Correct convertion of tcrules->mangle when a writable mangle exists

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -369,7 +369,7 @@ fi
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
 #
 # Install wait4ifup
 #

Shorewall-core/lib.cli

@@ -78,29 +78,6 @@ showchain() # $1 = name of chain
     fi
 }
 
-#
-# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
-#
-
-iptablesbug()
-{
-    if [ $g_family -eq 4 ]; then
-	if qt mywhich awk ; then
-	    awk 'BEGIN           { sline=""; };\
-             /^-[jg]/            { print sline $0; next };\
-             /-m policy.*-[jg] / { print $0; next };\
-             /-m policy/         { sline=$0; next };\
-             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
-                                 { print ; sline="" }'
-        else
-	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
-	    cat
-	fi
-    else
-	cat
-    fi
-}
-
 #
 # Validate the value of RESTOREFILE
 #
@@ -1150,6 +1127,11 @@ show_macros() {
     done
 }
 
+show_an_action() {
+    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
+    cat ${directory}/action.$1
+}
+
 show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
@@ -1458,12 +1440,27 @@ show_command() {
 		    ;;
 	    	*)
 		    case $1 in
+			action)
+			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
+			    [ $# -gt 2 ] && too_many_arguments $2
+
+			    for directory in $(split $CONFIG_PATH); do
+				if [ -f ${directory}/action.$2 ]; then
+				    eval show_an_action $2 $g_pager
+				    return
+				fi
+			    done
+
+			    echo "   WARNING: Action $2 not found" >&2
+			    return
+			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
+			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -4291,6 +4288,7 @@ usage() # $1 = exit status
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     ecko "   [ show | list | ls ] actions"
+    ecko "   [ show | list | ls ] action <action>"
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4393,7 +4391,10 @@ shorewall_cli() {
     finished=0
 
     while [ $finished -eq 0 ]; do
-	[ $# -eq 0 ] && usage 1
+	if [ $# -eq 0 ]; then
+	    setup_product_environment 1
+	    usage 1
+	fi
 	option=$1
 	case $option in
 	    -)
@@ -4523,10 +4524,6 @@ shorewall_cli() {
 	esac
     done
 
-    if [ $# -eq 0 ]; then
-	usage 1
-    fi
-
     setup_product_environment 1
 
    [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std

Shorewall-core/manpages/shorewall.xml

@@ -685,6 +685,31 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg choice="plain"><option>{actions|macros}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>action</option><arg
+      choice="plain"><replaceable>action</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -695,7 +720,7 @@
       <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -2415,12 +2440,23 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">action
+              <replaceable>action</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Lists the named action file. Available on Shorewall and
+                Shorewall6 only.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">actions</emphasis></term>
 
               <listitem>
                 <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
+                standard and user-defined). Available on Shorewall and
+                Shorewall6 only.</para>
               </listitem>
             </varlistentry>
 

Shorewall-lite/shorewall-lite.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall/Actions/action.A_Drop

@@ -12,6 +12,7 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
+?require AUDIT_TARGET
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #

Shorewall/Actions/action.A_REJECT

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.A_REJECT!

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.AllowICMPs

@@ -0,0 +1,11 @@
+#
+# Shorewall -- /usr/share/shorewall/action.AllowICMPs
+#
+# This action ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS ACCEPT
+@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}

Shorewall/Actions/action.BLACKLIST

@@ -0,0 +1,50 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+# Note -- This action is defined with the 'section' option, so the first
+#         parameter is always the section name. That means that in the
+#         following text, the first parameter passed in the rule is actually
+#         @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+   ?if $BLACKLIST_LOG_LEVEL
+       blacklog
+   ?else
+       $BLACKLIST_DISPOSITION
+   ?endif
+?else
+   ?if ! "$SW_DBL_IPSET"
+   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+   ?endif
+
+   DEFAULTS -,DROP,-
+   #
+   # Add to the blacklist
+   #
+   ?if passed(@3)
+       ADD($SW_DBL_IPSET:src:@3)
+   ?elsif $SW_DBL_TIMEOUT
+       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+   ?else
+       ADD($SW_DBL_IPSET:src)
+   ?endif
+   #
+   # Dispose of the packet if asked
+   #
+   ?if passed(@2)
+      @2
+   ?endif
+?endif

Shorewall/Actions/action.Broadcast

@@ -30,7 +30,6 @@ DEFAULTS DROP,-
 
 ?if __ADDRTYPE
 @1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 @1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
@@ -50,9 +49,6 @@ add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
-
 1;
 
 ?end perl;

Shorewall/Actions/action.Drop.deprecated

@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
-# The default DROP common rules
+# The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
@@ -28,6 +28,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 
 ?if passed(@1)
     ?if @1 eq 'audit'
@@ -58,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.

Shorewall/Actions/action.DropDNSrep

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/action.DropDNSrep
+#
+# This macro silently drops DNS UDP replies that are in the New state
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS DROP
+@1	-	-	udp	-	53 { comment="Late DNS Replies" }

Shorewall/Actions/action.Limit

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Limit
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Limit(<recent-set>,<num-connections>,<timeout>)
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.Multicast

@@ -0,0 +1,50 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Multicast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Multicast[([<action>|-[,{audit|-}])]
+#
+# Default action is DROP
+#
+###############################################################################
+
+DEFAULTS DROP,-
+
+?if __ADDRTYPE
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+?else
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action )         = get_action_params( 1 );
+my $chainref           = get_action_chain;
+my ( $level, $tag )    = get_action_logging;
+
+log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+
+1;
+
+?end perl;
+?endif

Shorewall/Actions/action.Reject.deprecated

@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
-# The default REJECT action common rules
+# The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
@@ -20,13 +20,14 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 
 ?if passed(@1)
     ?if @1 eq 'audit'
@@ -61,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be

Shorewall/Actions/action.allowBcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowBcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.allowMcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowMcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.allowinUPnP

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowinUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowinUPnP[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.dropBcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.dropMcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropMcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.dropNotSyn

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropNotSyn[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.forwardUPnP

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.forwardUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# forwardUPnP
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.rejNotSyn

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.rejNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# rejNotSyn[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Macros/macro.AllowICMPs

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
-#
-# This macro ACCEPTs needed ICMP types.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Needed ICMP types
-
-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded

Shorewall/Macros/macro.BLACKLIST

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.blacklist
-#
-# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?if $BLACKLIST_LOGLEVEL
-blacklog
-?else
-$BLACKLIST_DISPOSITION
-?endif

Shorewall/Macros/macro.Drop

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Drop
-#
-# This macro generates the same rules as the Drop default action
-# It is used in place of action.Drop when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Drop	net	all
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' DROP
-#
-DROP	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DROP	-	-	udp	135,445
-DROP	-	-	udp	137:139
-DROP	-	-	udp	1024:	137
-DROP	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Macros/macro.DropDNSrep

@@ -1,12 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
-#
-# This macro silently drops DNS UDP replies
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Late DNS Replies
-
-DEFAULT DROP
-PARAM	-	-	udp	-	53

Shorewall/Macros/macro.Reject

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Reject
-#
-# This macro generates the same rules as the Reject default action
-# It is used in place of action.Reject when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Reject	loc	fw
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' REJECT
-#
-REJECT	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-REJECT	-	-	udp	135,445
-REJECT	-	-	udp	137:139
-REJECT	-	-	udp	1024:	137
-REJECT	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Perl/Shorewall/Config.pm

@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
+		    VERSION                 => "5.1.1-RC1",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -792,6 +792,7 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
+	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -816,6 +817,7 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
+	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -904,6 +906,7 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
+	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2710,11 +2713,11 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$ ) {
-    my ( $first, $val, $rest ) = @_;
+sub join_parts( $$$$ ) {
+    my ( $first, $val, $rest, $just_expand ) = @_;
 
     $val = '' unless defined $val;
-    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
+    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
 					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
 					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
     join( '', $first, $val, $rest );
@@ -2769,7 +2772,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
 
-	$expression = join_parts( $first, $val, $rest );
+	$expression = join_parts( $first, $val, $rest, $just_expand );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
     }
 
