Update blacklisting article:

- ipset-based blacklisting
- BLACKLIST policy and action

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -369,7 +369,7 @@ fi
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
 #
 # Install wait4ifup
 #

Shorewall-core/lib.cli

@@ -78,29 +78,6 @@ showchain() # $1 = name of chain
     fi
 }
 
-#
-# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
-#
-
-iptablesbug()
-{
-    if [ $g_family -eq 4 ]; then
-	if qt mywhich awk ; then
-	    awk 'BEGIN           { sline=""; };\
-             /^-[jg]/            { print sline $0; next };\
-             /-m policy.*-[jg] / { print $0; next };\
-             /-m policy/         { sline=$0; next };\
-             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
-                                 { print ; sline="" }'
-        else
-	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
-	    cat
-	fi
-    else
-	cat
-    fi
-}
-
 #
 # Validate the value of RESTOREFILE
 #
@@ -391,13 +368,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
 
-	    $g_ring_bell
+	    printf '\a'
 
 	    packet_log 40
 
 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $g_echo_n 'Enter any character to continue: '
+		printf 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -1007,13 +984,6 @@ show_raw() {
     $g_tool -t raw -L $g_ipt_options | $output_filter
 }
 
-show_rawpost() {
-    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
-    echo
-    show_reset
-    $g_tool -t rawpost -L $g_ipt_options | $output_filter
-}
-
 show_mangle() {
     echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
     echo
@@ -1157,10 +1127,47 @@ show_macros() {
     done
 }
 
+show_an_action() {
+    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
+    cat ${directory}/action.$1
+}
+
 show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
 }
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
+show_ipsec() {
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+}
+
+show_ipsec_command() {
+    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
+    show_ipsec
+}
 
 #
 # Show Command Executor
@@ -1182,10 +1189,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 10 ]; then
-		echo "   $macro  ${foo#\#}"
+	    if [ ${#macro} -gt 5 ]; then
+		printf "  $macro\t${foo#\#}\n"
 	    else
-		$g_echo_e "   $macro  \t${foo#\#}"
+		printf "  $macro\t\t${foo#\#}\n"
 	    fi
 	fi
     }
@@ -1232,7 +1239,7 @@ show_command() {
 			    [ $# -eq 1 ] && missing_option_value -t
 
 			    case $2 in
-				mangle|nat|filter|raw|rawpost)
+				mangle|nat|filter|raw)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -1286,10 +1293,6 @@ show_command() {
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
-	rawpost)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_rawpost $g_pager
-	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
@@ -1427,18 +1430,45 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
+	ipsec)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_ipsec_command $g_pager
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
 		    ;;
 	    	*)
 		    case $1 in
+			action)
+			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
+			    [ $# -gt 2 ] && too_many_arguments $2
+
+			    for directory in $(split $CONFIG_PATH); do
+				if [ -f ${directory}/action.$2 ]; then
+				    eval show_an_action $2 $g_pager
+				    return
+				fi
+			    done
+
+			    case $2 in
+				allowBcast|dropBcast|dropNotSyn|rejNotSyn|allowinUPnp|forwardUPnP|Limit)
+				    echo "   WARNING: $2 is a built-in action" >&2
+				    ;;
+				*)
+				    echo "   WARNING: Action $2 not found" >&2
+				    ;;
+			    esac
+
+			    return
+			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
+			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -1579,19 +1609,6 @@ show_status() {
 
 }
 
-#
-# Don't dump empty SPD entries
-#
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
-}
-
 #
 # Dump Command Executor
 #
@@ -1687,11 +1704,6 @@ do_dump_command() {
 	$g_tool -t raw -L $g_ipt_options
     fi
 
-    if qt $g_tool -t rawpost -L -n; then
-	heading "Rawpost Table"
-	$g_tool -t rawpost -L $g_ipt_options
-    fi
-
     local count
     local max
 
@@ -1742,10 +1754,7 @@ do_dump_command() {
     heading "Events"
     show_events
 
-    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
-    heading "PFKEY SAD"
-    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+    show_ipsec
 
     heading "/proc"
     show_proc /proc/version
@@ -1945,15 +1954,6 @@ read_yesno_with_timeout() {
     fi
 }
 
-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2754,7 +2754,6 @@ determine_capabilities() {
     CONNMARK_MATCH=
     XCONNMARK_MATCH=
     RAW_TABLE=
-    RAWPOST_TABLE=
     IPP2P_MATCH=
     OLD_IPP2P_MATCH=
     LENGTH_MATCH=
@@ -2811,6 +2810,7 @@ determine_capabilities() {
     TCPMSS_TARGET=
     WAIT_OPTION=
     CPU_FANOUT=
+    NETMAP_TARGET=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2845,8 +2845,10 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
 	    else
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -3006,7 +3008,6 @@ determine_capabilities() {
     fi
 
     qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
-    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
 
     if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -F $chain
@@ -3232,7 +3233,6 @@ report_capabilities_unsorted() {
     report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
     [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
     report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
-    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
     report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
     [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
     report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3312,6 +3312,7 @@ report_capabilities_unsorted() {
     report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
+    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3361,7 +3362,6 @@ report_capabilities_unsorted1() {
     report_capability1 CONNMARK_MATCH
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
-    report_capability1 RAWPOST_TABLE
     report_capability1 IPP2P_MATCH
     report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
@@ -3418,6 +3418,7 @@ report_capabilities_unsorted1() {
     report_capability1 TCPMSS_TARGET
     report_capability1 WAIT_OPTION
     report_capability1 CPU_FANOUT
+    report_capability1 NETMAP_TARGET
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -4295,6 +4296,7 @@ usage() # $1 = exit status
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     ecko "   [ show | list | ls ] actions"
+    ecko "   [ show | list | ls ] action <action>"
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4310,8 +4312,9 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
     fi
 
+    echo "   [ show | list | ls ] ipsec"
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw"
     ecko "   [ show | list | ls ] macro <macro>"
     ecko "   [ show | list | ls ] macros"
     echo "   [ show | list | ls ] nfacct"
@@ -4385,7 +4388,6 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
-    g_options=
 
     VERBOSE=
     VERBOSITY=1
@@ -4555,26 +4557,6 @@ shorewall_cli() {
 
     banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
 
-    case $(echo -e) in
-	-e*)
-	    g_ring_bell="echo \a"
-	    g_echo_e="echo"
-	    ;;
-	*)
-	    g_ring_bell="echo -e \a"
-	    g_echo_e="echo -e"
-	    ;;
-    esac
-
-    case $(echo -n "Testing") in
-	-n*)
-	    g_echo_n=
-	    ;;
-	*)
-	    g_echo_n=-n
-	    ;;
-    esac
-
     COMMAND=$1
 
     case "$COMMAND" in

Shorewall-core/lib.core

@@ -47,14 +47,12 @@ setup_product_environment() { # $1 = if non-empty, source shorewallrc again now
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
-	    g_options=-l
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
-	    g_options=-6l
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"
@@ -378,25 +376,6 @@ resolve_file() # $1 = file name
     esac
 }
 
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp

Shorewall-core/manpages/shorewall.xml

@@ -665,7 +665,7 @@
       <arg><option>-l</option></arg>
 
       <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
 
       <arg><arg choice="plain"
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -685,6 +685,31 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg choice="plain"><option>{actions|macros}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>action</option><arg
+      choice="plain"><replaceable>action</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -695,7 +720,7 @@
       <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -749,7 +774,7 @@
 
       <arg><option>-x</option></arg>
 
-      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|raw</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -882,10 +907,11 @@
   <refsect1>
     <title>Description</title>
 
-    <para>The shorewall utility is used to control the Shoreline Firewall
-    (Shorewall), Shorewall Firewall 6 (Shorewall6), Shorewall Firewall Lite
-    (Shorewall-lite) and Shorewall Firewall 6 Lite (Shorewall6-lite). The
-    utility may be accessed under four different names:</para>
+    <para>Beginning with Shorewall 5.1.0, the <command>shorewall</command>
+    utility is used to control the Shoreline Firewall (Shorewall), Shorewall
+    Firewall 6 (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and
+    Shorewall Firewall 6 Lite (Shorewall6-lite). The utility may be accessed
+    under four different names:</para>
 
     <variablelist>
       <varlistentry>
@@ -928,6 +954,11 @@
         </listitem>
       </varlistentry>
     </variablelist>
+
+    <para>Prior to Shorewall 5.1.0, these four commands were implemented as
+    four separate program, each of which controlled only a single firewall
+    package. This manpage serves to document both the Shorewall 5.1 and
+    Shorewall 5.0 CLI.</para>
   </refsect1>
 
