Correct 'show macros'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -391,13 +391,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
 
-	    $g_ring_bell
+	    printf '\a'
 
 	    packet_log 40
 
 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $g_echo_n 'Enter any character to continue: '
+		printf 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -1207,10 +1207,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 10 ]; then
-		echo "   $macro  ${foo#\#}"
+	    if [ ${#macro} -gt 5 ]; then
+		printf "  $macro\t${foo#\#}\n"
 	    else
-		$g_echo_e "   $macro  \t${foo#\#}"
+		printf "  $macro\t\t${foo#\#}\n"
 	    fi
 	fi
     }
@@ -4382,7 +4382,6 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
-    g_options=
 
     VERBOSE=
     VERBOSITY=1
@@ -4552,26 +4551,6 @@ shorewall_cli() {
 
     banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
 
-    case $(echo -e) in
-	-e*)
-	    g_ring_bell="echo \a"
-	    g_echo_e="echo"
-	    ;;
-	*)
-	    g_ring_bell="echo -e \a"
-	    g_echo_e="echo -e"
-	    ;;
-    esac
-
-    case $(echo -n "Testing") in
-	-n*)
-	    g_echo_n=
-	    ;;
-	*)
-	    g_echo_n=-n
-	    ;;
-    esac
-
     COMMAND=$1
 
     case "$COMMAND" in

Shorewall-core/lib.core

@@ -47,14 +47,12 @@ setup_product_environment() { # $1 = if non-empty, source shorewallrc again now
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
-	    g_options=-l
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
-	    g_options=-6l
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"
@@ -378,25 +376,6 @@ resolve_file() # $1 = file name
     esac
 }
 
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp

Shorewall-core/manpages/shorewall.xml

@@ -984,6 +984,64 @@
           Shorewall is not installed or when the command is
           <command>shorewall-lite</command> or
           <command>shorewall6-lite</command>.</para>
+
+          <para>With all four firewall products (Shorewall, Shorewall6,
+          Shorewall-lite and Shorewall6-lite) installed, the following table
+          shows the correspondence between the name used to invoke the command
+          and the <command>shorewall</command> command with the above three
+          options.</para>
+
+          <table border="1">
+            <caption>All four products installed</caption>
+
+            <tr>
+              <td><command>shorewall</command></td>
+
+              <td><command>shorewall</command> or <command>shorewall
+              -4</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall6</command></td>
+
+              <td><command>shorewall -6</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall-lite</command></td>
+
+              <td><command>shorewall -l</command> or <command>shorewall
+              -4l</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall6-lite</command></td>
+
+              <td><command>shorewall -6l</command></td>
+            </tr>
+          </table>
+
+          <para>The next table shows the correspondence when only
+          Shorewall-lite and Shorewall6-lite are installed.</para>
+
+          <table border="1">
+            <caption>Only Shorewall-lite and Shorewall6-lite
+            installed</caption>
+
+            <tr>
+              <td><command>shorewall-lite</command></td>
+
+              <td><command>shorewall</command>, <command>shorewall
+              -4</command> or <command>shorewall -4l</command></td>
+            </tr>
+
+            <tr>
+              <td><command>shorewall6-lite</command></td>
+
+              <td><command>shorewall -6</command> or <command>shorewall
+              -6l</command></td>
+            </tr>
+          </table>
         </listitem>
       </varlistentry>
 

Shorewall-init/init.debian.sh

@@ -104,7 +104,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
@@ -125,7 +125,7 @@ shorewall_start () {
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 
-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "
 
       if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +142,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.fedora.sh

@@ -64,7 +64,7 @@ start () {
 	return 6 #Not configured
     fi
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +99,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir

Shorewall-init/init.openwrt.sh

@@ -89,7 +89,7 @@ start () {
     local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +114,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.sh

@@ -81,7 +81,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.suse.sh

@@ -93,7 +93,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +114,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/shorewall-init

@@ -64,7 +64,7 @@ shorewall_start () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +92,7 @@ shorewall_stop () {
     local PRODUCT
     local STATEDIR
 
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall-lite show vardir)
-SHAREDIR=/usr/share/shorewall-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall-lite/init.debian.sh