@@ -2780,7 +2783,7 @@ sub evaluate_expression( $$$$ ) {
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest );
+	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
     }
@@ -2852,7 +2855,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -2992,15 +2995,18 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 
 	  ERROR => sub() {
+	      unless ( $omitting ) {
 		  directive_error( evaluate_expression( $expression ,
 							$filename ,
 							$linenumber ,
 							1 ) ,
 				   $filename ,
 				   $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  WARNING => sub() {
+	      unless ( $omitting ) {
 		  directive_warning( $config{VERBOSE_MESSAGES} ,
 				     evaluate_expression( $expression ,
 							  $filename ,
@@ -3008,9 +3014,11 @@ sub process_compiler_directive( $$$$ ) {
 							  1 ),
 				     $filename ,
 				     $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  INFO => sub() {
+	      unless ( $omitting ) {
 		  directive_info( $config{VERBOSE_MESSAGES} ,
 				  evaluate_expression( $expression ,
 						       $filename ,
@@ -3018,9 +3026,11 @@ sub process_compiler_directive( $$$$ ) {
 						       1 ),
 				  $filename ,
 				  $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  'WARNING!' => sub() {
+	      unless ( $omitting ) {
 		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
 				     evaluate_expression( $expression ,
 							  $filename ,
@@ -3028,9 +3038,11 @@ sub process_compiler_directive( $$$$ ) {
 							  1 ),
 				     $filename ,
 				     $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  'INFO!' => sub() {
+	      unless ( $omitting ) {
 		  directive_info( ! $config{VERBOSE_MESSAGES} ,
 				  evaluate_expression( $expression ,
 						       $filename ,
@@ -3038,6 +3050,15 @@ sub process_compiler_directive( $$$$ ) {
 						       1 ),
 				  $filename ,
 				  $linenumber ) unless $omitting;
+	      }
+	  } ,
+
+	  REQUIRE => sub() {
+	      unless ( $omitting ) {
+		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
+		  fatal_error "Unknown capability ($expression)" unless exists $capabilities{$expression};
+		  require_capability( $expression, "The $actparams{action} action", 's' );
+	      }
 	  } ,
 
 	);
@@ -3753,7 +3774,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -5279,12 +5300,25 @@ sub update_config_file( $ ) {
     }
 
     update_default( 'USE_DEFAULT_RT', 'No' );
+
+    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
+	update_default( 'BALANCE_PROVIDERS', 'No' );
+    } else {
+	update_default( 'BALANCE_PROVIDERS', 'Yes' );
+    }
+
     update_default( 'EXPORTMODULES',     'No' );
     update_default( 'RESTART',           'reload' );
     update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',          '' );
 
+    if ( $family == F_IPV4 ) {
+	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
+    } else {
+	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
+    }	
+
     my $fn;
 
     unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -6286,6 +6320,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6302,6 +6337,8 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
 
+    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
+
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6342,6 +6379,9 @@ sub get_configuration( $$$$ ) {
 
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
+	    $variables{SW_DBL_IPSET}   = $set;
+	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
+
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6349,6 +6389,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
+    add_variables( %variables );
+
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
     default_yes_no 'COMPLETE'                   , '';
@@ -6446,6 +6488,12 @@ sub get_configuration( $$$$ ) {
     default_log_level 'INVALID_LOG_LEVEL',    '';
     default_log_level 'UNTRACKED_LOG_LEVEL',  '';
 
+    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
+	validate_level( $val );
+    } else {
+	$config{LOG_LEVEL} = 'info';
+    }
+
     if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -6614,13 +6662,16 @@ sub get_configuration( $$$$ ) {
     }
 
     default 'RESTOREFILE'           , 'restore';
-    default 'DROP_DEFAULT'          , 'Drop';
-    default 'REJECT_DEFAULT'        , 'Reject';
+
+    default 'DROP_DEFAULT'          , 'none';
+
+    default 'REJECT_DEFAULT'        , 'none';
+    default 'BLACKLIST_DEFAULT'     , 'none';
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
 
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -523,7 +523,7 @@ sub process_a_provider( $ ) {
 	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
     } else {
 	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
     }
 
     unless ( $options eq '-' ) {
@@ -603,6 +603,7 @@ sub process_a_provider( $ ) {
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
 
+    unless ( $pseudo ) {
 	if ( $local ) {
 	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
 	    fatal_error "'track' not valid with 'local'"           if $track;
@@ -616,6 +617,23 @@ sub process_a_provider( $ ) {
 	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
 	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
 	    $mark = $globals{TPROXY_MARK};
+	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
+	    if ( $config{USE_DEFAULT_RT} ) {
+		if ( $rf ) {
+		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
+		} else {
+		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
+		}
+	    } else {
+		unless ( $balance ) {
+		    if ( $rf ) {
+			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
+		    } else {
+			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
+		    }
+		}
+	    }
+	}
     }
 
     my $val = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION ,        'ALL',
 
 our @policy_chains;
 
-our %default_actions;
+our %policy_actions;
 
 our %macros;
 
@@ -233,6 +233,7 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
+	       SECTION_OPT          => 2048 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -246,6 +247,7 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
+		 section     => SECTION_OPT ,
     );
 
 our %reject_options;
@@ -309,11 +311,14 @@ sub initialize( $ ) {
     # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
     # in the %config hash when shorewall[6].conf was processed.
     #
-    %default_actions  = ( DROP     => 'none' ,
-		 	  REJECT   => 'none' ,
-			  ACCEPT   => 'none' ,
-			  QUEUE    => 'none' ,
-			  NFQUEUE  => 'none' ,
+    %policy_actions  = ( DROP	    => [] ,
+			 REJECT    => [] ,
+			 BLACKLIST => [] ,
+			 ACCEPT    => [] ,
+			 QUEUE	   => [] ,
+			 NFQUEUE   => [] ,
+			 CONTINUE  => [] ,
+			 NONE      => [] ,
 			);
     #
     # These are set to 1 as sections are encountered.
@@ -358,7 +363,7 @@ sub initialize( $ ) {
     @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
 
     if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -367,10 +372,11 @@ sub initialize( $ ) {
 			    'icmp-host-prohibited'   => 1,
 			    'icmp-admin-prohibited'  => 1,
 			    'icmp-tcp-reset'         => 2,
+			    'tcp-reset'              => 2,
 	                  );
 			    
     } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -427,6 +433,7 @@ sub convert_to_policy_chain($$$$$$)
     $chainref->{audit}       = $audit;
     $chainref->{policychain} = $chainref->{name};
     $chainref->{policypair}  = [ $source, $dest ];
+    $chainref->{pactions}    = [];
 }
 
 #
@@ -476,7 +483,7 @@ sub set_policy_chain($$$$$$)
 		$chainref->{synchain}    = $polchainref->{synchain};
 	    }
 
-	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
+	    $chainref->{pactions}    = $polchainref->{pactions} || [];
 	    $chainref->{is_policy}   = 1;
 	    push @policy_chains, $chainref;
 	} else {
@@ -525,12 +532,12 @@ sub normalize_action( $$$ );
 sub normalize_action_name( $ );
 sub normalize_single_action( $ );
 
-sub process_default_action( $$$$ ) {
-    my ( $originalpolicy, $policy, $default, $level ) = @_;
+sub process_policy_action( $$$$ ) {
+    my ( $originalpolicy, $policy, $paction, $level ) = @_;
 
-    if ( supplied $default ) {
-	my $default_option = ( $policy =~ /_DEFAULT$/ );
-	my ( $def, $param ) = get_target_param( $default );
+    if ( supplied $paction ) {
+	my $paction_option = ( $policy =~ /_DEFAULT$/ );
+	my ( $act, $param ) = get_target_param( $paction );
 
 	if ( supplied $level ) {
 	    validate_level( $level );
@@ -538,35 +545,49 @@ sub process_default_action( $$$$ ) {
 	    $level = 'none';
 	}
 
-	if ( "\L$default" eq 'none' ) {
-	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
-		if ( $default_option ) {
-		    fatal_error "Invalid setting ($originalpolicy) for $policy";
+	if ( ( $targets{$act} || 0 ) & ACTION ) {
+	    $paction = supplied $param  ? normalize_action( $act, $level, $param  ) :
+		       $level eq 'none' ? normalize_action_name $act :
+		       normalize_action( $act, $level, '' );
+	} elsif ( ( $targets{$act} || 0 ) == INLINE ) {
+	    $paction = $act;
+	    $paction = "$act($param)" if supplied $param;
+	    $paction = join( ':', $paction, $level ) if $level ne 'none';
+	} elsif ( $paction_option ) {
+	    fatal_error "Unknown Action ($paction) in $policy setting";
 	} else {
-		    fatal_error "Invalid policy ($originalpolicy)";
-		}
-	    }
-
-	    $default = 'none';
-	} elsif ( ( $targets{$def} || 0 ) == ACTION ) {
-	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
-		       $level eq 'none' ? normalize_action_name $def :
-		       normalize_action( $def, $level, '' );
-	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
-	    $default = $def;
-	    $default = "$def($param)" if supplied $param;
-	    $default = join( ':', $default, $level ) if $level ne 'none';
-	} elsif ( $default_option ) {
-	    fatal_error "Unknown Action ($default) in $policy setting";
-	} else {
-	    fatal_error "Unknown Default Action ($default)";
+	    fatal_error "Unknown Policy Action ($paction)";
 	}
 
     } else {
-	$default = $default_actions{$policy} || 'none';
+	$paction = $policy_actions{$policy};
     }
 
-    $default;
+    $paction;
+}
+
+sub process_policy_actions( $$$ ) {
+    my ( $originalpolicy, $policy, $pactions ) = @_;
+
+    if ( supplied $pactions ) {
+	my @pactions;
+
+	if ( lc $pactions ne 'none' ) {
+	    @pactions = @{$policy_actions{$policy}} if $pactions =~ s/^\+//;
+
+	    for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
+		my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
+
+		fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
+
+		push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
+	    }
+	}
+
+	\@pactions;
+    } else {
+	$policy_actions{$policy};
+    }
 }
 