   <refsect1>
@@ -949,10 +980,10 @@
         <term><option>-4</option></term>
 
         <listitem>
-          <para>Causes the command to operate on the Shorewall configuration
-          or the Shorewall-lite configuration. It is the default when either
-          of those products is installed and when the command is
-          <command>shorewall</command> or
+          <para>Added in Shorewall 5.1.0. Causes the command to operate on the
+          Shorewall configuration or the Shorewall-lite configuration. It is
+          the default when either of those products is installed and when the
+          command is <command>shorewall</command> or
           <command>shorewall-lite</command>.</para>
         </listitem>
       </varlistentry>
@@ -961,9 +992,9 @@
         <term><option>-6</option></term>
 
         <listitem>
-          <para>Causes the command to operate on the Shorewall6 or
-          Shorewall6-lite configuration. It is the default when only
-          Shorewall6-lite is installed and when the command is
+          <para>Added in Shorewall 5.1.0. Causes the command to operate on the
+          Shorewall6 or Shorewall6-lite configuration. It is the default when
+          only Shorewall6-lite is installed and when the command is
           <command>shorewall6</command> or
           <command>shorewall6-lite</command>.</para>
         </listitem>
@@ -973,10 +1004,69 @@
         <term><option>-l</option></term>
 
         <listitem>
-          <para>Causes the command to operate on either Shorewall-lite or
-          Shorewall-6 lite and is the default when Shorewall is not installed
-          or when the command is <command>shorewall-lite</command> or
+          <para>Added in Shorewall 5.1.0. Causes the command to operate on
+          either Shorewall-lite or Shorewall-6 lite and is the default when
+          Shorewall is not installed or when the command is
+          <command>shorewall-lite</command> or
           <command>shorewall6-lite</command>.</para>
+
+          <para>With all four firewall products (Shorewall, Shorewall6,
+          Shorewall-lite and Shorewall6-lite) installed, the following table
+          shows the correspondence between the name used to invoke the command
+          and the <command>shorewall</command> command with the above three
+          options.</para>
+
+          <table border="1">
+            <caption>All four products installed</caption>
+
+            <tr>
+              <td><command>shorewall</command></td>
+
+              <td><command>shorewall</command> or <command>shorewall
+              -4</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall6</command></td>
+
+              <td><command>shorewall -6</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall-lite</command></td>
+
+              <td><command>shorewall -l</command> or <command>shorewall
+              -4l</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall6-lite</command></td>
+
+              <td><command>shorewall -6l</command></td>
+            </tr>
+          </table>
+
+          <para>The next table shows the correspondence when only
+          Shorewall-lite and Shorewall6-lite are installed.</para>
+
+          <table border="1">
+            <caption>Only Shorewall-lite and Shorewall6-lite
+            installed</caption>
+
+            <tr>
+              <td><command>shorewall-lite</command></td>
+
+              <td><command>shorewall</command>, <command>shorewall
+              -4</command> or <command>shorewall -4l</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall6-lite</command></td>
+
+              <td><command>shorewall -6</command> or <command>shorewall
+              -6l</command></td>
+            </tr>
+          </table>
         </listitem>
       </varlistentry>
 
@@ -2350,12 +2440,23 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">action
+              <replaceable>action</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Lists the named action file. Available on Shorewall and
+                Shorewall6 only.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">actions</emphasis></term>
 
               <listitem>
                 <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
+                standard and user-defined). Available on Shorewall and
+                Shorewall6 only.</para>
               </listitem>
             </varlistentry>
 
@@ -2388,7 +2489,7 @@
             <varlistentry>
               <term>[-<option>b</option>] [-<option>x</option>]
               [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}]
               [ <emphasis>chain</emphasis>... ]</term>
 
               <listitem>
@@ -2496,6 +2597,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.0. Displays the contents of the
+                IPSEC <firstterm>Security Policy Database</firstterm> (SPD)
+                and <firstterm>Security Association Database</firstterm>
+                (SAD). SAD keys are not displayed.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>[-<option>m</option>] <emphasis
               role="bold">log</emphasis></term>

Shorewall-init/init.debian.sh

@@ -104,7 +104,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
@@ -125,7 +125,7 @@ shorewall_start () {
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 
-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "
 
       if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +142,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.fedora.sh

@@ -64,7 +64,7 @@ start () {
 	return 6 #Not configured
     fi
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +99,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir

Shorewall-init/init.openwrt.sh

@@ -89,7 +89,7 @@ start () {
     local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +114,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.sh

@@ -81,7 +81,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.suse.sh

@@ -93,7 +93,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +114,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/shorewall-init

@@ -64,7 +64,7 @@ shorewall_start () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +92,7 @@ shorewall_stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall-lite show vardir)
-SHAREDIR=/usr/share/shorewall-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall-lite/init.debian.sh

@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall Lite firewall\": "
+      printf "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall_stop () {
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall-lite/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall-lite/install.sh

@@ -430,15 +430,6 @@ elif [ $HOST = gentoo ]; then
     # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
     perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
-
-#
-# Install the  Makefile
-#
-install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-
 #
 # Install the default config path file
 #

Shorewall/Actions/action.A_Drop

@@ -12,6 +12,7 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
+?require AUDIT_TARGET
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #

Shorewall/Actions/action.A_REJECT

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.A_REJECT!

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.BLACKLIST

@@ -0,0 +1,50 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+# Note -- This action is defined with the 'section' option, so the first
+#         parameter is always the section name. That means that in the
+#         following text, the first parameter passed in the rule is actually
+#         @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+   ?if $BLACKLIST_LOGLEVEL
+       blacklog
+   ?else
+       $BLACKLIST_DISPOSITION
+   ?endif
+?else
+   ?if ! "$SW_DBL_IPSET"
+   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+   ?endif
+
+   DEFAULTS -,DROP,-
+   #
+   # Add to the blacklist
+   #
+   ?if passed(@3)
+       ADD($SW_DBL_IPSET:src:@3)
+   ?elsif $SW_DBL_TIMEOUT
+       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+   ?else
+       ADD($SW_DBL_IPSET:src)
+   ?endif
+   #
+   # Dispose of the packet if asked
+   #
+   ?if passed(@2)
+      @2
+   ?endif
+?endif

Shorewall/Actions/action.Drop

@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.

Shorewall/Actions/action.Reject

@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.

Shorewall/Macros/macro.BLACKLIST

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.blacklist
-#
-# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?if $BLACKLIST_LOGLEVEL
-blacklog
-?else
-$BLACKLIST_DISPOSITION
-?endif

Shorewall/Macros/macro.Drop

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Drop
-#
-# This macro generates the same rules as the Drop default action
-# It is used in place of action.Drop when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Drop	net	all
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' DROP
-#
-DROP	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DROP	-	-	udp	135,445
-DROP	-	-	udp	137:139
-DROP	-	-	udp	1024:	137
-DROP	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Macros/macro.Reject

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Reject
-#
-# This macro generates the same rules as the Reject default action
-# It is used in place of action.Reject when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Reject	loc	fw
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' REJECT
-#
-REJECT	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-REJECT	-	-	udp	135,445
-REJECT	-	-	udp	137:139
-REJECT	-	-	udp	1024:	137
-REJECT	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/Makefile
-#
-# Reload Shorewall if config files are updated.
-
-SWBIN	?= /sbin/shorewall -q
-CONFDIR	?= /etc/shorewall
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall/Perl/Shorewall/Chains.pm

@@ -120,7 +120,6 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
-		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
-				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -418,7 +416,6 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
-our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -759,13 +756,11 @@ sub initialize( $$$ ) {
     ( $family, my $hard, $export ) = @_;
 
     %chain_table = ( raw    =>  {},
-		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );
 
     $raw_table     = $chain_table{raw};
-    $rawpost_table = $chain_table{rawpost};
     $nat_table     = $chain_table{nat};
     $mangle_table  = $chain_table{mangle};
     $filter_table  = $chain_table{filter};
@@ -1196,12 +1191,15 @@ sub compatible( $$ ) {
     }
     #
     # Don't combine chains where each specifies
-    #    '-m policy'
-    #    ( --multiport and ( --dport or --sport or -m multiport ) )
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
     #
     return ! ( $ref1->{policy} && $ref2->{policy} ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
-		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} || $ref1->{multiport} ) ) ) );
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
 
 #
@@ -2761,14 +2759,6 @@ sub ensure_raw_chain($) {
     $chainref;
 }
 
-sub ensure_rawpost_chain($) {
-    my $chain = $_[0];
-
-    my $chainref = ensure_chain 'rawpost', $chain;
-    $chainref->{referenced} = 1;
-    $chainref;
-}
-
 #
 # Add a builtin chain
 #
@@ -2967,8 +2957,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3031,8 +3019,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3336,7 +3322,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw rawpost mangle nat filter/ ) {
+    for my $table ( qw/raw mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;
 
