Allow compact IPv6 addresses in IP6TABLES() rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -391,13 +391,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
 
-	    $g_ring_bell
+	    printf '\a'
 
 	    packet_log 40
 
 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $g_echo_n 'Enter any character to continue: '
+		printf 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -1007,13 +1007,6 @@ show_raw() {
     $g_tool -t raw -L $g_ipt_options | $output_filter
 }
 
-show_rawpost() {
-    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
-    echo
-    show_reset
-    $g_tool -t rawpost -L $g_ipt_options | $output_filter
-}
-
 show_mangle() {
     echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
     echo
@@ -1161,6 +1154,38 @@ show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
 }
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
+show_ipsec() {
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+}
+
+show_ipsec_command() {
+    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
+    show_ipsec
+}
 
 #
 # Show Command Executor
@@ -1232,7 +1257,7 @@ show_command() {
 			    [ $# -eq 1 ] && missing_option_value -t
 
 			    case $2 in
-				mangle|nat|filter|raw|rawpost)
+				mangle|nat|filter|raw)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -1286,10 +1311,6 @@ show_command() {
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
-	rawpost)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_rawpost $g_pager
-	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
@@ -1427,6 +1448,10 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
+	ipsec)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_ipsec_command $g_pager
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1674,11 +1699,6 @@ do_dump_command() {
 	$g_tool -t raw -L $g_ipt_options
     fi
 
-    if qt $g_tool -t rawpost -L -n; then
-	heading "Rawpost Table"
-	$g_tool -t rawpost -L $g_ipt_options
-    fi
-
     local count
     local max
 
@@ -1729,12 +1749,7 @@ do_dump_command() {
     heading "Events"
     show_events
 
-    if qt mywhich setkey; then
-	heading "PFKEY SPD"
-	setkey -DP
-	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
-    fi
+    show_ipsec
 
     heading "/proc"
     show_proc /proc/version
@@ -1934,15 +1949,6 @@ read_yesno_with_timeout() {
     fi
 }
 
-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2743,7 +2749,6 @@ determine_capabilities() {
     CONNMARK_MATCH=
     XCONNMARK_MATCH=
     RAW_TABLE=
-    RAWPOST_TABLE=
     IPP2P_MATCH=
     OLD_IPP2P_MATCH=
     LENGTH_MATCH=
@@ -2800,6 +2805,7 @@ determine_capabilities() {
     TCPMSS_TARGET=
     WAIT_OPTION=
     CPU_FANOUT=
+    NETMAP_TARGET=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2834,8 +2840,10 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
 	    else
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -2995,7 +3003,6 @@ determine_capabilities() {
     fi
 
     qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
-    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
 
     if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -F $chain
@@ -3221,7 +3228,6 @@ report_capabilities_unsorted() {
     report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
     [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
     report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
-    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
     report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
     [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
     report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3301,6 +3307,7 @@ report_capabilities_unsorted() {
     report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
+    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3350,7 +3357,6 @@ report_capabilities_unsorted1() {
     report_capability1 CONNMARK_MATCH
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
-    report_capability1 RAWPOST_TABLE
     report_capability1 IPP2P_MATCH
     report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
@@ -3407,6 +3413,7 @@ report_capabilities_unsorted1() {
     report_capability1 TCPMSS_TARGET
     report_capability1 WAIT_OPTION
     report_capability1 CPU_FANOUT
+    report_capability1 NETMAP_TARGET
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -4299,8 +4306,9 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
     fi
 
+    echo "   [ show | list | ls ] ipsec"
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw"
     ecko "   [ show | list | ls ] macro <macro>"
     ecko "   [ show | list | ls ] macros"
     echo "   [ show | list | ls ] nfacct"
@@ -4374,7 +4382,6 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
-    g_options=
 
     VERBOSE=
     VERBOSITY=1
@@ -4544,26 +4551,6 @@ shorewall_cli() {
 
     banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
 
-    case $(echo -e) in
-	-e*)
-	    g_ring_bell="echo \a"
-	    g_echo_e="echo"
-	    ;;
-	*)
-	    g_ring_bell="echo -e \a"
-	    g_echo_e="echo -e"
-	    ;;
-    esac
-
-    case $(echo -n "Testing") in
-	-n*)
-	    g_echo_n=
-	    ;;
-	*)
-	    g_echo_n=-n
-	    ;;
-    esac
-
     COMMAND=$1
 
     case "$COMMAND" in

Shorewall-core/lib.core

@@ -35,7 +35,7 @@ fatal_error() # $@ = Message
     exit 2
 }
 
-setup_product_environment() { # $1 -- if non-empty, source shorewallrc 
+setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
     g_basedir=${SHAREDIR}/shorewall
 
     g_sharedir="$SHAREDIR"/$PRODUCT
@@ -47,14 +47,12 @@ setup_product_environment() { # $1 -- if non-empty, source shorewallrc
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
-	    g_options=-l
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
-	    g_options=-6l
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"
@@ -88,16 +86,32 @@ setup_product_environment() { # $1 -- if non-empty, source shorewallrc
 }
 
 set_default_product() {
-    if [ -f ${g_basedir}/version ]; then
-	PRODUCT=shorewall
-    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-	PRODUCT=shorewall-lite
-    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
-	PRODUCT=shorewall6-lite
-    else
-	fatal_error "No Shorewall firewall product is installed"
-    fi
-}   
+    case $(basename $0) in
+	shorewall6)
+	    PRODUCT=shorewall6
+	    ;;
+	shorewall4)
+	    PRODUCT=shorewall
+	    ;;
+	shorewall-lite)
+	    PRODUCT=shorewall-lite
+	    ;;
+	shorewall6-lite)
+	    PRODUCT=shorewall6-lite
+	    ;;
+	*)
+	    if [ -f ${g_basedir}/version ]; then
+		PRODUCT=shorewall
+	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+		PRODUCT=shorewall-lite
+	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
+		PRODUCT=shorewall6-lite
+	    else
+		fatal_error "No Shorewall firewall product is installed"
+	    fi
+	    ;;
+    esac
+}
 
