Improve the documentation surrounding DNS names.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done
 
 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
 

Shorewall-core/configure.pl

@@ -173,7 +173,12 @@ my $outfile;
 
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 
-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+if ( $ENV{SOURCE_DATE_EPOCH} ) {
+    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
+} else {
+    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+}
+
 print $outfile "# rc file: $rcfilename\n#\n";
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

Shorewall-core/install.sh

@@ -22,64 +22,20 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
-
 PRODUCT=shorewall-core
 Product="Shorewall Core"
- 
+
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ] "
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "       $ME -v"
+    echo "where <option> is one of"
-    echo "       $ME -h"
+    echo "  -h"
+    echo "  -v"
     exit $1
 }
 
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
     if cp -f $1 $2; then
@@ -98,16 +54,16 @@ install_file() # $1 = source $2 = target $3 = mode
     exit 1
 }
 
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -126,7 +82,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -148,14 +104,14 @@ done
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -169,7 +125,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
     esac
 
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
     usage 1
 fi
@@ -285,13 +241,12 @@ case "$HOST" in
     debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
     *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	fatal_error "Unknown HOST \"$HOST\""
-	exit 1;
 	;;
 esac
 
 if [ -z "$file" ]; then
-    if $HOST = linux; then
+    if [ $HOST = linux ]; then
 	file=shorewallrc.default
     else
 	file=shorewallrc.${HOST}
@@ -304,7 +259,8 @@ if [ -z "$file" ]; then
     echo "" >&2
     echo "Example:" >&2
     echo "" >&2
-    echo "   ./install.sh $file" &>2
+    echo "   ./install.sh $file" >&2
+    exit 1
 fi
 
 if [ -n "$DESTDIR" ]; then
@@ -315,45 +271,31 @@ if [ -n "$DESTDIR" ]; then
     fi
 fi
 
-echo "Installing Shorewall Core Version $VERSION"
+echo "Installing $Product Version $VERSION"
 
 #
 # Create directories
 #
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
-chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
 
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
 
-mkdir -p ${DESTDIR}${CONFDIR}
+make_parent_directory ${DESTDIR}${CONFDIR} 0755
-chmod 755 ${DESTDIR}${CONFDIR}
 
-if [ -n "${SYSCONFDIR}" ]; then
+[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
-    mkdir -p ${DESTDIR}${SYSCONFDIR}
-    chmod 755 ${DESTDIR}${SYSCONFDIR}
-fi
 
 if [ -z "${SERVICEDIR}" ]; then
     SERVICEDIR="$SYSTEMD"
 fi
 
-if [ -n "${SERVICEDIR}" ]; then
+[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
-    mkdir -p ${DESTDIR}${SERVICEDIR}
-    chmod 755 ${DESTDIR}${SERVICEDIR}
-fi
 
-mkdir -p ${DESTDIR}${SBINDIR}
+make_parent_directory ${DESTDIR}${SBINDIR} 0755
-chmod 755 ${DESTDIR}${SBINDIR}
 
-if [ -n "${MANDIR}" ]; then
+[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
-    mkdir -p ${DESTDIR}${MANDIR}
-    chmod 755 ${DESTDIR}${MANDIR}
-fi
 
 if [ -n "${INITFILE}" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
-    chmod 755 ${DESTDIR}${INITDIR}
 
     if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -369,7 +311,7 @@ fi
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
 #
 # Install wait4ifup
 #
@@ -382,8 +324,14 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    case $f in
-    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+        *installer)
+            ;;
+        *)
+            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+            ;;
+    esac
 done
 
 if [ $SHAREDIR != /usr/share ]; then
@@ -398,11 +346,11 @@ fi
 if [ -n "$MANDIR" ]; then
     cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
+    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
 
     for f in *.8; do
 	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
     done
 
@@ -419,7 +367,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
 if [ -z "${DESTDIR}" ]; then
     if [ $update -ne 0 ]; then
@@ -444,14 +392,20 @@ fi
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do
-	if [ $BUILD != apple ]; then
+        case $f in
-	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+            *installer)
-	else
+                ;;
-	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+            *)
-	fi
+                if [ $BUILD != apple ]; then
+                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+                else
+                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+                fi
+                ;;
+        esac
     done
 fi
 #
-#  Report Success
+# Report Success
 #
-echo "Shorewall Core Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"

Shorewall-core/lib.base

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50106
 
 if [ -z "$g_basedir" ]; then
     #
@@ -78,29 +78,6 @@ showchain() # $1 = name of chain
     fi
 }
 
-#
-# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
-#
-
-iptablesbug()
-{
-    if [ $g_family -eq 4 ]; then
-	if qt mywhich awk ; then
-	    awk 'BEGIN           { sline=""; };\
-             /^-[jg]/            { print sline $0; next };\
-             /-m policy.*-[jg] / { print $0; next };\
-             /-m policy/         { sline=$0; next };\
-             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
-                                 { print ; sline="" }'
-        else
-	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
-	    cat
-	fi
-    else
-	cat
-    fi
-}
-
 #
 # Validate the value of RESTOREFILE
 #
@@ -1150,21 +1127,41 @@ show_macros() {
     done
 }
 
+show_an_action() {
+    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
+    cat ${directory}/action.$1
+}
+
 show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
+spd_filter() {
-{
+    #
-    awk \
+    # af   = Address Family (4 or 6)
-    'BEGIN            { skip=0; }; \
+    # afok = Address Family of entry matches af
-    /^src/            { skip=0; }; \
+    # p    = print the contents of A (entry is not empty)
-    /^src 0.0.0.0\/0/ { skip=1; }; \
+    # i    = Number of lines stored in A
-    /^src ::\/0/      { skip=1; }; \
+    #
-                      { if ( skip == 0 ) print; };'
+    awk -v af=$g_family \
+	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
+\
+	 /^src / { if (p) prnt( A, i );\
+		   afok = 1;\
+		   p	= 0;\
+		   i	= 0;\
+		   if ( af == 4 )\
+		       { if ( /:/ )  afok = 0; }\
+		   else\
+		       { if ( /\./ ) afok = 0; }\
+		 };\
+		 { if ( afok ) A[i++] = $0; };\
+	 /tmpl/	 { p = afok; };\
+\
+	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1177,7 +1174,8 @@ heading() {
 
 show_ipsec() {
     heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
+
     heading "PFKEY SAD"
     $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1458,12 +1456,27 @@ show_command() {
 		    ;;
 	    	*)
 		    case $1 in
+			action)
+			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
+			    [ $# -gt 2 ] && too_many_arguments $2
+
+			    for directory in $(split $CONFIG_PATH); do
+				if [ -f ${directory}/action.$2 ]; then
+				    eval show_an_action $2 $g_pager
+				    return
+				fi
+			    done
+
+			    echo "   WARNING: Action $2 not found" >&2
+			    return
+			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
+			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -1800,7 +1813,7 @@ do_dump_command() {
 
     echo
 
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -2773,7 +2786,7 @@ determine_capabilities() {
     GOTO_TARGET=
     LOGMARK_TARGET=
     IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
     ULOG_TARGET=
     NFLOG_TARGET=
     PERSISTENT_SNAT=
@@ -2806,6 +2819,8 @@ determine_capabilities() {
     WAIT_OPTION=
     CPU_FANOUT=
     NETMAP_TARGET=
+    NFLOG_SIZE=
+    RESTORE_WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2829,9 +2844,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
+    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
+
     if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
     fi
 
     chain=fooX$$
@@ -3137,12 +3154,15 @@ determine_capabilities() {
     qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
     qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
-    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
     qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
     qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
+    if qt $g_tool -A $chain -j NFLOG; then
+	NFLOG_TARGET=Yes
+	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
+    fi
 
     if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3298,9 +3318,11 @@ report_capabilities_unsorted() {
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3308,6 +3330,7 @@ report_capabilities_unsorted() {
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
+    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3414,6 +3437,8 @@ report_capabilities_unsorted1() {
     report_capability1 WAIT_OPTION
     report_capability1 CPU_FANOUT
     report_capability1 NETMAP_TARGET
+    report_capability1 NFLOG_SIZE
+    report_capability1 RESTORE_WAIT_OPTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3718,7 +3743,7 @@ ipcalc_command() {
 
     valid_address $address || fatal_error "Invalid IP address: $address"
     [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm
@@ -4267,12 +4292,17 @@ usage() # $1 = exit status
     echo "   reenable <interface>"
     ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+
+    if [ -n "$g_lite" ]; then
+	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    else
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
     fi
 
     echo "   reset [ <chain> ... ]"
@@ -4291,6 +4321,7 @@ usage() # $1 = exit status
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     ecko "   [ show | list | ls ] actions"
+    ecko "   [ show | list | ls ] action <action>"
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4393,7 +4424,10 @@ shorewall_cli() {
     finished=0
 
     while [ $finished -eq 0 ]; do
-	[ $# -eq 0 ] && usage 1
+	if [ $# -eq 0 ]; then
+	    setup_product_environment 1
+	    usage 1
+	fi
 	option=$1
 	case $option in
 	    -)
@@ -4523,10 +4557,6 @@ shorewall_cli() {
 	esac
     done
 
-    if [ $# -eq 0 ]; then
-	usage 1
-    fi
-
     setup_product_environment 1
 
    [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,53 +269,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
     local modulename
     modulename=$1
+    shift
+    local moduleoptions
+    moduleoptions=$*
     local modulefile
     local suffix
 
     if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		shift
+		case $moduleloader in
-
+		    insmod)
-		for suffix in $MODULE_SUFFIX ; do
+			for directory in $moduledirectories; do
-		    for directory in $moduledirectories; do
+			    for modulefile in $directory/${modulename}.*; do
-			modulefile=$directory/${modulename}.${suffix}
+				if [ -f $modulefile ]; then
-
+				    insmod $modulefile $moduleoptions
-			if [ -f $modulefile ]; then
+				    return
-			    case $moduleloader in
+				fi
-				insmod)
+			    done
-				    insmod $modulefile $*
+			done
-				    ;;
+			;;
-				*)
+		    *)
-				    modprobe $modulename $*
+			modprobe -q $modulename $moduleoptions
-				    ;;
+			;;
-			    esac
+		esac
-			    break 2
-			fi
-		    done
-		done
 	    fi
 	fi
     elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
+	case $moduleloader in
-
+	    insmod)
-	for suffix in $MODULE_SUFFIX ; do
+		for directory in $moduledirectories; do
-	    for directory in $moduledirectories; do
+		    for modulefile in $directory/${modulename}.*; do
-		modulefile=$directory/${modulename}.${suffix}
+			if [ -f $modulefile ]; then
-
+			    insmod $modulefile $moduleoptions
-		if [ -f $modulefile ]; then
+			    return
-		    case $moduleloader in
+			fi
-			insmod)
+		    done
-			    insmod $modulefile $*
+		done
-			    ;;
+		;;
-			*)
+	    *)
-			    modprobe $modulename $*
+		modprobe -q $modulename $moduleoptions
-			    ;;
+		;;
-		    esac
+	esac
-		    break 2
-		fi
-	    done
-	done
     fi
 }
 
@@ -338,8 +333,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +387,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)

Shorewall-core/lib.core

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
 
-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108
 
 #
 # Fatal Error

Shorewall-core/lib.installer

@@ -0,0 +1,89 @@
+#
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products installer.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+make_parent_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}

Shorewall-core/lib.uninstaller

@@ -0,0 +1,106 @@
+#
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products uninstaller.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -f $1 -o -L $1 ] ; then
+            rm -f $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_directory() # $1 = directory to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -d $1 ] ; then
+            rm -rf $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_file_with_wildcard() # $1 = file with wildcard to remove
+{
+    if [ -n "$1" ] ; then
+        for f in $1; do
+            if [ -d $f ] ; then
+                rm -rf $f
+                echo "$f Removed"
+            elif [ -f $f -o -L $f ] ; then
+                rm -f $f
+                echo "$f Removed"
+            fi
+        done
+    fi
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}

Shorewall-core/manpages/shorewall.xml

@@ -432,6 +432,33 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6][-lite]</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>reload</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option><arg><option>-d</option></arg></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><option>-C</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -685,6 +712,31 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg choice="plain"><option>{actions|macros}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>action</option><arg
+      choice="plain"><replaceable>action</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -695,7 +747,7 @@
       <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1891,10 +1943,11 @@
 
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
-        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
+        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
+        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        [ <replaceable>system</replaceable> ]</term>
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>load</command> in
@@ -1930,6 +1983,9 @@
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
 
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">start</emphasis> command succeeds, then the
           remote Shorewall-lite configuration is saved by executing <emphasis
@@ -2415,12 +2471,23 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">action
+              <replaceable>action</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Lists the named action file. Available on Shorewall and
+                Shorewall6 only.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">actions</emphasis></term>
 
               <listitem>
                 <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
+                standard and user-defined). Available on Shorewall and
+                Shorewall6 only.</para>
               </listitem>
             </varlistentry>
 
@@ -3106,6 +3173,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/</para>
+
+    <para>/etc/shorewall6/</para>
   </refsect1>
 
   <refsect1>
@@ -3115,13 +3184,18 @@
     url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
+    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall-core/shorewall

@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
+#
+# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
+# options
+#
 PRODUCT=shorewall
 
 #

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)

Shorewall-core/shorewallrc.default

@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
-HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
+HOST=linux                              #Generic Linux
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.