@@ -4255,7 +4241,6 @@ sub valid_tables() {
     my @table_list;
 
     push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
-    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
     push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
     push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
     push @table_list, 'filter'; #MUST BE LAST!!!
@@ -8936,7 +8921,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
 
 	    $chains{$table} = {} unless $chains{$table};
 
@@ -8965,7 +8950,7 @@ sub create_chainlist_reload($) {
 
 	enter_cat_mode;
 
-	for $table ( qw(raw rawpost nat mangle filter) ) {
+	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 
 	    next unless $tableref;

Shorewall/Perl/Shorewall/Config.pm

@@ -389,7 +389,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
-		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -413,6 +412,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  TCPMSS_TARGET   => 'TCPMSS Target',
                  WAIT_OPTION     => 'iptables --wait option',
                  CPU_FANOUT      => 'NFQUEUE CPU Fanout',
+                 NETMAP_TARGET   => 'NETMAP Target',
 
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
+		    VERSION                 => "5.1.1-RC1",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -816,6 +816,7 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
+	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -904,6 +905,7 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
+	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -980,7 +982,6 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
-	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1037,6 +1038,7 @@ sub initialize( $;$$) {
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
+	       NETMAP_TARGET => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2001,6 +2003,21 @@ sub find_writable_file($) {
     "$config_path[0]$filename";
 }
 
+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2059,7 +2076,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
     my ($list, $type ) = @_;
 
-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
 
     my @list1 = split /:/, $list;
     my @list2;
@@ -2096,6 +2113,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2261,21 +2279,6 @@ sub split_columns( $ ) {
     @list2;
 }
 
-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();
 
 #
@@ -2709,13 +2712,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$ ) {
-    my ( $first, $val, $rest ) = @_;
+sub join_parts( $$$$ ) {
+    my ( $first, $val, $rest, $just_expand ) = @_;
 
     $val = '' unless defined $val;
-    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
-			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
+					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
     join( '', $first, $val, $rest );
 }
 
@@ -2768,7 +2771,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
 
-	$expression = join_parts( $first, $val, $rest );
+	$expression = join_parts( $first, $val, $rest, $just_expand );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
     }
 
@@ -2779,7 +2782,7 @@ sub evaluate_expression( $$$$ ) {
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest );
+	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
     }
@@ -2851,7 +2854,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -3039,6 +3042,12 @@ sub process_compiler_directive( $$$$ ) {
 			      $linenumber ) unless $omitting;
 	  } ,
 
+	  REQUIRE => sub() {
+	      fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
+	      fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
+	      require_capability( $expression, "The $actparams{action} action", 's' );
+	  } ,
+
 	);
 
     if ( my $function = $directives{$keyword} ) {
@@ -3752,7 +3761,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -4318,6 +4327,22 @@ sub Masquerade_Tgt() {
     $result;
 }
 
+sub Netmap_Target() {
+    have_capability( 'NAT_ENABLED' ) || return '';
+
+    my $result = '';
+    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
+
+    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
+	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
+	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
+	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
+
+    }
+
+    $result;
+}
+
 sub Udpliteredirect() {
     have_capability( 'NAT_ENABLED' ) || return '';
 
@@ -4516,10 +4541,6 @@ sub Raw_Table() {
     qt1( "$iptables $iptablesw -t raw -L -n" );
 }
 
-sub Rawpost_Table() {
-    qt1( "$iptables $iptablesw -t rawpost -L -n" );
-}
-
 sub Old_IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
@@ -4911,6 +4932,7 @@ our %detect_capability =
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
+      NETMAP_TARGET => \&Netmap_Target,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
       NFACCT_MATCH => \&NFAcct_Match,
       NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4926,7 +4948,6 @@ our %detect_capability =
       POLICY_MATCH => \&Policy_Match,
       PPTP_HELPER => \&PPTP_Helper,
       RAW_TABLE => \&Raw_Table,
-      RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
@@ -5054,7 +5075,6 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5096,6 +5116,7 @@ sub determine_capabilities() {
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
+	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5266,6 +5287,13 @@ sub update_config_file( $ ) {
     }
 
     update_default( 'USE_DEFAULT_RT', 'No' );
+
+    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
+	update_default( 'BALANCE_PROVIDERS', 'No' );
+    } else {
+	update_default( 'BALANCE_PROVIDERS', 'Yes' );
+    }
+
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
     update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
@@ -6273,6 +6301,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6289,6 +6318,8 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
 
+    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
+
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6329,6 +6360,9 @@ sub get_configuration( $$$$ ) {
 
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
+	    $variables{SW_DBL_IPSET}   = $set;
+	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
+
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6336,6 +6370,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
+    add_variables( %variables );
+
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
     default_yes_no 'COMPLETE'                   , '';
@@ -6603,11 +6639,12 @@ sub get_configuration( $$$$ ) {
     default 'RESTOREFILE'           , 'restore';
     default 'DROP_DEFAULT'          , 'Drop';
     default 'REJECT_DEFAULT'        , 'Reject';
+    default 'BLACKLIST_DEFAULT'     , 'Drop';
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
 
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
@@ -6793,7 +6830,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -1679,12 +1679,6 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 
-	if ( have_capability 'RAWPOST_TABLE' ) {
-	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
-	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
-	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
-	}
-
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
     }
     #

Shorewall/Perl/Shorewall/Nat.pm

@@ -790,88 +790,39 @@ sub setup_netmap() {
 
 		my @rule = do_iproto( $proto, $dport, $sport );
 
-		unless ( $type =~ /:/ ) {
-		    my @rulein;
-		    my @ruleout;
+		my @rulein;
+		my @ruleout;
 
-		    $net1 = validate_net $net1, 0;
-		    $net2 = validate_net $net2, 0;
+		$net1 = validate_net $net1, 0;
+		$net2 = validate_net $net2, 0;
 
-		    if ( $interfaceref->{root} ) {
-			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		    } else {
-			@rulein  = imatch_source_dev( $interface );
-			@ruleout = imatch_dest_dev( $interface );
-			$interface = $interfaceref->{name};
-		    }
+		if ( $interfaceref->{root} ) {
+		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		} else {
+		    @rulein  = imatch_source_dev( $interface );
+		    @ruleout = imatch_dest_dev( $interface );
+		    $interface = $interfaceref->{name};
+		}
 
-		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
 
-		    if ( $type eq 'DNAT' ) {
-			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-					  j => 'NETMAP' ,
-					  "--to $net2",
-					  $net1 ,
-					  @rulein  ,
-					  imatch_source_net( $net3 ) );
-		    } elsif ( $type eq 'SNAT' ) {
-			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-					   j => 'NETMAP' ,
-					   "--to $net2" ,
-					   $net1 ,
-					   @ruleout ,
-					   imatch_dest_net( $net3 ) );
-		    } else {
-			fatal_error "Invalid type ($type)";
-		    }
-		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
-		    my ( $target , $chain ) = ( $1, $2 );
-		    my $table = 'raw';
-		    my @match;
-
-		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
-
-		    $net2 = validate_net $net2, 0;
-
-		    unless ( $interfaceref->{root} ) {
-			@match = imatch_dest_dev(  $interface );
-			$interface = $interfaceref->{name};
-		    }
-
-		    if ( $chain eq 'P' ) {
-			$chain = prerouting_chain $interface;
-			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
-		    } elsif ( $chain eq 'O' ) {
-			$chain = output_chain $interface;
-		    } else {
-			$chain = postrouting_chain $interface;
-			$table = 'rawpost';
-		    }
-
-		    my $chainref = ensure_chain( $table, $chain );
-
-
-		    if ( $target eq 'DNAT' ) {
-			dest_iexclusion( $chainref ,
-					 j => 'RAWDNAT' ,
-					 "--to-dest $net2" ,
-					 $net1 ,
-					 imatch_source_net( $net3 ) ,
-					 @rule ,
-					 @match
-				       );
-		    } else {
-			source_iexclusion( $chainref ,
-					   j  => 'RAWSNAT' ,
-					   "--to-source $net2" ,
-					   $net1 ,
-					   imatch_dest_net( $net3 ) ,
-					   @rule ,
-					   @match );
-		    }
+		if ( $type eq 'DNAT' ) {
+		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+				      j => 'NETMAP' ,
+				      "--to $net2",
+				      $net1 ,
+				      @rulein  ,
+				      imatch_source_net( $net3 ) );
+		} elsif ( $type eq 'SNAT' ) {
+		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+				       j => 'NETMAP' ,
+				       "--to $net2" ,
+				       $net1 ,
+				       @ruleout ,
+				       imatch_dest_net( $net3 ) );
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid TYPE ($type)";
+		    fatal_error "Invalid type ($type)";
 		}
 
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";