 # Not configured Error
 #
@@ -362,25 +376,6 @@ resolve_file() # $1 = file name
     esac
 }
 
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp

Shorewall-core/uninstall.sh

@@ -81,7 +81,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall-init/init.debian.sh

@@ -104,7 +104,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
@@ -125,7 +125,7 @@ shorewall_start () {
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 
-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "
 
       if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +142,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.fedora.sh

@@ -64,7 +64,7 @@ start () {
 	return 6 #Not configured
     fi
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +99,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir

Shorewall-init/init.openwrt.sh

@@ -89,7 +89,7 @@ start () {
     local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +114,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.sh

@@ -81,7 +81,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.suse.sh

@@ -93,7 +93,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +114,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/install.sh

@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
     #
     if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+	file=~/.shorewallrc
      else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
     fi

Shorewall-init/shorewall-init

@@ -64,7 +64,7 @@ shorewall_start () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +92,7 @@ shorewall_stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/uninstall.sh

@@ -126,7 +126,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall-lite show vardir)
-SHAREDIR=/usr/share/shorewall-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall-lite/init.debian.sh

@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall Lite firewall\": "
+      printf "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall_stop () {
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall-lite/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall-lite/install.sh

@@ -379,6 +379,7 @@ delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -429,15 +430,6 @@ elif [ $HOST = gentoo ]; then
     # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
     perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
-
-#
-# Install the  Makefile
-#
-install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-
 #
 # Install the default config path file
 #
@@ -502,6 +494,14 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
+    mkdir -p ${DESTDIR}${MANDIR}/man8/
+
+    for f in *.8; do
+	gzip -c $f > $f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    done
+
     cd ..
 
     echo "Man Pages Installed"
@@ -529,7 +529,11 @@ fi
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
-delete_file ${DESTDIR}${SBINDIR}/$PRODUCT
+
+#
+#  Creatae the symbolic link for the CLI
+#
+ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here

Shorewall-lite/manpages/shorewall-lite.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-lite</refentrytitle>
+
+    <manvolnum>8</manvolnum>
+
+    <refmiscinfo>Administrative Commands</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>shorewall-lite</refname>
+
+    <refpurpose>Administration tool for Shoreline Firewall Lite
+    (Shorewall-lte)</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable> [
+      <replaceable>command-arguments</replaceable> ]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The shorewall-lite utility is used to control the Shoreline Firewall
+    Lite (Shorewall-lite).</para>
+
+    <para>Beginning with Shorewall 5.1.0, <command>shorewall6-lite</command>
+    is a symbolic link pointing to the <ulink
+    url="/manpages/shorewall.html">shorewall</ulink>(8) executable who
+    executes the <replaceable>command</replaceable> as if its
+    <option>-6</option> and <option>-l</option> options had been
+    specified.</para>
+  </refsect1>
+</refentry>

Shorewall-lite/uninstall.sh

@@ -125,7 +125,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/Makefile
-#
-# Reload Shorewall if config files are updated.
-
-SWBIN	?= /sbin/shorewall -q
-CONFDIR	?= /etc/shorewall
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall/Perl/Shorewall/Chains.pm

@@ -120,7 +120,6 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
-		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
-				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -418,7 +416,6 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
-our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -759,13 +756,11 @@ sub initialize( $$$ ) {
     ( $family, my $hard, $export ) = @_;
 
     %chain_table = ( raw    =>  {},
-		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );
 
     $raw_table     = $chain_table{raw};
-    $rawpost_table = $chain_table{rawpost};
     $nat_table     = $chain_table{nat};
     $mangle_table  = $chain_table{mangle};
     $filter_table  = $chain_table{filter};
@@ -1195,9 +1190,16 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies '-m policy'
+    # Don't combine chains where each specifies
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
     #
-    return ! ( $ref1->{policy} && $ref2->{policy} );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
+	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
 
 #
@@ -2757,14 +2759,6 @@ sub ensure_raw_chain($) {
     $chainref;
 }
 
-sub ensure_rawpost_chain($) {
-    my $chain = $_[0];
-
-    my $chainref = ensure_chain 'rawpost', $chain;
-    $chainref->{referenced} = 1;
-    $chainref;
-}
-
 #
 # Add a builtin chain
 #
@@ -2963,8 +2957,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3027,8 +3019,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3332,7 +3322,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw rawpost mangle nat filter/ ) {
+    for my $table ( qw/raw mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;
 
@@ -4251,7 +4241,6 @@ sub valid_tables() {
     my @table_list;
 
     push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
-    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
     push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
     push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
     push @table_list, 'filter'; #MUST BE LAST!!!
@@ -8932,7 +8921,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
 
 	    $chains{$table} = {} unless $chains{$table};
 
@@ -8961,7 +8950,7 @@ sub create_chainlist_reload($) {
 
 	enter_cat_mode;
 
-	for $table ( qw(raw rawpost nat mangle filter) ) {
+	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 
 	    next unless $tableref;

Shorewall/Perl/Shorewall/Config.pm

@@ -389,7 +389,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
-		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -413,6 +412,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  TCPMSS_TARGET   => 'TCPMSS Target',
                  WAIT_OPTION     => 'iptables --wait option',
                  CPU_FANOUT      => 'NFQUEUE CPU Fanout',
+                 NETMAP_TARGET   => 'NETMAP Target',
 
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -980,7 +980,6 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
-	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1037,6 +1036,7 @@ sub initialize( $;$$) {
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
+	       NETMAP_TARGET => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2001,6 +2001,21 @@ sub find_writable_file($) {
     "$config_path[0]$filename";
 }
 
+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2059,7 +2074,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
     my ($list, $type ) = @_;
 
-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
 
     my @list1 = split /:/, $list;
     my @list2;
@@ -2096,6 +2111,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2261,21 +2277,6 @@ sub split_columns( $ ) {
     @list2;
 }
 
-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();
 
