Correct 'show macros'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1207,10 +1207,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 10 ]; then
-		echo "   $macro  ${foo#\#}"
+	    if [ ${#macro} -gt 5 ]; then
+		printf "  $macro\t${foo#\#}\n"
 	    else
-		$g_echo_e "   $macro  \t${foo#\#}"
+		printf "  $macro\t\t${foo#\#}\n"
 	    fi
 	fi
     }
@@ -4382,7 +4382,6 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
-    g_options=
 
     VERBOSE=
     VERBOSITY=1

Shorewall-core/lib.core

@@ -47,14 +47,12 @@ setup_product_environment() { # $1 = if non-empty, source shorewallrc again now
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
-	    g_options=-l
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
-	    g_options=-6l
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"

Shorewall-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall-lite show vardir)
-SHAREDIR=/usr/share/shorewall-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall-lite/install.sh

@@ -430,15 +430,6 @@ elif [ $HOST = gentoo ]; then
     # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
     perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
-
-#
-# Install the  Makefile
-#
-install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-
 #
 # Install the default config path file
 #

Shorewall/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/Makefile
-#
-# Reload Shorewall if config files are updated.
-
-SWBIN	?= /sbin/shorewall -q
-CONFDIR	?= /etc/shorewall
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall/Perl/Shorewall/Config.pm

@@ -2001,6 +2001,21 @@ sub find_writable_file($) {
     "$config_path[0]$filename";
 }
 
+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2059,7 +2074,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
     my ($list, $type ) = @_;
 
-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
 
     my @list1 = split /:/, $list;
     my @list2;
@@ -2096,6 +2111,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2261,21 +2277,6 @@ sub split_columns( $ ) {
     @list2;
 }
 
-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();
 
 #
@@ -6805,7 +6806,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
 
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;

Shorewall/Perl/Shorewall/Rules.pm

@@ -2893,7 +2893,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2906,7 +2906,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -4510,7 +4510,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4526,7 +4526,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;

Shorewall/Perl/prog.footer

@@ -130,6 +130,8 @@ g_docker=
 g_dockernetwork=
 g_forcereload=
 
+[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
+
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then

Shorewall/configfiles/shorewall.conf

@@ -99,7 +99,7 @@ RESTOREFILE=restore
 
 SHOREWALL_SHELL=/bin/sh
 
-SUBSYSLOCK=
+SUBSYSLOCK=/var/lock/subsys/shorewall
 
 TC=
 

Shorewall/install.sh

@@ -1042,15 +1042,6 @@ fi
 
 cd ..
 
-#
-# Install the  Makefiles
-#
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
-
-if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-fi
 #
 # Install the Action files
 #

Shorewall/lib.cli-std

@@ -1546,16 +1546,8 @@ remote_reload_command() # $* = original arguments less the command.
     file=$(resolve_file $g_shorewalldir/firewall)
 
     g_export=Yes
-    #
-    # Determine the remote CLI program
-    #
-    temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)
 
-    if [ -n "$temp" ]; then
-	program=$sbindir/${PRODUCT}-lite
-    else
-	program="$sbindir/shorewall $g_options"
-    fi
+    program=$sbindir/${PRODUCT}-lite
     #
     # Handle nonstandard remote VARDIR
     #

Shorewall/manpages/shorewall-interfaces.xml

@@ -774,7 +774,7 @@ loc     eth2            -</programlisting>
                 iptables and kernel. It provides a more efficient alternative
                 to the <option>sfilter</option> option below. It performs a
                 function similar to <option>routefilter</option> (see above)
-                but works with Multi-ISP configurations that do now use
+                but works with Multi-ISP configurations that do not use
                 balanced routes.</para>
               </listitem>
             </varlistentry>

Shorewall/manpages/shorewall.conf.xml

@@ -2570,9 +2570,19 @@ INLINE          -       -       -       ;; -j REJECT
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
           stops. Creating and removing this file allows Shorewall to work with
-          your distribution's initscripts. For RedHat and OpenSuSE, this
-          should be set to /var/lock/subsys/shorewall. For Debian, the value
-          is /var/lock/shorewall and in LEAF it is /var/run/shorewall.</para>
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall (var/lock/subsys/shorewall-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall (/run/lock/shorewall-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/Makefile

@@ -1,18 +0,0 @@
-# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall6-lite show vardir)
-SHAREDIR=/usr/share/shorewall6-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall6-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall6-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF

Shorewall6-lite/shorewall6-lite.service

@@ -2,6 +2,7 @@
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2017 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
@@ -14,7 +15,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewal -6l $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall -6l $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall -6l $OPTIONS stop
 ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
 

Shorewall6/Makefile

@@ -1,23 +0,0 @@
-#
-# Shorewall6 -- /etc/shorewall6/Makefile
-#
-# Reload Shorewall6 if config files are updated.
-
-SWBIN	?= /sbin/shorewall6 -q
-CONFDIR	?= /etc/shorewall6
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall6/configfiles/shorewall6.conf

@@ -169,7 +169,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -2204,10 +2204,20 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>This parameter should be set to the name of a file that the
           firewall should create if it starts successfully and remove when it
-          stops. Creating and removing this file allows Shorewall6 to work
-          with your distribution's initscripts. For RedHat, this should be set
-          to /var/lock/subsys/shorewall6. For Debian, the value is
-          /var/lock/shorewall6 and in LEAF it is /var/run/shorewall.</para>
+          stops. Creating and removing this file allows Shorewall to work with
+          your distribution's initscripts. For OpenSuSE, this should be set to
+          /var/lock/subsys/shorewall6 (var/lock/subsys/shorewall6-lite if
+          building for export). For Gentoo, it should be set to
+          /run/lock/shorewall6 (/run/lock/shorewall6-lite). For Redhat and
+          derivatives as well as Debian and derivatives, the pathname should
+          be omitted.</para>
+
+          <important>
+            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
+            SERVICEDIR is non-empty in
+            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
+            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
+          </important>
         </listitem>
       </varlistentry>