Shorewall-core/shorewallrc.openwrt

@@ -1,8 +1,8 @@
 #
-# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+# OpenWRT Shorewall 5.0 rc file
-#
-# Input: host=openwrt
 #
+BUILD=                                 #Default is to detect the build system
+HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.

Shorewall-core/uninstall.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Core Modules
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,63 +26,75 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
-PRODUCT="shorewall-core"
+PRODUCT=shorewall-core
 Product="Shorewall Core"
- 
+
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
     exit $1
 }
 
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Uninstaller Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
     elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -92,11 +104,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
     esac
 
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
     usage 1
 fi
@@ -104,20 +116,26 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
     INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
     VERSION=""
 fi
 
-echo "Uninstalling Shorewall Core $VERSION"
+echo "Uninstalling $Product $VERSION"
 
-rm -rf ${SHAREDIR}/shorewall
+if [ -n "${MANDIR}" ]; then
-rm -f ~/.shorewallrc
+    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
-
+    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
-echo "Shorewall Core Uninstalled"
+fi
 
+remove_directory ${SHAREDIR}/shorewall
+remove_file ~/.shorewallrc
 
+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"

Shorewall-init/default.debian.systemd

@@ -0,0 +1,21 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF

Shorewall-init/default.debian.sysvinit

@@ -0,0 +1,27 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF

Shorewall-init/init.debian.sh

@@ -159,8 +159,9 @@ shorewall_stop () {
 
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
       else
+	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
       fi
 

Shorewall-init/init.fedora.sh

@@ -66,6 +66,10 @@ start () {
 
     printf "Initializing \"Shorewall-based firewalls\": "
 
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
     for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
@@ -120,6 +124,15 @@ stop () {
     done
 
     if [ $retval -eq 0 ]; then
+	if [ -n "$SAVE_IPSETS" ]; then
+	    mkdir -p $(dirname "$SAVE_IPSETS")
+	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
+		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    else
+		rm -f "${SAVE_IPSETS}.tmp"
+	    fi
+	fi
+
 	rm -f $lockfile
 	success
     else

Shorewall-init/init.openwrt.sh

@@ -126,7 +126,9 @@ stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 }

Shorewall-init/init.sh

@@ -116,7 +116,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 

Shorewall-init/init.suse.sh

@@ -126,7 +126,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 }

Shorewall-init/install.sh

@@ -27,58 +27,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=xxx #The Build script inserts the actual version.
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "       $ME -v"
+    echo "where <option> is one of"
-    echo "       $ME -h"
+    echo "  -h"
-    echo "       $ME -n"
+    echo "  -v"
+    echo "  -n"
     exit $1
 }
 
-fatal_error() 
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
     if cp -f $1 $2; then
@@ -97,23 +60,16 @@ install_file() # $1 = source $2 = target $3 = mode
     exit 1
 }
 
-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 0755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-require() 
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -134,7 +90,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall-init Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -159,17 +115,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
-    #
-    # Load packager's settings if any
-    #
     if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-     else
+        . $file || fatal_error "Can not load the RC file: $file"
-	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
 elif [ $# -eq 1 ]; then
     file=$1
@@ -177,11 +133,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
     esac
 
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
     usage 1
 fi
@@ -298,12 +254,10 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
     linux)
-	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	fatal_error "Shorewall-init is not supported on this system"
-	exit 1
 	;;
     *)
-	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	fatal_error "Unsupported HOST distribution: \"$HOST\""
-	exit 1;
 	;;
 esac
 
@@ -315,30 +269,27 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
     fi
     
-    make_directory ${DESTDIR}${INITDIR} 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi
 
-echo "Installing Shorewall Init Version $VERSION"
+echo "Installing $Product Version $VERSION"
 
 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-if [ -n "$DESTDIR" ]; then
+[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
-fi
 
 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
     install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
     [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
     
@@ -357,25 +308,21 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 
 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
     install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
-	mkdir -p ${DESTDIR}${SBINDIR}
+    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
-        chmod 0755 ${DESTDIR}${SBINDIR}
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
-    fi
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
-    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
-chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
 
 #
 # Install logrotate file
@@ -388,55 +335,53 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/shorewall-init/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
 
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
-	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
     elif [ $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
     fi
 
-    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
-	if [ -n "${DESTDIR}" ]; then
+	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
-	    mkdir -p ${DESTDIR}${ETC}/default
-	fi
 
-	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
-	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
-	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
     fi
 
     IFUPDOWN=ifupdown.debian.sh
 else
     if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
 
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on openwrt
+		# Not implemented on OpenWRT
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
+		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
     fi
@@ -458,13 +403,13 @@ if [ $HOST != openwrt ]; then
 
     [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 
-    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
 
-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
 fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
     install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 
@@ -483,8 +428,8 @@ case $HOST in
     suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
 	    fi
 
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -518,17 +463,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "Shorewall Init will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/shorewall-init; then
+		if insserv ${INITDIR}/$PRODUCT; then
-		    echo "Shorewall Init will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-		    echo "$PRODUCT will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -549,31 +494,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable shorewall-init.service; then
+		if systemctl enable ${PRODUCT}.service; then
-		    echo "Shorewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/shorewall-init ; then
+		if insserv ${INITDIR}/$PRODUCT ; then
-		    echo "Shorewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
+		if chkconfig --add $PRODUCT ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    echo "$Product will start automatically at boot"
-		    chkconfig --list shorewall-init
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add shorewall-init default; then
+		if rc-update add $PRODUCT default; then
-		    echo "Shorewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/shorewall-init enabled; then
+		if /etc/init.d/$PRODUCT enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -587,11 +532,11 @@ else
     if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
+		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
 	    fi
 
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
-	    echo "Shorewall Init will start automatically at boot"
+	    echo "$Product will start automatically at boot"
 	fi
     fi
 fi
@@ -602,8 +547,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
     case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -614,19 +559,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		fi
 	    done
 	    ;;
     esac
 fi
 #
-#  Report Success
+# Report Success
 #
 echo "shorewall Init Version $VERSION Installed"

Shorewall-init/shorewall-init

@@ -104,7 +104,9 @@ shorewall_stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 

Shorewall-init/uninstall.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Init
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,62 +26,34 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
     exit $1
 }
 
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
 finished=0
 configure=1
 
@@ -118,16 +90,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
     esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
     elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -137,72 +110,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
     esac
 
-    . $file || exit 1
+    . $file || fatal_error "Can not load the RC file: $file"
 else
     usage 1
 fi
 
-if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+echo "Uninstalling $Product $VERSION"
-
-echo "Uninstalling Shorewall Init $VERSION"
 
 [ -n "$SANDBOX" ] && configure=0
 
-INITSCRIPT=${CONFDIR}/init.d/shorewall-init
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
 
-if [ -f "$INITSCRIPT" ]; then
+remove_file  ${SBINDIR}/$PRODUCT
+
+FIREWALL=${CONFDIR}/init.d/$PRODUCT
+
+if [ -f "$FIREWALL" ]; then
     if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ]; then
+	if [ $HOST = openwrt ] ; then
-	    if /etc/init.d/shorewall-init enabled; then
+	    if /etc/init.d/$PRODUCT enabled; then
-		/etc/init.d/shorewall-init disable
+		/etc/init.d/$PRODUCT disable
 	    fi
-	elif mywhich updaterc.d ; then
-	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $INITSCRIPT
+            insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $INITSCRIPT)
+	    chkconfig --del $(basename $FIREWALL)
 	fi
     fi
 
-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
 fi
 
-if [ -z "${SERVICEDIR}" ]; then
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
-    SERVICEDIR="$SYSTEMD"
-fi
 
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    rm -f $SERVICEDIR/shorewall-init.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi
 
 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 fi
 
-remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/default/$PRODUCT
-remove_file ${CONFDIR}/sysconfig/shorewall-init
+remove_file ${CONFDIR}/sysconfig/$PRODUCT
 
 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
 
@@ -227,10 +200,11 @@ if [ -d ${CONFDIR}/ppp ]; then
     done
 fi
 
-rm -f  ${SBINDIR}/shorewall-init
+remove_directory ${SHAREDIR}/$PRODUCT
-rm -rf ${SHAREDIR}/shorewall-init
+remove_directory ${LIBEXECDIR}/$PRODUCT
-rm -rf ${LIBEXECDIR}/shorewall-init
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
-
-echo "Shorewall Init Uninstalled"
-
 
+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"

Shorewall-lite/default.debian.systemd

@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF

Shorewall-lite/default.debian.sysvinit

@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall-lite to start
+# set the following variable to 1 in order to allow Shorewall-lite to start
 
 startup=0
 
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Startup options
+# Global start/restart/reload/stop options
 #
 OPTIONS=""
 
@@ -30,6 +30,16 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #

Shorewall-lite/install.sh

@@ -22,62 +22,19 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "       $ME -v"
+    echo "where <option> is one of"
-    echo "       $ME -h"
+    echo "  -h"
-    echo "       $ME -n"
+    echo "  -v"
+    echo "  -n"
     exit $1
 }
 
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
     if cp -f $1 $2; then
@@ -96,19 +53,6 @@ install_file() # $1 = source $2 = target $3 = mode
     exit 1
 }
 
-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
@@ -122,6 +66,11 @@ else
     Product="Shorewall6 Lite"
 fi
 
+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -168,12 +117,14 @@ done
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc
+	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -183,11 +134,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
     esac
 
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
     usage 1
 fi
@@ -318,8 +269,7 @@ case "$HOST" in
     linux)
 	;;
     *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	fatal_error "ERROR: Unknown HOST \"$HOST\""
-	exit 1;
 	;;
 esac
 
@@ -331,7 +281,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
     fi
 
-    make_directory ${DESTDIR}${INITDIR} 755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 
 else
     if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -371,25 +321,20 @@ fi
 
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
-[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
+[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
 
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
-mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-mkdir -p ${DESTDIR}${SBINDIR}
+make_parent_directory ${DESTDIR}${SBINDIR} 0755
-mkdir -p ${DESTDIR}${VARDIR}
+make_parent_directory ${DESTDIR}${VARDIR} 0755
-
-chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 
 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
 fi
 
 if [ -n "$INITFILE" ]; then
@@ -410,9 +355,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 
 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -441,8 +386,14 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+        case $f in
-	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+            *installer)
+                ;;
+            *)
+                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+                ;;
+        esac
     fi
 done
 
@@ -470,12 +421,12 @@ if [ -f modules ]; then
 fi
 
 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
     echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done
 
@@ -486,19 +437,19 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
     cd manpages
 
-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
 
     for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
-    mkdir -p ${DESTDIR}${MANDIR}/man8/
+    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
 
     for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
     done
 
@@ -508,7 +459,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi
 
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
     echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 
@@ -516,7 +467,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -539,10 +490,7 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    if [ ${DESTDIR} ]; then
+    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
-	chmod 755 ${DESTDIR}${SYSCONFDIR}
-    fi
 
     install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
     echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
@@ -610,6 +558,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi
 