 #
@@ -4318,6 +4319,22 @@ sub Masquerade_Tgt() {
     $result;
 }
 
+sub Netmap_Target() {
+    have_capability( 'NAT_ENABLED' ) || return '';
+
+    my $result = '';
+    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
+
+    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
+	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
+	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
+	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
+
+    }
+
+    $result;
+}
+
 sub Udpliteredirect() {
     have_capability( 'NAT_ENABLED' ) || return '';
 
@@ -4516,10 +4533,6 @@ sub Raw_Table() {
     qt1( "$iptables $iptablesw -t raw -L -n" );
 }
 
-sub Rawpost_Table() {
-    qt1( "$iptables $iptablesw -t rawpost -L -n" );
-}
-
 sub Old_IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
@@ -4911,6 +4924,7 @@ our %detect_capability =
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
+      NETMAP_TARGET => \&Netmap_Target,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
       NFACCT_MATCH => \&NFAcct_Match,
       NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4926,7 +4940,6 @@ our %detect_capability =
       POLICY_MATCH => \&Policy_Match,
       PPTP_HELPER => \&PPTP_Helper,
       RAW_TABLE => \&Raw_Table,
-      RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
@@ -5054,7 +5067,6 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5096,6 +5108,7 @@ sub determine_capabilities() {
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
+	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';

Shorewall/Perl/Shorewall/Misc.pm

@@ -1679,12 +1679,6 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 
-	if ( have_capability 'RAWPOST_TABLE' ) {
-	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
-	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
-	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
-	}
-
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
     }
     #

Shorewall/Perl/Shorewall/Nat.pm

@@ -790,88 +790,39 @@ sub setup_netmap() {
 
 		my @rule = do_iproto( $proto, $dport, $sport );
 
-		unless ( $type =~ /:/ ) {
-		    my @rulein;
-		    my @ruleout;
+		my @rulein;
+		my @ruleout;
 
-		    $net1 = validate_net $net1, 0;
-		    $net2 = validate_net $net2, 0;
+		$net1 = validate_net $net1, 0;
+		$net2 = validate_net $net2, 0;
 
-		    if ( $interfaceref->{root} ) {
-			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		    } else {
-			@rulein  = imatch_source_dev( $interface );
-			@ruleout = imatch_dest_dev( $interface );
-			$interface = $interfaceref->{name};
-		    }
+		if ( $interfaceref->{root} ) {
+		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		} else {
+		    @rulein  = imatch_source_dev( $interface );
+		    @ruleout = imatch_dest_dev( $interface );
+		    $interface = $interfaceref->{name};
+		}
 
-		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
 
-		    if ( $type eq 'DNAT' ) {
-			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-					  j => 'NETMAP' ,
-					  "--to $net2",
-					  $net1 ,
-					  @rulein  ,
-					  imatch_source_net( $net3 ) );
-		    } elsif ( $type eq 'SNAT' ) {
-			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-					   j => 'NETMAP' ,
-					   "--to $net2" ,
-					   $net1 ,
-					   @ruleout ,
-					   imatch_dest_net( $net3 ) );
-		    } else {
-			fatal_error "Invalid type ($type)";
-		    }
-		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
-		    my ( $target , $chain ) = ( $1, $2 );
-		    my $table = 'raw';
-		    my @match;
-
-		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
-
-		    $net2 = validate_net $net2, 0;
-
-		    unless ( $interfaceref->{root} ) {
-			@match = imatch_dest_dev(  $interface );
-			$interface = $interfaceref->{name};
-		    }
-
-		    if ( $chain eq 'P' ) {
-			$chain = prerouting_chain $interface;
-			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
-		    } elsif ( $chain eq 'O' ) {
-			$chain = output_chain $interface;
-		    } else {
-			$chain = postrouting_chain $interface;
-			$table = 'rawpost';
-		    }
-
-		    my $chainref = ensure_chain( $table, $chain );
-
-
-		    if ( $target eq 'DNAT' ) {
-			dest_iexclusion( $chainref ,
-					 j => 'RAWDNAT' ,
-					 "--to-dest $net2" ,
-					 $net1 ,
-					 imatch_source_net( $net3 ) ,
-					 @rule ,
-					 @match
-				       );
-		    } else {
-			source_iexclusion( $chainref ,
-					   j  => 'RAWSNAT' ,
-					   "--to-source $net2" ,
-					   $net1 ,
-					   imatch_dest_net( $net3 ) ,
-					   @rule ,
-					   @match );
-		    }
+		if ( $type eq 'DNAT' ) {
+		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+				      j => 'NETMAP' ,
+				      "--to $net2",
+				      $net1 ,
+				      @rulein  ,
+				      imatch_source_net( $net3 ) );
+		} elsif ( $type eq 'SNAT' ) {
+		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+				       j => 'NETMAP' ,
+				       "--to $net2" ,
+				       $net1 ,
+				       @ruleout ,
+				       imatch_dest_net( $net3 ) );
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid TYPE ($type)";
+		    fatal_error "Invalid type ($type)";
 		}
 
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";

Shorewall/Perl/Shorewall/Raw.pm

@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
 
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;

Shorewall/Perl/Shorewall/Rules.pm

@@ -640,7 +640,8 @@ sub process_a_policy1($$$$$$$) {
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    $intrazone  = $clientwild && $1;
+
+    $intrazone  ||= $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
@@ -765,25 +766,28 @@ sub process_a_policy() {
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
-    my $intrazone;
+    my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $intrazone = $clients =~ /.*,.*\+$/) {
-	$clients =~ s/\+$//;
+    if ( $clientlist = ( $clients =~ /,/ ) ) {
+	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $servers =~ /.*,.*\+$/ ) {
-	$servers =~ s/\+$//;
-	$intrazone = 1;
+    if ( $serverlist = ( $servers =~ /,/ ) ) {
+	$intrazone ||= ( $servers =~ s/\+$// );
     }	
 
     fatal_error 'SOURCE must be specified' if $clients eq '-';
     fatal_error 'DEST must be specified'   if $servers eq '-';
     fatal_error 'POLICY must be specified' if $policy  eq '-';
 