 #
@@ -654,12 +675,10 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
+    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
-    fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
-
     ( $policy , my $queue ) = get_target_param $policy;
 
     fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
@@ -668,7 +687,7 @@ sub process_a_policy1($$$$$$$) {
 	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
     }
 
-    $default = process_default_action( $originalpolicy, $policy, $default, $level );
+    my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
 	$policy = handle_nfqueue( $queue,
@@ -679,6 +698,8 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
+    } elsif ( $policy eq 'BLACKLIST' ) {
+	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
     }
 
     unless ( $clientwild || $serverwild ) {
@@ -723,10 +744,7 @@ sub process_a_policy1($$$$$$$) {
 	$chainref->{synchain}  = $chain
     }
 
-    assert( $default );
-    my $chainref1 = $usedactions{$default};
-    $chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
-
+    $chainref->{pactions} = $pactionref;
     $chainref->{origin}   = shortlineinfo('');
 
     if ( $clientwild ) {
@@ -760,7 +778,11 @@ sub process_a_policy() {
     our @zonelist;
 
     my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
-	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+	split_line2( 'policy file',
+		     { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, rate => 4, connlimit => 5 } ,
+		     {} , # nopad
+		     6  , # maxcolumns
+		    );
 
     $loglevel  = '' if $loglevel  eq '-';
     $synparams = '' if $synparams eq '-';
@@ -819,6 +841,7 @@ sub process_policies()
 			  REJECT => undef,
 			  DROP	 => undef,
 			  CONTINUE => undef,
+			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
@@ -826,6 +849,7 @@ sub process_policies()
 
     our %map = ( DROP_DEFAULT      => 'DROP' ,
 		 REJECT_DEFAULT    => 'REJECT' ,
+		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
 		 ACCEPT_DEFAULT    => 'ACCEPT' ,
 		 QUEUE_DEFAULT     => 'QUEUE' ,
 		 NFQUEUE_DEFAULT   => 'NFQUEUE' );
@@ -834,16 +858,16 @@ sub process_policies()
     my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
-	my $action = $config{$option};
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+	my $actions = $config{$option};
 
-	unless ( $action eq 'none' ) {
-	    my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
-	    fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
-	    $action = process_default_action( $action, $option, $default, $level );
+	if ( $actions eq 'none' ) {
+	    $actions = [];
+	} else {
+	    $actions = process_policy_actions( $actions, $option, $actions );
 	}
 
-	$default_actions{$map{$option}} = $action;
+	$policy_actions{$map{$option}} = $actions;
     }
 
     for $zone ( all_zones ) {
@@ -903,31 +927,36 @@ sub process_policies()
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 
 sub add_policy_rules( $$$$$ ) {
-    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
+    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
+	my @pactions;
+
+	@pactions = @$pactions;
+
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 
-	if ( $default && $default ne 'none' ) {
-	    my ( $action ) = split ':', $default;
+	for my $paction ( @pactions ) {
+	    my ( $action ) = split ':', $paction;
 
-	    if ( ( $targets{$action} || 0 ) == ACTION ) {
+	    if ( ( $targets{$action} || 0 ) & ACTION ) {
 		#
 		# Default action is a regular action -- jump to the action chain
 		#
-		add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} );
+		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 	    } else {
 		#
 		# Default action is an inline 
 		#
+		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
 
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
 				'',           #Matches1
-				$loglevel,    #Log Level and Tag
-				$default,     #Target
+				$level || '', #Log Level and Tag
+				$paction,     #Target
 				$param || '', #Param
 				'-',          #Source
 				'-',          #Dest
@@ -951,7 +980,20 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
+	if ( $target eq 'BLACKLIST' ) {
+	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
+
+	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
+	    } else {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
+	    }
+
+	    $target = 'DROP';
+	} else {
 	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	}
+
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
     }
 }
@@ -967,27 +1009,26 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
     my $chainref   = $_[0];
     my $policyref  = $filter_table->{$chainref->{policychain}};
     my $synparams  = $policyref->{synparams};
-    my $default    = $policyref->{default};
+    my $defaults   = $policyref->{pactions};
     my $policy     = $policyref->{policy};
     my $loglevel   = $policyref->{loglevel};
 
     assert( $policyref );
 
     if ( $chainref eq $policyref ) {
-	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
     } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
-		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -1010,7 +1051,7 @@ sub complete_policy_chains() {
 	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
-	    my $default     = $chainref->{default};
+	    my $defaults    = $chainref->{pactions};
 	    my $name        = $chainref->{name};
 	    my $synparms    = $chainref->{synparms};
 
@@ -1022,7 +1063,7 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( $default ne 'none' ||
+		    ensure_rules_chain $name if ( @$defaults         ||
 						  $loglevel          ||
 						  $synparms          ||
 						  $config{MULTICAST} ||
@@ -1033,7 +1074,7 @@ sub complete_policy_chains() {
 	    }
 
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
-		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
     }
@@ -1062,20 +1103,18 @@ sub complete_standard_chain ( $$$$ ) {
     my ( $stdchainref, $zone, $zone2, $default ) = @_;
 
     my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
-    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
+    my ( $policy, $loglevel ) = ( $default , 6 );
+    my $policy_actions = $policy_actions{$policy};
     my $policychainref;
 
     $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
 
     if ( $policychainref ) {
-	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
+	( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
 	$stdchainref->{origin} = $policychainref->{origin};
-    } elsif ( $defaultaction !~ /:/ ) {
-	$defaultaction = normalize_single_action( $defaultaction );
     }
 
-
-    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+    add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
 }
 
 #
@@ -1703,12 +1742,18 @@ sub dropBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
     }
+}
+
+sub dropMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit ( 'DROP', $audit );
 
     if ( $family == F_IPV4 ) {
-	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
+	log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
     } else {
-	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
@@ -1738,12 +1783,18 @@ sub allowBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
     }
+}
+
+sub allowMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
 
     if ( $family == F_IPV4 ) {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
     } else {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
@@ -1833,7 +1884,9 @@ sub Limit( $$$$ ) {
 }
 
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
+		   'dropMcast'      => \&dropMcast,
 		   'allowBcast'     => \&allowBcast,
+		   'allowMcast'     => \&allowMcast,
 		   'dropNotSyn'     => \&dropNotSyn,
 		   'rejNotSyn'      => \&rejNotSyn,
 		   'allowinUPnP'    => \&allowinUPnP,
@@ -1879,12 +1932,12 @@ sub process_action(\$\$$) {
 
     progress_message2 "$doing $actionfile for chain $chainref->{name}...";
 
-    push_open $actionfile, 2, 1, undef, 2;
-
     my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
     my $options = $actionref->{options};
     my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
 
+    push_open $actionfile, 2, 1, undef, 2;
+
     setup_audit_action( $action ) if $options & AUDIT_OPT;
 
     $active{$action}++;
@@ -2718,7 +2771,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Determine the validity of the action
     #
-    $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
+    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
     if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -2866,6 +2919,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			  # tcp-reset
 			  #
 			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
+			  $exceptionrule = '-p 6 ';
+			  $param = 'tcp-reset';
 		      }
 
 		      $action = "REJECT --reject-with $param";
@@ -3126,6 +3181,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Handle 'section' option
+	#
+	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#

Shorewall/Perl/Shorewall/Tc.pm

@@ -2312,9 +2312,10 @@ EOF
 EOF
 
 	}
+    }
 
     return ( $mangle, $fn1 );
-    }
+
 }
 
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -1275,6 +1275,7 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
+		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {

Shorewall/Perl/lib.runtime

@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=

Shorewall/Samples/Universal/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for universal configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/Universal/policy

@@ -7,7 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
 $FW	net	ACCEPT
-net	all	DROP
+net	all	DROP		$LOG_LEVEL

Shorewall/Samples/Universal/shorewall.conf

@@ -33,6 +33,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -107,11 +109,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -140,6 +143,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/one-interface/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for one-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/one-interface/policy

@@ -11,8 +11,8 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 $FW	net		ACCEPT
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL

Shorewall/Samples/one-interface/shorewall.conf

@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -118,11 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -151,6 +154,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/three-interfaces/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for three-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/three-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
 loc	net		ACCEPT
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
 # THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -41,6 +41,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -61,19 +63,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -115,11 +117,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -148,6 +151,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/two-interfaces/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall/Samples/two-interfaces/policy

@@ -11,10 +11,10 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
 loc	net		ACCEPT
-net		all		DROP		info
-# THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+net	all		DROP		$LOG_LEVEL
+# THE FOLOWING POLICY MUST BE LAST
+all	all		REJECT		$LOG_LEVEL
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -118,11 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -151,6 +154,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/actions.std