Shorewall/Perl/Shorewall/Providers.pm

@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
     my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 
     if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
     } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
     }
 
     unless ( $options eq '-' ) {
@@ -603,19 +603,37 @@ sub process_a_provider( $ ) {
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
 
-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	fatal_error "'persistent' is not valid with 'local"    if $persistent;
-    } elsif ( $tproxy ) {
-	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	fatal_error "'track' not valid with 'tproxy'"          if $track;
-	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	$mark = $globals{TPROXY_MARK};
+    unless ( $pseudo ) {
+	if ( $local ) {
+	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	    fatal_error "'track' not valid with 'local'"           if $track;
+	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
+	} elsif ( $tproxy ) {
+	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	    fatal_error "'track' not valid with 'tproxy'"          if $track;
+	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	    $mark = $globals{TPROXY_MARK};
+	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
+	    if ( $config{USE_DEFAULT_RT} ) {
+		if ( $rf ) {
+		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
+		} else {
+		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
+		}
+	    } else {
+		unless ( $balance ) {
+		    if ( $rf ) {
+			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
+		    } else {
+			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
+		    }
+		}
+	    }
+	}
     }
 
     my $val = 0;

Shorewall/Perl/Shorewall/Raw.pm

@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
 
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;

Shorewall/Perl/Shorewall/Rules.pm

@@ -233,6 +233,7 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
+	       SECTION_OPT          => 2048 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -246,6 +247,7 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
+		 section     => SECTION_OPT ,
     );
 
 our %reject_options;
@@ -309,11 +311,12 @@ sub initialize( $ ) {
     # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
     # in the %config hash when shorewall[6].conf was processed.
     #
-    %default_actions  = ( DROP     => 'none' ,
-		 	  REJECT   => 'none' ,
-			  ACCEPT   => 'none' ,
-			  QUEUE    => 'none' ,
-			  NFQUEUE  => 'none' ,
+    %default_actions  = ( DROP      => 'none' ,
+		 	  REJECT    => 'none' ,
+			  BLACKLIST => 'none' ,
+			  ACCEPT    => 'none' ,
+			  QUEUE     => 'none' ,
+			  NFQUEUE   => 'none' ,
 			);
     #
     # These are set to 1 as sections are encountered.
@@ -679,6 +682,8 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
+    } elsif ( $policy eq 'BLACKLIST' ) {
+	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
     }
 
     unless ( $clientwild || $serverwild ) {
@@ -817,24 +822,26 @@ sub process_policies()
     our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
-			  DROP   => undef,
+			  DROP	 => undef,
 			  CONTINUE => undef,
+			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
 
-    our %map = ( DROP_DEFAULT    => 'DROP' ,
-		 REJECT_DEFAULT  => 'REJECT' ,
-		 ACCEPT_DEFAULT  => 'ACCEPT' ,
-		 QUEUE_DEFAULT   => 'QUEUE' ,
-		 NFQUEUE_DEFAULT => 'NFQUEUE' );
+    our %map = ( DROP_DEFAULT      => 'DROP' ,
+		 REJECT_DEFAULT    => 'REJECT' ,
+		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
+		 ACCEPT_DEFAULT    => 'ACCEPT' ,
+		 QUEUE_DEFAULT     => 'QUEUE' ,
+		 NFQUEUE_DEFAULT   => 'NFQUEUE' );
 
     my $zone;
     my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
 	my $action = $config{$option};
 
 	unless ( $action eq 'none' ) {
@@ -951,7 +958,20 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
-	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	if ( $target eq 'BLACKLIST' ) {
+	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
+
+	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
+	    } else {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
+	    }
+
+	    $target = 'DROP';
+	} else {
+	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	}
+
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
     }
 }
@@ -2718,7 +2738,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Determine the validity of the action
     #
-    $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
+    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
     if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -2893,7 +2913,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2906,7 +2926,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -3126,6 +3146,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Handle 'section' option
+	#
+	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#
@@ -4510,7 +4534,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4526,7 +4550,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4965,6 +4989,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		     do_dscp( $dscp ) .
 		     state_match( $state ) .
 		     do_time( $time ) .
+		     do_condition( $condition, $chainref->{name} ) .
 		     ( $ttl ? "-t $ttl " : '' ) .
 		     $raw_matches ,
 		     $source ,

Shorewall/Perl/Shorewall/Zones.pm

@@ -1275,6 +1275,7 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
+		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {

Shorewall/Perl/lib.runtime

@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
@@ -526,13 +526,6 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
     done
 
-    qt1 $g_tool -t rawpost -F
-    qt1 $g_tool -t rawpost    -X
-
-    for chain in POSTROUTING; do
-	qt1 $g_tool -t rawpost -P $chain ACCEPT
-    done
-
     qt1 $g_tool -t nat    -F
     qt1 $g_tool -t nat    -X
 
@@ -582,9 +575,6 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
 	    '*'mangle)
 		table=mangle
 		;;

Shorewall/Perl/prog.footer

@@ -130,6 +130,8 @@ g_docker=
 g_dockernetwork=
 g_forcereload=
 
+[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
+
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then

Shorewall/Samples/Universal/shorewall.conf

@@ -108,6 +108,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -140,6 +141,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/one-interface/shorewall.conf

@@ -119,6 +119,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -151,6 +152,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -116,6 +116,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -148,6 +149,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -119,6 +119,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -151,6 +152,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/actions.std

@@ -9,44 +9,43 @@
 # Builtin Actions are:
 #
 ?if 0
-A_ACCEPT                        # Audits then accepts a connection request
-A_DROP                          # Audits then drops a connection request
-allowBcast		        # Silently Allow Broadcast/multicast
-dropBcast		        # Silently Drop Broadcast/multicast
-dropNotSyn		        # Silently Drop Non-syn TCP packets
-rejNotSyn		        # Silently Reject Non-syn TCP packets
-allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
-forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-Limit                           # Limit the rate of connections from each individual IP address
+allowBcast			# Silently Allow Broadcast/multicast
+dropBcast			# Silently Drop Broadcast/multicast
+dropNotSyn			# Silently Drop Non-syn TCP packets
+rejNotSyn			# Silently Reject Non-syn TCP packets
+allowinUPnP			# Allow UPnP inbound (to firewall) traffic
+forwardUPnP			# Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit				# Limit the rate of connections from each individual IP address
 ?endif
 ###############################################################################
 #ACTION
-A_Drop 		                # Audited Default Action for DROP policy
-A_REJECT     noinline,logjump   # Audits then rejects a connection request
-A_REJECT!    inline             # Audits then rejects a connection request
-A_Reject	                # Audited Default action for REJECT policy
+A_Drop				# Audited Default Action for DROP policy
+A_REJECT     noinline,logjump	# Audits then rejects a connection request
+A_REJECT!    inline		# Audits then rejects a connection request
+A_Reject			# Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
-AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
-DNSAmp                          # Matches one-question recursive DNS queries
-Drop		                # Default Action for DROP policy
+AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
+AutoBLL	     noinline		# Helper for AutoBL
+BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
+DNSAmp				# Matches one-question recursive DNS queries
+Drop				# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-DropSmurfs   noinline           # Drop smurf packets
+DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED  #
+	     state=ESTABLISHED	#
 GlusterFS    inline		# Handles GlusterFS
-IfEvent      noinline           # Perform an action based on an event
-Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-             state=INVALID      #
+IfEvent	     noinline		# Perform an action based on an event
+Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
+	     state=INVALID	#
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject                          # Default Action for REJECT policy
-Related      inline,\		# Handles packets in the RELATED conntrack state
-             state=RELATED      #
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+Reject				# Default Action for REJECT policy
+Related	     inline,\		# Handles packets in the RELATED conntrack state
+	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit       # Handle packets with RST set
+RST	     inline,audit	# Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags    			# Handle bad flag combinations.
-Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED    #
+TCPFlags			# Handle bad flag combinations.
+Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED	#

Shorewall/configfiles/shorewall.conf

@@ -99,7 +99,7 @@ RESTOREFILE=restore
 
 SHOREWALL_SHELL=/bin/sh
 
-SUBSYSLOCK=
+SUBSYSLOCK=/var/lock/subsys/shorewall
 
 TC=
 
@@ -108,6 +108,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
@@ -140,6 +141,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall firewall\": "
+      printf "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall firewall\" rules: "
+      printf "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,21 +109,21 @@ shorewall_stop () {
 
 # reload the firewall
 shorewall_reload () {
-  echo -n "Reloading \"Shorewall firewall\": "
+  printf "Reloading \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
 }
 
 reload() {
-    echo -n $"Reloading Shorewall: "
+    printf $"Reloading Shorewall: "
     $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall/install.sh

@@ -1042,18 +1042,11 @@ fi
 
 cd ..
 