-    for my $client ( split_list( $clients, 'zone' ) ) {
-	for my $server ( split_list( $servers, 'zone' ) ) {
-	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+    if ( $clientlist || $serverlist ) {
+	for my $client ( split_list( $clients, 'zone' ) ) {
+	    for my $server ( split_list( $servers, 'zone' ) ) {
+		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
+	    }
 	}
+    } else {
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
     }
 }
 
@@ -2059,17 +2063,17 @@ sub process_action(\$\$$) {
 
 	    for my $proto (split_list( $protos, 'Protocol' ) ) {
 		process_snat1( $chainref,
-				   $action,
-				   $source,
-				   $dest,
-				   $proto,
-				   $port,
-				   $ipsec,
-				   $mark,
-				   $user,
-				   $condition,
-				   $origdest,
-				   $probability,
+			       $action,
+			       $source,
+			       $dest,
+			       $proto,
+			       $port,
+			       $ipsec,
+			       $mark,
+			       $user,
+			       $condition,
+			       $origdest,
+			       $probability,
 		    );
 	    }
 	}
@@ -2082,6 +2086,12 @@ sub process_action(\$\$$) {
 
     pop_open;
 
+    unless ( @{$chainref->{rules}} ) {
+	my $file = find_file( $action );
+
+	fatal_error "File action.${action} is empty and file $action exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes" if -f $file;
+    }
+
     #
     # Pop the action parameters
     #
@@ -2883,7 +2893,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2896,7 +2906,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -4500,7 +4510,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4516,7 +4526,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4955,6 +4965,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		     do_dscp( $dscp ) .
 		     state_match( $state ) .
 		     do_time( $time ) .
+		     do_condition( $condition, $chainref->{name} ) .
 		     ( $ttl ? "-t $ttl " : '' ) .
 		     $raw_matches ,
 		     $source ,

Shorewall/Perl/lib.runtime

@@ -526,13 +526,6 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
     done
 
-    qt1 $g_tool -t rawpost -F
-    qt1 $g_tool -t rawpost    -X
-
-    for chain in POSTROUTING; do
-	qt1 $g_tool -t rawpost -P $chain ACCEPT
-    done
-
     qt1 $g_tool -t nat    -F
     qt1 $g_tool -t nat    -X
 
@@ -582,9 +575,6 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
 	    '*'mangle)
 		table=mangle
 		;;

Shorewall/Perl/prog.footer

@@ -130,6 +130,8 @@ g_docker=
 g_dockernetwork=
 g_forcereload=
 
+[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
+
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then

Shorewall/configfiles/shorewall.conf

@@ -99,7 +99,7 @@ RESTOREFILE=restore
 
 SHOREWALL_SHELL=/bin/sh
 
-SUBSYSLOCK=
+SUBSYSLOCK=/var/lock/subsys/shorewall
 
 TC=
 

Shorewall/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall firewall\": "
+      printf "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall firewall\" rules: "
+      printf "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,21 +109,21 @@ shorewall_stop () {
 
 # reload the firewall
 shorewall_reload () {
-  echo -n "Reloading \"Shorewall firewall\": "
+  printf "Reloading \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
 }
 
 reload() {
-    echo -n $"Reloading Shorewall: "
+    printf $"Reloading Shorewall: "
     $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall/install.sh

@@ -175,7 +175,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else
@@ -464,7 +463,6 @@ if [ -z "$first_install" ]; then
 	delete_file ${DESTDIR}/usr/share/shorewall6/lib.cli
 	delete_file ${DESTDIR}/usr/share/shorewall6/lib.common
 	delete_file ${DESTDIR}/usr/share/shorewall6/wait4ifup
-	delete_file ${DESTDIR}/${SBINDIR}/shorewall6
     fi
 
     delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.header6
@@ -1044,18 +1042,11 @@ fi
 
 cd ..
 
-#
-# Install the  Makefiles
-#
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
-
-if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-fi
 #
 # Install the Action files
 #
+cd Actions
+
 for f in action.* ; do
     case $f in
 	*.deprecated)
@@ -1068,8 +1059,10 @@ for f in action.* ; do
 	    ;;
     esac
 done
-
-cd Macros
+#
+# Now the Macros
+#
+cd ../Macros
 
 for f in macro.* ; do
     case $f in
@@ -1101,6 +1094,10 @@ if [ $PRODUCT = shorewall6 ]; then
     # Symbolically link 'functions' to lib.base
     #
     ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
+    #
+    # And create a sybolic link for the CLI
+    #
+    ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
 fi
 
 if [ -d Perl ]; then
@@ -1183,15 +1180,13 @@ for f in *.5; do
     echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
 
-if [ $PRODUCT = shorewall ]; then
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
 
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-fi
+for f in *.8; do
+    gzip -9c $f > $f.gz
+    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+done
 
 cd ..
 

Shorewall/lib.cli-std

@@ -1229,13 +1229,13 @@ safe_commands() {
 
     if run_it ${VARDIR}/.$command $g_debugging $command; then
 
-	echo -n "Do you want to accept the new firewall configuration? [y/n] "
+	printf "Do you want to accept the new firewall configuration? [y/n] "
 
 	if read_yesno_with_timeout $timeout ; then
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe -r restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
@@ -1546,16 +1546,8 @@ remote_reload_command() # $* = original arguments less the command.
     file=$(resolve_file $g_shorewalldir/firewall)
 
     g_export=Yes
-    #
-    # Determine the remote CLI program
-    #
-    temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)
 
-    if [ -n "$temp" ]; then
-	program=$sbindir/${PRODUCT}-lite
-    else
-	program="$sbindir/shorewall $g_options"
-    fi
+    program=$sbindir/${PRODUCT}-lite
     #
     # Handle nonstandard remote VARDIR
     #

Shorewall/manpages/shorewall-netmap.xml

@@ -41,38 +41,18 @@
       <varlistentry>
         <term><emphasis role="bold">TYPE</emphasis> - <emphasis
         role="bold">{DNAT</emphasis>|<emphasis
-        role="bold">SNAT}[:{P|O|T}</emphasis>]</term>
+        role="bold">SNAT}</emphasis></term>
 