@@ -9,10 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-A_ACCEPT                        # Audits then accepts a connection request
-A_DROP                          # Audits then drops a connection request
-allowBcast		        # Silently Allow Broadcast/multicast
-dropBcast		        # Silently Drop Broadcast/multicast
+allowBcast			# Silently Allow Broadcast
+allowMcast			# Silently Allow Multicast
+dropBcast			# Silently Drop Broadcast
+dropMcast			# Silently Drop Multicast
 dropNotSyn			# Silently Drop Non-syn TCP packets
 rejNotSyn			# Silently Reject Non-syn TCP packets
 allowinUPnP			# Allow UPnP inbound (to firewall) traffic
@@ -25,13 +25,16 @@ A_Drop 		                # Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
+AllowICMPs   inline             # Allow Required ICMP packets
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
-Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
+BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
-Drop		                # Default Action for DROP policy
+Drop				# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
@@ -39,9 +42,10 @@ GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
+Multicast    noinline,audit	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-Reject                          # Default Action for REJECT policy
+Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event

Shorewall/configfiles/policy

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT

Shorewall/configfiles/shorewall.conf

@@ -33,6 +33,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -108,10 +110,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -140,6 +143,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/install.sh

@@ -481,6 +481,16 @@ if [ -z "$first_install" ]; then
     delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
     delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
     delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
+
+    if [ $PRODUCT = shorewall ]; then
+	#
+	# Delete deprecated macros and actions
+	#
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/macro.SNMPTrap
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_REJECT
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Drop
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
+    fi
 fi
 
 #

Shorewall/lib.cli-std

@@ -443,6 +443,7 @@ compiler() {
     fi
 
     options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
+
     [ -n "$shorewallrc1" ]     && options="$options --shorewallrc1=${shorewallrc1}"
     [ -n "$STARTUP_LOG" ]      && options="$options --log=$STARTUP_LOG"
     [ -n "$LOG_VERBOSITY" ]    && options="$options --log_verbosity=$LOG_VERBOSITY";

Shorewall/manpages/shorewall-actions.xml

@@ -191,6 +191,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified. </para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -205,9 +224,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
-                built-in action is termiating (i.e., if the action is jumped
-                to, the next rule in the chain is not evaluated).</para>
+                <option>builtin</option>, indicates that the built-in action
+                is termiating (i.e., if the action is jumped to, the next rule
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-interfaces.xml

@@ -303,6 +303,12 @@ loc     eth2            -</programlisting>
                 <para>Designates the interface as a bridge. Beginning with
                 Shorewall 4.4.7, setting this option also sets
                 <option>routeback</option>.</para>
+
+                <note>
+                  <para>If you have a bridge that you don't intend to define
+                  bport zones on, then it is best to omit this option and
+                  simply specify <option>routeback</option>.</para>
+                </note>
               </listitem>
             </varlistentry>
 
@@ -762,6 +768,13 @@ loc     eth2            -</programlisting>
                     </listitem>
                   </itemizedlist>
                 </note>
+
+                <para>Beginning with Shorewall 5.1.1, when
+                <option>routefilter</option> is set to a non-zero value, the
+                <option>logmartians</option> option is also implicitly set. If
+                you actually want route filtering without logging, then you
+                must also specify <option>logmartians=0</option> after
+                <option>routefilter</option>.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-policy.xml

@@ -115,11 +115,12 @@
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
         role="bold">REJECT</emphasis>|<emphasis
+        role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
+        role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
         role="bold">None</emphasis>}]</term>
 
         <listitem>
@@ -137,8 +138,9 @@
             </listitem>
 
             <listitem>
-              <para>The name of an action. The action will be invoked before
-              the policy is enforced.</para>
+              <para>The name of an action with optional parameters enclosed in
+              parentheses. The action will be invoked before the policy is
+              enforced.</para>
             </listitem>
           </orderedlist>
 
@@ -149,7 +151,16 @@
           applied to each rule in the action or body that does not already
           have a log level.</para>
 
-          <para>Possible actions are:</para>
+          <para>Beginning with Shorewall 5.1.2, multiple
+          <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
+          specification may be listeded, separated by commas. The actions are
+          invoked in the order listed. Also beginning with Shorewall 5.1.2,
+          the policy-action list can be prefixed with a plus sign ("+")
+          indicating that the listed actions are in addition to those listed
+          in the related _DEFAULT setting in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>Possible policies are:</para>
 
           <variablelist>
             <varlistentry>
@@ -177,6 +188,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 
@@ -259,7 +283,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
+        <term><emphasis role="bold">RATE</emphasis> (rate) -
         [-|<replaceable>limit</replaceable>]</term>
 
         <listitem>

Shorewall/manpages/shorewall-providers.xml

@@ -208,6 +208,16 @@
                 <option>balance=</option><replaceable>weight</replaceable>
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface.</para>
+
+                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
+                <option>balance=1</option> is assumed unless the
+                <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified. Beginning with Shorewall 5.1.1, when
+                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
+                unless the <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-rtrules.xml

@@ -129,6 +129,17 @@
           <para>Beginning with Shorewall 5.0.2, the priority may be followed
           optionally by an exclaimation mark ("!"). This causes the rule to
           remain in place if the interface is disabled.</para>
+
+          <caution>
+            <para>Be careful when using rules of the same PRIORITY as some
+            unexpected behavior can occur when multiple rules have the same
+            SOURCE. For example, in the following rules, the second rule
+            overwrites the first unless the priority in the second is changed
+            to 19001 or higher:</para>
+
+            <programlisting>10.10.0.0/24    192.168.5.6 provider1 19000
+10.10.0.0/24    -           provider2 19000</programlisting>
+          </caution>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -109,7 +109,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis
-        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -119,7 +119,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -129,7 +129,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -139,7 +139,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -149,13 +149,23 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para>In earlier Shorewall versions, a "default action" for DROP and
-          REJECT policies was specified in the file
-          /usr/share/shorewall/actions.std.</para>
+          <para/>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para>In earlier Shorewall versions, a "<firstterm>default
+          action</firstterm>" for DROP and REJECT policies was specified in
+          the file /usr/share/shorewall/actions.std.</para>
 
           <para>In Shorewall 4.4.0, the DROP_DEFAULT, REJECT_DEFAULT,
           ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options were
@@ -169,20 +179,38 @@
 
           <para>The value applied to these may be:</para>
 
-          <para>The default values are:</para>
+          <simplelist>
+            <member>a) The name of an <replaceable>action</replaceable>. The
+            name may optionally be followed by a comma-separated list of
+            parameters enclosed in parentheses if the specified action accepts
+            parameters (e.g., 'Drop(audit)').</member>
+
+            <member>c) <emphasis role="bold">None</emphasis> or <emphasis
+            role="bold">none</emphasis></member>
+          </simplelist>
+
+          <para>Prior to Shorewall 5.1.2, the default values are:</para>
 
           <simplelist>
             <member>DROP_DEFAULT="Drop"</member>
 
             <member>REJECT_DEFAULT="Reject"</member>
 
+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
 
-            <member>NFQUEUE_DEFAULT="None"</member>
+            <member>NFQUEUE_DEFAULT="none"</member>
           </simplelist>
 
+          <para>Beginning with Shorewall 5.1.2, the default value is 'none'
+          for all of these. Note that the sample configuration files do,
+          however, provide settings for DROP_DEFAULT, BLACKLIST_DEFAULT and
+          REJECT_DEFAULT.</para>
+
           <para>If you set the value of either option to "None" then no
           default action will be used and the default action or macro must be
           specified in <ulink
@@ -197,6 +225,10 @@
           <replaceable>level</replaceable>. The level will be applied to each
           rule in the action or body that does not already have a log
           level.</para>
+
+          <para>Beginning with Shorewall 5.1.2, multiple
+          <replaceable>action</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]
+          specifications may be listed, separated by commas.</para>
         </listitem>
       </varlistentry>
 
@@ -443,6 +475,24 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
+          determines whether the <option>balance</option> provider option (see
+          <ulink
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
+          <option>balance</option> option is assumed unless the
+          <option>fallback</option>, <option>loose</option>,
+          <option>load</option> or <option>tproxy</option> option is
+          specified. If this option is not set or is set to the empty value,
+          then the default value is the value of USE_DEFAULT_RT.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -1306,6 +1356,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.2. Beginning with that release, the
+          sample configurations use this as the default log level and changing
+          it will change all packet logging done by the configuration. In any
+          configuration file (except <ulink
+          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          will expand to this value.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -2831,8 +2895,12 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">balance</emphasis> is assumed unless
-              <emphasis role="bold">loose</emphasis> is specified.</para>
+              <para>If running Shorewall 5.1.0 or earlier or if
+              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">balance</emphasis> provider option is
+              assumed unless the <option>fallback</option>,
+              <option>loose</option>, <option>load</option> or
+              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

Shorewall/shorewall.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
+ExecStop=/sbin/shorewall $OPTIONS clear
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall6-lite/shorewall6-lite.service.debian

@@ -15,7 +15,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+ExecStop=/sbin/shorewall6-lite $OPTIONS clear
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload
 
 [Install]