-#
-# Install the  Makefiles
-#
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
-
-if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-fi
 #
 # Install the Action files
 #
+cd Actions
+
 for f in action.* ; do
     case $f in
 	*.deprecated)
@@ -1066,8 +1059,10 @@ for f in action.* ; do
 	    ;;
     esac
 done
-
-cd Macros
+#
+# Now the Macros
+#
+cd ../Macros
 
 for f in macro.* ; do
     case $f in

Shorewall/lib.cli-std

@@ -443,20 +443,21 @@ compiler() {
     fi
 
     options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
-    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
-    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
-    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
-    [ -n "$g_export" ] && options="$options --export"
-    [ -n "$g_shorewalldir" ] && options="$options --directory=$g_shorewalldir"
-    [ -n "$g_timestamp" ] && options="$options --timestamp"
-    [ -n "$g_test" ] && options="$options --test"
-    [ -n "$g_preview" ] && options="$options --preview"
+
+    [ -n "$shorewallrc1" ]     && options="$options --shorewallrc1=${shorewallrc1}"
+    [ -n "$STARTUP_LOG" ]      && options="$options --log=$STARTUP_LOG"
+    [ -n "$LOG_VERBOSITY" ]    && options="$options --log_verbosity=$LOG_VERBOSITY";
+    [ -n "$g_export" ]         && options="$options --export"
+    [ -n "$g_shorewalldir" ]   && options="$options --directory=$g_shorewalldir"
+    [ -n "$g_timestamp" ]      && options="$options --timestamp"
+    [ -n "$g_test" ]           && options="$options --test"
+    [ -n "$g_preview" ]        && options="$options --preview"
     [ "$g_debugging" = trace ] && options="$options --debug"
-    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
-    [ -n "$g_confess" ] && options="$options --confess"
-    [ -n "$g_update" ] && options="$options --update"
-    [ -n "$g_annotate" ] && options="$options --annotate"
-    [ -n "$g_inline" ] && options="$options --inline"
+    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
+    [ -n "$g_confess" ]        && options="$options --confess"
+    [ -n "$g_update" ]         && options="$options --update"
+    [ -n "$g_annotate" ]       && options="$options --annotate"
+    [ -n "$g_inline" ]         && options="$options --inline"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -1229,13 +1230,13 @@ safe_commands() {
 
     if run_it ${VARDIR}/.$command $g_debugging $command; then
 
-	echo -n "Do you want to accept the new firewall configuration? [y/n] "
+	printf "Do you want to accept the new firewall configuration? [y/n] "
 
 	if read_yesno_with_timeout $timeout ; then
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe -r restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
@@ -1546,16 +1547,8 @@ remote_reload_command() # $* = original arguments less the command.
     file=$(resolve_file $g_shorewalldir/firewall)
 
     g_export=Yes
-    #
-    # Determine the remote CLI program
-    #
-    temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)
 
-    if [ -n "$temp" ]; then
-	program=$sbindir/${PRODUCT}-lite
-    else
-	program="$sbindir/shorewall $g_options"
-    fi
+    program=$sbindir/${PRODUCT}-lite
     #
     # Handle nonstandard remote VARDIR
     #

Shorewall/manpages/shorewall-actions.xml

@@ -191,6 +191,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified. </para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -205,9 +224,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
-                built-in action is termiating (i.e., if the action is jumped
-                to, the next rule in the chain is not evaluated).</para>
+                <option>builtin</option>, indicates that the built-in action
+                is termiating (i.e., if the action is jumped to, the next rule
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-interfaces.xml

@@ -762,6 +762,13 @@ loc     eth2            -</programlisting>
                     </listitem>
                   </itemizedlist>
                 </note>
+
+                <para>Beginning with Shorewall 5.1.1, when
+                <option>routefilter</option> is set to a non-zero value, the
+                <option>logmartians</option> option is also implicitly set. If
+                you actually want route filtering without logging, then you
+                must also specify <option>logmartians=0</option> after
+                <option>routefilter</option>.</para>
               </listitem>
             </varlistentry>
 
@@ -774,7 +781,7 @@ loc     eth2            -</programlisting>
                 iptables and kernel. It provides a more efficient alternative
                 to the <option>sfilter</option> option below. It performs a
                 function similar to <option>routefilter</option> (see above)
-                but works with Multi-ISP configurations that do now use
+                but works with Multi-ISP configurations that do not use
                 balanced routes.</para>
               </listitem>
             </varlistentry>

Shorewall/manpages/shorewall-netmap.xml

@@ -41,38 +41,18 @@
       <varlistentry>
         <term><emphasis role="bold">TYPE</emphasis> - <emphasis
         role="bold">{DNAT</emphasis>|<emphasis
-        role="bold">SNAT}[:{P|O|T}</emphasis>]</term>
+        role="bold">SNAT}</emphasis></term>
 
         <listitem>
-          <para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
-          optionally followed by :P, :O or :T to perform <firstterm>stateless
-          NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
-          support</firstterm> in your kernel and iptables (see the output of
-          <command>shorewall show capabilities</command>).</para>
+          <para>Must be DNAT or SNAT</para>
 
-          <para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
-          NET1 has its destination address rewritten to the corresponding
-          address in NET2.</para>
+          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
+          its destination address rewritten to the corresponding address in
+          NET2.</para>
 
-          <para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
-          address in NET1 has it's source address rewritten to the
-          corresponding address in NET2.</para>
-
-          <para>If DNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE and addressed to NET1 has its destination address
-          rewritten to the corresponding address in NET2.</para>
-
-          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
-          NET1 has its destination address rewritten to the corresponding
-          address in NET2.</para>
-
-          <para>If SNAT:P, traffic entering via INTERFACE with a destination
-          address in NET1 has it's source address rewritten to the
-          corresponding address in NET2.</para>
-
-          <para>If SNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE with a source address in NET1 has it's source address
-          rewritten to the corresponding address in NET2.</para>
+          <para>If SNAT, traffic leaving INTERFACE with a source address in
+          NET1 has it's source address rewritten to the corresponding address
+          in NET2.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-policy.xml

@@ -115,6 +115,7 @@
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
         role="bold">REJECT</emphasis>|<emphasis
+        role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -177,6 +178,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 

Shorewall/manpages/shorewall-providers.xml

@@ -208,6 +208,16 @@
                 <option>balance=</option><replaceable>weight</replaceable>
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface.</para>
+
+                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
+                <option>balance=1</option> is assumed unless the
+                <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified. Beginning with Shorewall 5.1.1, when
+                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
+                unless the <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -117,6 +117,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -176,6 +186,9 @@
 
             <member>REJECT_DEFAULT="Reject"</member>
 
+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
@@ -443,6 +456,24 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
+          determines whether the <option>balance</option> provider option (see
+          <ulink
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
+          <option>balance</option> option is assumed unless the
+          <option>fallback</option>, <option>loose</option>,
+          <option>load</option> or <option>tproxy</option> option is
+          specified. If this option is not set or is set to the empty value,
+          then the default value is the value of USE_DEFAULT_RT.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2570,9 +2601,19 @@ INLINE          -       -       -       ;; -j REJECT
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
           stops. Creating and removing this file allows Shorewall to work with
-          your distribution's initscripts. For RedHat and OpenSuSE, this
-          should be set to /var/lock/subsys/shorewall. For Debian, the value
-          is /var/lock/shorewall and in LEAF it is /var/run/shorewall.</para>
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall (var/lock/subsys/shorewall-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall (/run/lock/shorewall-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 
@@ -2821,8 +2862,12 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">balance</emphasis> is assumed unless
-              <emphasis role="bold">loose</emphasis> is specified.</para>
+              <para>If running Shorewall 5.1.0 or earlier or if
+              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">balance</emphasis> provider option is
+              assumed unless the <option>fallback</option>,
+              <option>loose</option>, <option>load</option> or
+              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

Shorewall/modules.essential

@@ -25,6 +25,8 @@ loadmodule ip_conntrack
 loadmodule nf_conntrack
 loadmodule nf_conntrack_ipv4
 loadmodule iptable_nat
+loadmodule nf_nat
+loadmodule nf_nat_ipv4
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp

Shorewall/modules.xtables

@@ -31,6 +31,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
+loadmodule xt_nat
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev

Shorewall6-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall6-lite show vardir)
-SHAREDIR=/usr/share/shorewall6-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall6-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall6-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall6-lite/init.debian.sh

@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall6_start () {
-  echo -n "Starting \"Shorewall6 Lite firewall\": "
+  printf "Starting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall6 Lite firewall\": "
+      printf "Stopping \"Shorewall6 Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall6 Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall6_stop () {
 
 # restart the firewall
 shorewall6_restart () {
-  echo -n "Restarting \"Shorewall6 Lite firewall\": "
+  printf "Restarting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall6_refresh () {
-  echo -n "Refreshing \"Shorewall6 Lite firewall\": "
+  printf "Refreshing \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall6-lite/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall6-lite/shorewall6-lite.service

