }
 
-    $interfaces = find_interfaces_by_option 'required';
+    $interfaces = find_interfaces_by_option( 'required' );
 
     if ( @$interfaces ) {
 
@@ -2160,7 +2170,7 @@ sub process_host( ) {
     #
     $interface = '%vserver%' if $type & VSERVER;
 
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
 
     progress_message "   Host \"$currentline\" validated";
 

Shorewall/Perl/lib.runtime

@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.core
+# Functions imported from /usr/share/shorewall/lib.runtime
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }
 
 #
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface
 
 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }
 
 #

Shorewall/Perl/prog.footer

@@ -25,6 +25,7 @@ usage() {
     echo "   savesets <file>"
     echo "   call <function> [ <parameter> ... ]"
     echo "   version"
+    echo "   info"
     echo
     echo "Options are:"
     echo
@@ -469,6 +470,10 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
+    info)
+	[ $# -ne 1 ] && usage 2
+	info_command
+	;;
     help)
 	[ $# -ne 1 ] && usage 2
 	usage 0

Shorewall/Samples/Universal/shorewall.conf

@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall/Samples/one-interface/shorewall.conf

@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -250,6 +250,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall/configfiles/shorewall.conf

@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall/init.debian.sh

@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -97,10 +97,11 @@ shorewall_start () {
 
 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -145,7 +146,7 @@ case "$1" in
   restart)
      shorewall_restart
      ;;
-  force0reload|reload)
+  force-reload|reload)
      shorewall_reload
      ;;
   status)

Shorewall/install.sh

@@ -514,7 +514,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
+echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"
 
 cd configfiles
 
@@ -1177,6 +1177,8 @@ fi
 # Install the Man Pages
 #
 
+if [ -n "$MANDIR" ]; then
+
 cd manpages
 
 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1196,6 +1198,7 @@ done
 cd ..
 
 echo "Man Pages Installed"
+fi
 
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
     run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
@@ -1212,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then

Shorewall/lib.cli-std

@@ -493,13 +493,13 @@ compiler() {
 
     case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
     esac
     #
@@ -604,7 +604,7 @@ start_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -620,7 +620,8 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_fast" ]         && fatal_error "Directory may not be specified with the -f option"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -634,7 +635,7 @@ start_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -663,8 +664,6 @@ compile_command() {
 		shift
 		option=${option#-}
 
-		[ -z "$option" ] && usage 1
-
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
@@ -701,7 +700,7 @@ compile_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -723,7 +722,7 @@ compile_command() {
 	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -737,7 +736,7 @@ compile_command() {
 	    g_file=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -791,7 +790,7 @@ check_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -807,7 +806,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -820,7 +819,7 @@ check_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -883,7 +882,7 @@ update_command() {
 			    option=${option#A}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -899,7 +898,7 @@ update_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -912,7 +911,7 @@ update_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -977,7 +976,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -993,7 +992,7 @@ restart_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1008,7 +1007,7 @@ restart_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -1086,7 +1085,7 @@ refresh_command() {
 			    fi
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1169,7 +1168,7 @@ safe_commands() {
 			    shift;
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1185,7 +1184,7 @@ safe_commands() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1198,7 +1197,7 @@ safe_commands() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
     esac
 
@@ -1286,7 +1285,7 @@ try_command() {
     timeout=
 
     handle_directory() {
-	[ -n "$g_shorewalldir" ] && usage 2
+	[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 
 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
@@ -1316,7 +1315,7 @@ try_command() {
 			    option=${option#n}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1330,7 +1329,7 @@ try_command() {
 
     case $# in
 	0)
-	    usage 1
+	    missing_argument
 	    ;;
 	1)
 	    handle_directory $1
@@ -1341,7 +1340,7 @@ try_command() {
 	    timeout=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -1480,7 +1479,7 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1493,6 +1492,9 @@ remote_reload_command() # $* = original arguments less the command.
     done
 
     case $# in
+	0)
+	    missing_argument
+	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
@@ -1502,7 +1504,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    system=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
     esac
 