 #
-#  Report Success
+# Report Success
 #
 echo "$Product Version $VERSION Installed"

Shorewall-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall-lite/shorewall-lite.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall-lite/uninstall.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Lite
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,9 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
-PRODUCT=shorewall-lite
-Product="Shorewall Lite"
 
 usage() # $1 = exit status
 {
@@ -41,46 +39,27 @@ usage() # $1 = exit status
     exit $1
 }
 
-fatal_error()
+#
-{
+# Change to the directory containing this script
-    echo "   ERROR: $@" >&2
+#
-    exit 1
+cd "$(dirname $0)"
-}
 
-qt()
+if [ -f shorewall-lite.service ]; then
-{
+    PRODUCT=shorewall-lite
-    "$@" >/dev/null 2>&1
+    Product="Shorewall Lite"
-}
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
+fi
 
-split() {
+#
-    local ifs
+# Source common functions
-    ifs=$IFS
+#
-    IFS=:
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
 
+#
+# Parse the run line
+#
 finished=0
 configure=1
 
@@ -97,7 +76,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "$Product Firewall Uninstaller Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -117,16 +96,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
     esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
     elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -136,46 +116,50 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
     esac
 
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
     usage 1
 fi
 
-if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
     VERSION=""
 fi
 
-echo "Uninstalling Shorewall Lite $VERSION"
+echo "Uninstalling $Product $VERSION"
 
 [ -n "$SANDBOX" ] && configure=0
 
 if [ $configure -eq 1 ]; then
     if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	shorewall-lite clear
+	${SBINDIR}/$PRODUCT clear
+    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/$PRODUCT clear
     fi
 fi
 
-if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+remove_file ${SBINDIR}/$PRODUCT
+
+if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
     if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
-	    /etc/init.d/shorewall-lite disable
+	    /etc/init.d/$PRODUCT disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
     else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
     fi
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
@@ -183,10 +167,10 @@ fi
 
 if [ -f "$FIREWALL" ]; then
     if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
+	if mywhich insserv ; then
-	    updaterc.d shorewall-lite remove
-	elif mywhich insserv ; then
             insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -195,26 +179,29 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
 
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    rm -f $SERVICEDIR/shorewall-lite.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi
 
-rm -f ${SBINDIR}/shorewall-lite
+remove_directory ${CONFDIR}/$PRODUCT
+remove_directory ${VARDIR}
+remove_directory ${SHAREDIR}/$PRODUCT
+remove_directory ${LIBEXECDIR}/$PRODUCT
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
 
-rm -rf ${CONFDIR}/shorewall-lite
+if [ -n "$SYSCONFDIR" ]; then
-rm -rf ${VARDIR}
+    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
-rm -rf ${SHAREDIR}/shorewall-lite
+fi
-rm -rf ${LIBEXECDIR}/shorewall-lite
-rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-rm -f  ${SYSCONFDIR}/shorewall-lite
 
 if [ -n "${MANDIR}" ]; then
-    rm -f ${MANDIR}/man5/shorewall-lite*
+    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
-    rm -f ${MANDIR}/man8/shorewall-lite*
+    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
 fi
 
-echo "Shorewall Lite Uninstalled"
+#
-
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -12,6 +12,8 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -30,9 +32,10 @@ Auth(A_DROP)
 #
 A_AllowICMPs	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts and multicasts
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.

Shorewall/Actions/action.A_REJECT

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.A_REJECT!

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.A_Reject.deprecated

@@ -11,6 +11,8 @@
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
@@ -25,10 +27,11 @@ COUNT
 #
 A_AllowICMPs	-	-	icmp
 #
-# Drop Broadcasts so they don't clutter up the log
+# Drop Broadcasts and multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# (these must *not* be rejected).
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be

Shorewall/Actions/action.AllowICMPs

@@ -0,0 +1,45 @@
+#
+# Shorewall -- /usr/share/shorewall/action.AllowICMPs
+#
+# This action ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS ACCEPT
+
+?if __IPV4
+    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+?else
+?COMMENT Needed ICMP types (RFC4890)
+
+    @1	-		-	ipv6-icmp	destination-unreachable
+    @1	-		-	ipv6-icmp	packet-too-big
+    @1	-		-	ipv6-icmp	time-exceeded
+    @1	-		-	ipv6-icmp	parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	router-solicitation
+    @1	-		-	ipv6-icmp	router-advertisement
+    @1	-		-	ipv6-icmp	neighbour-solicitation
+    @1	-		-	ipv6-icmp	neighbour-advertisement
+    @1	-		-	ipv6-icmp	137	# Redirect
+    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
+    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
+    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+?endif

Shorewall/Actions/action.BLACKLIST

@@ -0,0 +1,50 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+# Note -- This action is defined with the 'section' option, so the first
+#         parameter is always the section name. That means that in the
+#         following text, the first parameter passed in the rule is actually
+#         @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+   ?if $BLACKLIST_LOG_LEVEL
+       blacklog
+   ?else
+       $BLACKLIST_DISPOSITION
+   ?endif
+?else
+   ?if ! "$SW_DBL_IPSET"
+   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+   ?endif
+
+   DEFAULTS -,DROP,-
+   #
+   # Add to the blacklist
+   #
+   ?if passed(@3)
+       ADD($SW_DBL_IPSET:src:@3)
+   ?elsif $SW_DBL_TIMEOUT
+       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+   ?else
+       ADD($SW_DBL_IPSET:src)
+   ?endif
+   #
+   # Dispose of the packet if asked
+   #
+   ?if passed(@2)
+      @2
+   ?endif
+?endif

Shorewall/Actions/action.Broadcast

@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|-[,{audit|-}])]
+# Broadcast[([<action>|[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,31 +29,37 @@
 DEFAULTS DROP,-
 
 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
+    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
-?begin perl;
+    ?begin perl;
 
-use Shorewall::IPAddrs;
+    use strict;
-use Shorewall::Config;
+    use Shorewall::IPAddrs;
-use Shorewall::Chains;
+    use Shorewall::Config;
+    use Shorewall::Chains;
 
-my ( $action )         = get_action_params( 1 );
+    my ( $action, $audit ) = get_action_params( 2 );
-my $chainref           = get_action_chain;
+    my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $level, $tag )    = get_action_logging;
 
-add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
 
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    my $target             = require_audit ( $action , $audit );
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 
-1;
+    if ( $family == F_IPV4 ) {
+        add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } elsif ($family == F_IPV6 ) {
+        add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
 
-?end perl;
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    1;
+
+    ?end perl;
 ?endif

Shorewall/Actions/action.Drop.deprecated

@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
-# The default DROP common rules
+# The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
@@ -28,6 +28,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 
 ?if passed(@1)
     ?if @1 eq 'audit'
@@ -58,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.

Shorewall/Actions/action.DropDNSrep

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/action.DropDNSrep
+#
+# This macro silently drops DNS UDP replies that are in the New state
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS DROP
+@1	-	-	udp	-	53 { comment="Late DNS Replies" }

Shorewall/Actions/action.FIN

@@ -0,0 +1,33 @@
+#
+# Shorewall -- /usr/share/shorewall/action.FIN
+#
+# FIN Action
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# FIN[([<action>])]
+#
+# Default action is ACCEPT
+#
+###############################################################################
+
+DEFAULTS ACCEPT,-
+
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH

Shorewall/Actions/action.GlusterFS

@@ -13,9 +13,9 @@
 DEFAULTS 2,0
 
 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
+    ?error Invalid value (@1) for the GlusterFS Bricks argument
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
+    ?error Invalid value (@2) for the GlusterFS IB argument
 ?endif
 
 #ACTION		SOURCE		DEST		PROTO	DPORT

Shorewall/Actions/action.IfEvent

@@ -107,6 +107,11 @@ if ( $command & $REAP_OPT ) {
 
 $duration .= '--rttl ' if $command & $TTL_OPT;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
+    $action = 'ACCEPT';
+}
+
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
 

Shorewall/Actions/action.Limit

@@ -0,0 +1,70 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Limit
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Limit(<recent-set>,<num-connections>,<timeout>)
+#
+###############################################################################
+
+DEFAULTS -,-,-
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref        = get_action_chain;
+my @param           = get_action_params(3);
+my ( $level, $tag ) = get_action_logging;
+
+@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
+
+fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
+
+my $set   = $param[0];
+
+for ( @param[1,2] ) {
+    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $param[1] + 1;
+
+require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
+
+add_irule $chainref, recent => "--name $set --set";
+
+if ( $level ne '' ) {
+    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
+    add_ijump $xchainref, j => 'DROP';
+    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
+} else {
+    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
+}
+
+add_ijump $chainref, j => 'ACCEPT';
+
+1;
+
+?end perl

Shorewall/Actions/action.Multicast

@@ -0,0 +1,56 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Multicast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Multicast[([<action>|-[,{audit|-}])]
+#
+# Default action is DROP
+#
+###############################################################################
+
+DEFAULTS DROP,-
+
+?if __ADDRTYPE
+    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
+?else
+    ?begin perl;
+
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;
+
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;
+
+    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';
+
+    my $target = require_audit ( $action , $audit );
+    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );
+
+    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
+    add_jump $chainref, $target, 0, $dest;
+
+    1;
+
+    ?end perl;
+?endif

Shorewall/Actions/action.Reject.deprecated

@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
-# The default REJECT action common rules
+# The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
@@ -20,13 +20,14 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 
 ?if passed(@1)
     ?if @1 eq 'audit'
@@ -61,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be

Shorewall/Actions/action.ResetEvent

@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {

Shorewall/Actions/action.SetEvent

@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {

Shorewall/Actions/action.TCPFlags

@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
+$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0

Shorewall/Actions/action.allowBcast

@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowBcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowBcast"
+    ?endif
+?else
+    Broadcast(ACCEPT)
+?endif

Shorewall/Actions/action.allowMcast

@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowMcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowMcast"
+    ?endif
+?else
+    Multicast(ACCEPT)
+?endif

Shorewall/Actions/action.allowinUPnP

@@ -0,0 +1,40 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowinUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowinUPnP[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_ACCEPT - - 17 1900
+	A_ACCEPT - -  6 49152
+    ?else
+	?error "Invalid argument (@1) to allowinUPnP"
+    ?endif
+?else
+    ACCEPT - - 17 1900
+    ACCEPT - -	6 49152
+?endif

Shorewall/Actions/action.dropBcast

@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropBcast"
+    ?endif
+?else
+    Broadcast(DROP)
+?endif
+

Shorewall/Actions/action.dropBcasts

@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcasts
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcasts[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropBcasts"
+    ?endif
+?else
+    Broadcast(DROP)
+?endif
+

Shorewall/Actions/action.dropMcast

@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropMcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropMcast"
+    ?endif
+?else
+    Multicast(DROP)
+?endif

Shorewall/Actions/action.dropNotSyn

@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropNotSyn[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_DROP {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to dropNotSyn"
+    ?endif
+?else
+    DROP {proto=6:!syn}
+?endif

Shorewall/Actions/action.forwardUPnP

@@ -0,0 +1,43 @@
+#
+# Shorewall -- /usr/share/shorewall/action.forwardUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# forwardUPnP
+#
+###############################################################################
+
+DEFAULTS -
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+
+set_optflags( $chainref, DONT_OPTIMIZE );
+
+add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+
+1;
+
+?end perl

Shorewall/Actions/action.rejNotSyn

@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.rejNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# rejNotSyn[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_REJECT {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to rejNotSyn"
+    ?endif
+?else
+    REJECT(tcp-reset) {proto=6:!syn}
+?endif
+

Shorewall/Macros/macro.AllowICMPs

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
-#
-# This macro ACCEPTs needed ICMP types.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Needed ICMP types
-
-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded

Shorewall/Macros/macro.BLACKLIST

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.blacklist
-#
-# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?if $BLACKLIST_LOGLEVEL
-blacklog
-?else
-$BLACKLIST_DISPOSITION
-?endif

Shorewall/Macros/macro.Drop

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Drop
-#
-# This macro generates the same rules as the Drop default action
-# It is used in place of action.Drop when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Drop	net	all
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' DROP
-#
-DROP	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DROP	-	-	udp	135,445
-DROP	-	-	udp	137:139
-DROP	-	-	udp	1024:	137
-DROP	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Macros/macro.DropDNSrep