@@ -2,6 +2,7 @@
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2017 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
@@ -14,7 +15,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewal -6l $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall -6l $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall -6l $OPTIONS stop
 ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
 

Shorewall6/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall6 -- /etc/shorewall6/Makefile
-#
-# Reload Shorewall6 if config files are updated.
-
-SWBIN	?= /sbin/shorewall6 -q
-CONFDIR	?= /etc/shorewall6
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -106,6 +106,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -134,6 +135,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/configfiles/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -169,7 +172,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall6_start () {
-  echo -n "Starting \"Shorewall6 firewall\": "
+  printf "Starting \"Shorewall6 firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall6 firewall\": "
+      printf "Stopping \"Shorewall6 firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
+      printf "Clearing all \"Shorewall6 firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,14 +109,14 @@ shorewall6_stop () {
 
 # restart the firewall
 shorewall6_restart () {
-  echo -n "Restarting \"Shorewall6 firewall\": "
+  printf "Restarting \"Shorewall6 firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall6_refresh () {
-  echo -n "Refreshing \"Shorewall6 firewall\": "
+  printf "Refreshing \"Shorewall6 firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall6/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall6/manpages/shorewall6-actions.xml

@@ -192,6 +192,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -206,9 +225,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
-                built-in action is termiating (i.e., if the action is jumped
-                to, the next rule in the chain is not evaluated).</para>
+                <option>builtin</option>, indicates that the built-in action
+                is termiating (i.e., if the action is jumped to, the next rule
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-netmap.xml

@@ -29,8 +29,8 @@
     addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
 
     <warning>
-      <para>To use this file, your kernel and ip6tables must have RAWPOST
-      table support included.</para>
+      <para>To use this file, your kernel and ip6tables must have NETMAP
+      support included.</para>
     </warning>
 
     <para>The columns in the file are as follows (where the column name is
@@ -41,7 +41,7 @@
       <varlistentry>
         <term><emphasis role="bold">TYPE</emphasis> - <emphasis
         role="bold">{DNAT</emphasis>|<emphasis
-        role="bold">SNAT}:{P|O|T}</emphasis></term>
+        role="bold">SNAT}</emphasis></term>
 
         <listitem>
           <para>Must be DNAT or SNAT followed by :P, :O or :T to perform
@@ -50,29 +50,13 @@
           iptables (see the output of <command>shorewall6 show
           capabilities</command>).</para>
 
-          <para>If DNAT:P, traffic entering INTERFACE and addressed to NET1
-          has its destination address rewritten to the corresponding address
-          in NET2.</para>
+          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
+          its destination address rewritten to the corresponding address in
+          NET2.</para>
 
-          <para>If SNAT:T, traffic leaving INTERFACE with a source address in
+          <para>If SNAT, traffic leaving INTERFACE with a source address in
           NET1 has it's source address rewritten to the corresponding address
           in NET2.</para>
-
-          <para>If DNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE and addressed to NET1 has its destination address
-          rewritten to the corresponding address in NET2.</para>
-
-          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
-          NET1 has its destination address rewritten to the corresponding
-          address in NET2.</para>
-
-          <para>If SNAT:P, traffic entering via INTERFACE with a destination
-          address in NET1 has it's source address rewritten to the
-          corresponding address in NET2.</para>
-
-          <para>If SNAT:O, traffic originating on the firewall and leaving via
-          INTERFACE with a source address in NET1 has it's source address
-          rewritten to the corresponding address in NET2.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-policy.xml

@@ -114,7 +114,7 @@
         <term><emphasis role="bold">POLICY</emphasis> - {<emphasis
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
-        role="bold">REJECT</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -177,6 +177,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 

Shorewall6/manpages/shorewall6-providers.xml

@@ -173,6 +173,16 @@
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface. Prior to Shorewall 5.0.13, only
                 one provider can specify this option.</para>
+
+                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
+                <option>balance=1</option> is assumed unless the
+                <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified. Beginning with Shorewall 5.1.1, when
+                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
+                unless the <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -103,6 +103,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -164,6 +174,9 @@
 
             <member>REJECT_DEFAULT="Reject"</member>
 
+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
@@ -374,6 +387,24 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
+          determines whether the <option>balance</option> provider option (see
+          <ulink
+          url="shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
+          <option>balance</option> option is assumed unless the
+          <option>fallback</option>, <option>loose</option>,
+          <option>load</option> or <option>tproxy</option> option is
+          specified. If this option is not set or is set to the empty value,
+          then the default value is the value of USE_DEFAULT_RT.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2204,10 +2235,20 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
-          stops. Creating and removing this file allows Shorewall6 to work
-          with your distribution's initscripts. For RedHat, this should be set
-          to /var/lock/subsys/shorewall6. For Debian, the value is
-          /var/lock/shorewall6 and in LEAF it is /var/run/shorewall.</para>
+          stops. Creating and removing this file allows Shorewall to work with
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall6 (var/lock/subsys/shorewall6-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall6 (/run/lock/shorewall6-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 
@@ -2465,8 +2506,12 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">balance</emphasis> is assumed unless
-              <emphasis role="bold">loose</emphasis> is specified.</para>
+              <para>If running Shorewall 5.1.0 or earlier or if
+              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">balance</emphasis> provider option is
+              assumed unless the <option>fallback</option>,
+              <option>loose</option>, <option>load</option> or
+              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

Shorewall6/modules.essential

@@ -21,6 +21,8 @@ loadmodule ip6table_mangle
 loadmodule ip6table_raw
 loadmodule xt_conntrack
 loadmodule nf_conntrack_ipv6
+loadmodule nf_nat
+loadmodule nf_nat_ipv6
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ip6t_REJECT

docs/Anatomy.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Anatomy of Shorewall 5.0</title>
+    <title>Anatomy of Shorewall 5.0/5.1</title>
 
     <authorgroup>
       <author>
@@ -26,6 +26,8 @@
 
       <year>2015</year>
 
+      <year>2017</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -49,7 +51,9 @@
       <listitem>
         <para><emphasis role="bold">Shorewall Core</emphasis>. This package
         contains the core Shorewall shell libraries and is required to install
-        any of the other packages.</para>
+        any of the other packages. Beginning with Shorewall 5.1.0, it also
+        includes the Command Line Interface (CLI) program common to all of the
+        packages.</para>
       </listitem>
 
       <listitem>
@@ -83,11 +87,12 @@
       </listitem>
 
       <listitem>
-        <para>Shorewall-init. An add-on to any of the above packages that
-        allows the firewall state to be altered in reaction to interfaces
-        coming up and going down. Where Upstart is not being used, this
-        package can also be configured to place the firewall in a safe state
-        prior to bringing up the network interfaces.</para>
+        <para><emphasis role="bold">Shorewall-init</emphasis>. An add-on to
+        any of the above packages that allows the firewall state to be altered
+        in reaction to interfaces coming up and going down. Where Upstart is
+        not being used, this package can also be configured to place the
+        firewall in a safe state prior to bringing up the network
+        interfaces.</para>
       </listitem>
     </orderedlist>
   </section>
@@ -101,10 +106,7 @@
     class="directory">/etc/shorewall</filename>,
     <filename>/etc/init.d</filename> and <filename
     class="directory">/var/lib/shorewall/</filename>. These are described in
-    the sub-sections that follow. Since Shorewall 4.5.2, each of these
-    directories is now relocatable using the <ulink
-    url="Install.htm#idp8774904608">configure scripts included with Shorewall
-    Core</ulink>.</para>
+    the sub-sections that follow. </para>
 
     <important>
       <para>Since Shorewall 4.5.2, each of these directories is now
@@ -189,7 +191,7 @@
         </listitem>
 
         <listitem>
-          <para><filename>Macros/*</filename> - The standard Shorewall <ulink
+          <para><filename>macro.*</filename> - The standard Shorewall <ulink
           url="Macros.html">macros</ulink>.</para>
         </listitem>
 
@@ -236,8 +238,8 @@
     </section>
 
     <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename> or
@@ -349,9 +351,13 @@
     <section id="sbin6">
       <title>/sbin ($SBINDIR)</title>
 
-      <para>The <filename>/sbin/shorewall6</filename> shell program is used to
-      interact with Shorewall6. See <ulink
-      url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
+      <para>Prior to Shorewall 5.1.0, the
+      <filename>/sbin/shorewall6</filename> shell program is used to interact
+      with Shorewall6. See <ulink
+      url="manpages6/shorewall6.html">shorewall6</ulink>(8). Beginning with
+      Shorewall 5.1.0, <filename>/sbin/shorewall6</filename> is a symbolic
+      link to <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="share-shorewall6">
@@ -432,15 +438,15 @@
     </section>
 