@@ -1742,7 +1744,7 @@ compiler_command() {
 	    safe_commands $@
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid command: $COMMAND"
 	    ;;
     esac
 

Shorewall/manpages/shorewall-interfaces.xml

@@ -306,6 +306,72 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>The normal setting for this option will be <emphasis
+                role="bold">dst</emphasis> or <emphasis
+                role="bold">none</emphasis> for internal interfaces and
+                <emphasis role="bold">src</emphasis> or <emphasis
+                role="bold">src-dst</emphasis> for Internet-facing
+                interfaces.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">destonly</emphasis></term>
 
@@ -348,7 +414,7 @@ loc     eth2            -</programlisting>
                       url="../bridge-Shorewall-perl.html">Shorewall-perl for
                       firewall/bridging</ulink>, then you need to include
                       DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
                       DHCP uses UDP ports 67 and 68.</para>
                     </note>
                   </listitem>
@@ -380,7 +446,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -451,8 +517,8 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis
-              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+              <term><emphasis role="bold"><emphasis
+              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -493,7 +559,10 @@ loc     eth2            -</programlisting>
 
               <listitem>
                 <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-mangle.xml

@@ -504,7 +504,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
 
                     <member>0xc0a80403 LAND 0xFF = 0x03</member>
 
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                     1:103</member>
                   </simplelist>
                 </blockquote>
@@ -598,6 +598,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.9. Logs matching packets using
+                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1.</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>

Shorewall/manpages/shorewall-rules.xml

@@ -595,9 +595,32 @@
                 <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
+                </para>
 
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>NFLOG is similar to<emphasis role="bold">
                 LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                 except that the log level is not changed when this ACTION is
                 used in an action or macro body and the invocation of that

Shorewall/manpages/shorewall.conf.xml

@@ -1354,7 +1354,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
       <varlistentry>
         <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
 
         <listitem>
           <para>This parameter tells the /sbin/shorewall program where to look
@@ -1364,7 +1364,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
           If not assigned or if assigned an empty value, /var/log/messages is
           assumed. For further information, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
+          Beginning with Shorewall 5.0.10.1, you may specify
+          <option>systemd</option> to use <command>journelctl -r</command> to
+          read the log.</para>
         </listitem>
       </varlistentry>
 
@@ -2508,7 +2511,7 @@ INLINE          -       -       -       ; -j REJECT
           role="bold">refresh</emphasis>, <emphasis
           role="bold">try</emphasis>, and <emphasis
           role="bold">safe-</emphasis>* command. Logging verbosity is
-          determined by the setting of LOG_VERBOSITY above. </para>
+          determined by the setting of LOG_VERBOSITY above.</para>
         </listitem>
       </varlistentry>
 
@@ -2864,6 +2867,20 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
+          produced by the ?INFO and ?WARNING directives include the filename
+          and linenumber of the directive. When set to No, that additional
+          information is omitted. The setting may be overridden on a directive
+          by directive basis by following ?INFO or ?WARNING with '!' (no
+          intervening white space).</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>

Shorewall/manpages/shorewall.xml

@@ -964,7 +964,9 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

Shorewall/uninstall.sh

@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
 rm -f  ${SHAREDIR}/shorewall/lib.cli-std
-rm -f  ${SHAREDIR}/shorewall/lib.core
+rm -f  ${SHAREDIR}/shorewall/lib.runtime
 rm -f  ${SHAREDIR}/shorewall/compiler.pl
 rm -f  ${SHAREDIR}/shorewall/prog.*
 rm -f  ${SHAREDIR}/shorewall/module*

Shorewall6-lite/init.debian.sh

@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6-lite
@@ -92,10 +92,11 @@ shorewall6_start () {
 