@@ -1,12 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
-#
-# This macro silently drops DNS UDP replies
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Late DNS Replies
-
-DEFAULT DROP
-PARAM	-	-	udp	-	53

Shorewall/Macros/macro.IPMI

@@ -15,6 +15,7 @@ PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	tcp	3520		# Remote Console (Redfish)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS

Shorewall/Macros/macro.RDP

@@ -6,4 +6,5 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
+PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389

Shorewall/Macros/macro.Reject

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Reject
-#
-# This macro generates the same rules as the Reject default action
-# It is used in place of action.Reject when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Reject	loc	fw
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' REJECT
-#
-REJECT	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-REJECT	-	-	udp	135,445
-REJECT	-	-	udp	137:139
-REJECT	-	-	udp	1024:	137
-REJECT	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Makefile-lite

@@ -1,82 +0,0 @@
-#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-#	To make the 'firewall' script, type "make".
-#
-#	Once the script is compiling correctly, you can install it by
-#	typing "make install".
-#
-################################################################################
-#                             V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES =  firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-#                                T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
-	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
-	scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
-	shorewall compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
-	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
-	ssh root@$(HOST) "/sbin/shorewall-lite restart"
-#
-# Save running configuration
-#
-save:
-	ssh root@$(HOST) "/sbin/shorewall-lite save"
-#
-# Remove generated files
-#
-clean:
-	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/Accounting.pm

@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
     my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     if ( $source eq 'any' || $source eq 'all' ) {
         $source = ALLIP;
     } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
     }
 
     if ( have_bridges && ! $asection ) {
@@ -519,9 +519,9 @@ sub setup_accounting() {
 
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( sort  keys %accountingjumps ) {
+		    for my $chain1 ( keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {

Shorewall/Perl/Shorewall/Chains.pm

@@ -32,6 +32,7 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
+use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -137,6 +138,12 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
+				       validate_port
+				       validate_portpair
+				       validate_portpair1
+				       validate_port_list
+				       expand_port_range
+
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -405,14 +412,14 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z12z2>
+#   Zone-pair chains for rules chain <z1-z2>
 #
-#      Syn Flood       - @<z12z2>
+#      Syn Flood       - @<z1-z2>
-#      Blacklist       - <z12z2>~
+#      Blacklist       - <z1-z2>~
-#      Established     - ^<z12z2>
+#      Established     - ^<z1-z2>
-#      Related         - +<z12z2>
+#      Related         - +<z1-z2>
-#      Invalid         - _<z12z2>
+#      Invalid         - _<z1-z2>
-#      Untracked       - &<z12z2>
+#      Untracked       - &<z1-z2>
 #
 our %chain_table;
 our $raw_table;
@@ -434,7 +441,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -509,6 +516,7 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
+our %port_variables;
 our $ipset_rules;
 
 #
@@ -784,6 +792,7 @@ sub initialize( $$$ ) {
     %interfaceacasts    = ();
     %interfacegateways  = ();
     %address_variables  = ();
+    %port_variables     = ();
 
     $global_variables   = 0;
     $idiotcount         = 0;
@@ -819,6 +828,211 @@ sub initialize( $$$ ) {
     #
 }
 
+sub record_runtime_port( $ ) {
+    my ( $variable ) = @_;
+
+    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
+	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
+	$port_variables{$1} = 1;
+    } else {
+	fatal_error( "Invalid port variable (%$variable)" );
+    }
+
+    "\$$variable";
+}
+
+################################################################################
+# Functions moved from IPAddrs.pm in 5.1.5				       #
+################################################################################
+
+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$value = numeric_value $port;
+
+	if ( defined $value ) {
+	    if ( $value && $value <= 65535 ) {
+		return $value;
+	    } else {
+		$value = undef;
+	    }
+	}
+    } elsif ( $port =~ /^%(.*)/ ) {
+	$value = record_runtime_port( $1 );
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+
+	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+	    fatal_error "Invalid port range ($_[1])" unless $ports[0] < $ports[1];
+	}
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $_[1] ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+
+	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	}
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
+################################################################################
+# End functions moved from IPAddrs.pm in 5.1.5				       #
+################################################################################
+
 #
 # Functions to manipulate cmdlevel
 #
@@ -1081,11 +1295,11 @@ sub format_option( $$ ) {
 
     assert( ! reftype $value );
 
-    my $rule = '';
+    my $rule;
 
     $value =~ s/\s*$//;
 
-    $rule .= join( ' ' , ' -m', $option, $value );
+    $rule = join( ' ' , ' -m', $option, $value );
 
     $rule;
 }
@@ -1131,8 +1345,6 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
-
-	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1191,13 +1403,15 @@ sub compatible( $$ ) {
     }
     #
     # Don't combine chains where each specifies
-    #    -m policy
+    #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
     # and the other specifies
     #    --dport or --sport or -m multiport
     #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
+    my ( $p1, $p2 );
+
+    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -1223,7 +1437,7 @@ sub merge_rules( $$$ ) {
 	}
     }
 
-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -1239,7 +1453,7 @@ sub merge_rules( $$$ ) {
 
     set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
 
-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -1715,7 +1929,7 @@ sub delete_reference( $$ ) {
 
     assert( $toref );
 
-    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
+    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
 }
 
 #
@@ -1853,7 +2067,7 @@ sub adjust_reference_counts( $$$ ) {
     my ($toref, $name1, $name2) = @_;
 
     if ( $toref ) {
-	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
+	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
 	$toref->{references}{$name2}++;
     }
 }
@@ -3061,8 +3275,10 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
     }
 
@@ -3459,7 +3675,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -3686,12 +3902,21 @@ sub optimize_level8( $$$ ) {
 		    }
 
 		    $combined{ $chainref1->{name} } = $chainref->{name};
+		    #
+		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
+		    # the policy attributes in the combined chain
+		    #
+		    if ( $chainref->{policychain} ) {
+			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
+		    } elsif ( $chainref1->{policychain} ) {
+			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
+		    }
 		}
 	    }
 	}
 
 	if ( $progress ) {
-	    my @rename = sort keys %rename;
+	    my @rename = keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4556,7 +4781,8 @@ sub do_proto( $$$;$ )
 
     if ( $proto ne '' ) {
 
-	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
+	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
@@ -4574,7 +4800,7 @@ sub do_proto( $$$;$ )
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
-		$output = "-p $proto --syn ";
+		$output = $notsyn ? "-p $proto ! --syn " : "-p $proto --syn ";
 	    }
 
 	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
@@ -4611,7 +4837,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -4818,7 +5044,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 
 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5757,6 +5983,7 @@ sub record_runtime_address( $$;$$ ) {
 
     if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
+	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
     }
@@ -6102,7 +6329,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? '' : "-d $net ";
 }
 
@@ -6183,7 +6410,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? () : ( d =>  $net );
 }
 
@@ -6842,6 +7069,8 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
     my ( $logical, $protect, $provider ) = @_;
 
+    $provider = '' unless defined $provider;
+
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
     my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -6855,9 +7084,9 @@ sub get_interface_gateway ( $;$$ ) {
     }
 
     if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
     } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
     }
 
@@ -6980,13 +7209,13 @@ sub set_global_variables( $$ ) {
     if ( $conditional ) {
 	my ( $interface, @interfaces );
 
-	@interfaces = sort keys %interfaceaddr;
+	@interfaces = keys %interfaceaddr;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	@interfaces = sort keys %interfacegateways;
+	@interfaces = keys %interfacegateways;
 
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -6996,36 +7225,36 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
 
-	@interfaces = sort keys %interfacemacs;
+	@interfaces = keys %interfacemacs;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for sort values %interfaceaddr;
+	emit $_     for values %interfaceaddr;
-	emit "$_\n" for sort values %interfacegateways;
+	emit "$_\n" for values %interfacegateways;
-	emit $_     for sort values %interfacemacs;
+	emit $_     for values %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for sort values %interfaceaddrs;
+	emit $_ for values %interfaceaddrs;
-	emit $_ for sort values %interfacenets;
+	emit $_ for values %interfacenets;
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for sort values %interfacebcasts;
+		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for sort values %interfaceacasts;
+		emit $_ for values %interfaceacasts;
 	    }
 	}
     }
 }
 
 sub verify_address_variables() {
-    for my $variable ( sort keys %address_variables ) {
+    for my $variable ( keys %address_variables ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";
 
@@ -7044,6 +7273,19 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
     }
+
+    for my $variable( keys %port_variables ) {
+	my $port = "\$$variable";
+	my $type = $port_variables{$variable};
+
+	emit( qq(if [ -z "$port" ]; then) ,
+	      qq(    $variable=255) ,
+	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
+	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
+	      qq(else) ,
+	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
+	      qq(fi\n) );
+    }
 }
 
 #
@@ -7293,6 +7535,11 @@ sub isolate_dest_interface( $$$$ ) {
 
 	    $rule .= "-d $variable ";
 	}
+    } elsif ( $dest =~ /^\$/ ) {
+	#
+	# Runtime address variable
+	#
+	$dnets  = $dest;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -7942,7 +8189,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
+	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 
 	    assert( $chainref );
@@ -7961,7 +8208,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -8047,7 +8294,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
+		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8216,6 +8463,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
 
@@ -8231,6 +8479,7 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8453,7 +8702,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 
-	    my @sets = sort keys %ipsets;
+	    my @sets = keys %ipsets;
 
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8629,7 +8878,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( sort keys %nfobjects );
+    my @objects = ( keys %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8644,7 +8893,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( sort keys %nfobjects ) {
+    for ( keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8673,9 +8922,15 @@ sub create_netfilter_load( $ ) {
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
 
     emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
-	  '    option="--counters"',
+
-	  '',
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
+    } else {
+	emit( '    option="--counters"' );
+    }
+
+    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8683,7 +8938,11 @@ sub create_netfilter_load( $ ) {
 
     push_indent;
 
-    emit 'option=';
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
+    } else {
+	emit 'option=';
+    }
 
     save_progress_message "Preparing $utility input...";
 
@@ -8732,6 +8991,10 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -8836,6 +9099,11 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9073,6 +9341,10 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9098,7 +9370,11 @@ sub create_stop_load( $ ) {
 
     enter_cmd_mode;
 
-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
+    } else {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    }
 
     emit( '',
 	  'progress_message2 "Running $command..."',
@@ -9120,7 +9396,7 @@ sub initialize_switches() {
     if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( sort keys %switches ) {
+	for my $switch ( keys %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";

Shorewall/Perl/Shorewall/Compiler.pm

@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -93,11 +93,10 @@ sub generate_script_1( $ ) {
 	    my $date = compiletime;
 
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
-	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
 
+	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
     }
 
     my $lib = find_file 'lib.private';
@@ -110,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -210,6 +209,8 @@ sub generate_script_2() {
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
     emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
     emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
+    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
+    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -267,7 +268,8 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
     }
 
@@ -690,6 +692,7 @@ sub compiler {
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
     #
+    #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
     get_configuration( $export , $update , $annotate , $inline );
@@ -794,13 +797,10 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
     }
 
