Correct additional issues with 'update'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -2522,21 +2522,46 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
+
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && missing_argument
+
     if product_is_started ; then
+	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
+	local dynexists
 
-	if ! chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
+
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		    ;;
+	    esac
+	fi
+
+	if chain_exists dynamic; then
+	    dynexists=Yes
+	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 
 	[ -n "$g_nolock" ] || mutex_on
+
 	while [ $# -gt 1 ]; do
 	    shift
+
+	    allowed=''
+
 	    case $1 in
 		from)
 		    which='-s'
@@ -2549,29 +2574,48 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 		*)
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			qt $g_tool -D dynamic $which $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 	    esac
+
+	    if [ -n "$allowed" ]; then
+		progress_message2 "$1 Allowed"
+	    else
+		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	    fi
 	done
+
 	[ -n "$g_nolock" ] || mutex_off
     else
 	error_message "ERROR: $g_product is not started"
@@ -3507,7 +3551,7 @@ blacklist_command() {
 	    ;;
     esac
 
-    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
 
     return 0
 }
@@ -4560,6 +4604,11 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
+		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
+		    #
+		    # It's a shell function -- call it
+		    #
+		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try

Shorewall-core/lib.common

@@ -776,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                 return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u+w ${lockf}
-            echo $$ > ${lockf}
-            chmod u-w ${lockf}
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -813,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 

Shorewall-init/install.sh

@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
 
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
     fi
 else
     if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

Shorewall-lite/install.sh

@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ ${SHAREDIR} != /usr/share ]; then

Shorewall-lite/manpages/shorewall-lite.xml

@@ -702,7 +702,9 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

Shorewall/Perl/Shorewall/ARP.pm

@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
 
     emit "exec 3>\${VARDIR}/.arptables-input";
 
-    my $date = localtime;
+    my $date = compiletime;
 
     unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
 
-    my $date = localtime;
+    my $date = compiletime;
 
     print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -5220,6 +5220,8 @@ sub do_user( $ ) {
 
     if ( supplied $2 ) {
 	$user  = $2;
+	$user =~ s/:$//;
+
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -8575,7 +8577,7 @@ sub create_netfilter_load( $ ) {
 
     enter_cat_mode;
 
-    my $date = localtime;
+    my $date = compiletime;
 
     unless ( $test ) {
 	emit_unindented '#';
@@ -8683,7 +8685,7 @@ sub preview_netfilter_load() {
 
     enter_cat_mode1;
 
-    my $date = localtime;
+    my $date = compiletime;
 
     print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
 
@@ -8919,7 +8921,7 @@ sub create_stop_load( $ ) {
     enter_cat_mode;
 
     unless ( $test ) {
-	my $date = localtime;
+	my $date = compiletime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';

Shorewall/Perl/Shorewall/Compiler.pm

@@ -90,7 +90,7 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;
 
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 
@@ -600,7 +600,7 @@ EOF
 # Generate info_command()
 #
 sub compile_info_command() {
-    my $date = localtime;
+    my $date = compiletime;
 
     emit( "\n",
 	  "#",

Shorewall/Perl/Shorewall/Config.pm

@@ -84,6 +84,8 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
+
+                 compiletime
                 );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -163,6 +165,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                        directive_callback
 		                       add_ipset
 		                       all_ipsets
+                                       transfer_permissions
 
 				       $product
 				       $Product
@@ -681,6 +684,8 @@ our %ipsets; # All required IPsets
 #
 our %filecache;
 
+our $compiletime;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -737,7 +742,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -1172,6 +1177,12 @@ sub initialize( $;$$) {
     %shorewallrc1 = %shorewallrc unless $shorewallrc1;
 
     add_variables %shorewallrc1;
+
+    $compiletime = `date`;
+
+    chomp $compiletime;
+
+    $compiletime =~ s/ +/ /g;
 }
 
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -1184,6 +1195,10 @@ sub all_ipsets() {
     sort keys %ipsets;
 }
 
+sub compiletime() {
+    $compiletime;
+}
+
 #
 # Create 'currentlineinfo'
 #
@@ -3880,9 +3895,10 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 
 sub validate_level( $;$ ) {
     my ( $rawlevel, $option ) = @_;
-    my $level    = uc $rawlevel;
+    my $level;
 
-    if ( supplied ( $level ) ) {
+    if ( supplied ( $rawlevel ) ) {
+	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -5074,6 +5090,19 @@ sub update_default($$) {
     $config{$var} = $val unless defined $config{$var};
 }
 
+#
+# Transfer the permissions from an old .bak file to a newly-created file
+#
+sub transfer_permissions( $$ ) {
+    my ( $old, $new ) = @_;
+
+    my @stat = stat $old;
+
+    if ( @stat ) {
+	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
+    }
+}
+
 sub update_config_file( $ ) {
     my ( $annotate ) = @_;
 
@@ -5223,6 +5252,7 @@ EOF
 
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
+	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5737,6 +5767,24 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
     }
 