     <section id="etc-shorewall6">
-      <title>/etc/shorewall6 (${CONFDIR}/</title>
+      <title>/etc/shorewall6 (${CONFDIR}/shorewall6)</title>
 
       <para>This is where the modifiable IPv6 configuration files are
       installed.</para>
     </section>
 
-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+    <section id="init6">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall6</filename> or
@@ -543,16 +549,19 @@
     in the sub-sections that follow.</para>
 
     <section id="sbin-lite">
-      <title>/sbin ($SBINDIR_</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall-lite</filename> shell program is
       used to interact with Shorewall lite. See <ulink
-      url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
+      url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8). Beginning
+      with Shorewall 5.1.0, <filename>/sbin/shorewall-lite</filename> is a
+      symbolic link to <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall-lite</filename> or
@@ -743,20 +752,16 @@
 
       <para>The <filename>/sbin/shorewall6-lite</filename> shell program is
       use to interact with Shorewall lite. See <ulink
-      url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink>(8).</para>
+      url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink>(8).
+      Beginning with Shorewall 5.1.0,
+      <filename>/sbin/shorewall6</filename>-lite is a symbolic link to
+      <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
-    <section id="init-lite6">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
-
-      <para>An init script is installed here. Depending on the distribution,
-      it is named <filename>shorewall6-lite</filename> or
-      <filename>rc.firewall</filename>.</para>
-    </section>
-
-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+    <section id="init-6lite">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename>6-lite or

docs/IPSEC-2.6.xml

@@ -106,10 +106,10 @@
     traffic that is to be encrypted according to the contents of the SPD
     requires an appropriate SA to exist. SAs may be created manually using
     <command>setkey</command>(8) but most often, they are created by a
-    cooperative process involving the ISAKMP protocol and daemons such
-    as<command> racoon</command> or <command>isakmpd</command>. Incoming
-    traffic is verified against the SPD to ensure that no unencrypted traffic
-    is accepted in violation of the administrator's policies.</para>
+    cooperative process involving the ISAKMP protocol and a daemon included in
+    your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
+    Incoming traffic is verified against the SPD to ensure that no unencrypted
+    traffic is accepted in violation of the administrator's policies.</para>
 
     <para>There are three ways in which IPsec traffic can interact with
     Shorewall policies and rules:</para>
@@ -225,18 +225,11 @@
     of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
     security policies that select which traffic to encrypt/decrypt.</para>
 
-    <para>This article assumes the use of ipsec-tools (<ulink
-    url="http://ipsec-tools.sourceforge.net">http://ipsec-tools.sourceforge.net</ulink>).
-    As of this writing, I recommend that you run at least version 0.5.2.
-    Debian users, please note that there are separate Debian packages for
-    ipsec-tools and racoon although the ipsec-tools project releases them as a
-    single package.</para>
-
-    <para>For more information on IPsec, Kernel 2.6 and Shorewall see <ulink
-    url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
-    2005</ulink>. Be warned though that the presentation is based on Shorewall
-    2.2 and there are some differences in the details of how IPsec is
-    configured.</para>
+    <important>
+      <para>This article provides guidance regarding configuring Shorewall to
+      use with IPSEC. For configuring IPSEC itself, consult your IPSEC
+      product's documentation.</para>
+    </important>
   </section>
 
   <section id="GwFw">
@@ -360,155 +353,25 @@ $FW              vpn             ACCEPT</programlisting>
 ACCEPT     vpn:134.28.54.2  $FW</programlisting>
     </blockquote>
 
-    <para>Note that your Security Policies must also be set up to send traffic
-    between 134.28.54.2 and 206.162.148.9 through the tunnel (see
-    below).</para>
+    <warning>
+      <para>If you have hosts that access the Internet through an IPsec
+      tunnel, then it is a good idea to set the MSS value for traffic from
+      those hosts explicitly in the <filename>/etc/shorewall/zones</filename>
+      file. For example, if hosts in the <emphasis role="bold">vpn</emphasis>
+      zone access the Internet through an ESP tunnel then the following entry
+      would be appropriate:</para>
 
-    <para>Once you have these entries in place, restart Shorewall (type
-    shorewall restart); you are now ready to configure IPsec.</para>
-
-    <para>For full encrypted connectivity in this configuration (between the
-    subnets, between each subnet and the opposite gateway, and between the
-    gateways), you will need eight policies in
-    <filename>/etc/racoon/setkey.conf</filename>. For example, on gateway
-    A:</para>
-
-    <blockquote>
-      <programlisting># First of all flush the SPD and SAD databases
-spdflush;
-flush;
-
-# Add some SPD rules
-
-spdadd 192.168.1.0/24   10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 192.168.1.0/24   134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 206.162.148.9/32 134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 206.162.148.9/32 10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 10.0.0.0/8       192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
-spdadd 10.0.0.0/8       206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
-spdadd 134.28.54.2/32   192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
-spdadd 134.28.54.2/32   206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;</programlisting>
-    </blockquote>
-
-    <para>The <filename>setkey.conf</filename> file on gateway B would be
-    similar.</para>
-
-    <para>A sample <filename>/etc/racoon/racoon.conf</filename> file using
-    X.509 certificates might look like:</para>
-
-    <blockquote>
-      <programlisting>path certificates "/etc/certs" ;
-
-listen 
-{
-        isakmp 206.162.148.9;
-}
-
-remote 134.28.54.2
-{
-        exchange_mode main ;
-        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
-        verify_cert on;
-        my_identifier asn1dn ;
-        peers_identifier asn1dn ;
-        verify_identifier on ;
-        lifetime time 24 hour ;
-        proposal {
-                encryption_algorithm blowfish;
-                hash_algorithm sha1;
-                authentication_method rsasig ;
-                dh_group 2 ;
-        }
-}
-
-sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-
-sainfo address 206.162.148.9/32 any address 10.0.0.0/8 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-
-sainfo address 206.162.148.9/32 any address 134.28.54.2/32 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-
-sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}</programlisting>
-
-      <warning>
-        <para>If you have hosts that access the Internet through an IPsec
-        tunnel, then it is a good idea to set the MSS value for traffic from
-        those hosts explicitly in the
-        <filename>/etc/shorewall/zones</filename> file. For example, if hosts
-        in the <emphasis role="bold">vpn</emphasis> zone access the Internet
-        through an ESP tunnel then the following entry would be
-        appropriate:</para>
-
-        <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
+      <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
-        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
-        that both the SYN and SYN,ACK packets have their MSS field
-        adjusted.</para>
+      <para>You should also set FASTACCEPT=No in shorewall.conf to ensure that
+      both the SYN and SYN,ACK packets have their MSS field adjusted.</para>
 
-        <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
-        isn't effective with the 2.6 native IPsec implementation because there
-        is no separate IPsec device with a lower mtu as there was under the
-        2.4 and earlier kernels.</para>
-      </warning>
-    </blockquote>
-  </section>
-
-  <section>
-    <title>IPCOMP and IPSEC</title>
-
-    <para>IPSEC can be configured to perform data compression. This is
-    accomplished by compressing the original IP packet, then encapsulating it
-    in an ipcomp (protocol 108) packet. That packet is then encrypted and
-    encapsulated within an ESP packet. Because of the extra protocol header
-    required for compression, short IP packets (such as default ping packets)
-    are not compressed. The Linux IP stack handles these uncompressed packets
-    by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from
-    the remote gateway must be handled in Shorewall. The easiest way to
-    accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn
-    zone to the $FW zone:</para>
-
-    <blockquote>
-      <programlisting>#ACTION         SOURCE         DEST       PROTO       DPORT ...
-ACCEPT          vpn            $FW        4</programlisting>
-    </blockquote>
-
-    <para>Note that the source IP address is these IPIP packets is that of the
-    remote peer, so the definition of the ipsec zone in <ulink
-    url="manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) must
-    include the peer.</para>
-
-    <para>Finally, when IPCOMP is used, it is recommended that the OPTIONS
-    column of the ipsec zone's entry in <ulink
-    url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) be left
-    empty.</para>
+      <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
+      isn't effective with the 2.6 native IPsec implementation because there
+      is no separate IPsec device with a lower mtu as there was under the 2.4
+      and earlier kernels.</para>
+    </warning>
   </section>
 