-    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_script;
-    #
     # Validate the TC files so that the providers will know what interfaces have TC
     #
     my $tcinterfaces = process_tc;
@@ -945,7 +945,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
+	copy $globals{SHAREDIRPL} . 'prog.footer';
 
 	disable_script;
 	#

Shorewall/Perl/Shorewall/Config.pm

@@ -30,17 +30,97 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
+#   A significant portion of this module is dedicated to the preprocessor:
+#
+#	process_compiler_directive() - processes compiler directives
+#
+#	embedded_shell() - handles embedded shell scripting
+#
+#	embedded_perl() - handles embedded perl scripting
+#
+#	read_a_line() - Reads the next configuration file record to
+#			be passed to the function processing the file.
+#
+#	    - Detects compiler directives and passes then to
+#	      process_compiler_directive() for handling.
+#
+#	    - Handles line continuation
+#
+#	    - Invokes a callback when the first (concatinated) non-directive
+#	      record is read from a file.
+#
+#	    - Conditionally expands variables.
+#
+#	    - Conditionally detects embedded Shell and Perl and passes them
+#	      off to embedded_shell() and embedded_perl() respectively.
+#
+#	    - Conditionally detects and handles [?}INCLUDE directives.
+#
+#	    - Conditionally detects and handles ?SECTION directives.
+#	      File processing functions can supply a callback to be
+#	      called during this processing.
+#
+#   File processing routines may need to open a second (third, fourth, ...)
+#   file while processing the main file (macro and/or action files). Two
+#   functions are provided to make that possible:
+#
+#      push_open() - open a file while leaving the current file open.
+#
+#      pop_open() - close the current file, and make the previous
+#		    file (if any) the current one.
+#
+#   Because this module expands variables, it must be aware of action
+#   parameters.
+#
+#	push_action_params() - populates the %actparams hash and
+#			       returns a reference to the previous
+#			       contents of that hash. The caller is
+#			       expected to store those contents locally.
+#
+#	pop_action_params()  - Restores the %actparams hash from
+#			       the reference returned by
+#			       push_action_params().
+#
+#   The following routines are provided for INLINE PERL within
+#   action bodies:
+#
+#	default_action_params() - called to fill in omitted
+#				  arguments when a DEFAULTS
+#				  line is encountered.
+#
+#	get_action_params() - returns an array of arguments.
+#
+#	setup_audit_action() - helper for A_* actions.
+#
+#	get_action_logging() - returns log level and tag
+#			       from the action's invocation.
+#
+#	get_action_chain_name() - returns chain name.
+#
+#	set_action_name_to_caller() - replace chain name
+#				      with that of invoking
+#				      chain for logging purposes.
+#
+#	set_action_disposition() - set the current action
+#				   disposition for logging purposes.
+#
+#	get_action_disposition() - get the current action disposition.
+#
+#	set_action_param() - set the value of an argument.
+#
 package Shorewall::Config;
 
 use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
+use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
+use Errno qw(:POSIX);
 
 our @ISA = qw(Exporter);
 #
@@ -86,6 +166,9 @@ our @EXPORT = qw(
 		 kernel_version
 
                  compiletime
+				       
+		 F_IPV4
+		 F_IPV6
                 );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -196,9 +279,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
                                        PARMSMODIFIED
                                        USEDCALLER
-				       
-		                       F_IPV4
-		                       F_IPV6
 
 				       TCP
 				       UDP
@@ -315,7 +395,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -413,7 +493,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  WAIT_OPTION     => 'iptables --wait option',
                  CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                  NETMAP_TARGET   => 'NETMAP Target',
-
+                 NFLOG_SIZE      => '--nflog-size support',
+		 RESTORE_WAIT_OPTION
+				 => 'iptables-restore --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -488,53 +570,55 @@ our %helpers_aliases;
 our %helpers_enabled;
 
 our %config_files = ( #accounting      => 1,
-		      actions          => 1,
+		      actions	       => 1,
-		      blacklist        => 1,
+		      blacklist	       => 1,
-		      clear            => 1,
+		      clear	       => 1,
-		      conntrack        => 1,
+		      conntrack	       => 1,
-		      ecn              => 1,
+		      ecn	       => 1,
-		      findgw           => 1,
+		      findgw	       => 1,
-		      hosts            => 1,
+		      hosts	       => 1,
-		      init             => 1,
+		      init	       => 1,
-		      initdone         => 1,
+		      initdone	       => 1,
 		      interfaces       => 1,
-		      isusable         => 1,
+		      isusable	       => 1,
-		      maclist          => 1,
+		      maclist	       => 1,
-		      masq             => 1,
+		      mangle	       => 1,
-		      nat              => 1,
+		      masq	       => 1,
-		      netmap           => 1,
+		      nat	       => 1,
-		      params           => 1,
+		      netmap	       => 1,
-		      policy           => 1,
+		      params	       => 1,
-		      providers        => 1,
+		      policy	       => 1,
-		      proxyarp         => 1,
+		      providers	       => 1,
-		      refresh          => 1,
+		      proxyarp	       => 1,
-		      refreshed        => 1,
+		      refresh	       => 1,
-		      restored         => 1,
+		      refreshed	       => 1,
-		      rawnat           => 1,
+		      restored	       => 1,
+		      rawnat	       => 1,
 		      route_rules      => 1,
-		      routes           => 1,
+		      routes	       => 1,
 		      routestopped     => 1,
-		      rtrules          => 1,
+		      rtrules	       => 1,
-		      rules            => 1,
+		      rules	       => 1,
-		      scfilter         => 1,
+		      scfilter	       => 1,
-		      secmarks         => 1,
+		      secmarks	       => 1,
-		      start            => 1,
+		      snat	       => 1,
-		      started          => 1,
+		      start	       => 1,
-		      stop             => 1,
+		      started	       => 1,
-		      stopped          => 1,
+		      stop	       => 1,
+		      stopped	       => 1,
 		      stoppedrules     => 1,
-		      tcclasses        => 1,
+		      tcclasses	       => 1,
-		      tcclear          => 1,
+		      tcclear	       => 1,
-		      tcdevices        => 1,
+		      tcdevices	       => 1,
-		      tcfilters        => 1,
+		      tcfilters	       => 1,
 		      tcinterfaces     => 1,
-		      tcpri            => 1,
+		      tcpri	       => 1,
-		      tcrules          => 1,
+		      tcrules	       => 1,
-		      tos              => 1,
+		      tos	       => 1,
-		      tunnels          => 1,
+		      tunnels	       => 1,
-		      zones            => 1 );
+		      zones	       => 1 );
 #
-# Options that involve the the AUDIT target
+# Options that involve the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -591,6 +675,7 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
 
 our $family;                 # Protocol family (4 or 6)
+our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -644,6 +729,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
+                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -703,8 +789,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$) {
+sub initialize( $;$$$) {
-    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -748,8 +834,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
+		    VERSION                 => "5.1.8-Beta1",
-		    CAPVERSION              => 50100 ,
+		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -792,6 +878,7 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
+	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -816,6 +903,7 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
+	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -842,7 +930,6 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
-	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -904,6 +991,9 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
+	  BALANCE_PROVIDERS => undef ,
+	  PERL_HASH_SEED => undef ,
+	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -999,7 +1089,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => 1,         # Assume that we have it.
+	       LOG_TARGET => undef,
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1037,6 +1127,8 @@ sub initialize( $;$$) {
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
+	       NFLOG_SIZE => undef,
+	       RESTORE_WAIT_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1089,7 +1181,7 @@ sub initialize( $;$$) {
 
     %compiler_params = ();
 
-    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '', callfile => '', callline => ''  );
     $parmsmodified = 0;
     $usedcaller    = 0;
     %ipsets = ();
@@ -1162,7 +1254,7 @@ sub initialize( $;$$) {
     #
     # Process the global shorewallrc file
     #
-    #   Note: The build file executes this function passing only the protocol family
+    #   Note: The build script calls this function passing only the protocol family
     #
     process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1213,10 +1305,9 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
-    my $linenumber = $currentlinenumber || 1;
+    if ( $currentfilename ) {
-
+	my $linenumber = $currentlinenumber || 1;
-    if ( $currentfile ) {
+	my $lineinfo   = " $currentfilename ";
-	my $lineinfo = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'
@@ -1982,6 +2073,7 @@ sub find_file($)
     for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
+	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
     }
 
     "$config_path[0]$filename";
@@ -2174,7 +2266,7 @@ sub split_list3( $$ ) {
 	    $element = join ',', $element , $_;
 	}
     }
-    
+
     unless ( $opencount == 0 ) {
 	fatal_error "Invalid $type ($list)";
     }
@@ -2229,7 +2321,7 @@ sub split_list4( $ ) {
 sub split_columns( $ ) {
     my ($list) = @_;
 
-    return split ' ', $list unless $list =~ /\(/;
+    return split ' ', $list unless $list =~ /[()]/;
 
     my @list1 = split ' ', $list;
     my @list2;
@@ -2270,9 +2362,7 @@ sub split_columns( $ ) {
 	}
     }
 
-    unless ( $opencount == 0 ) {
+    fatal_error "Mismatched parentheses ($list)" unless $opencount == 0;
-	fatal_error "Mismatched parentheses ($list)";
-    }
 
     @list2;
 }
@@ -2285,7 +2375,7 @@ sub clear_comment();
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
-#    Handles segragating raw iptables input in INLINE rules
+#    Handles segragating raw iptables input in rules
 #
 sub split_line2( $$;$$$ ) {
     my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
@@ -2338,7 +2428,7 @@ sub split_line2( $$;$$$ ) {
 
 	    $inline_matches = $pairs;
 
-	    if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
+	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
@@ -2354,7 +2444,7 @@ sub split_line2( $$;$$$ ) {
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 
-		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
+		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
@@ -2368,7 +2458,7 @@ sub split_line2( $$;$$$ ) {
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
-    } elsif ( $currline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
+    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
 	#
@@ -2434,12 +2524,12 @@ sub split_line2( $$;$$$ ) {
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-		$column = $columnsref->{$column};
-		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
-		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $value =~ /[^\s[:print:]]/;
-		$line[$column] = $value;
+		my $colnum = $columnsref->{$column};
+		warning_message qq(Replacing "$line[$colnum]" with "$value" in the ) . uc( $column ) . ' column' if $line[$colnum] ne '-';
+		$line[$colnum] = $value;
 	    }
 	}
     }
@@ -2566,7 +2656,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;;
+	do_open_file $fname;
     } else {
 	$ifstack = @ifstack;
 	'';
@@ -2710,13 +2800,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$ ) {
+sub join_parts( $$$$ ) {
-    my ( $first, $val, $rest ) = @_;
+    my ( $first, $val, $rest, $just_expand ) = @_;
 
     $val = '' unless defined $val;
-    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
+    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
-			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
     join( '', $first, $val, $rest );
 }
 
@@ -2769,7 +2859,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
 
-	$expression = join_parts( $first, $val, $rest );
+	$expression = join_parts( $first, $val, $rest, $just_expand );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
     }
 
@@ -2779,8 +2869,8 @@ sub evaluate_expression( $$$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
-	    $usedcaller = USEDCALLER if $var eq 'caller';
+	    $usedcaller = USEDCALLER if $var =~ /^(?:caller|callfile|callline)$/;
-	    $expression = join_parts( $first, $val, $rest );
+	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
     }
@@ -2815,7 +2905,6 @@ sub evaluate_expression( $$$$ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-
 	declare_passed unless $evals++;
 
 	$val = eval qq(package Shorewall::User;
@@ -2832,6 +2921,7 @@ sub evaluate_expression( $$$$ ) {
     $val;
 }
 
+sub pop_open();
 #
 # Set callback
 #
@@ -2839,6 +2929,40 @@ sub directive_callback( $ ) {
     $directive_callback = shift;
 }
 
+sub directive_message( \&$$$$ ) {
+    my ( $functptr, $verbose, $expression, $filename, $linenumber ) = @_;
+
+    unless ( $omitting ) {
+	if ( $actparams{0} ) {
+	    #
+	    # When issuing a message from an action, report the action invocation
+	    # site rather than the action file and line number.
+	    #
+	    # Avoid double-reporting by temporarily removing the invocation site
+	    # from the open stack.
+	    #
+	    my $saveopens = pop @openstack;
+
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $actparams{callfile} ,
+			 $actparams{callline} );
+	    push @openstack, $saveopens;
+	} else {
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $filename ,
+			 $linenumber );
+	}
+    }
+}
+
 #
 # Each entry in @ifstack consists of a 4-tupple
 #
@@ -2852,7 +2976,8 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber )
+	unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -2954,15 +3079,16 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      if ( exists $actparams{$var} ) {
-			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
+			  if ( $var =~ /^(?:loglevel|logtag|chain|disposition|caller|callfile|callline)$/ ) {
 			      $actparams{$var} = '';
 			  } else {
 			      delete $actparams{$var}
 			  }
+
+			  $parmsmodified = PARMSMODIFIED if @ifstack > $ifstack;
 		      } else {
 			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
-
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
@@ -2992,52 +3118,87 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 
 	  ERROR => sub() {
-	      directive_error( evaluate_expression( $expression ,
+	      unless ( $omitting ) {
-						    $filename ,
+		  if ( $actparams{0} ) {
-						    $linenumber ,
+		      close $currentfile;
-						    1 ) ,
+		      #
-			       $filename ,
+		      # Avoid 'missing ?ENDIF' error in pop_open'
-			       $linenumber ) unless $omitting;
+		      #
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action invocation site
+		      #
+		      pop_open;
+
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  } else {
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $filename ,
+				       $linenumber ) unless $omitting;
+		  }
+	      }
 	  } ,
 