         <listitem>
-          <para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
-          optionally followed by :P, :O or :T to perform <firstterm>stateless
-          NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
-          support</firstterm> in your kernel and iptables (see the output of
-          <command>shorewall show capabilities</command>).</para>
+          <para>Must be DNAT or SNAT</para>
 
-          <para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
-          NET1 has its destination address rewritten to the corresponding
-          address in NET2.</para>
+          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
+          its destination address rewritten to the corresponding address in
+          NET2.</para>
 
-          <para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
-          address in NET1 has it's source address rewritten to the
-          corresponding address in NET2.</para>
-
-          <para>If DNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE and addressed to NET1 has its destination address
-          rewritten to the corresponding address in NET2.</para>
-
-          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
-          NET1 has its destination address rewritten to the corresponding
-          address in NET2.</para>
-
-          <para>If SNAT:P, traffic entering via INTERFACE with a destination
-          address in NET1 has it's source address rewritten to the
-          corresponding address in NET2.</para>
-
-          <para>If SNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE with a source address in NET1 has it's source address
-          rewritten to the corresponding address in NET2.</para>
+          <para>If SNAT, traffic leaving INTERFACE with a source address in
+          NET1 has it's source address rewritten to the corresponding address
+          in NET2.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -2570,9 +2570,19 @@ INLINE          -       -       -       ;; -j REJECT
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
           stops. Creating and removing this file allows Shorewall to work with
-          your distribution's initscripts. For RedHat and OpenSuSE, this
-          should be set to /var/lock/subsys/shorewall. For Debian, the value
-          is /var/lock/shorewall and in LEAF it is /var/run/shorewall.</para>
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall (var/lock/subsys/shorewall-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall (/run/lock/shorewall-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 

Shorewall/modules.essential

@@ -25,6 +25,8 @@ loadmodule ip_conntrack
 loadmodule nf_conntrack
 loadmodule nf_conntrack_ipv4
 loadmodule iptable_nat
+loadmodule nf_nat
+loadmodule nf_nat_ipv4
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp

Shorewall/modules.xtables

@@ -31,6 +31,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
+loadmodule xt_nat
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev

Shorewall/uninstall.sh

@@ -28,6 +28,7 @@
 
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
+Product=Shorewall
 
 usage() # $1 = exit status
 {
@@ -127,7 +128,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall6-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall6-lite show vardir)
-SHAREDIR=/usr/share/shorewall6-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall6-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall6-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall6-lite/init.debian.sh

@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall6_start () {
-  echo -n "Starting \"Shorewall6 Lite firewall\": "
+  printf "Starting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall6 Lite firewall\": "
+      printf "Stopping \"Shorewall6 Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall6 Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall6_stop () {
 
 # restart the firewall
 shorewall6_restart () {
-  echo -n "Restarting \"Shorewall6 Lite firewall\": "
+  printf "Restarting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall6_refresh () {
-  echo -n "Refreshing \"Shorewall6 Lite firewall\": "
+  printf "Refreshing \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall6-lite/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-lite</refentrytitle>
+
+    <manvolnum>8</manvolnum>
+
+    <refmiscinfo>Administrative Commands</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>shorewall6-lite</refname>
+
+    <refpurpose>Administration tool for Shoreline Firewall 6 Lite
+    (Shorewall6-lite)</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable> [
+      <replaceable>command-arguments</replaceable> ]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The shorewall6-lite utility is used to control the Shoreline
+    Firewall 6 Lite (Shorewall6-lite).</para>
+
+    <para>Beginning with Shorewall 5.1.0, <command>shorewall6-lite</command>
+    is a symbolic link pointing to the <ulink
+    url="/manpages/shorewall.html">shorewall</ulink>(8) executable who
+    executes the <replaceable>command</replaceable> as if its
+    <option>-6</option> and <option>-l</option> options had been
+    specified.</para>
+  </refsect1>
+</refentry>

Shorewall6-lite/uninstall.sh

@@ -126,7 +126,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall6/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall6 -- /etc/shorewall6/Makefile
-#
-# Reload Shorewall6 if config files are updated.
-
-SWBIN	?= /sbin/shorewall6 -q
-CONFDIR	?= /etc/shorewall6
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall6/configfiles/shorewall6.conf

@@ -169,7 +169,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall6_start () {
-  echo -n "Starting \"Shorewall6 firewall\": "
+  printf "Starting \"Shorewall6 firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall6 firewall\": "
+      printf "Stopping \"Shorewall6 firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
+      printf "Clearing all \"Shorewall6 firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,14 +109,14 @@ shorewall6_stop () {
 
 # restart the firewall
 shorewall6_restart () {
-  echo -n "Restarting \"Shorewall6 firewall\": "
+  printf "Restarting \"Shorewall6 firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall6_refresh () {
-  echo -n "Refreshing \"Shorewall6 firewall\": "
+  printf "Refreshing \"Shorewall6 firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall6/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall6/manpages/shorewall6-netmap.xml

@@ -29,8 +29,8 @@
     addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
 
     <warning>
-      <para>To use this file, your kernel and ip6tables must have RAWPOST
-      table support included.</para>
+      <para>To use this file, your kernel and ip6tables must have NETMAP
+      support included.</para>
     </warning>
 
     <para>The columns in the file are as follows (where the column name is
@@ -41,7 +41,7 @@
       <varlistentry>
         <term><emphasis role="bold">TYPE</emphasis> - <emphasis
         role="bold">{DNAT</emphasis>|<emphasis
-        role="bold">SNAT}:{P|O|T}</emphasis></term>
+        role="bold">SNAT}</emphasis></term>
 
         <listitem>
           <para>Must be DNAT or SNAT followed by :P, :O or :T to perform
@@ -50,29 +50,13 @@
           iptables (see the output of <command>shorewall6 show
           capabilities</command>).</para>
 
-          <para>If DNAT:P, traffic entering INTERFACE and addressed to NET1
-          has its destination address rewritten to the corresponding address
-          in NET2.</para>
+          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
+          its destination address rewritten to the corresponding address in
+          NET2.</para>
 