Shorewall6/Actions/action.Broadcast

@@ -45,12 +45,11 @@ fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $aud
 
 if ( have_capability( 'ADDRTYPE' ) ) {
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
     }
 
     add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
     add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
 } else {
     add_commands $chainref, 'for address in $ALL_ACASTS; do';
@@ -59,9 +58,6 @@ if ( have_capability( 'ADDRTYPE' ) ) {
     add_jump $chainref, $target, 0, "-d \$address ";
     decr_cmd_level $chainref;
     add_commands $chainref, 'done';
-
-    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
-    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 
 1;

Shorewall6/Actions/action.Multicast

@@ -0,0 +1,59 @@
+#
+# Shorewall6 -- /usr/share/shorewall6/action.Multicast
+#
+# Multicast/Anycast IPv6 Action
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Multicast[([<action>|-[,{audit|-}])]
+#
+# Default action is DROP
+#
+###############################################################################
+
+DEFAULTS DROP,-
+
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref           = get_action_chain;
+my ( $action, $audit ) = get_action_params( 2 );
+my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );
+
+fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
+
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+    }
+
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+} else {
+    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
+    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
+}
+
+1;
+
+?end perl;

Shorewall6/Samples6/Universal/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for universal configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall6/Samples6/Universal/policy

@@ -7,8 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
 fw	net	ACCEPT
-net	all	DROP
+net	all	DROP		$LOG_LEVEL
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -72,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -104,11 +106,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -133,6 +136,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/one-interface/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for one-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall6/Samples6/one-interface/policy

@@ -11,10 +11,9 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 #
-###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+##############################################################################
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 $FW	net		ACCEPT
-net		$FW		DROP		info
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -35,6 +35,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -105,11 +107,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -134,6 +137,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/three-interfaces/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for three-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall6/Samples6/three-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
 loc	net		ACCEPT
-net		all		DROP		info
-all		all		REJECT		info
+net	all		DROP		$LOG_LEVEL
+all	all		REJECT		$LOG_LEVEL
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -104,11 +106,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -133,6 +136,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/two-interfaces/params

@@ -0,0 +1,13 @@
+#
+# Shorewall - Sample Params File for two-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-params"
+######################################################################################################################################################################################################

Shorewall6/Samples6/two-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
 loc	net		ACCEPT
-net		all		DROP		info
-all		all		REJECT		info
+net	all		DROP		$LOG_LEVEL
+all	all		REJECT		$LOG_LEVEL
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -104,11 +106,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -133,6 +136,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/actions.std

@@ -9,8 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcasts                     # Accept multicast and anycast packets
-dropBcasts                      # Silently Drop multicast and anycast packets
+allowBcasts                     # Accept anycast packets
+allowMcasts                     # Accept multicast packets
+dropBcasts                      # Silently Drop anycast packets
+dropMcasts                      # Silently Drop multicast packets
 dropNotSyn		        # Silently Drop Non-syn TCP packets
 rejNotSyn		        # Silently Reject Non-syn TCP packets
 ?endif
@@ -23,18 +25,20 @@ AllowICMPs   	                # Accept needed ICMP6 types
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
-Drop		        	# Default Action for DROP policy
+Broadcast    noinline      	# Handles Broadcast/Anycast
+Drop		        	# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
              state=INVALID
+Multicast    noinline      	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject		        	# Default Action for REJECT policy
+Reject		        	# Default Action for REJECT policy (deprecated)
 Related      inline,\		# Handles packets in the RELATED conntrack state
              state=RELATED
 ResetEvent   inline		# Reset an Event

Shorewall6/configfiles/policy

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT

Shorewall6/configfiles/shorewall6.conf

@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -52,19 +54,19 @@ LOGLIMIT="s:1/sec:10"
 
 LOGTAGONLY=No
 
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -105,10 +107,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -133,6 +136,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/manpages/shorewall6-actions.xml

@@ -192,6 +192,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -206,9 +225,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
-                built-in action is termiating (i.e., if the action is jumped
-                to, the next rule in the chain is not evaluated).</para>
+                <option>builtin</option>, indicates that the built-in action
+                is termiating (i.e., if the action is jumped to, the next rule
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-interfaces.xml

@@ -234,6 +234,12 @@ loc     eth2            -</programlisting>
                 <para>Designates the interface as a bridge. Beginning with
                 Shorewall 4.4.7, setting this option also sets
                 <option>routeback</option>.</para>
+
+                <note>
+                  <para>If you have a bridge that you don't intend to define
+                  bport zones on, then it is best to omit this option and
+                  simply specify <option>routeback</option>.</para>
+                </note>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-policy.xml

@@ -114,12 +114,12 @@
         <term><emphasis role="bold">POLICY</emphasis> - {<emphasis
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
-        role="bold">REJECT</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
+        role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
         role="bold">None</emphasis>}]</term>
 
         <listitem>
@@ -149,7 +149,16 @@
           applied to each rule in the action or body that does not already
           have a log level.</para>
 
-          <para>Possible actions are:</para>
+          <para>Beginning with Shorewall 5.1.2, multiple
+          <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
+          pairs may be specified, separated by commas. The actions are invoked
+          in the order listed. Also beginning with Shorewall 5.1.2, the
+          policy-action list can be prefixed with a plus sign ("+") indicating
+          that the listed actions are in addition to those listed in the
+          related _DEFAULT setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>Possible policies are:</para>
 
           <variablelist>
             <varlistentry>
@@ -177,6 +186,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 
@@ -259,7 +281,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
+        <term><emphasis role="bold">RATE</emphasis> (rate) -
         [-|<replaceable>limit</replaceable>]</term>
 
         <listitem>

Shorewall6/manpages/shorewall6-providers.xml

@@ -173,6 +173,16 @@
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface. Prior to Shorewall 5.0.13, only
                 one provider can specify this option.</para>
+
+                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
+                <option>balance=1</option> is assumed unless the
+                <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified. Beginning with Shorewall 5.1.1, when
+                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
+                unless the <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-rtrules.xml

@@ -129,6 +129,17 @@
           <para>Beginning with Shorewall 5.0.2, the priority may be followed
           optionally by an exclaimation mark ("!"). This causes the rule to
           remain in place if the interface is disabled.</para>
+
+          <caution>
+            <para>Be careful when using rules of the same PRIORITY as some
+            unexpected behavior can occur when multiple rules have the same
+            SOURCE. For example, in the following rules, the second rule
+            overwrites the first unless the priority in the second is changed
+            to 19001 or higher:</para>
+
+            <programlisting>2601:601:8b00:bf0::/64 2001:470:b:787::542 provider1 19000
+2601:601:8b00:bf0::/64 -                   provider2 19000</programlisting>
+          </caution>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -95,7 +95,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis
-        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -105,7 +105,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -115,7 +115,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -125,7 +125,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -135,7 +135,17 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
         role="bold">none</emphasis>}</term>
 
         <listitem>
@@ -157,20 +167,28 @@
             role="bold">none</emphasis></member>
           </simplelist>
 
-          <para>The default values are:</para>
+          <para>Prior to Shorewall 5.1.2, the default values are:</para>
 
           <simplelist>
             <member>DROP_DEFAULT="Drop"</member>
 
             <member>REJECT_DEFAULT="Reject"</member>
 
+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
 
-            <member>NFQUEUE_DEFAULT="None"</member>
+            <member>NFQUEUE_DEFAULT="none"</member>
           </simplelist>
 
+          <para>Beginning with Shorewall 5.1.2, the default value is 'none'
+          for all of these. Note that the sample configuration files do,
+          however, provide settings for DROP_DEFAULT, BLACKLIST_DEFAULT and
+          REJECT_DEFAULT.</para>
+
           <para>If you set the value of either option to "None" then no
           default action will be used and the default action or macro must be
           specified in <ulink
@@ -185,6 +203,10 @@
           <replaceable>level</replaceable>. The level will be applied to each
           rule in the action or macro body that does not already have a log
           level.</para>
+
+          <para>Beginning with Shorewall 5.1.2, multiple
+          <replaceable>action</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]
+          specifications may be listed, separated by commas.</para>
         </listitem>
       </varlistentry>
 
@@ -374,6 +396,24 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
+          determines whether the <option>balance</option> provider option (see
+          <ulink
+          url="shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
+          <option>balance</option> option is assumed unless the
+          <option>fallback</option>, <option>loose</option>,
+          <option>load</option> or <option>tproxy</option> option is
+          specified. If this option is not set or is set to the empty value,
+          then the default value is the value of USE_DEFAULT_RT.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -1145,6 +1185,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.2. Beginning with that release, the
+          sample configurations use this as the default log level and changing
+          it will change all packet logging done by the configuration. In any
+          configuration file (except <ulink
+          url="shorewall6-params.html">shorewall6-params(5)</ulink>),
+          $LOG_LEVEL will expand to this value.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -2475,8 +2529,12 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">balance</emphasis> is assumed unless
-              <emphasis role="bold">loose</emphasis> is specified.</para>
+              <para>If running Shorewall 5.1.0 or earlier or if
+              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">balance</emphasis> provider option is
+              assumed unless the <option>fallback</option>,
+              <option>loose</option>, <option>load</option> or
+              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