+    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
+
+    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
+
+    close_file;
+
+    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+
+    if ( $family == F_IPV6 ) {
+	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
+
+	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
+
+	close_file;
+
+	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+    }
+
     my $have_capabilities;
 
     if ( $export || $> != 0 ) {
@@ -6152,8 +6200,10 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
 	} else {
-	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
+	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
+    } else {
+	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
     default_yes_no 'REQUIRE_INTERFACE'          , '';

Shorewall/Perl/Shorewall/Misc.pm

@@ -200,6 +200,7 @@ sub remove_blacklist( $ ) {
     if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
+	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
     }
 }
@@ -302,12 +303,13 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = localtime;
+	    my $date = compiletime;
 
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -393,7 +395,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
 	my $seq  = 0;
-	my $date = localtime;
+	my $date = compiletime;
 
 	my ( $stoppedrules, $fn1 );
 
@@ -401,6 +403,7 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -421,7 +424,7 @@ EOF
 
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -649,9 +652,15 @@ sub create_docker_rules() {
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
-	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
+
+	my $outputref;
+	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
+	incr_cmd_level( $outputref );
+	add_ijump( $outputref, j => 'DOCKER' );
+	decr_cmd_level( $outputref );
+	add_commands( $outputref, 'fi' );
     }
 
     add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -860,13 +869,30 @@ sub add_common_rules ( $ ) {
 		}
 	    }
 
-	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
-		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+
+		my ( $in, $out ) = split /:/, $setting;
+
+		if ( $in  == 1 ) {
+		    #
+		    # src
+		    #
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		} elsif ( $in == 2 ) {
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
+
+		if ( $out == 2 ) {
+		    #
+		    # dst
+		    #
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
 	    }
 	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}

Shorewall/Perl/Shorewall/Raw.pm

@@ -368,12 +368,19 @@ sub setup_conntrack($) {
     if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = localtime;
+	my $date = compiletime;
+	my $fn1 = find_writable_file 'conntrack';
 
-	if ( $fn ) {
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+	if ( -f $fn1 ) {
+	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    #
+	    # Transfer permissions from the existing notrack file
+	    #
+	    transfer_permissions( $fn, $fn1 );
 
 	    print $conntrack <<'EOF';
 #
@@ -396,8 +403,6 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 
-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file

Shorewall/Perl/Shorewall/Rules.pm

@@ -4749,10 +4749,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
     }
 
-    unless ( ( $chain || $default_chain ) == OUTPUT ) {
-	fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
-    }
-
     if ( $dest ne '-' ) {
 	if ( $dest eq $fw ) {
 	    fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@@ -4795,6 +4791,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
     }
+
     #
     # Call the command's processing function
     #
@@ -4805,12 +4802,23 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    if ( $chain == ACTIONCHAIN ) {
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
 		$chainref->{allowedchains} &= $commandref->{allowedchains};
+		$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
 	    } else {
+		#
+		# Inline within one of the standard chains
+		#
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+		unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		    fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+		}
 	    }
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+	    }
+
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}
 
@@ -4976,6 +4984,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
+			if ( supplied $mark && $command eq 'IPMARK' ) {
+			    my @params = split ',', $mark;
+			    $params[1] = '0xff' unless supplied $params[1];
+			    $params[2] = '0x00' unless supplied $params[2];
+			    $params[3] = '0'    unless supplied $params[3];
+			    $mark = join ',', @params;
+			}
 		    } else {
 			$mark = '';
 		    }
@@ -4986,7 +5001,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
     }
 	
-    $command = ( $command ? "$command($mark)" : $mark ) . $designator;
+    $command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
     my $line = ( $family == F_IPV6 ?
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );

Shorewall/Perl/Shorewall/Tc.pm

@@ -352,7 +352,7 @@ sub process_simple_device() {
 	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
 
@@ -2166,7 +2166,7 @@ sub convert_tos($$) {
     if ( my $fn = open_file 'tos' ) {
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2234,13 +2234,19 @@ sub convert_tos($$) {
     }
 }
 
-sub open_mangle_for_output() {
+sub open_mangle_for_output( $ ) {
+    my ($fn ) = @_;
     my ( $mangle, $fn1 );
 
     if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
     } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	#
+	# Transfer permissions from the existing tcrules file to the new mangle file
+	#
+	transfer_permissions( $fn, $fn1 );
+
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -2326,13 +2332,13 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 
 		first_entry(
 			    sub {
-				my $date = localtime;
+				my $date = compiletime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
@@ -2376,7 +2382,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output;
+		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}

Shorewall/Perl/Shorewall/Zones.pm

@@ -337,6 +337,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -387,6 +388,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -1191,6 +1193,7 @@ sub process_interface( $$ ) {
     my %options;
 
     $options{port} = 1 if $port;
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
 
     my $hostoptionsref = {};
 
@@ -1234,6 +1237,8 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
+		} elsif ( $option eq 'nodbl' ) {
+		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1256,6 +1261,11 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
+		} elsif ( $option eq 'dbl' ) {
+		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+
+		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
+		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1906,7 +1916,7 @@ sub verify_required_interfaces( $ ) {
 
     my $returnvalue = 0;
 