 	  WARNING => sub() {
-	      directive_warning( $config{VERBOSE_MESSAGES} ,
+	      directive_message( &directive_warning ,
-		                 evaluate_expression( $expression ,
+				 $config{VERBOSE_MESSAGES},
-						      $filename ,
+				 $expression ,
-						      $linenumber ,
-						      1 ),
 				 $filename ,
-				 $linenumber ) unless $omitting;
+				 $linenumber );
 	  } ,
 
 	  INFO => sub() {
-	      directive_info( $config{VERBOSE_MESSAGES} ,
+	      directive_message( &directive_info,
-			      evaluate_expression( $expression ,
+				 $config{VERBOSE_MESSAGES} ,
-						   $filename ,
+				 $expression ,
-						   $linenumber ,
+				 $filename ,
-						   1 ),
+				 $linenumber );
-			      $filename ,
-			      $linenumber ) unless $omitting;
 	  } ,
 
 	  'WARNING!' => sub() {
-	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
+	      directive_message( &directive_warning ,
-		                 evaluate_expression( $expression ,
+				 ! $config{VERBOSE_MESSAGES} ,
-						      $filename ,
+				 $expression ,
-						      $linenumber ,
-						      1 ),
 				 $filename ,
-				 $linenumber ) unless $omitting;
+				 $linenumber );
 	  } ,
 
 	  'INFO!' => sub() {
-	      directive_info( ! $config{VERBOSE_MESSAGES} ,
+	      directive_message( &directive_info ,
-			      evaluate_expression( $expression ,
+				 ! $config{VERBOSE_MESSAGES} ,
-						   $filename ,
+				 $expression ,
-						   $linenumber ,
+				 $filename ,
-						   1 ),
+				 $linenumber );
-			      $filename ,
+	  } ,
-			      $linenumber ) unless $omitting;
+
+	  REQUIRE => sub() {
+	      unless ( $omitting ) {
+		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
+		  fatal_error "Unknown capability ($expression)" unless ( my $capdesc = $capdesc{$expression} );
+		  unless ( have_capability( $expression ) ) {
+		      close $currentfile;
+		      #
+		      # Avoid 'missing ?ENDIF' error in pop_open'
+		      #
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action call site
+		      #
+		      pop_open;
+
+		      directive_error( "The $actparams{action} action requires the $capdesc capability",
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  }
+	      }
 	  } ,
 
 	);
@@ -3538,6 +3699,8 @@ sub push_action_params( $$$$$$ ) {
     $actparams{loglevel}    = $loglevel;
     $actparams{logtag}      = $logtag;
     $actparams{caller}      = $caller;
+    $actparams{callfile}    = $currentfilename;
+    $actparams{callline}    = $currentlinenumber;
     $actparams{disposition} = '' if $chainref->{action};
     #
     # The Shorewall variable '@chain' has non-word characters other than hyphen removed
@@ -3668,6 +3831,7 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
+	    $val = $config{$var};
 	}
 
 	$val = '' unless defined $val;
@@ -3753,7 +3917,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3969,7 +4133,7 @@ sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
 
-my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
+my @suffixes;
 
 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -4205,7 +4369,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
 
     my $modulesdir = $config{MODULESDIR};
 
@@ -4238,25 +4402,20 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+      MODULE:
-
-	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
-
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		for my $directory ( @moduledirectories ) {
+		if ( $moduleloader =~ /modprobe$/ ) {
-		    for my $suffix ( @suffixes ) {
+		    system( "modprobe -q $module $arguments" );
-			my $modulefile = "$directory/$module.$suffix";
+		    $loadedmodules{ $module } = 1;
-			if ( -f $modulefile ) {
+		} else {
-			    if ( $moduleloader eq 'insmod' ) {
+		    for my $directory ( @moduledirectories ) {
-				system ("insmod $modulefile $arguments" );
+			for my $modulefile ( <$directory/$module.*> ) {
-			    } else {
+			    system ("insmod $modulefile $arguments" );
-				system( "modprobe $module $arguments" );
-			    }
-
 			    $loadedmodules{ $module } = 1;
+			    next MODULE;
 			}
 		    }
 		}
@@ -4741,6 +4900,10 @@ sub NFLog_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }
 
+sub NFLog_Size() {
+    have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
+}
+
 sub Logmark_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -4864,6 +5027,10 @@ sub Cpu_Fanout() {
     have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 
+sub Restore_Wait_Option() {
+    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AMANDA_HELPER => \&Amanda_Helper,
@@ -4916,6 +5083,7 @@ our %detect_capability =
       LOG_TARGET => \&Log_Target,
       ULOG_TARGET => \&Ulog_Target,
       NFLOG_TARGET => \&NFLog_Target,
+      NFLOG_SIZE => \&NFLog_Size,
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
@@ -4943,6 +5111,7 @@ our %detect_capability =
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
+      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
       RPFILTER_MATCH => \&RPFilter_Match,
       SANE_HELPER => \&SANE_Helper,
       SANE0_HELPER => \&SANE0_Helper,
@@ -5109,6 +5278,9 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
+	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
+	$capabilities{RESTORE_WAIT_OPTION}
+				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5157,7 +5329,13 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
     }
 
-    @config_path = split /:/, $config{CONFIG_PATH};
+    my $path = $config{CONFIG_PATH};
+
+    my $chop = ( $path =~ s/^:// );
+
+    @config_path = split /:/, $path;
+
+    shift @config_path if $chop && ( $export || $> != 0 );
 
     #
     # To accomodate Cygwin-based compilation, we have separate directories for files whose names
@@ -5279,11 +5457,24 @@ sub update_config_file( $ ) {
     }
 
     update_default( 'USE_DEFAULT_RT', 'No' );
-    update_default( 'EXPORTMODULES',  'No' );
+
-    update_default( 'RESTART',        'reload' );
+    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
-    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
+	update_default( 'BALANCE_PROVIDERS', 'No' );
-    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
+    } else {
-    update_default( 'LOGLIMIT',       '' );
+	update_default( 'BALANCE_PROVIDERS', 'Yes' );
+    }
+
+    update_default( 'EXPORTMODULES',         'No' );
+    update_default( 'RESTART',               'reload' );
+    update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
+    update_default( 'LOGLIMIT',              '' );
+
+    if ( $family == F_IPV4 ) {
+	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
+    } else {
+	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
+    }	
 
     my $fn;
 
@@ -5334,8 +5525,12 @@ sub update_config_file( $ ) {
 		    }
 
 		}
-
+		if ( supplied $val ) {
-		$val = conditional_quote $val;
+		    #
+		    # Log LEVEL and DEFAULT settings often contain parens
+		    #
+		    $val = ($var =~ /(?:LEVEL|DEFAULT)$/) ? qq("$val") : conditional_quote $val;
+		}
 
 		$_ = "$var=$val\n";
 	    }
@@ -5398,6 +5593,7 @@ EOF
 sub process_shorewall_conf( $$ ) {
     my ( $update, $annotate ) = @_;
     my $file   = find_file "$product.conf";
+    my @vars;
 
     if ( -f $file ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
@@ -5411,7 +5607,7 @@ sub process_shorewall_conf( $$ ) {
 	    # Don't expand shell variables or allow embedded scripting
 	    #
 	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
+		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*)$/ ) {
 		    my ($var, $val) = ($1, $2);
 
 		    if ( exists $config{$var} ) {
@@ -5430,6 +5626,12 @@ sub process_shorewall_conf( $$ ) {
 			next;
 		    }
 
+		    if ( $update ) {
+			push @vars, $var;
+		    } else {
+			expand_variables( $val ) unless $val =~ /^'.*'$/;
+		    }
+
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
 
 		    warning_message "Option $var=$val is deprecated"
@@ -5450,14 +5652,19 @@ sub process_shorewall_conf( $$ ) {
     #
     # Now update the config file if asked
     #
-    update_config_file( $annotate ) if $update;
+    if ( $update ) {
-    #
+	update_config_file( $annotate ); 
-    # Config file update requires that the option values not have
+	#
-    # Shell variables expanded. We do that now.
+	# Config file update requires that the option values not have
-    #
+	# Shell variables expanded. We do that now.
-    for ( values  %config ) {
+	#
-	if ( supplied $_ ) {
+	# To handle options like LOG_LEVEL, we process the options
-	    expand_variables( $_ ) unless /^'(.+)'$/;
+	# in the order in which they appear in the .conf file.
+	#
+	for ( @vars ) {
+	    if ( supplied( my $val = $config{$_} ) ) {
+		expand_variables( $config{$_} ) unless $val =~ /^'.*'$/;
+	    }
 	}
     }
 }
@@ -5946,7 +6153,6 @@ sub get_configuration( $$$$ ) {
     #
     # get_capabilities requires that the true settings of these options be established
     #
-    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
     default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
 
     if ( ! $export && $> == 0 ) {
@@ -6132,7 +6338,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
     }
 
-    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
+    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
     default_yes_no 'ADD_SNAT_ALIASES'           , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6286,6 +6492,18 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
+    default_yes_no 'USE_NFLOG_SIZE'             , '';
+
+    if ( $config{USE_NFLOG_SIZE} ) {
+	if ( have_capability( 'NFLOG_SIZE' ) ) {
+	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
+	} else {
+	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
+	}
+    } else {
+	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
+    }
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6302,6 +6520,8 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
 
+    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
+
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6342,6 +6562,9 @@ sub get_configuration( $$$$ ) {
 
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
+	    $variables{SW_DBL_IPSET}   = $set;
+	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
+
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6349,6 +6572,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
+    add_variables( %variables );
+
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
     default_yes_no 'COMPLETE'                   , '';
@@ -6446,6 +6671,12 @@ sub get_configuration( $$$$ ) {
     default_log_level 'INVALID_LOG_LEVEL',    '';
     default_log_level 'UNTRACKED_LOG_LEVEL',  '';
 
+    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
+	validate_level( $val );
+    } else {
+	$config{LOG_LEVEL} = 'info';
+    }
+
     if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -6614,13 +6845,16 @@ sub get_configuration( $$$$ ) {
     }
 
     default 'RESTOREFILE'           , 'restore';
-    default 'DROP_DEFAULT'          , 'Drop';
+
-    default 'REJECT_DEFAULT'        , 'Reject';
+    default 'DROP_DEFAULT'          , 'none';
+
+    default 'REJECT_DEFAULT'        , 'none';
+    default 'BLACKLIST_DEFAULT'     , 'none';
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
 
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
@@ -6690,6 +6924,12 @@ sub get_configuration( $$$$ ) {
 	}
     }
 
+    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
+	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
+    } else {
+	$config{MUTEX_TIMEOUT} = 60;
+    }
+
     add_variables %config;
 
     while ( my ($var, $val ) = each %renamed ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -63,7 +63,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
-		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -74,10 +73,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
-		  validate_port
-		  validate_portpair
-		  validate_portpair1
-		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -389,6 +384,8 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
+    $proto =~ s/:.*//;
+
     if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
@@ -409,114 +406,6 @@ sub proto_name( $ ) {
     $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 
-sub validate_port( $$ ) {
-    my ($proto, $port) = @_;
-
-    my $value;
-
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$port = numeric_value $port;
-	return $port if defined $port && $port && $port <= 65535;
-    } else {
-	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
-	$value = getservbyname( $port, $proto );
-    }
-
-    return $value if defined $value;
-
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
-}
-
-sub validate_portpair( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-
-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-
-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-
-    my @ports = split /:/, $pair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
-    } else {
-	$what = 'port';
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP     ||
-			       $protonum == UDP     ||
-			       $protonum == UDPLITE ||
-			       $protonum == SCTP    ||
-			       $protonum == DCCP );
-    join ':', @ports;
-
-}
-
-sub validate_portpair1( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-
-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
-    my @ports = split /-/, $portpair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
-    } else {
-	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
-			       $protonum == DCCP );
-    join '-', @ports;
-
-}
-
-sub validate_port_list( $$ ) {
-    my $result = '';
-    my ( $proto, $list ) = @_;
-    my @list   = split_list( $list, 'port' );
-
-    if ( @list > 1 && $list =~ /[:-]/ ) {
-	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
-    }
-
-    $proto = proto_name $proto;
-
-    for ( @list ) {
-	my $value = validate_portpair( $proto , $_ );
-	$result = $result ? join ',', $result, $value : $value;
-    }
-
-    $result;
-}
-
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -570,67 +459,6 @@ sub validate_icmp( $ ) {
     fatal_error "Invalid ICMP Type ($type)"
 }
 