Shorewall6/shorewall6.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS stop
+ExecStop=/sbin/shorewall -6 $OPTIONS clear
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 
 [Install]

docs/Actions.xml

@@ -132,13 +132,14 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
   </section>
 
   <section id="Default">
-    <title>Default Actions (Formerly Common Actions)</title>
+    <title>Policy Actions (Formerly Default Actions)</title>
 
-    <para>Shorewall allows the association of a <firstterm>default
-    action</firstterm> with policies. A separate default action may be
-    associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Default
-    actions provide a way to invoke a set of common rules just before the
-    policy is enforced. Default actions accomplish two goals:</para>
+    <para>Shorewall allows the association of a <firstterm>policy
+    action</firstterm> with policies. A separate policy action may be
+    associated with ACCEPT, DROP, REJECT, QUEUE, NFQUEUE and BLACKLIST
+    policies. Policy actions provide a way to invoke a set of common rules
+    just before the policy is enforced. Policy actions accomplish two
+    goals:</para>
 
     <orderedlist>
       <listitem>
@@ -152,9 +153,9 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
       </listitem>
     </orderedlist>
 
-    <para>Shorewall supports default actions for the ACCEPT, REJECT, DROP,
-    QUEUE and NFQUEUE policies. These default actions are specified in the
-    <filename>/etc/shorewall/shorewall.conf</filename> file using the
+    <para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP,
+    QUEUE, NFQUEUE and BLACKLIST policies. These default actions are specified
+    in the <filename>/etc/shorewall/shorewall.conf</filename> file using the
     ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
     NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
     value of <quote>none</quote> have no default action.</para>
@@ -165,14 +166,15 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
     url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink></filename>.</para>
 
     <important>
-      <para>Entries in the DROP and REJECT default actions <emphasis
+      <para>Entries in the DROP, REJECT and BLACKLIST policy actions <emphasis
       role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
-      Remember — default actions are only invoked immediately before the
-      packet is going to be dropped or rejected anyway!!!</para>
+      Remember — policy actions are only invoked immediately before the packet
+      is going to be dropped or rejected anyway!!!</para>
     </important>
 
-    <para>Beginning with Shorewall 4.4.21, the standard Drop and Reject
-    options are parameterized. Each has five parameters as follows:</para>
+    <para>Prior to Shorewall 5.1.2, the Drop and Reject actions were the
+    default policy actions for DROP and REJECT policies respectively. Those
+    actions are parameterized; each has five parameters as follows:</para>
 
     <informaltable>
       <tgroup cols="4">
@@ -283,6 +285,95 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
     POLICY column of <ulink
     url="manpages/shorewall-policy.html">shorewall-policy</ulink>(5) (e.g.,
     DROP:<emphasis role="bold">Drop(audit)</emphasis>:audit).</para>
+
+    <para>Beginning with Shorewall 5.1.2, Drop and Reject are deprecated. In
+    5.1.2, a list of policy actions is accepted in both shorewall.conf and the
+    policy file. This allows logging to be specified on some actions and not
+    on others and eliminates the need for a large number of policy-action
+    parameters.</para>
+
+    <para>Actions commonly included in policy-action lists are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
+
+        <listitem>
+          <para>Handles broadcasts based on the
+          <replaceable>disposition</replaceable>. The default
+          <replaceable>disposition</replaceable> is DROP.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Multicast[(<replaceable>disposition</replaceable>)]</term>
+
+        <listitem>
+          <para>Handles multicasts based on the
+          <replaceable>disposition</replaceable>. The default
+          <replaceable>disposition</replaceable> is DROP.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>dropNotSyn[:<replaceable>level</replaceable>]</term>
+
+        <listitem>
+          <para>Drops TCP packets that are not part of an existing connection
+          but that don't have the SYN flag set or that have additional flags
+          set. We recommend that these be logged by specifying an approproate
+          <replaceable>level</replaceable>. This action is particularly
+          appropriate packets received from the Internet. Recommended when the
+          policy is BLACKLIST to avoid late-arriving FIN packets from
+          blacklisting the remote system.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DropDNSrep[:<replaceable>level</replaceable>]</term>
+
+        <listitem>
+          <para>Drops UDP packets with source port 53. We recommend that these
+          be logged by specifying an approproate
+          <replaceable>level</replaceable>. This action is recommended when
+          the policy is BLACKLIST to avoid blacklisting uplevel DNS
+          servers.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>AllowICMPs (IPv6 only)</term>
+
+        <listitem>
+          <para>Allows ICMP packets mandated by RFC 4890. In particular, this
+          ensures that Neighbor Discovery won't be broken</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The recommended settings for the 6 policy actions for IPv4 are:
+    </para>
+
+    <programlisting>        ACCEPT_DEFAULT=none
+        BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+        DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+        NFQUEUE_DEFAULT=none
+        QUEUE_DEFAULT=none
+        REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+</programlisting>
+
+    <para>The recommended settings for IPv6 are:</para>
+
+    <programlisting>        ACCEPT_DEFAULT=none
+        BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+        DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+        NFQUEUE_DEFAULT=none
+        QUEUE_DEFAULT=none
+        REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+</programlisting>
+
+    <para>Note that in both cases, logging occurs based on the setting of
+    LOG_LEVEL in shorewall[6].conf.</para>
   </section>
 
   <section id="Defining">

docs/FAQ.xml

@@ -406,6 +406,14 @@ DNAT       net      loc:192.168.1.3:22  tcp      1022</programlisting>
         the net. Is it possible to only redirect 4104 to the localhost port 22
         and have connection attempts to port 22 from the net dropped?</title>
 
+        <important>
+          <para>On systems with the "Extended Conntrack Match"
+          (NEW_CONNTRACK_MATCH) capability (see the output of
+          <command>shorewall show capabilities</command>), port 22 is opened
+          only to connections whose original destination port is 4104 and this
+          FAQ does not apply.</para>
+        </important>
+
         <para><emphasis role="bold">Answer </emphasis>courtesy of Ryan: Assume
         that the IP address of your local firewall interface is 192.168.1.1.
         If you configure SSHD to only listen on that address and add the

docs/IPSEC-2.6.xml

@@ -106,10 +106,10 @@
     traffic that is to be encrypted according to the contents of the SPD
     requires an appropriate SA to exist. SAs may be created manually using
     <command>setkey</command>(8) but most often, they are created by a
-    cooperative process involving the ISAKMP protocol and daemons such
-    as<command> racoon</command> or <command>isakmpd</command>. Incoming
-    traffic is verified against the SPD to ensure that no unencrypted traffic
-    is accepted in violation of the administrator's policies.</para>
+    cooperative process involving the ISAKMP protocol and a daemon included in
+    your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
+    Incoming traffic is verified against the SPD to ensure that no unencrypted
+    traffic is accepted in violation of the administrator's policies.</para>
 
     <para>There are three ways in which IPsec traffic can interact with
     Shorewall policies and rules:</para>
@@ -225,18 +225,11 @@
     of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
     security policies that select which traffic to encrypt/decrypt.</para>
 
-    <para>This article assumes the use of ipsec-tools (<ulink
-    url="http://ipsec-tools.sourceforge.net">http://ipsec-tools.sourceforge.net</ulink>).
-    As of this writing, I recommend that you run at least version 0.5.2.
-    Debian users, please note that there are separate Debian packages for
-    ipsec-tools and racoon although the ipsec-tools project releases them as a
-    single package.</para>
-
-    <para>For more information on IPsec, Kernel 2.6 and Shorewall see <ulink
-    url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
-    2005</ulink>. Be warned though that the presentation is based on Shorewall
-    2.2 and there are some differences in the details of how IPsec is
-    configured.</para>
+    <important>
+      <para>This article provides guidance regarding configuring Shorewall to
+      use with IPSEC. For configuring IPSEC itself, consult your IPSEC
+      product's documentation.</para>
+    </important>
   </section>
 
   <section id="GwFw">
@@ -360,155 +353,25 @@ $FW              vpn             ACCEPT</programlisting>
 ACCEPT     vpn:134.28.54.2  $FW</programlisting>
     </blockquote>
 