@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall Lite firewall\": "
+      printf "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall_stop () {
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall-lite/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall-lite/install.sh

@@ -430,15 +430,6 @@ elif [ $HOST = gentoo ]; then
     # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
     perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
-
-#
-# Install the  Makefile
-#
-install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-
 #
 # Install the default config path file
 #

Shorewall/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/Makefile
-#
-# Reload Shorewall if config files are updated.
-
-SWBIN	?= /sbin/shorewall -q
-CONFDIR	?= /etc/shorewall
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall/Perl/Shorewall/Config.pm

@@ -2001,6 +2001,21 @@ sub find_writable_file($) {
     "$config_path[0]$filename";
 }
 
+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2059,7 +2074,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
     my ($list, $type ) = @_;
 
-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
 
     my @list1 = split /:/, $list;
     my @list2;
@@ -2096,6 +2111,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2261,21 +2277,6 @@ sub split_columns( $ ) {
     @list2;
 }
 
-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();
 
 #
@@ -6805,7 +6806,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
 
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;

Shorewall/Perl/Shorewall/Rules.pm

@@ -2893,7 +2893,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2906,7 +2906,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -4510,7 +4510,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4526,7 +4526,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;

Shorewall/Perl/prog.footer

@@ -130,6 +130,8 @@ g_docker=
 g_dockernetwork=
 g_forcereload=
 
+[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
+
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then

Shorewall/configfiles/shorewall.conf

@@ -99,7 +99,7 @@ RESTOREFILE=restore
 
 SHOREWALL_SHELL=/bin/sh
 
-SUBSYSLOCK=
+SUBSYSLOCK=/var/lock/subsys/shorewall
 
 TC=
 

Shorewall/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall firewall\": "
+      printf "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall firewall\" rules: "
+      printf "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,21 +109,21 @@ shorewall_stop () {
 
 # reload the firewall
 shorewall_reload () {
-  echo -n "Reloading \"Shorewall firewall\": "
+  printf "Reloading \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
 }
 
 reload() {
-    echo -n $"Reloading Shorewall: "
+    printf $"Reloading Shorewall: "
     $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall/install.sh

@@ -1042,15 +1042,6 @@ fi
 
 cd ..
 
-#
-# Install the  Makefiles
-#
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
-
-if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-fi
 #
 # Install the Action files
 #

Shorewall/lib.cli-std

@@ -1229,13 +1229,13 @@ safe_commands() {
 
     if run_it ${VARDIR}/.$command $g_debugging $command; then
 
-	echo -n "Do you want to accept the new firewall configuration? [y/n] "
+	printf "Do you want to accept the new firewall configuration? [y/n] "
 
 	if read_yesno_with_timeout $timeout ; then
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe -r restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
@@ -1546,16 +1546,8 @@ remote_reload_command() # $* = original arguments less the command.
     file=$(resolve_file $g_shorewalldir/firewall)
 
     g_export=Yes
-    #
-    # Determine the remote CLI program
-    #
-    temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)
 
-    if [ -n "$temp" ]; then
-	program=$sbindir/${PRODUCT}-lite
-    else
-	program="$sbindir/shorewall $g_options"
-    fi
+    program=$sbindir/${PRODUCT}-lite
     #
     # Handle nonstandard remote VARDIR
     #

Shorewall/manpages/shorewall-interfaces.xml

@@ -774,7 +774,7 @@ loc     eth2            -</programlisting>
                 iptables and kernel. It provides a more efficient alternative
                 to the <option>sfilter</option> option below. It performs a
                 function similar to <option>routefilter</option> (see above)
-                but works with Multi-ISP configurations that do now use
+                but works with Multi-ISP configurations that do not use
                 balanced routes.</para>
               </listitem>
             </varlistentry>

Shorewall/manpages/shorewall.conf.xml

@@ -2570,9 +2570,19 @@ INLINE          -       -       -       ;; -j REJECT
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
           stops. Creating and removing this file allows Shorewall to work with
-          your distribution's initscripts. For RedHat and OpenSuSE, this
-          should be set to /var/lock/subsys/shorewall. For Debian, the value
-          is /var/lock/shorewall and in LEAF it is /var/run/shorewall.</para>
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall (var/lock/subsys/shorewall-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall (/run/lock/shorewall-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 