-#
-# Expands a port range into a minimal list of ( port, mask ) pairs.
-# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
-#
-# Example:
-#
-#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
-#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
-#
-sub expand_port_range( $$ ) {
-    my ( $proto, $range ) = @_;
-
-    if ( $range =~ /^(.*):(.*)$/ ) {
-	my ( $first, $last ) = ( $1, $2);
-	my @result;
-
-	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
-	#
-	# Supply missing first/last port number
-	#
-	$first = 0     if $first eq '';
-	$last  = 65535 if $last eq '';
-	#
-	# Validate the ports
-	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
-
-	$last++; #Increment last address for limit testing.
-	#
-	# Break the range into groups:
-	#
-	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
-	#        the remaining range has less than or equal to P ports. The next group is
-	#        ( <first> , ~( P-1 ) ).
-	#
-	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
-	    my $mask = 0xffff;         #Mask for current ports in group.
-	    my $y    = 2;              #Next power of two to test
-	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
-
-	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
-		$mask <<= 1;
-		$z  = $y;
-		$y <<= 1;
-	    }
-	    #
-	    #
-	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
-	    $first += $z;
-	}
-
-	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
-
-	@result;
-
-    } else {
-	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
-
 sub valid_6address( $ ) {
     my $address = $_[0];
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -127,7 +127,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
+	    my @interfaces = ( keys %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -667,6 +667,7 @@ sub create_docker_rules() {
 
     my $chainref = $filter_table->{FORWARD};
 
+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
     add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
 
     if ( my $dockerref = known_interface('docker0') ) {
@@ -1213,55 +1214,53 @@ sub add_common_rules ( $ ) {
 	}
     }
 
-    if ( $family == F_IPV4 ) {
+    my $announced = 0;
-	my $announced = 0;
 
-	$list = find_interfaces_by_option 'upnp';
+    $list = find_interfaces_by_option 'upnp';
 
-	if ( @$list ) {
+    if ( @$list ) {
-	    progress_message2 "$doing UPnP";
+	progress_message2 "$doing UPnP";
 
-	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
 
-	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
-	    my $chainref1;
+	my $chainref1;
 
-	    if ( $config{MINIUPNPD} ) {
+	if ( $config{MINIUPNPD} ) {
-		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+	    $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
-	    }
-
-	    $announced = 1;
-
-	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
-	    }
 	}
 
-	$list = find_interfaces_by_option 'upnpclient';
+	$announced = 1;
 
-	if ( @$list ) {
+	for $interface ( @$list ) {
-	    progress_message2 "$doing UPnP" unless $announced;
+	    add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+	}
+    }
 
-	    for $interface ( @$list ) {
+    $list = find_interfaces_by_option 'upnpclient';
-		my $chainref = $filter_table->{input_option_chain $interface};
-		my $base     = uc var_base get_physical $interface;
-		my $optional = interface_is_optional( $interface );
-		my $variable = get_interface_gateway( $interface, ! $optional );
-		my $origin   = get_interface_origin( $interface );
 
-		if ( $optional ) {
+    if ( @$list ) {
-		    add_commands( $chainref,
+	progress_message2 "$doing UPnP" unless $announced;
-				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+
-		    incr_cmd_level( $chainref );
+	for $interface ( @$list ) {
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+	    my $chainref = $filter_table->{input_option_chain $interface};
-		    decr_cmd_level( $chainref );
+	    my $base     = uc var_base get_physical $interface;
-		    add_commands( $chainref, 'fi' );
+	    my $optional = interface_is_optional( $interface );
-		} else {
+	    my $variable = get_interface_gateway( $interface, ! $optional );
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+	    my $origin   = get_interface_origin( $interface );
-		}
+
+	    if ( $optional ) {
+		add_commands( $chainref,
+			      qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+		incr_cmd_level( $chainref );
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		decr_cmd_level( $chainref );
+		add_commands( $chainref, 'fi' );
+	    } else {
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 	    }
 	}
     }
@@ -1297,7 +1296,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( sort keys %maclist_interfaces );
+    my @maclist_interfaces = ( keys %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1618,7 +1617,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 
@@ -1639,8 +1638,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
 
-	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
+		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
 
 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1662,7 +1661,7 @@ sub add_interface_jumps {
     our %input_jump_added;
     our %output_jump_added;
     our %forward_jump_added;
-    my @interfaces = sort grep $_ ne '%vserver%', @_;
+    my @interfaces = grep $_ ne '%vserver%', @_;
     my $dummy;
     my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
     #
@@ -1776,7 +1775,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
+	for my $interface ( keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -2288,9 +2287,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( sort keys %$source_hosts_ref ) {
+	for my $type ( keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
+	    for my $interface ( keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2375,9 +2374,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
+		for my $type ( keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
+		    for my $interface ( keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2449,7 +2448,7 @@ sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
     my @match;
-    my $chainref = $filter_table->{FORWARD};
+    my $chainref = $mangle_table->{FORWARD};
 
     if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {

Shorewall/Perl/Shorewall/Nat.pm

@@ -941,7 +941,17 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
+	    my @servers;
+
+	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
+		$server = record_runtime_address( $1, $2 );
+		$server =~ s/ $//;
+		@servers = ( $server );
+	    } else {
+		@servers = validate_address $server, 1;
+	    }
+
 	    $server = join ',', @servers;
 	}
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -64,6 +64,8 @@ our @load_interfaces;
 
 our $balancing;
 our $fallback;
+our $balanced_providers;
+our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -99,6 +101,8 @@ sub initialize( $ ) {
     %provider_interfaces    = ();
     @load_interfaces        = ();
     $balancing              = 0;
+    $balanced_providers     = 0;
+    $fallback_providers     = 0;
     $fallback               = 0;
     $metrics                = 0;
     $first_default_route    = 1;
@@ -121,7 +125,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $mask   = in_hex( $globals{PROVIDER_MASK} );
     my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -323,7 +327,13 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $gateway ) {
+	if ( $balanced_providers == 1 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
+	} elsif ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -347,7 +357,13 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $gateway ) {
+	if ( $fallback_providers == 1 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
+	} elsif ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -486,7 +502,7 @@ sub process_a_provider( $ ) {
 
     if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway( $interface, undef, $number );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
     } elsif ( $gw eq 'none' ) {
@@ -496,6 +512,9 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
     } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
+
+	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
+
 	validate_address $gateway, 0;
 
 	if ( defined $mac ) {
@@ -519,11 +538,11 @@ sub process_a_provider( $ ) {
     my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 
     if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
     } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
     }
 
     unless ( $options eq '-' ) {
@@ -586,6 +605,7 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
+		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -593,7 +613,12 @@ sub process_a_provider( $ ) {
 	}
     }
 
-    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
+    if ( $balance ) {
+	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
+	$balanced_providers++;
+    } elsif ( $default ) {
+	$fallback_providers++;
+    }
 
     if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -603,19 +628,37 @@ sub process_a_provider( $ ) {
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
 
-    if ( $local ) {
+    unless ( $pseudo ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	if ( $local ) {
-	fatal_error "'track' not valid with 'local'"           if $track;
+	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	    fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "'persistent' is not valid with 'local"    if $persistent;
+	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-    } elsif ( $tproxy ) {
+	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
-	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	} elsif ( $tproxy ) {
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "'track' not valid with 'tproxy'"          if $track;
+	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	    fatal_error "'track' not valid with 'tproxy'"          if $track;
-	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	$mark = $globals{TPROXY_MARK};
+	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	    $mark = $globals{TPROXY_MARK};
+	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
+	    if ( $config{USE_DEFAULT_RT} ) {
+		if ( $rf ) {
+		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
+		} else {
+		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
+		}
+	    } else {
+		unless ( $balance ) {
+		    if ( $rf ) {
+			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
+		    } else {
+			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
+		    }
+		}
+	    }
+	}
     }
 
     my $val = 0;
@@ -649,7 +692,6 @@ sub process_a_provider( $ ) {
 	    
 	    $pref = 10000 + $number - 1;
 	}
-
     }
 
     unless ( $loose || $pseudo ) {
@@ -808,7 +850,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
 
@@ -824,7 +866,7 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
 
-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
@@ -834,24 +876,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( "find_interface_addresses $physical | while read address; do",
-		emit  ( "    qt \$IP -$family rule del from \$address" );
+			"    qt \$IP -$family rule del from \$address",
-		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
+	}
 
-	    if ( @{$providerref->{persistent_routes}} ) {
+	if ( @{$providerref->{persistent_routes}} ) {
-		emit '';
+	    emit '';
-		emit $_ for @{$providers{$table}->{persistent_routes}};
+	    emit $_ for @{$providers{$table}->{persistent_routes}};
-	    }
+	}
 
-	    if ( @{$providerref->{persistent_rules}} ) {
+	if ( @{$providerref->{persistent_rules}} ) {
-		emit '';
+	    emit '';
-		emit $_ for @{$providers{$table}->{persistent_rules}};
+	    emit $_ for @{$providers{$table}->{persistent_rules}};
-	    }
 	}
 
 	pop_indent;
@@ -859,7 +901,6 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
-
 	pop_indent;
 
 	emit( "}\n" );
@@ -885,7 +926,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
     }
@@ -917,7 +958,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
 
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
 
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -946,7 +987,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
 
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
     }
 
     if ( $balance ) {
@@ -958,14 +999,16 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(run_ip route replace default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 
+	emit( 'g_fallback=Yes' ) if $persistent;
+
 	$metrics = 1;
     }
 
@@ -987,12 +1030,13 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1049,7 +1093,21 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
+	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
+	    );
+
+	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
+	    emit  ( '#',
+		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
+		    '#',
+		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
+		    '    true',
+		    'done',
+		    ''
+		);
+	}
+
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1194,12 +1252,14 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
+	    );
 
 	if ( $pseudo ) {
-	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
 	}
 
 	pop_indent;
@@ -1300,7 +1360,7 @@ sub add_an_rtrule1( $$$$$ ) {
 
     $priority = "pref $priority";
 
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
     push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 
     if ( $persistent ) {
@@ -1398,22 +1458,22 @@ sub add_a_route( ) {
 
     if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route add $null $dest table $id);
+	    push @$routes,            qq(run_ip route replace $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
     } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
+	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
+	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
     }
 
@@ -1515,10 +1575,10 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        while qt \$IP -6 route delete default table $table; do true; done",
-		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
@@ -1536,7 +1596,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1563,7 +1623,7 @@ sub finish_providers() {
 	}
 
 	emit ( '#',
-	       '# Delete any routes in the \'balance\' table',
+	       '# Delete any default routes with metric 0 in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1578,7 +1638,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 
@@ -1591,7 +1651,10 @@ sub finish_providers() {
 	      'fi',
 	      '' );
     } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( "delete_default_routes $default",
+	emit( '#',
+	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
+	      '#',
+	      "delete_default_routes $default",
 	      ''
 	    );
     }
@@ -1636,7 +1699,7 @@ sub process_providers( $ ) {
     }
 
     if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
 
 	my $fn = open_file( 'route_rules' );
 
@@ -1781,7 +1844,7 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
+    for my $providerref ( values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1875,7 +1938,6 @@ sub setup_providers() {
 
 	emit "fi\n";
     }
-
 }
 
 #
@@ -1945,7 +2007,7 @@ sub compile_updown() {
     }
 
     my @nonshared = ( grep $providers{$_}->{optional},
-		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
+		      values %provider_interfaces );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2140,7 +2202,7 @@ sub handle_optional_interfaces( $ ) {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
+    for my $providerref ( grep $_->{optional} , values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
     }