   <section id="RoadWarrior">
@@ -586,116 +449,7 @@ ipsec         net         206.162.148.9       vpn</programlisting>
         <programlisting>#ZONE             HOSTS                  OPTIONS
 vpn               eth0:0.0.0.0/0</programlisting>
       </blockquote>
-
-      <para>On system A, here are the IPsec files:</para>
-
-      <blockquote>
-        <para><filename>/etc/racoon/racoon.conf</filename> - System A:</para>
-
-        <programlisting>path certificate "/etc/certs" ;
- 
-listen
-{
-        isakmp 206.162.148.9;
-}
- 
-remote <emphasis role="bold">anonymous</emphasis>
-{
-        exchange_mode main ;
-        <emphasis role="bold">generate_policy on</emphasis> ;
-        <emphasis role="bold">passive on</emphasis> ;
-        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
-        verify_cert on;
-        my_identifier asn1dn ;
-        peers_identifier asn1dn ;
-        verify_identifier on ;
-        lifetime time 24 hour ;
-        proposal {
-                encryption_algorithm blowfish ;
-                hash_algorithm sha1;
-                authentication_method rsasig ;
-                dh_group 2 ;
-        }
-}
- 
-sainfo <emphasis role="bold">anonymous</emphasis>
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}</programlisting>
-
-        <para><filename>/etc/racoon/setkey.conf</filename> - System A:</para>
-
-        <programlisting>flush;
-spdflush;</programlisting>
-      </blockquote>
-
-      <para>If system A is running kernel 2.6.10 or later then it must also be
-      running ipsec-tools (racoon) 0.5rc1 or later.</para>
-
-      <para>On the mobile system (system B), it is not possible to create a
-      static IPsec configuration because the IP address of the laptop's
-      Internet connection isn't static. I have created an 'ipsecvpn' script
-      and included in the tarball and in the RPM's documentation directory;
-      this script can be used to start and stop the connection.</para>
-
-      <para>The ipsecvpn script has some variable assignments at the top -- in
-      the above case, these would be as follows:</para>
-
-      <blockquote>
-        <programlisting>#
-# External Interface
-#
-INTERFACE=eth0
-#
-# Remote IPsec Gateway
-#
-GATEWAY=206.162.148.9
-#
-# Networks behind the remote gateway
-#
-NETWORKS="192.168.1.0/24"
-#
-# Directory where X.509 certificates are stored.
-#
-CERTS=/etc/certs
-#
-# Certificate to be used for this connection. The cert
-# directory must contain:
-#
-#     ${CERT}.pem     - the certificate
-#     ${CERT}_key.pem - the certificates's key
-#
-CERT=roadwarrior
-#
-#     The setkey binary
-#
-SETKEY=/usr/sbin/setkey
-#
-#     The racoon binary
-#
-RACOON=/usr/sbin/racoon</programlisting>
-      </blockquote>
-
-      <para>The ipsecvpn script can be installed in /etc/init.d/ but it is
-      probably best installed in /usr/local/sbin and run manually:</para>
-
-      <blockquote>
-        <para><command>ipsecvpn start </command># Starts the tunnel</para>
-
-        <para><command>ipsecvpn stop</command> # Stops the tunnel</para>
-      </blockquote>
     </example>
-
-    <warning>
-      <para>Although the ipsecvpn script allows you to specify multiple remote
-      NETWORKS as a space-separated list, SAs are created on the gateway only
-      during ISAKMP negotiation. So in practice, only the first remote network
-      accessed will be accessible from the roadwarrior.</para>
-    </warning>
   </section>
 
   <section id="RW-L2TP">
@@ -853,62 +607,7 @@ HTTPS(ACCEPT)   l2tp    $FW</programlisting>
     hosts in that network. In that case, IPsec transport mode is an
     appropriate solution.</para>
 
-    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
-    the ipsec-tools package. The files shown are from host 192.168.20.10; the
-    configuration of the other nodes is similar.</para>
-
-    <blockquote>
-      <para><filename>/etc/racoon/racoon.conf</filename>:</para>
-
-      <programlisting>path pre_shared_key "/etc/racoon/psk.txt" ;
-
-remote anonymous
-{
-        exchange_mode main ;
-        my_identifier address ;
-        lifetime time 24 hour ;
-        proposal {
-                encryption_algorithm blowfish ;
-                hash_algorithm sha1;
-                authentication_method pre_shared_key ;
-                dh_group 2 ;
-        }
-}
-
-sainfo anonymous
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-</programlisting>
-
-      <para><filename>/etc/racoon/setkey.conf</filename>:</para>
-
-      <programlisting># First of all flush the SPD database
-spdflush;
-
-# Add some SPD rules
-
-spdadd 192.168.20.10/32 192.168.20.20/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.20/require;
-spdadd 192.168.20.20/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.20-192.168.20.10/require;
-spdadd 192.168.20.10/32 192.168.20.30/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.30/require;
-spdadd 192.168.20.30/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.30-192.168.20.10/require;
-spdadd 192.168.20.10/32 192.168.20.40/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.40/require;
-spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.40-192.168.20.10/require;
-</programlisting>
-
-      <para><filename>/etc/racoon/psk.txt</filename>:</para>
-
-      <programlisting>192.168.20.20             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.20&gt;
-192.168.20.30             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.30&gt;
-192.168.20.40             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.40&gt;</programlisting>
-
-      <para>Note that the <emphasis role="bold">same key</emphasis>must be
-      used in both directions.</para>
-    </blockquote>
+    <para><graphic fileref="images/TransportMode.png"/></para>
 
     <para>Shorewall configuration goes as follows:</para>
 
@@ -973,75 +672,13 @@ all             all             REJECT          info</programlisting>
 ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
     above assumes that the name of your IPsec vpn zone is
     <emphasis>vpn</emphasis>.</para>
-  </section>
 
-  <section id="XP">
-    <title>IPsec and <trademark>Windows</trademark> XP</title>
-
-    <para>I have successfully configured my work laptop to use IPsec with
-    X.509 certificates for wireless IP communication when it is undocked at
-    home. I looked at dozens of sites and the one I found most helpful was
-    <ulink
-    url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
-    The instructions on that site are directed to students at UCLA but they
-    worked fine for me (once I followed them very carefully).</para>
-
-    <warning>
-      <para>The instructions found on the UCLA site are complex and do not
-      include any information on the generation of X.509 certificates. There
-      are lots of sites however that can tell you how to generate
-      certificates, including <ulink
-      url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
-
-      <para>One piece of information that may not be so easy to find is "How
-      do I generate a PKCS#12 certificate to import into Windows?". Here's the
-      openssl command that I used:</para>
-
-      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless"</command> </programlisting>
-
-      <para>I was prompted for a password to associate with the certificate.
-      This password is entered on the Windows system during import.</para>
-
-      <para>In the above command:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para><filename>eastepnc6000.pem</filename> was the laptop's
-          certificate in PEM format.</para>
-        </listitem>
-
-        <listitem>
-          <para><filename>eastepnc6000_key.pem</filename> was the laptop's
-          private key (actually, it's the original signing request which
-          includes the private key).</para>
-        </listitem>
-
-        <listitem>
-          <para><filename>eastepnc6000.pfx</filename> is the PKCS#12 output
-          file.</para>
-        </listitem>
-
-        <listitem>
-          <para>"IPsec Cert for Home Wireless" is the friendly name for the
-          certificate.</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>I started to write an article about how to do this, complete with
-      graphics captured from my laptop. I gave up. I had captured 12 images
-      and hadn't really started yet. The Windows interface for configuring
-      IPsec is the worst GUI that I have ever used. What can be displayed on
-      one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
-      different dialog boxes on Windows XP!!!</para>
-    </warning>
-  </section>
-
-  <section id="More">
-    <title>Source of Additional Samples</title>
-
-    <para>Be sure to check out the <filename
-    class="directory">src/racoon/samples</filename> subdirectory in the
-    ipsec-tools source tree. It has a wide variety of sample racoon
-    configuration files.</para>
+    <important>
+      <para>Note that this protocol 4 (IPIP) traffic appears to originate in
+      the vpn zone, but it's source IP address is that of the remote gateway.
+      As a consequence, that address must be included in the definition of the
+      remote zone. If you haven't done that, the traffic will be dropped in
+      the INPUT chain.</para>
+    </important>
   </section>
 </article>

docs/MultiISP.xml

@@ -484,6 +484,18 @@ fi</programlisting>
                         url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
                       </note></para>
                   </important>
+
+                  <para>Prior to Shorewall 5.1.1, <emphasis
+                  role="bold">balance=1</emphasis> is the default when
+                  USE_DEFAULT_RT=Yes and neither the
+                  <option>fallback</option>, <option>loose</option>,
+                  <option>load</option> or <option>tproxy</option> option is
+                  specified. Beginning with Shorewall 5.1.1, <emphasis
+                  role="bold">balance=1</emphasis> is the default when both
+                  USE_DEFAULT_RT=Yes and BALANCE_PROVIDERS=Yes and neither the
+                  <option>fallback</option>, <option>loose</option>,
+                  <option>load</option> nor <option>tproxy</option> option is
+                  specified.</para>
                 </listitem>
               </varlistentry>