Shorewall/modules.essential

@@ -25,6 +25,8 @@ loadmodule ip_conntrack
 loadmodule nf_conntrack
 loadmodule nf_conntrack_ipv4
 loadmodule iptable_nat
+loadmodule nf_nat
+loadmodule nf_nat_ipv4
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp

Shorewall/modules.xtables

@@ -31,6 +31,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
+loadmodule xt_nat
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev

Shorewall6-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall6-lite show vardir)
-SHAREDIR=/usr/share/shorewall6-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall6-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall6-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall6-lite/init.debian.sh

@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall6_start () {
-  echo -n "Starting \"Shorewall6 Lite firewall\": "
+  printf "Starting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall6 Lite firewall\": "
+      printf "Stopping \"Shorewall6 Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall6 Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall6_stop () {
 
 # restart the firewall
 shorewall6_restart () {
-  echo -n "Restarting \"Shorewall6 Lite firewall\": "
+  printf "Restarting \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall6_refresh () {
-  echo -n "Refreshing \"Shorewall6 Lite firewall\": "
+  printf "Refreshing \"Shorewall6 Lite firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall6-lite/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall6-lite/shorewall6-lite.service

@@ -2,6 +2,7 @@
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2017 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
@@ -14,7 +15,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewal -6l $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall -6l $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall -6l $OPTIONS stop
 ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
 

Shorewall6/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall6 -- /etc/shorewall6/Makefile
-#
-# Reload Shorewall6 if config files are updated.
-
-SWBIN	?= /sbin/shorewall6 -q
-CONFDIR	?= /etc/shorewall6
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall6/configfiles/shorewall6.conf

@@ -169,7 +169,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall6_start () {
-  echo -n "Starting \"Shorewall6 firewall\": "
+  printf "Starting \"Shorewall6 firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall6 firewall\": "
+      printf "Stopping \"Shorewall6 firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
+      printf "Clearing all \"Shorewall6 firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,14 +109,14 @@ shorewall6_stop () {
 
 # restart the firewall
 shorewall6_restart () {
-  echo -n "Restarting \"Shorewall6 firewall\": "
+  printf "Restarting \"Shorewall6 firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall6_refresh () {
-  echo -n "Refreshing \"Shorewall6 firewall\": "
+  printf "Refreshing \"Shorewall6 firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall6/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall6/manpages/shorewall6.conf.xml

@@ -2204,10 +2204,20 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
-          stops. Creating and removing this file allows Shorewall6 to work
-          with your distribution's initscripts. For RedHat, this should be set
-          to /var/lock/subsys/shorewall6. For Debian, the value is
-          /var/lock/shorewall6 and in LEAF it is /var/run/shorewall.</para>
+          stops. Creating and removing this file allows Shorewall to work with
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall6 (var/lock/subsys/shorewall6-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall6 (/run/lock/shorewall6-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 

Shorewall6/modules.essential

@@ -21,6 +21,8 @@ loadmodule ip6table_mangle
 loadmodule ip6table_raw
 loadmodule xt_conntrack
 loadmodule nf_conntrack_ipv6
+loadmodule nf_nat
+loadmodule nf_nat_ipv6
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ip6t_REJECT

docs/Anatomy.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Anatomy of Shorewall 5.0</title>
+    <title>Anatomy of Shorewall 5.0/5.1</title>
 
     <authorgroup>
       <author>
@@ -26,6 +26,8 @@
 
       <year>2015</year>
 
+      <year>2017</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -49,7 +51,9 @@
       <listitem>
         <para><emphasis role="bold">Shorewall Core</emphasis>. This package
         contains the core Shorewall shell libraries and is required to install
-        any of the other packages.</para>
+        any of the other packages. Beginning with Shorewall 5.1.0, it also
+        includes the Command Line Interface (CLI) program common to all of the
+        packages.</para>
       </listitem>
 