-          <para>If SNAT:T, traffic leaving INTERFACE with a source address in
+          <para>If SNAT, traffic leaving INTERFACE with a source address in
           NET1 has it's source address rewritten to the corresponding address
           in NET2.</para>
-
-          <para>If DNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE and addressed to NET1 has its destination address
-          rewritten to the corresponding address in NET2.</para>
-
-          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
-          NET1 has its destination address rewritten to the corresponding
-          address in NET2.</para>
-
-          <para>If SNAT:P, traffic entering via INTERFACE with a destination
-          address in NET1 has it's source address rewritten to the
-          corresponding address in NET2.</para>
-
-          <para>If SNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE with a source address in NET1 has it's source address
-          rewritten to the corresponding address in NET2.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -2204,10 +2204,20 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
-          stops. Creating and removing this file allows Shorewall6 to work
-          with your distribution's initscripts. For RedHat, this should be set
-          to /var/lock/subsys/shorewall6. For Debian, the value is
-          /var/lock/shorewall6 and in LEAF it is /var/run/shorewall.</para>
+          stops. Creating and removing this file allows Shorewall to work with
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall6 (var/lock/subsys/shorewall6-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall6 (/run/lock/shorewall6-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6</refentrytitle>
+
+    <manvolnum>8</manvolnum>
+
+    <refmiscinfo>Administrative Commands</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>shorewall6</refname>
+
+    <refpurpose>Administration tool for Shoreline Firewall 6
+    (Shorewall6)</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable> [
+      <replaceable>command-arguments</replaceable> ]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The shorewall6 utility is used to control the Shoreline Firewall 6
+    (Shorewall6).</para>
+
+    <para>Beginning with Shorewall 5.1.0, <command>shorewall6</command> is a
+    symbolic link pointing to the <ulink
+    url="/manpages/shorewall.html">shorewall</ulink>(8) executable who
+    executes the <replaceable>command</replaceable> as if its
+    <option>-6</option> option had been specified.</para>
+  </refsect1>
+</refentry>

Shorewall6/modules.essential

@@ -21,6 +21,8 @@ loadmodule ip6table_mangle
 loadmodule ip6table_raw
 loadmodule xt_conntrack
 loadmodule nf_conntrack_ipv6
+loadmodule nf_nat
+loadmodule nf_nat_ipv6
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ip6t_REJECT

Shorewall6/uninstall.sh

@@ -127,7 +127,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

docs/Anatomy.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Anatomy of Shorewall 5.0</title>
+    <title>Anatomy of Shorewall 5.0/5.1</title>
 
     <authorgroup>
       <author>
@@ -26,6 +26,8 @@
 
       <year>2015</year>
 
+      <year>2017</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -49,7 +51,9 @@
       <listitem>
         <para><emphasis role="bold">Shorewall Core</emphasis>. This package
         contains the core Shorewall shell libraries and is required to install
-        any of the other packages.</para>
+        any of the other packages. Beginning with Shorewall 5.1.0, it also
+        includes the Command Line Interface (CLI) program common to all of the
+        packages.</para>
       </listitem>
 
       <listitem>
@@ -83,11 +87,12 @@
       </listitem>
 
       <listitem>
-        <para>Shorewall-init. An add-on to any of the above packages that
-        allows the firewall state to be altered in reaction to interfaces
-        coming up and going down. Where Upstart is not being used, this
-        package can also be configured to place the firewall in a safe state
-        prior to bringing up the network interfaces.</para>
+        <para><emphasis role="bold">Shorewall-init</emphasis>. An add-on to
+        any of the above packages that allows the firewall state to be altered
+        in reaction to interfaces coming up and going down. Where Upstart is
+        not being used, this package can also be configured to place the
+        firewall in a safe state prior to bringing up the network
+        interfaces.</para>
       </listitem>
     </orderedlist>
   </section>
@@ -101,10 +106,7 @@
     class="directory">/etc/shorewall</filename>,
     <filename>/etc/init.d</filename> and <filename
     class="directory">/var/lib/shorewall/</filename>. These are described in
-    the sub-sections that follow. Since Shorewall 4.5.2, each of these
-    directories is now relocatable using the <ulink
-    url="Install.htm#idp8774904608">configure scripts included with Shorewall
-    Core</ulink>.</para>
+    the sub-sections that follow. </para>
 
     <important>
       <para>Since Shorewall 4.5.2, each of these directories is now
@@ -189,7 +191,7 @@
         </listitem>
 
         <listitem>
-          <para><filename>Macros/*</filename> - The standard Shorewall <ulink
+          <para><filename>macro.*</filename> - The standard Shorewall <ulink
           url="Macros.html">macros</ulink>.</para>
         </listitem>
 
@@ -236,8 +238,8 @@
     </section>
 
     <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename> or
@@ -349,9 +351,13 @@
     <section id="sbin6">
       <title>/sbin ($SBINDIR)</title>
 
-      <para>The <filename>/sbin/shorewall6</filename> shell program is used to
-      interact with Shorewall6. See <ulink
-      url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
+      <para>Prior to Shorewall 5.1.0, the
+      <filename>/sbin/shorewall6</filename> shell program is used to interact
+      with Shorewall6. See <ulink
+      url="manpages6/shorewall6.html">shorewall6</ulink>(8). Beginning with
+      Shorewall 5.1.0, <filename>/sbin/shorewall6</filename> is a symbolic
+      link to <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="share-shorewall6">
@@ -432,15 +438,15 @@
     </section>
 
     <section id="etc-shorewall6">
-      <title>/etc/shorewall6 (${CONFDIR}/</title>
+      <title>/etc/shorewall6 (${CONFDIR}/shorewall6)</title>
 
       <para>This is where the modifiable IPv6 configuration files are
       installed.</para>
     </section>
 
-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+    <section id="init6">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall6</filename> or
@@ -543,16 +549,19 @@
     in the sub-sections that follow.</para>
 
     <section id="sbin-lite">
-      <title>/sbin ($SBINDIR_</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall-lite</filename> shell program is
       used to interact with Shorewall lite. See <ulink
-      url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
+      url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8). Beginning
+      with Shorewall 5.1.0, <filename>/sbin/shorewall-lite</filename> is a
+      symbolic link to <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall-lite</filename> or
@@ -743,20 +752,16 @@
 