-    my $interfaces = find_interfaces_by_option 'wait';
+    my $interfaces = find_interfaces_by_option( 'wait');
 
     if ( @$interfaces ) {
 	my $first = 1;
@@ -1972,7 +1982,7 @@ sub verify_required_interfaces( $ ) {
 
     }
 
-    $interfaces = find_interfaces_by_option 'required';
+    $interfaces = find_interfaces_by_option( 'required' );
 
     if ( @$interfaces ) {
 

Shorewall/Samples/Universal/shorewall.conf

@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall/Samples/one-interface/shorewall.conf

@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall/install.sh

@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then

Shorewall/lib.cli-std

@@ -493,13 +493,13 @@ compiler() {
 
     case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
     esac
     #

Shorewall/manpages/shorewall-interfaces.xml

@@ -306,6 +306,72 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>The normal setting for this option will be <emphasis
+                role="bold">dst</emphasis> or <emphasis
+                role="bold">none</emphasis> for internal interfaces and
+                <emphasis role="bold">src</emphasis> or <emphasis
+                role="bold">src-dst</emphasis> for Internet-facing
+                interfaces.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">destonly</emphasis></term>
 
@@ -348,7 +414,7 @@ loc     eth2            -</programlisting>
                       url="../bridge-Shorewall-perl.html">Shorewall-perl for
                       firewall/bridging</ulink>, then you need to include
                       DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
                       DHCP uses UDP ports 67 and 68.</para>
                     </note>
                   </listitem>
@@ -380,7 +446,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -451,8 +517,8 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis
-              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+              <term><emphasis role="bold"><emphasis
+              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -493,7 +559,10 @@ loc     eth2            -</programlisting>
 
               <listitem>
                 <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -964,7 +964,9 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -679,7 +679,9 @@
           <para>Re-enables receipt of packets from hosts previously
           blacklisted by a <command>drop</command>,
           <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command.</para>
+          <command>logreject</command> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=No
+AUTOMAKE=Yes
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 

Shorewall6/manpages/shorewall6-interfaces.xml

@@ -237,6 +237,66 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked against the
+                      ipset).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">destonly</emphasis></term>
 
@@ -321,7 +381,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -370,7 +430,10 @@ loc     eth2            -</programlisting>
 
               <listitem>
                 <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-rules.xml

@@ -1658,7 +1658,7 @@
             <varlistentry>
               <term><emphasis role="bold">route</emphasis>, <emphasis
               role="bold">ipv6-route</emphasis> or <emphasis
-              role="bold">41</emphasis></term>
+              role="bold">43</emphasis></term>
 
               <listitem>
                 <para>IPv6 Route extension header.</para>

Shorewall6/manpages/shorewall6.xml

@@ -932,7 +932,9 @@
           blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
           role="bold">logdrop</emphasis>, <emphasis
           role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
         </listitem>
       </varlistentry>
 

docs/Dynamic.xml

@@ -95,6 +95,11 @@ rsyncok     eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
       <para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
       specified, a single ipset is created; the ipset has the same name as the
       zone.</para>
+
+      <para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
+      a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
+      Making a dynamic zone a sub-zone of multiple other zones is also
+      supported.</para>
     </section>
 
     <section id="Adding">

docs/Shorewall-5.xml

@@ -301,8 +301,8 @@
 
       <para>COMMENT, FORMAT and SECTION Lines now require the leading question
       mark ("?"). In earlier releases, the question mark was optional. The
-      <command>shorewall[6] update -D</command> command will insert the
-      question marks for you.</para>
+      <command>shorewall[6] update -D</command> command in Shorewall 4.6 will
+      insert the question marks for you.</para>
     </section>
   </section>
 
@@ -359,7 +359,7 @@
 
     <para>It is strongly recommended that you first upgrade your installation
     to a 4.6 release that supports the <option>-A</option> option to the
-    <command>update</command> command; 4.6.13 is preferred.</para>
+    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
 
     <para>Once you are on that release, execute the <command>shorewall update
     -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -374,11 +374,11 @@
     likely won't start or work correctly until you do.</para>
 
     <para>The <command>update</command> command in Shorewall 5 has many fewer
-    options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
-    and <option>-s </option>options have been removed -- the updates triggered
-    by those options are now performed unconditionally. The <option>-i
-    </option>and <option>-A </option>options have been retained - both enable
-    checking for issues that could result if INLINE_MATCHES were to be set to
-    Yes.</para>
+    options. The <option>-b</option>, <option>-t</option>,
+    <option>-n</option>, <option>-D</option> and <option>-s </option>options
+    have been removed -- the updates triggered by those options are now
+    performed unconditionally. The <option>-i </option>and <option>-A
+    </option>options have been retained - both enable checking for issues that
+    could result if INLINE_MATCHES were to be set to Yes.</para>
   </section>
 </article>

docs/blacklisting_support.xml

@@ -48,7 +48,7 @@
   <section id="Intro">
     <title>Introduction</title>
 
-    <para>Shorewall supports two different types of blackliisting; rule-based,
+    <para>Shorewall supports two different types of blacklisting; rule-based,
     static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
     controls the degree of blacklist filtering.</para>