       <listitem>
@@ -83,11 +87,12 @@
       </listitem>
 
       <listitem>
-        <para>Shorewall-init. An add-on to any of the above packages that
-        allows the firewall state to be altered in reaction to interfaces
-        coming up and going down. Where Upstart is not being used, this
-        package can also be configured to place the firewall in a safe state
-        prior to bringing up the network interfaces.</para>
+        <para><emphasis role="bold">Shorewall-init</emphasis>. An add-on to
+        any of the above packages that allows the firewall state to be altered
+        in reaction to interfaces coming up and going down. Where Upstart is
+        not being used, this package can also be configured to place the
+        firewall in a safe state prior to bringing up the network
+        interfaces.</para>
       </listitem>
     </orderedlist>
   </section>
@@ -101,10 +106,7 @@
     class="directory">/etc/shorewall</filename>,
     <filename>/etc/init.d</filename> and <filename
     class="directory">/var/lib/shorewall/</filename>. These are described in
-    the sub-sections that follow. Since Shorewall 4.5.2, each of these
-    directories is now relocatable using the <ulink
-    url="Install.htm#idp8774904608">configure scripts included with Shorewall
-    Core</ulink>.</para>
+    the sub-sections that follow. </para>
 
     <important>
       <para>Since Shorewall 4.5.2, each of these directories is now
@@ -189,7 +191,7 @@
         </listitem>
 
         <listitem>
-          <para><filename>Macros/*</filename> - The standard Shorewall <ulink
+          <para><filename>macro.*</filename> - The standard Shorewall <ulink
           url="Macros.html">macros</ulink>.</para>
         </listitem>
 
@@ -236,8 +238,8 @@
     </section>
 
     <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename> or
@@ -349,9 +351,13 @@
     <section id="sbin6">
       <title>/sbin ($SBINDIR)</title>
 
-      <para>The <filename>/sbin/shorewall6</filename> shell program is used to
-      interact with Shorewall6. See <ulink
-      url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
+      <para>Prior to Shorewall 5.1.0, the
+      <filename>/sbin/shorewall6</filename> shell program is used to interact
+      with Shorewall6. See <ulink
+      url="manpages6/shorewall6.html">shorewall6</ulink>(8). Beginning with
+      Shorewall 5.1.0, <filename>/sbin/shorewall6</filename> is a symbolic
+      link to <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="share-shorewall6">
@@ -432,15 +438,15 @@
     </section>
 
     <section id="etc-shorewall6">
-      <title>/etc/shorewall6 (${CONFDIR}/</title>
+      <title>/etc/shorewall6 (${CONFDIR}/shorewall6)</title>
 
       <para>This is where the modifiable IPv6 configuration files are
       installed.</para>
     </section>
 
-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+    <section id="init6">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall6</filename> or
@@ -543,16 +549,19 @@
     in the sub-sections that follow.</para>
 
     <section id="sbin-lite">
-      <title>/sbin ($SBINDIR_</title>
+      <title>/sbin ($SBINDIR)</title>
 
       <para>The <filename>/sbin/shorewall-lite</filename> shell program is
       used to interact with Shorewall lite. See <ulink
-      url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
+      url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8). Beginning
+      with Shorewall 5.1.0, <filename>/sbin/shorewall-lite</filename> is a
+      symbolic link to <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall-lite</filename> or
@@ -743,20 +752,16 @@
 
       <para>The <filename>/sbin/shorewall6-lite</filename> shell program is
       use to interact with Shorewall lite. See <ulink
-      url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink>(8).</para>
+      url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink>(8).
+      Beginning with Shorewall 5.1.0,
+      <filename>/sbin/shorewall6</filename>-lite is a symbolic link to
+      <filename>/sbin/shorewall</filename>. See <ulink
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
-    <section id="init-lite6">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
-
-      <para>An init script is installed here. Depending on the distribution,
-      it is named <filename>shorewall6-lite</filename> or
-      <filename>rc.firewall</filename>.</para>
-    </section>
-
-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+    <section id="init-6lite">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+      /lib/systemd/system ($SERVICEDIR)</title>
 
       <para>An init script is installed here. Depending on the distribution,
       it is named <filename>shorewall</filename>6-lite or

docs/Shorewall-5.xml

@@ -22,6 +22,8 @@
 
       <year>2016</year>
 
+      <year>2017</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>