 # stop the firewall
 shorewall6_stop () {
-  echo -n "Stopping \"Shorewall6 Lite firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall6 Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -679,7 +679,9 @@
           <para>Re-enables receipt of packets from hosts previously
           blacklisted by a <command>drop</command>,
           <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command.</para>
+          <command>logreject</command> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -214,6 +214,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall6/configfiles/shorewall6.conf

@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No
 
+VERBOSE_MESSAGES=Yes
+
 WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No

Shorewall6/init.debian.sh

@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6
@@ -97,10 +97,11 @@ shorewall6_start () {
 
 # stop the firewall
 shorewall6_stop () {
-  echo -n "Stopping \"Shorewall6 firewall\": "
   if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall6 firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
+      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0

Shorewall6/manpages/shorewall6-interfaces.xml

@@ -237,6 +237,66 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked against the
+                      ipset).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">destonly</emphasis></term>
 
@@ -321,7 +381,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -370,7 +430,10 @@ loc     eth2            -</programlisting>
 
               <listitem>
                 <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-mangle.xml

@@ -515,7 +515,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
 
                     <member>0xc0a80403 LAND 0xFF = 0x03</member>
 
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                     1:103</member>
                   </simplelist>
                 </blockquote>
@@ -609,6 +609,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.9. Logs matching packets using
+                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1. </para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>

Shorewall6/manpages/shorewall6-rules.xml

@@ -574,7 +574,29 @@
                 the next rule. See <ulink
                 url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>NFLOG is similar to<emphasis role="bold">
                 LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                 except that the log level is not changed when this ACTION is
                 used in an action or macro and the invocation of that action
@@ -1636,7 +1658,7 @@
             <varlistentry>
               <term><emphasis role="bold">route</emphasis>, <emphasis
               role="bold">ipv6-route</emphasis> or <emphasis
-              role="bold">41</emphasis></term>
+              role="bold">43</emphasis></term>
 
               <listitem>
                 <para>IPv6 Route extension header.</para>

Shorewall6/manpages/shorewall6.conf.xml

@@ -1166,7 +1166,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
       <varlistentry>
         <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
 
         <listitem>
           <para>This parameter tells the /sbin/shorewall6 program where to
@@ -1175,7 +1175,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           role="bold">logwatch</emphasis>, <emphasis role="bold">show
           log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
           If not assigned or if assigned an empty value, /var/log/messages is
-          assumed.</para>
+          assumed. Beginning with Shorewall 5.0.10.1, you may specify
+          <option>systemd</option> to use <command>journelctl -r</command> to
+          read the log.</para>
         </listitem>
       </varlistentry>
 
@@ -2506,6 +2508,20 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
+          produced by the ?INFO and ?WARNING directives include the filename
+          and linenumber of the directive. When set to No, that additional
+          information is omitted. The setting may be overridden on a directive
+          by directive basis by following ?INFO or ?WARNING with '!' (no
+          intervening white space).</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>

Shorewall6/manpages/shorewall6.xml

@@ -932,7 +932,9 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

docs/Anatomy.xml

@@ -61,7 +61,7 @@
       <listitem>
         <para><emphasis role="bold">Shorewall6</emphasis>. This package
         requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
       </listitem>
 
       <listitem>

docs/Documentation_Index.xml

@@ -74,7 +74,7 @@
   <section>
     <title>Documentation for Earlier Versions</title>
 
-    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.4/4.6
+    <para><ulink url="4.6/Documentation_Index.html">Shorewall 4.4/4.6
     Documentation</ulink></para>
 
     <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2

docs/Dynamic.xml

@@ -95,6 +95,11 @@ rsyncok     eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
       <para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
       specified, a single ipset is created; the ipset has the same name as the
       zone.</para>
+
+      <para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
+      a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
+      Making a dynamic zone a sub-zone of multiple other zones is also
+      supported.</para>
     </section>
 