       <para>The <filename>/sbin/shorewall6-lite</filename> shell program is
       use to interact with Shorewall lite. See <ulink
-      url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink>(8).</para>
+      url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink>(8).
+      Beginning with Shorewall 5.1.0,
+      <filename>/sbin/shorewall6</filename>-lite is a symbolic link to
+      <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
-    <section id="init-lite6">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
-
-      <para>An init script is installed here. Depending on the distribution,
-      it is named <filename>shorewall6-lite</filename> or
-      <filename>rc.firewall</filename>.</para>
-    </section>
-
-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+    <section id="init-6lite">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename>6-lite or

docs/IPSEC-2.6.xml

@@ -30,7 +30,11 @@
 
       <year>2006</year>
 
-      <holder>2009 Thomas M. Eastep</holder>
+      <year>2009</year>
+
+      <year>2016</year>
+
+      <holder>Thomas M. Eastep</holder>
     </copyright>
 
     <copyright>
@@ -71,8 +75,8 @@
   <important>
     <para>While this <emphasis role="bold">article shows configuration of
     IPsec using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
-    configuration is exactly the same when using OpenSwan</emphasis> or
-    FreeSwan.</para>
+    configuration is exactly the same when using OpenSwan</emphasis> <emphasis
+    role="bold">or any of the other Swan derivatives</emphasis>.</para>
   </important>
 
   <warning>
@@ -158,7 +162,7 @@
         from MASQUERADE/SNAT using existing entries. If you want to
         MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
         must include the appropriate indication in the IPSEC column in that
-        file. </para>
+        file.</para>
       </listitem>
 
       <listitem>
@@ -321,6 +325,14 @@ vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ips
 vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis></programlisting>
     </blockquote>
 
+    <para>If you want to keep things simple, you can simply not restrict the
+    set of addresses in the ipsec zones:</para>
+
+    <blockquote>
+      <programlisting>#ZONE             HOSTS                                OPTIONS
+vpn               eth0:0.0.0.0/o                       <emphasis role="bold">ipsec</emphasis></programlisting>
+    </blockquote>
+
     <para>Assuming that you want to give each local network free access to the
     remote network and vice versa, you would need the following
     <filename>/etc/shorewall/policy</filename> entries on each system:</para>
@@ -450,12 +462,12 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
         tunnel, then it is a good idea to set the MSS value for traffic from
         those hosts explicitly in the
         <filename>/etc/shorewall/zones</filename> file. For example, if hosts
-        in the <emphasis role="bold">sec</emphasis> zone access the Internet
+        in the <emphasis role="bold">vpn</emphasis> zone access the Internet
         through an ESP tunnel then the following entry would be
         appropriate:</para>
 
         <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
-sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
+vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
         <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
         that both the SYN and SYN,ACK packets have their MSS field
@@ -469,6 +481,36 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
     </blockquote>
   </section>
 
+  <section>
+    <title>IPCOMP and IPSEC</title>
+
+    <para>IPSEC can be configured to perform data compression. This is
+    accomplished by compressing the original IP packet, then encapsulating it
+    in an ipcomp (protocol 108) packet. That packet is then encrypted and
+    encapsulated within an ESP packet. Because of the extra protocol header
+    required for compression, short IP packets (such as default ping packets)
+    are not compressed. The Linux IP stack handles these uncompressed packets
+    by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from
+    the remote gateway must be handled in Shorewall. The easiest way to
+    accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn
+    zone to the $FW zone:</para>
+
+    <blockquote>
+      <programlisting>#ACTION         SOURCE         DEST       PROTO       DPORT ...
+ACCEPT          vpn            $FW        4</programlisting>
+    </blockquote>
+
+    <para>Note that the source IP address is these IPIP packets is that of the
+    remote peer, so the definition of the ipsec zone in <ulink
+    url="manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) must
+    include the peer.</para>
+
+    <para>Finally, when IPCOMP is used, it is recommended that the OPTIONS
+    column of the ipsec zone's entry in <ulink
+    url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) be left
+    empty.</para>
+  </section>
+
   <section id="RoadWarrior">
     <title>Mobile System (Road Warrior)</title>
 

docs/Shorewall-5.xml

@@ -20,6 +20,10 @@
     <copyright>
       <year>2015</year>
 
+      <year>2016</year>
+
+      <year>2017</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -37,8 +41,8 @@
   <section>
     <title>Introduction</title>
 
-    <para>There are currently two principle groups of changes that distinguish
-    Shorewall 5 from Shorewall 4:</para>
+    <para>There are currently three principle groups of changes that
+    distinguish Shorewall 5 from Shorewall 4:</para>
 
     <orderedlist>
       <listitem>
@@ -54,6 +58,13 @@
         commands have been renamed or the function that they perform has been
         changed.</para>
       </listitem>
+
+      <listitem>
+        <para>CLI unification - Beginning with Shorewall 5.1.0, there is a
+        single CLI program (<filename>/sbin/shorewall </filename>or
+        <filename>/usr/sbin/shorewall</filename> depending on your
+        distribution).</para>
+      </listitem>
     </orderedlist>
 
     <para>Each of these groups is described in more detail in the sections
@@ -120,6 +131,10 @@
         <listitem>
           <para>LEGACY_FASTSTART</para>
         </listitem>
+
+        <listitem>
+          <para>CHAIN_SCRIPTS (Removed in Shorewall 5.1).</para>
+        </listitem>
       </itemizedlist>
 
       <para>A compilation warning is issued when any of these options are
@@ -354,6 +369,57 @@
     </section>
   </section>
 