-    <para>Note that your Security Policies must also be set up to send traffic
-    between 134.28.54.2 and 206.162.148.9 through the tunnel (see
-    below).</para>
-
-    <para>Once you have these entries in place, restart Shorewall (type
-    shorewall restart); you are now ready to configure IPsec.</para>
-
-    <para>For full encrypted connectivity in this configuration (between the
-    subnets, between each subnet and the opposite gateway, and between the
-    gateways), you will need eight policies in
-    <filename>/etc/racoon/setkey.conf</filename>. For example, on gateway
-    A:</para>
-
-    <blockquote>
-      <programlisting># First of all flush the SPD and SAD databases
-spdflush;
-flush;
-
-# Add some SPD rules
-
-spdadd 192.168.1.0/24   10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 192.168.1.0/24   134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 206.162.148.9/32 134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 206.162.148.9/32 10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
-spdadd 10.0.0.0/8       192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
-spdadd 10.0.0.0/8       206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
-spdadd 134.28.54.2/32   192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
-spdadd 134.28.54.2/32   206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;</programlisting>
-    </blockquote>
-
-    <para>The <filename>setkey.conf</filename> file on gateway B would be
-    similar.</para>
-
-    <para>A sample <filename>/etc/racoon/racoon.conf</filename> file using
-    X.509 certificates might look like:</para>
-
-    <blockquote>
-      <programlisting>path certificates "/etc/certs" ;
-
-listen 
-{
-        isakmp 206.162.148.9;
-}
-
-remote 134.28.54.2
-{
-        exchange_mode main ;
-        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
-        verify_cert on;
-        my_identifier asn1dn ;
-        peers_identifier asn1dn ;
-        verify_identifier on ;
-        lifetime time 24 hour ;
-        proposal {
-                encryption_algorithm blowfish;
-                hash_algorithm sha1;
-                authentication_method rsasig ;
-                dh_group 2 ;
-        }
-}
-
-sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-
-sainfo address 206.162.148.9/32 any address 10.0.0.0/8 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-
-sainfo address 206.162.148.9/32 any address 134.28.54.2/32 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-
-sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}</programlisting>
-
     <warning>
       <para>If you have hosts that access the Internet through an IPsec
       tunnel, then it is a good idea to set the MSS value for traffic from
-        those hosts explicitly in the
-        <filename>/etc/shorewall/zones</filename> file. For example, if hosts
-        in the <emphasis role="bold">vpn</emphasis> zone access the Internet
-        through an ESP tunnel then the following entry would be
-        appropriate:</para>
+      those hosts explicitly in the <filename>/etc/shorewall/zones</filename>
+      file. For example, if hosts in the <emphasis role="bold">vpn</emphasis>
+      zone access the Internet through an ESP tunnel then the following entry
+      would be appropriate:</para>
 
       <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
-        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
-        that both the SYN and SYN,ACK packets have their MSS field
-        adjusted.</para>
+      <para>You should also set FASTACCEPT=No in shorewall.conf to ensure that
+      both the SYN and SYN,ACK packets have their MSS field adjusted.</para>
 
       <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
       isn't effective with the 2.6 native IPsec implementation because there
-        is no separate IPsec device with a lower mtu as there was under the
-        2.4 and earlier kernels.</para>
+      is no separate IPsec device with a lower mtu as there was under the 2.4
+      and earlier kernels.</para>
     </warning>
-    </blockquote>
-  </section>
-
-  <section>
-    <title>IPCOMP and IPSEC</title>
-
-    <para>IPSEC can be configured to perform data compression. This is
-    accomplished by compressing the original IP packet, then encapsulating it
-    in an ipcomp (protocol 108) packet. That packet is then encrypted and
-    encapsulated within an ESP packet. Because of the extra protocol header
-    required for compression, short IP packets (such as default ping packets)
-    are not compressed. The Linux IP stack handles these uncompressed packets
-    by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from
-    the remote gateway must be handled in Shorewall. The easiest way to
-    accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn
-    zone to the $FW zone:</para>
-
-    <blockquote>
-      <programlisting>#ACTION         SOURCE         DEST       PROTO       DPORT ...
-ACCEPT          vpn            $FW        4</programlisting>
-    </blockquote>
-
-    <para>Note that the source IP address is these IPIP packets is that of the
-    remote peer, so the definition of the ipsec zone in <ulink
-    url="manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) must
-    include the peer.</para>
-
-    <para>Finally, when IPCOMP is used, it is recommended that the OPTIONS
-    column of the ipsec zone's entry in <ulink
-    url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) be left
-    empty.</para>
   </section>
 
   <section id="RoadWarrior">
@@ -586,116 +449,7 @@ ipsec         net         206.162.148.9       vpn</programlisting>
         <programlisting>#ZONE             HOSTS                  OPTIONS
 vpn               eth0:0.0.0.0/0</programlisting>
       </blockquote>
-
-      <para>On system A, here are the IPsec files:</para>
-
-      <blockquote>
-        <para><filename>/etc/racoon/racoon.conf</filename> - System A:</para>
-
-        <programlisting>path certificate "/etc/certs" ;
- 
-listen
-{
-        isakmp 206.162.148.9;
-}
- 
-remote <emphasis role="bold">anonymous</emphasis>
-{
-        exchange_mode main ;
-        <emphasis role="bold">generate_policy on</emphasis> ;
-        <emphasis role="bold">passive on</emphasis> ;
-        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
-        verify_cert on;
-        my_identifier asn1dn ;
-        peers_identifier asn1dn ;
-        verify_identifier on ;
-        lifetime time 24 hour ;
-        proposal {
-                encryption_algorithm blowfish ;
-                hash_algorithm sha1;
-                authentication_method rsasig ;
-                dh_group 2 ;
-        }
-}
- 
-sainfo <emphasis role="bold">anonymous</emphasis>
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}</programlisting>
-
-        <para><filename>/etc/racoon/setkey.conf</filename> - System A:</para>
-
-        <programlisting>flush;
-spdflush;</programlisting>
-      </blockquote>
-
-      <para>If system A is running kernel 2.6.10 or later then it must also be
-      running ipsec-tools (racoon) 0.5rc1 or later.</para>
-
-      <para>On the mobile system (system B), it is not possible to create a
-      static IPsec configuration because the IP address of the laptop's
-      Internet connection isn't static. I have created an 'ipsecvpn' script
-      and included in the tarball and in the RPM's documentation directory;
-      this script can be used to start and stop the connection.</para>
-
-      <para>The ipsecvpn script has some variable assignments at the top -- in
-      the above case, these would be as follows:</para>
-
-      <blockquote>
-        <programlisting>#
-# External Interface
-#
-INTERFACE=eth0
-#
-# Remote IPsec Gateway
-#
-GATEWAY=206.162.148.9
-#
-# Networks behind the remote gateway
-#
-NETWORKS="192.168.1.0/24"
-#
-# Directory where X.509 certificates are stored.
-#
-CERTS=/etc/certs
-#
-# Certificate to be used for this connection. The cert
-# directory must contain:
-#
-#     ${CERT}.pem     - the certificate
-#     ${CERT}_key.pem - the certificates's key
-#
-CERT=roadwarrior
-#
-#     The setkey binary
-#
-SETKEY=/usr/sbin/setkey
-#
-#     The racoon binary
-#
-RACOON=/usr/sbin/racoon</programlisting>
-      </blockquote>
-
-      <para>The ipsecvpn script can be installed in /etc/init.d/ but it is
-      probably best installed in /usr/local/sbin and run manually:</para>
-
-      <blockquote>
-        <para><command>ipsecvpn start </command># Starts the tunnel</para>
-
-        <para><command>ipsecvpn stop</command> # Stops the tunnel</para>
-      </blockquote>
     </example>
-
-    <warning>
-      <para>Although the ipsecvpn script allows you to specify multiple remote
-      NETWORKS as a space-separated list, SAs are created on the gateway only
-      during ISAKMP negotiation. So in practice, only the first remote network
-      accessed will be accessible from the roadwarrior.</para>
-    </warning>
   </section>
 
   <section id="RW-L2TP">
@@ -853,62 +607,7 @@ HTTPS(ACCEPT)   l2tp    $FW</programlisting>
     hosts in that network. In that case, IPsec transport mode is an
     appropriate solution.</para>
 
-    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
-    the ipsec-tools package. The files shown are from host 192.168.20.10; the
-    configuration of the other nodes is similar.</para>
-
-    <blockquote>
-      <para><filename>/etc/racoon/racoon.conf</filename>:</para>
-
-      <programlisting>path pre_shared_key "/etc/racoon/psk.txt" ;
-
-remote anonymous
-{
-        exchange_mode main ;
-        my_identifier address ;
-        lifetime time 24 hour ;
-        proposal {
-                encryption_algorithm blowfish ;
-                hash_algorithm sha1;
-                authentication_method pre_shared_key ;
-                dh_group 2 ;
-        }
-}
-
-sainfo anonymous
-{
-        pfs_group 2;
-        lifetime time 12 hour ;
-        encryption_algorithm blowfish ;
-        authentication_algorithm hmac_sha1, hmac_md5 ;
-        compression_algorithm deflate ;
-}
-</programlisting>
-
-      <para><filename>/etc/racoon/setkey.conf</filename>:</para>
-
-      <programlisting># First of all flush the SPD database
-spdflush;
-
-# Add some SPD rules
-
-spdadd 192.168.20.10/32 192.168.20.20/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.20/require;
-spdadd 192.168.20.20/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.20-192.168.20.10/require;
-spdadd 192.168.20.10/32 192.168.20.30/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.30/require;
-spdadd 192.168.20.30/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.30-192.168.20.10/require;
-spdadd 192.168.20.10/32 192.168.20.40/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.40/require;
-spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.40-192.168.20.10/require;
-</programlisting>
-
-      <para><filename>/etc/racoon/psk.txt</filename>:</para>
-
-      <programlisting>192.168.20.20             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.20&gt;
-192.168.20.30             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.30&gt;
-192.168.20.40             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.40&gt;</programlisting>
-
-      <para>Note that the <emphasis role="bold">same key</emphasis>must be
-      used in both directions.</para>
-    </blockquote>
+    <para><graphic fileref="images/TransportMode.png"/></para>
 