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -154,7 +154,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( sort keys %reset ) {
+	for my $interface ( keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( sort keys %set ) {
+	for my $interface ( keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Tc.pm

@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
 
@@ -1924,7 +1924,7 @@ sub process_traffic_shaping() {
 
 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
 
-			for my $option ( sort keys %validredoptions ) {
+			for my $option ( keys %validredoptions ) {
 			    my $type = $validredoptions{$option};
 
 			    if ( my $value = $redopts->{$option} ) {
@@ -1943,7 +1943,7 @@ sub process_traffic_shaping() {
 
 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
 
-			for my $option ( sort keys %validcodeloptions ) {
+			for my $option ( keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};
 
 			    if ( my $value = $codelopts->{$option} ) {
@@ -2312,9 +2312,10 @@ EOF
 EOF
 
 	}
-
-	return ( $mangle, $fn1 );
     }
+
+    return ( $mangle, $fn1 );
+
 }
 
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -92,7 +92,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
-                    get_interface_origin
+		    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -108,55 +108,37 @@ our @EXPORT = ( qw( NOTHING
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
-
-#
-# IPSEC Option types
-#
-use constant { NOTHING    => 'NOTHING',
-	       NUMERIC    => '0x[\da-fA-F]+|\d+',
-	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
-	       IPSECPROTO => 'ah|esp|ipcomp',
-	       IPSECMODE  => 'tunnel|transport'
-	       };
-
-#
-# Option columns
-#
-use constant { IN_OUT     => 1,
-	       IN         => 2,
-	       OUT        => 3 };
-
 #
 # Zone Table.
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
-#                        complex =>    0|1
+#			 complex =>    0|1
-#                        super   =>    0|1
+#			 super	 =>    0|1
-#                        options =>    { in_out  => < policy match string >
+#			 options =>    { in_out	 => < policy match string >
-#                                        in      => < policy match string >
+#					 in	 => < policy match string >
-#                                        out     => < policy match string >
+#					 out	 => < policy match string >
-#                                      }
+#				       }
-#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
+#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
-#                        children =>   [ <children> ]
+#			 children =>   [ <children> ]
-#                        interfaces => { <interfaces1> => 1, ... }
+#			 interfaces => { <interfaces1> => 1, ... }
-#                        bridge =>     <bridge>
+#			 bridge =>     <bridge>
-#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#                                                                  options => { <option1> => <value1>
+#								   options => { <option1> => <value1>
-#                                                                               ...
+#										...
-#                                                                             }
+#									      }
-#                                                                  hosts   => [ <net1> , <net2> , ... ]
+#								   hosts   => [ <net1> , <net2> , ... ]
-#                                                                  exclusions => [ <net1>, <net2>, ... ]
+#								   exclusions => [ <net1>, <net2>, ... ]
-#                                                                  origin   => <where defined>
+#								   origin   => <where defined>
-#                                                                }
+#								 }
-#                                                <interface2> => ...
+#						 <interface2> => ...
-#                                              }
+#					       }
-#                                            ]
+#					     ]
-#                       }
+#			}
-#             <zone2> => ...
+#	      <zone2> => ...
-#           }
+#	    }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -178,27 +160,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name        => <name of interface>
+#     %interfaces { <interface1> => { name	  => <name of interface>
-#                                     root        => <name without trailing '+'>
+#				      root	  => <name without trailing '+'>
-#                                     options     => { port => undef|1
+#				      options	  => { port => undef|1
-#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
-#                                                      ...
+#						       ...
-#                                                    }
+#						     }
-#                                     zone        => <zone name>
+#				      zone	  => <zone name>
-#                                     multizone   => undef|1   #More than one zone interfaces through this interface
+#				      multizone	  => undef|1   #More than one zone interfaces through this interface
-#                                     nets        => <number of nets in interface/hosts records referring to this interface>
+#				      nets	  => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
+#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
-#                                     ports       => <number of port on this bridge>
+#				      ports	  => <number of port on this bridge>
-#                                     ipsec       => undef|1 # Has an ipsec host group
+#				      ipsec	  => undef|1 # Has an ipsec host group
-#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#                                     number      => <ordinal position in the interfaces file>
+#				      number	  => <ordinal position in the interfaces file>
-#                                     physical    => <physical interface name>
+#				      physical	  => <physical interface name>
-#                                     base        => <shell variable base representing this interface>
+#				      base	  => <shell variable base representing this interface>
-#                                     wildcard    => undef|1 # Wildcard Name
+#				      wildcard	  => undef|1 # Wildcard Name
-#                                     zones       => { zone1 => 1, ... }
+#				      zones	  => { zone1 => 1, ... }
-#                                     origin      => <where defined>
+#				      origin	  => <where defined>
-#                                   }
+#				    }
-#                 }
+#		  }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -221,6 +203,26 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 
+#
+# IPSEC Option types
+#
+use constant { NOTHING    => 'NOTHING',
+	       NUMERIC    => '0x[\da-fA-F]+|\d+',
+	       IPSECPROTO => 'ah|esp|ipcomp',
+	       IPSECMODE  => 'tunnel|transport'
+	     };
+
+sub NETWORK() {
+    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
+}
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -276,19 +278,7 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =
 
 our %validhostoptions;
 
-our %validzoneoptions = ( mss            => NUMERIC,
+our %validzoneoptions;
-			  nomark         => NOTHING,
-			  blacklist      => NOTHING,
-			  dynamic_shared => NOTHING,
-			  strict         => NOTHING,
-			  next           => NOTHING,
-			  reqid          => NUMERIC,
-			  spi            => NUMERIC,
-			  proto          => IPSECPROTO,
-			  mode           => IPSECMODE,
-			 "tunnel-src"   => NETWORK,
-			 "tunnel-dst"   => NETWORK,
-		       );
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -330,6 +320,20 @@ sub initialize( $$ ) {
     $minroot = 0;
     $loopback_interface = '';
 
+    %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
+		       );
+
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
@@ -407,6 +411,8 @@ sub initialize( $$ ) {
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
+				    upnp        => SIMPLE_IF_OPTION,
+				    upnpclient  => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -695,6 +701,40 @@ sub haveipseczones() {
     0;
 }
 
+#
+# Returns 1 if the two interfaces passed are related
+#
+sub interface_match( $$ ) {
+    my ( $piface, $ciface ) = @_;
+
+    return 1 if $piface eq $ciface;
+
+    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
+
+    return 1 if $piface eq $cifaceref->{bridge};
+    return 1 if $ciface eq $pifaceref->{bridge};
+
+    if ( $minroot ) {
+	if ( $piface =~ /\+$/ ) {
+	    my $root    = $pifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $ciface ) >= $rlength ) {
+		return 1 if $ciface eq $root;
+		chop $ciface;
+	    }
+	} elsif ( $ciface =~ /\+$/ ) {
+	    my $root    = $cifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $piface ) >= $rlength ) {
+		return 1 if $piface eq $root;
+		chop $piface;
+	    }
+	}
+    }
+
+    0;
+}
+
 #
 # Report about zones.
 #
@@ -713,10 +753,10 @@ sub zone_report()
 	my $printed = 0;
 
 	if ( $hostref ) {
-	    for my $type ( sort keys %$hostref ) {
+	    for my $type ( keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( sort keys %$interfaceref ) {
+		for my $interface ( keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -732,7 +772,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
 			    }
 			    $printed = 1;
 			}
@@ -741,6 +781,17 @@ sub zone_report()
 	    }
 	}
 
+      PARENT:
+	for my $p ( @{$zoneref->{parents}} ) {
+	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
+		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
+		    next PARENT if interface_match( $pi, $ci );
+		}
+	    }
+
+	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
+	}
+
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -766,10 +817,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 
 	if ( $hostref ) {
-	    for my $type ( sort keys %$hostref ) {
+	    for my $type ( keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( sort keys %$interfaceref ) {
+		for my $interface ( keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -1275,6 +1326,7 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
+		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -1312,7 +1364,7 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The '$option' option requires a value" unless supplied $value;
 
 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
@@ -1568,9 +1620,7 @@ sub known_interface($)
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface > $minroot ) {
+	while ( length $iface >= $minroot ) {
-	    chop $iface;
-
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1592,6 +1642,8 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
+
+	    chop $iface;
 	}
     }
 
@@ -2218,9 +2270,9 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	for my $type (keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
+	    for my $interface ( keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2248,9 +2300,9 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	for my $type (keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
+	    for my $interface ( keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {

Shorewall/Perl/compiler.pl

@@ -43,6 +43,8 @@
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
+#    If the <filename> is omitted, then a 'check' operation is performed.
+#
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -32,7 +32,7 @@
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
-#	    reenable			Disable then nable an optional
+#	    reenable			Disable then enable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall
@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
     $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route
+	qt $IP -$g_family route del $route table $1
     done
 } 
 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
 
     if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
+	if [ -n "$(mywhich conntrack)" ]; then
             conntrack -F
 	else
             error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface
+detect_gateway() # $1 = interface $2 = table number
 {
     local interface
     interface=$1
@@ -912,6 +912,8 @@ detect_gateway() # $1 = interface
     # Maybe there's a default route through this gateway already
     #
     [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+
+    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #

Shorewall/Perl/prog.footer

@@ -78,11 +78,13 @@ reload_command() {
     detect_configuration
     define_firewall
     status=$?
-    if [ -n "$SUBSYSLOCK" ]; then
- 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-    fi
 
-    [ $status -eq 0 ] && progress_message3 "done."
+    if [ $status -eq 0 ]; then
+	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	progress_message3 "done."
+    else
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    fi
 }
 
 ################################################################################
@@ -127,8 +129,10 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockeringress=
 g_dockernetwork=
 g_forcereload=
+g_fallback=
 
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 
@@ -264,8 +268,10 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    $g_tool -Z
+	    for table in raw mangle nat filter; do
-	    $g_tool -t mangle -Z
+		qt $g_tool -t $table -Z
+	    done
+
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -418,9 +424,12 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
+	    COMMAND=disable
 	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
+	    disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    COMMAND=enable
+	    detect_configuration $1
+	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0

Shorewall/Samples/Universal/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for universal configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/Universal/policy

@@ -7,7 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
-#				LEVEL	BURST		MASK
 $FW	net	ACCEPT
-net	all	DROP
+net	all	DROP		$LOG_LEVEL

Shorewall/Samples/Universal/shorewall.conf

@@ -33,6 +33,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL="info"
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -75,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -108,10 +110,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -140,6 +143,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -200,8 +205,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -212,6 +215,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=Yes
@@ -242,6 +247,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0

Shorewall/Samples/one-interface/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for one-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/one-interface/policy

@@ -11,8 +11,8 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
-$FW		net		ACCEPT
+$FW	net		ACCEPT
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL

Shorewall/Samples/one-interface/shorewall.conf

@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -86,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -119,10 +121,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -151,6 +154,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -223,6 +226,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No
@@ -253,6 +258,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
-dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
+dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2

Shorewall/Samples/three-interfaces/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for three-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/three-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
-loc		net		ACCEPT
+loc	net		ACCEPT
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
 # THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -41,6 +41,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL="info"
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -61,19 +63,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -83,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -116,10 +118,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -148,6 +151,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -208,8 +213,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -220,6 +223,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No
@@ -250,6 +255,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
+ACCEPT		LOC_IF		-
-ACCEPT		-		eth1
+ACCEPT		-		LOC_IF
-ACCEPT		eth2		-
+ACCEPT		DMZ_IF		-
-ACCEPT		-		eth2
+ACCEPT		-		DMZ_IF
 

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1

Shorewall/Samples/two-interfaces/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/two-interfaces/policy

@@ -11,10 +11,10 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
-loc		net		ACCEPT
+loc	net		ACCEPT
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
-# THE FOLLOWING POLICY MUST BE LAST
+# THE FOLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL="info"
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -86,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -119,10 +121,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -151,6 +154,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -223,6 +226,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No
@@ -253,6 +258,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No