+  <section>
+    <title>CLI Unification</title>
+
+    <para>Prior to Shorewall 5.1, there were four separate CLI
+    programs:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><filename>/sbin/shorewall </filename>or
+        <filename>/usr/sbin/shorewall</filename> depending on your
+        distribution. Packaged with Shorewall and used to control
+        Shorewall.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/sbin/shorewall6 </filename>or
+        <filename>/usr/sbin/shorewall6</filename> depending on your
+        distribution. Packaged with Shorewall6 and used to control
+        Shorewall6.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/sbin/shorewall-lite </filename>or
+        <filename>/usr/sbin/shorewall-lite</filename> depending on your
+        distribution. Packaged with Shorewall-lite and used to control
+        Shorewall-lite.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/sbin/shorewall6-lite </filename>or
+        <filename>/usr/sbin/shorewall6-lite</filename> depending on your
+        distribution. Packaged with Shorewall6-lite and used to control
+        Shorewall6-lite.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Each of these programs had their own (largely duplicated)
+    manpage.</para>
+
+    <para>Beginning with Shorewall 5.1, there is a single CLI program
+    (<filename>/sbin/shorewall</filename> or
+    <filename>/usr/sbin/shorewall</filename>) packaged with Shorewall-core.
+    The Shorewall6, Shorewall-lite and Shorewall6-lite packages create a
+    symbolic link to that program; the links are named shorewall6,
+    shorewall-lite and shorewall6-lite respectively. These symbolic links are
+    for backward compatibility only; all four products can be managed using
+    the single CLI program itself. The manpages shorewall6(8),
+    shorewall-lite(8) and shorewall6-lite(8) are skeletal and refer the reader
+    to shorewall(8).</para>
+  </section>
+
   <section>
     <title>Upgrading to Shorewall 5</title>
 
@@ -380,5 +446,125 @@
     performed unconditionally. The <option>-i </option>and <option>-A
     </option>options have been retained - both enable checking for issues that
     could result if INLINE_MATCHES were to be set to Yes.</para>
+
+    <section>
+      <title id="CHAIN_SCRIPTS">CHAIN_SCRIPTS Removal</title>
+
+      <para>Prior to the availability of ?[BEGIN] PERL .... ?END PERL, the
+      only way to create Perl code to insert rules into a chain was to use a
+      per-Chain script with the same name as the chain. The most common use of
+      these scripts was with Actions where an action A would have an empty
+      action.A file and then a file named A that contained Perl code. This was
+      a hack, at best, and has been deprecated since embedded Perl has been
+      available in action files.</para>
+
+      <para>In Shorewall 5.1, the compiler notices that action.A is empty and
+      looks for a file named A on the CONFIG_PATH. If that file is found, the
+      compiler raises a fatal error:</para>
+
+      <programlisting>    ERROR: File action.A is empty and file A exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes</programlisting>
+
+      <para>To resolve this issue, one of two approaches can be taken
+      depending on what the script A does.</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>If script A is simply inserting rules with ip[6]tables matches
+          and/or targets that Shorewall doesn't directly support, they can
+          probably be coded in the action.A file using the IP[6]TABLES action
+          and/or inline matches. For example, the following script
+          <filename>DNSDDOS</filename></para>
+
+          <programlisting>use Shorewall::Chains;
+
+add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP);
+add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|" -j DROP);
+add_rule $chainref, q(-j ACCEPT);
+
+1;</programlisting>
+
+          <para>can be coded in <filename>action.DNSDDOS</filename> as:</para>
+
+          <programlisting>DROP    -       -       ;; -m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|"
+DROP    -       -       ;; -m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|"
+ACCEPT  -       -</programlisting>
+        </listitem>
+
+        <listitem>
+          <para>The other approach is to simply convert A into embedded Perl
+          in action.A. Consider this <filename>SSHKnock</filename>
+          script:</para>
+
+          <programlisting>use Shorewall::Chains;
+
+if ( $level ) {
+    log_rule_limit( $level, 
+                    $chainref, 
+                    'SSHKnock',
+                    'ACCEPT',
+                    '',
+                    $tag,
+                    'add',
+                    '-p tcp --dport 22   -m recent --rcheck --name SSH ' );
+     log_rule_limit( $level,
+                     $chainref,
+                     'SSHKnock',
+                     'DROP',
+                     '',
+                     $tag,
+                     'add',
+                     '-p tcp --dport ! 22 ' );
+}
+add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
+add_rule( $chainref, '-p tcp --dport 632 -m recent                        --name SSH --remove -j DROP' );
+add_rule( $chainref, '-p tcp --dport 633 -m recent                        --name SSH --set    -j DROP' );
+add_rule( $chainref, '-p tcp --dport 634 -m recent                        --name SSH --remove -j DROP' );
+1;</programlisting>
+
+          <para>Because this script uses the implicit $level and $tag
+          variables, it must remain in Perl. This mostly involves simply
+          moving the <filename>SSHKnock</filename> script into
+          <filename>action.SSHKnock</filename>, but requires some additional
+          code in <filename>action.SSHKnock</filename> as shown in <emphasis
+          role="bold">bold font</emphasis> below:</para>
+
+          <programlisting><emphasis role="bold">?begin perl</emphasis>
+
+<emphasis role="bold">use Shorewall::Config;</emphasis>
+use Shorewall::Chains;
+
+<emphasis role="bold">my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;</emphasis>
+
+if ( $level ) {
+    log_rule_limit( $level, 
+                    $chainref, 
+                    'SSHKnock',
+                    'ACCEPT',
+                    '',
+                    $tag,
+                    'add',
+                    '-p tcp --dport 22   -m recent --rcheck --name SSH ' );
+
+    log_rule_limit( $level,
+                    $chainref,
+                    'SSHKnock',
+                    'DROP',
+                    '',
+                    $tag,
+                    'add',
+                    '-p tcp --dport ! 22 ' );
+}
+
+add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
+add_rule( $chainref, '-p tcp --dport 632 -m recent                        --name SSH --remove -j DROP' );
+add_rule( $chainref, '-p tcp --dport 633 -m recent                        --name SSH --set    -j DROP' );
+add_rule( $chainref, '-p tcp --dport 634 -m recent                        --name SSH --remove -j DROP' );
+1;
+
+<emphasis role="bold">?end perl</emphasis></programlisting>
+        </listitem>
+      </itemizedlist>
+    </section>
   </section>
 </article>