     <para>Shorewall configuration goes as follows:</para>
 
@@ -973,75 +672,13 @@ all             all             REJECT          info</programlisting>
 ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
     above assumes that the name of your IPsec vpn zone is
     <emphasis>vpn</emphasis>.</para>
-  </section>
 
-  <section id="XP">
-    <title>IPsec and <trademark>Windows</trademark> XP</title>
-
-    <para>I have successfully configured my work laptop to use IPsec with
-    X.509 certificates for wireless IP communication when it is undocked at
-    home. I looked at dozens of sites and the one I found most helpful was
-    <ulink
-    url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
-    The instructions on that site are directed to students at UCLA but they
-    worked fine for me (once I followed them very carefully).</para>
-
-    <warning>
-      <para>The instructions found on the UCLA site are complex and do not
-      include any information on the generation of X.509 certificates. There
-      are lots of sites however that can tell you how to generate
-      certificates, including <ulink
-      url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
-
-      <para>One piece of information that may not be so easy to find is "How
-      do I generate a PKCS#12 certificate to import into Windows?". Here's the
-      openssl command that I used:</para>
-
-      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless"</command> </programlisting>
-
-      <para>I was prompted for a password to associate with the certificate.
-      This password is entered on the Windows system during import.</para>
-
-      <para>In the above command:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para><filename>eastepnc6000.pem</filename> was the laptop's
-          certificate in PEM format.</para>
-        </listitem>
-
-        <listitem>
-          <para><filename>eastepnc6000_key.pem</filename> was the laptop's
-          private key (actually, it's the original signing request which
-          includes the private key).</para>
-        </listitem>
-
-        <listitem>
-          <para><filename>eastepnc6000.pfx</filename> is the PKCS#12 output
-          file.</para>
-        </listitem>
-
-        <listitem>
-          <para>"IPsec Cert for Home Wireless" is the friendly name for the
-          certificate.</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>I started to write an article about how to do this, complete with
-      graphics captured from my laptop. I gave up. I had captured 12 images
-      and hadn't really started yet. The Windows interface for configuring
-      IPsec is the worst GUI that I have ever used. What can be displayed on
-      one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
-      different dialog boxes on Windows XP!!!</para>
-    </warning>
-  </section>
-
-  <section id="More">
-    <title>Source of Additional Samples</title>
-
-    <para>Be sure to check out the <filename
-    class="directory">src/racoon/samples</filename> subdirectory in the
-    ipsec-tools source tree. It has a wide variety of sample racoon
-    configuration files.</para>
+    <important>
+      <para>Note that this protocol 4 (IPIP) traffic appears to originate in
+      the vpn zone, but it's source IP address is that of the remote gateway.
+      As a consequence, that address must be included in the definition of the
+      remote zone. If you haven't done that, the traffic will be dropped in
+      the INPUT chain.</para>
+    </important>
   </section>
 </article>

docs/MultiISP.xml

@@ -484,6 +484,18 @@ fi</programlisting>
                         url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
                       </note></para>
                   </important>
+
+                  <para>Prior to Shorewall 5.1.1, <emphasis
+                  role="bold">balance=1</emphasis> is the default when
+                  USE_DEFAULT_RT=Yes and neither the
+                  <option>fallback</option>, <option>loose</option>,
+                  <option>load</option> or <option>tproxy</option> option is
+                  specified. Beginning with Shorewall 5.1.1, <emphasis
+                  role="bold">balance=1</emphasis> is the default when both
+                  USE_DEFAULT_RT=Yes and BALANCE_PROVIDERS=Yes and neither the
+                  <option>fallback</option>, <option>loose</option>,
+                  <option>load</option> nor <option>tproxy</option> option is
+                  specified.</para>
                 </listitem>
               </varlistentry>
 

docs/blacklisting_support.xml

@@ -109,7 +109,7 @@ DROP            net:200.55.14.18        all
   </section>
 
   <section>
-    <title>Dynamic Blacklisting</title>
+    <title>Chain-based Dynamic Blacklisting</title>
 
     <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
     setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
@@ -176,4 +176,103 @@ DROP            net:200.55.14.18        all
       </listitem>
     </itemizedlist>
   </section>
+
+  <section>
+    <title>Ipset-based Dynamic Blacklisting</title>
+
+    <para>Beginning with Shorewall 5.0.8, it is possible to use an ipset to
+    hold blacklisted addresses. The DYNAMIC_BLACKLIST option was expanded
+    to:</para>
+
+    <para><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
+    role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>||<emphasis
+    role="bold">ipset</emphasis>[<emphasis
+    role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</para>
+
+    <para>When <option>ipset</option> or <option>ipset-only</option> is
+    specified, the <command>shorewall blacklist</command> command is used to
+    blacklist a single host or a network. The <command>allow</command> command
+    is used to remove entries from the ipset. The name of the set
+    (<replaceable>setname</replaceable>) and the level
+    (<replaceable>log_level</replaceable>), if any, at which blacklisted
+    traffic is to be logged may also be specified. The default set name is
+    SW_DBL4 and the default log level is <option>none</option> (no logging).
+    If <option>ipset-only</option> is given, then chain-based dynamic
+    blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+    specified.</para>
+
+    <para>Possible <replaceable>option</replaceable>s are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>src-dst</term>
+
+        <listitem>
+          <para>Normally, only packets whose source address matches an entry
+          in the ipset are dropped. If <option>src-dst</option> is included,
+          then packets whose destination address matches an entry in the ipset
+          are also dropped.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>disconnect</option></term>
+
+        <listitem>
+          <para>The <option>disconnect</option> option was added in Shorewall
+          5.0.13 and requires that the conntrack utility be installed on the
+          firewall system. When an address is blacklisted using the
+          <command>blacklist</command> command, all connections originating
+          from that address are disconnected. if the <option>src-dst</option>
+          option was also specified, then all connections to that address are
+          also disconnected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.13. Normally, Shorewall creates the
+          dynamic blacklisting ipset with timeout 0 which means that entries
+          are permanent. If you want entries in the set that are not accessed
+          for a period of time to be deleted from the set, you may specify
+          that period using this option. Note that the
+          <command>blacklist</command> command can override the ipset's
+          timeout setting.</para>
+
+          <important>
+            <para>Once the dynamic blacklisting ipset has been created,
+            changing this option setting requires a complete restart of the
+            firewall; <command>shorewall restart</command> if RESTART=restart,
+            otherwise <command>shorewall stop &amp;&amp; shorewall
+            start</command></para>
+          </important>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>When ipset-based dynamic blacklisting is enabled, the contents of
+    the blacklist will be preserved over
+    <command>stop</command>/<command>reboot</command>/<command>start</command>
+    sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
+    <replaceable>setname</replaceable> is included in the list of sets to be
+    saved in SAVE_IPSETS.</para>
+  </section>
+
+  <section>
+    <title>BLACKLIST Policy and Action</title>
+
+    <para>Beginning with Shorewall 5.1.1, it is possible to specify BLACKLIST
+    in the POLICY column of <ulink
+    url="manpages/shorewall-policies.html">shorewall-policies</ulink>(5) when
+    ipset-based dynamic blacklisting is being used. When a packet is disposed
+    of via the BLACKLIST policy, the packet's sender is added to the dynamic
+    blacklist ipset and the packet is dropped.</para>
+
+    <para>Also available beginning with Shorewall 5.1.1 is a BLACKLIST action
+    for use in the rules file, macros and filter table actions. Execute the
+    <command>shorewall show action BLACKLIST</command> command for
+    details.</para>
+  </section>
 </article>

docs/configuration_file_basics.xml

@@ -1992,6 +1992,14 @@ SSH(ACCEPT)    net:$MYIP      $FW
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>@action(@{action})</term>
+
+        <listitem>
+          <para>Expands to the name of the action being compiled.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>@disposition (@{disposition})</term>
 

docs/shorewall_logging.xml

@@ -266,7 +266,16 @@
       <para>You will need to change all instances of log levels (usually
       <quote>info</quote>) in your Shorewall configuration files to
       <quote>NFLOG</quote> - this includes entries in the policy, rules and
-      shorewall.conf files. Here's what I had at one time:</para>
+      shorewall.conf files. If you initially installed using Shorewall 5.1.2
+      or later, you can simply change the setting of LOG_LEVEL in
+      shorewall.conf.</para>
+
+      <para>Otherwise, you must search for all instances of log levels in your
+      configuration and change them accordingly. If you currently run
+      Shorewall 5.1.2 or later, then change them to $LOG_LEVEL and set
+      LOG_LEVEL accordingly. If you are running an earlier release, using a
+      shell variable simplifies future changes. Here's what I had at one
+      time:</para>
 
       <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
 params:LOG=NFOG