     <section id="Adding">

docs/Events.xml

@@ -204,7 +204,7 @@
             <para>If the <replaceable>action</replaceable> involves logging,
             then this parameter specifies the disposition that will appear in
             the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally. The default is
+            is given, the log prefix is determined normally. The default is
             ACCEPT.</para>
           </listitem>
         </varlistentry>
@@ -258,7 +258,7 @@
             <para>If the <replaceable>action</replaceable> involves logging,
             then this parameter specifies the disposition that will appear in
             the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -404,7 +404,7 @@
             <para>If the <replaceable>action</replaceable> involves logging,
             then this parameter specifies the disposition that will appear in
             the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
           </listitem>
         </varlistentry>
       </variablelist>

docs/GettingStarted.xml

@@ -26,6 +26,8 @@
 
       <year>2011</year>
 
+      <year>2016</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -89,7 +91,9 @@
 
     <listitem>
       <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network</para>
+      acting as a firewall/router for a small local network. For
+      Redhat-specific install/configure information, see <ulink url="???">this
+      article </ulink>contributed by Digimer.</para>
     </listitem>
 
     <listitem>

docs/Introduction.xml

@@ -398,7 +398,7 @@ ACCEPT     net           $FW       tcp        22</programlisting>
       <listitem>
         <para><emphasis role="bold">Shorewall6</emphasis>. This package
         requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
       </listitem>
 
       <listitem>

docs/Shorewall-5.xml

@@ -301,8 +301,8 @@
 
       <para>COMMENT, FORMAT and SECTION Lines now require the leading question
       mark ("?"). In earlier releases, the question mark was optional. The
-      <command>shorewall[6] update -D</command> command will insert the
-      question marks for you.</para>
+      <command>shorewall[6] update -D</command> command in Shorewall 4.6 will
+      insert the question marks for you.</para>
     </section>
   </section>
 
@@ -359,7 +359,7 @@
 
     <para>It is strongly recommended that you first upgrade your installation
     to a 4.6 release that supports the <option>-A</option> option to the
-    <command>update</command> command; 4.6.13 is preferred.</para>
+    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
 
     <para>Once you are on that release, execute the <command>shorewall update
     -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -374,11 +374,11 @@
     likely won't start or work correctly until you do.</para>
 
     <para>The <command>update</command> command in Shorewall 5 has many fewer
-    options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
-    and <option>-s </option>options have been removed -- the updates triggered
-    by those options are now performed unconditionally. The <option>-i
-    </option>and <option>-A </option>options have been retained - both enable
-    checking for issues that could result if INLINE_MATCHES were to be set to
-    Yes.</para>
+    options. The <option>-b</option>, <option>-t</option>,
+    <option>-n</option>, <option>-D</option> and <option>-s </option>options
+    have been removed -- the updates triggered by those options are now
+    performed unconditionally. The <option>-i </option>and <option>-A
+    </option>options have been retained - both enable checking for issues that
+    could result if INLINE_MATCHES were to be set to Yes.</para>
   </section>
 </article>

docs/blacklisting_support.xml

@@ -48,7 +48,7 @@
   <section id="Intro">
     <title>Introduction</title>
 
-    <para>Shorewall supports two different types of blackliisting; rule-based,
+    <para>Shorewall supports two different types of blacklisting; rule-based,
     static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
     controls the degree of blacklist filtering.</para>
 

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2013</year>
+      <year>2001-2016</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -35,9 +35,9 @@
   </articleinfo>
 
   <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 5.0 and
     later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation for that
+    5.0.0 then please see the documentation for that
     release.</emphasis></para>
   </caution>
 

docs/shorewall_logging.xml

@@ -293,7 +293,7 @@ gateway:/etc/shorewall#                                               </programl
 
       <itemizedlist>
         <listitem>
-          <para>The first number specifies the netlink group (0-32). If
+          <para>The first number specifies the netlink group (0-65535). If
           omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
         </listitem>