Compare commits


22 Commits

Tom Eastep
e45b96ca20 Update blacklisting article:
- ipset-based blacklisting
- BLACKLIST policy and action

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-26 13:17:11 -08:00
Matt Darfeuille
eac2639684 core: Correct the path being displayed for the CLI
Signed-off-by: Matt Darfeuille <matdarf@gmail.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-24 16:19:08 -08:00
Tom Eastep
70a395892f Make BLACKLIST work correctly in the blrules file
- Add the 'section' action option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 15:03:02 -08:00
Tom Eastep
d2d11df4f6 Make action.BLACKLIST behave correctly in the blrules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 13:35:10 -08:00
Tom Eastep
b985654600 Correct typo in heading of Reject and Drop actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 11:54:40 -08:00
Tom Eastep
62ff6d3fa5 Remove obsolete macros
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 09:26:19 -08:00
Tom Eastep
2bbb5c8c1e Add hack to distinguish between the BLACKLIST macro and action
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 09:23:26 -08:00
Tom Eastep
33b4ee4d31 Don't quote variable values in ERROR/WARNING/INFO directives
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 09:00:18 -08:00
Tom Eastep
889ca756a1 Document @action
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 08:58:42 -08:00
Tom Eastep
d111e4f186 Handle built-in actions in 'show action'
- Remove a couple of non-actions from IPv4 actions.std

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-22 15:40:36 -08:00
Tom Eastep
634c8debda Use ?REQUIRE in several actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-22 14:59:37 -08:00
Tom Eastep
71dd5d016b Add ?REQUIRE compiler directive
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-22 14:48:18 -08:00
Tom Eastep
6b408869d2 Correct the synopsis in two action files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-22 11:47:12 -08:00
Tom Eastep
edf08bf408 Cosmetic change in compiler()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-21 19:47:50 -08:00
Tom Eastep
4a01e910ff Delete unused iptablesbug() function
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-21 14:42:24 -08:00
Tom Eastep
2a010f827b Add 'show action' command.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-19 15:58:18 -08:00
Tom Eastep
9c3a82f628 Add BLACKLIST action
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-19 14:08:15 -08:00
Tom Eastep
e6933f4c8d Add BLACKLIST policy
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-18 10:55:15 -08:00
Tom Eastep
cc3b8793e0 Make BALANCE_PROVIDERS default the setting of USE_DEFAULT_RT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-17 15:02:16 -08:00
Tom Eastep
ac5fd195ec Correct provider/routefilter check wrt optional interfaces
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-17 09:34:13 -08:00
Tom Eastep
45b9ddf188 Add BALANCE_PROVIDERS option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-17 08:58:09 -08:00
Tom Eastep
2d16fac9ed Revert "Implement USE_DEFAULT_RT=Exact"
This reverts commit 2ca1ae734a.
2017-01-17 08:25:33 -08:00
38 changed files with 632 additions and 341 deletions


@@ -369,7 +369,7 @@ fi
# #
install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT" echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
# #
# Install wait4ifup # Install wait4ifup
# #


@@ -78,29 +78,6 @@ showchain() # $1 = name of chain
fi fi
} }
#
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
#
iptablesbug()
{
if [ $g_family -eq 4 ]; then
if qt mywhich awk ; then
awk 'BEGIN { sline=""; };\
/^-[jg]/ { print sline $0; next };\
/-m policy.*-[jg] / { print $0; next };\
/-m policy/ { sline=$0; next };\
/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
{ print ; sline="" }'
else
echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
cat
fi
else
cat
fi
}
# #
# Validate the value of RESTOREFILE # Validate the value of RESTOREFILE
# #
@@ -1150,6 +1127,11 @@ show_macros() {
done done
} }
show_an_action() {
echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
cat ${directory}/action.$1
}
show_a_macro() { show_a_macro() {
echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)" echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
cat ${directory}/macro.$1 cat ${directory}/macro.$1
@@ -1458,12 +1440,35 @@ show_command() {
;; ;;
*) *)
case $1 in case $1 in
action)
[ $# -lt 2 ] && fatal_error 'Missing <action>'
[ $# -gt 2 ] && too_many_arguments $2
for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/action.$2 ]; then
eval show_an_action $2 $g_pager
return
fi
done
case $2 in
allowBcast|dropBcast|dropNotSyn|rejNotSyn|allowinUPnp|forwardUPnP|Limit)
echo " WARNING: $2 is a built-in action" >&2
;;
*)
echo " WARNING: Action $2 not found" >&2
;;
esac
return
;;
actions) actions)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && too_many_arguments $2
eval show_actions_sorted $g_pager eval show_actions_sorted $g_pager
return return
;; ;;
macro) macro)
[ $# -lt 2 ] && fatal_error 'Missing <macro>'
[ $# -ne 2 ] && too_many_arguments $2 [ $# -ne 2 ] && too_many_arguments $2
for directory in $(split $CONFIG_PATH); do for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/macro.$2 ]; then if [ -f ${directory}/macro.$2 ]; then
@@ -4291,6 +4296,7 @@ usage() # $1 = exit status
echo " savesets" echo " savesets"
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
ecko " [ show | list | ls ] actions" ecko " [ show | list | ls ] actions"
ecko " [ show | list | ls ] action <action>"
echo " [ show | list | ls ] arptables" echo " [ show | list | ls ] arptables"
echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] [ -f ] capabilities"
echo " [ show | list | ls ] [ -x ] {bl|blacklists}" echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
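Review bot: In the new `action)` case, `eval show_an_action $2 $g_pager` passes the user-supplied action name to `eval` unquoted, and the preceding `[ -f ${directory}/action.$2 ]` test is unquoted too, so a name containing whitespace or shell metacharacters is word-split or re-parsed instead of being rejected; the existing `macro)` case has the same shape, so this matches the file's style, but a guard before the loop such as `case $2 in *[!A-Za-z0-9_.-]*) fatal_error "Invalid action name ($2)" ;; esac` would make the lookup fail closed. The built-in list on the `allowBcast|dropBcast|...` line duplicates the compiler's knowledge of built-in actions and will drift as built-ins change; a comment naming the file it must be kept in sync with would help. `show_an_action` reads the caller's loop variable `directory` rather than taking it as an argument; a header comment like `# $1 = action name; expects $directory set by the caller` would document that. `show_command` starts and ends outside the hunk.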


@@ -685,6 +685,31 @@
<arg choice="plain"><option>capabilities</option></arg> <arg choice="plain"><option>capabilities</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall[6]</command>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
<arg><option>-f</option></arg>
<arg choice="plain"><option>{actions|macros}</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
<arg choice="plain"><option>action</option><arg
choice="plain"><replaceable>action</replaceable></arg></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
@@ -695,7 +720,7 @@
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
<arg <arg
choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg> choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@@ -2415,12 +2440,23 @@
arguments:</para> arguments:</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">action
<replaceable>action</replaceable></emphasis></term>
<listitem>
<para>Lists the named action file. Available on Shorewall and
Shorewall6 only.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">actions</emphasis></term> <term><emphasis role="bold">actions</emphasis></term>
<listitem> <listitem>
<para>Produces a report about the available actions (built-in, <para>Produces a report about the available actions (built-in,
standard and user-defined).</para> standard and user-defined). Available on Shorewall and
Shorewall6 only.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -12,6 +12,7 @@
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
?require AUDIT_TARGET
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT #ACTION SOURCE DEST PROTO DPORT SPORT
# #


@@ -22,8 +22,9 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.# # A_REJECT[([<option>])] where <option> is a valid REJECT option.#
############################################################################### ###############################################################################
?require AUDIT_TARGET
DEFAULTS - DEFAULTS -


@@ -22,8 +22,9 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.# # A_REJECT[([<option>])] where <option> is a valid REJECT option.#
############################################################################### ###############################################################################
?require AUDIT_TARGET
DEFAULTS - DEFAULTS -


@@ -0,0 +1,50 @@
#
# Shorewall - /usr/share/shorewall/action.BLACKLIST
#
# This action:
#
# - Adds the sender to the dynamic blacklist ipset
# - Optionally acts on the packet (default is DROP)
#
# Parameters:
#
# 1 - Action to take after adding the packet. Default is DROP.
# Pass -- if you don't want to take any action.
# 2 - Timeout for ipset entry. Default is the timeout specified in
# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
#
###############################################################################
# Note -- This action is defined with the 'section' option, so the first
# parameter is always the section name. That means that in the
# following text, the first parameter passed in the rule is actually
# @2.
###############################################################################
?if $1 eq 'BLACKLIST'
?if $BLACKLIST_LOGLEVEL
blacklog
?else
$BLACKLIST_DISPOSITION
?endif
?else
?if ! "$SW_DBL_IPSET"
? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
?endif
DEFAULTS -,DROP,-
#
# Add to the blacklist
#
?if passed(@3)
ADD($SW_DBL_IPSET:src:@3)
?elsif $SW_DBL_TIMEOUT
ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
?else
ADD($SW_DBL_IPSET:src)
?endif
#
# Dispose of the packet if asked
#
?if passed(@2)
@2
?endif
?endif
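Review bot: The error directive on the `? error The BLACKLIST action may only be used ...` line has a space between `?` and `error`; the directive regexes added in this same set of commits (`^\s*\?(IF\s+|...|ERROR\s+|...)`) expect the keyword to follow `?` immediately, so as rendered here the line would not be recognised as a directive and the intended compile-time check would not fire — `?error The BLACKLIST action may only be used with ipset-based dynamic blacklisting` is the form the regex accepts, unless the space is a rendering artifact. The header lists the parameters as 1 and 2 while the body (and the note below the header) use @2 and @3 because of the `section` option; stating the effective positions once in the parameter list, e.g. `# @2 - Action to take after adding the sender. Default is DROP.`, would spare the reader reconciling the two. Only `src` is recorded on every `ADD(...)` line; if that is intended even when DYNAMIC_BLACKLIST carries the src-dst option, a comment saying so would make it explicit.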


@@ -20,7 +20,7 @@
# depending on the setting of the first parameter. # depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or # 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter. # A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default # 5 - Action to take with late DNS replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter. # is DROP or A_DROP depending on the first parameter.
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
# depending on the first parameter. # depending on the first parameter.


@@ -20,7 +20,7 @@
# depending on the setting of the first parameter. # depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or # 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter. # A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default # 5 - Action to take with late DNS replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter. # is DROP or A_DROP depending on the first parameter.
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
# depending on the first parameter. # depending on the first parameter.


@@ -1,13 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/macro.blacklist
#
# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
?if $BLACKLIST_LOGLEVEL
blacklog
?else
$BLACKLIST_DISPOSITION
?endif


@@ -1,49 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/macro.Drop
#
# This macro generates the same rules as the Drop default action
# It is used in place of action.Drop when USE_ACTIONS=No.
#
# Example:
#
# Drop net all
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
#
# Don't log 'auth' DROP
#
DROP - - tcp 113
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DROP - - udp 135,445
DROP - - udp 137:139
DROP - - udp 1024: 137
DROP - - tcp 135,139,445
DROP - - udp 1900
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DROP - - udp - 53


@@ -1,49 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/macro.Reject
#
# This macro generates the same rules as the Reject default action
# It is used in place of action.Reject when USE_ACTIONS=No.
#
# Example:
#
# Reject loc fw
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
#
# Don't log 'auth' REJECT
#
REJECT - - tcp 113
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
REJECT - - udp 135,445
REJECT - - udp 137:139
REJECT - - udp 1024: 137
REJECT - - tcp 135,139,445
DROP - - udp 1900
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DROP - - udp - 53


@@ -748,7 +748,7 @@ sub initialize( $;$$) {
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
VERSION => "5.0.9-Beta2", VERSION => "5.1.1-RC1",
CAPVERSION => 50100 , CAPVERSION => 50100 ,
BLACKLIST_LOG_TAG => '', BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '', RELATED_LOG_TAG => '',
@@ -816,6 +816,7 @@ sub initialize( $;$$) {
ACCEPT_DEFAULT => undef, ACCEPT_DEFAULT => undef,
QUEUE_DEFAULT => undef, QUEUE_DEFAULT => undef,
NFQUEUE_DEFAULT => undef, NFQUEUE_DEFAULT => undef,
BLACKLIST_DEFAULT => undef,
# #
# RSH/RCP Commands # RSH/RCP Commands
# #
@@ -904,6 +905,7 @@ sub initialize( $;$$) {
VERBOSE_MESSAGES => undef , VERBOSE_MESSAGES => undef ,
ZERO_MARKS => undef , ZERO_MARKS => undef ,
FIREWALL => undef , FIREWALL => undef ,
BALANCE_PROVIDERS => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@@ -2710,11 +2712,11 @@ sub directive_info( $$$$ ) {
# Add quotes to the passed value if the passed 'first part' has an odd number of quotes # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
# Return an expression that concatenates $first, $val and $rest # Return an expression that concatenates $first, $val and $rest
# #
sub join_parts( $$$ ) { sub join_parts( $$$$ ) {
my ( $first, $val, $rest ) = @_; my ( $first, $val, $rest, $just_expand ) = @_;
$val = '' unless defined $val; $val = '' unless defined $val;
$val = "'$val'" unless ( $val =~ /^-?\d+$/ || # Value is numeric $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/ || # Value is numeric
( ( ( $first =~ tr/"/"/ ) & 1 ) || # There are an odd number of double quotes preceding the value ( ( ( $first =~ tr/"/"/ ) & 1 ) || # There are an odd number of double quotes preceding the value
( ( $first =~ tr/'/'/ ) & 1 ) ) ); # There are an odd number of single quotes preceding the value ( ( $first =~ tr/'/'/ ) & 1 ) ) ); # There are an odd number of single quotes preceding the value
join( '', $first, $val, $rest ); join( '', $first, $val, $rest );
@@ -2769,7 +2771,7 @@ sub evaluate_expression( $$$$ ) {
exists $capdesc{$var} ? have_capability( $var ) : '' ); exists $capdesc{$var} ? have_capability( $var ) : '' );
} }
$expression = join_parts( $first, $val, $rest ); $expression = join_parts( $first, $val, $rest, $just_expand );
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100; directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
} }
@@ -2780,7 +2782,7 @@ sub evaluate_expression( $$$$ ) {
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$val = $var ? $actparams{$var} : $chain; $val = $var ? $actparams{$var} : $chain;
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
$expression = join_parts( $first, $val, $rest ); $expression = join_parts( $first, $val, $rest , $just_expand );
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100; directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
} }
} }
@@ -2852,7 +2854,7 @@ sub process_compiler_directive( $$$$ ) {
print "CD===> $line\n" if $debug; print "CD===> $line\n" if $debug;
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i; directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
my ($keyword, $expression) = ( uc $1, $2 ); my ($keyword, $expression) = ( uc $1, $2 );
@@ -3040,6 +3042,12 @@ sub process_compiler_directive( $$$$ ) {
$linenumber ) unless $omitting; $linenumber ) unless $omitting;
} , } ,
REQUIRE => sub() {
fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
require_capability( $expression, "The $actparams{action} action", 's' );
} ,
); );
if ( my $function = $directives{$keyword} ) { if ( my $function = $directives{$keyword} ) {
@@ -3753,7 +3761,7 @@ sub read_a_line($) {
# #
# Handle directives # Handle directives
# #
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) { if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. ); $omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
next; next;
} }
@@ -5279,6 +5287,13 @@ sub update_config_file( $ ) {
} }
update_default( 'USE_DEFAULT_RT', 'No' ); update_default( 'USE_DEFAULT_RT', 'No' );
if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
update_default( 'BALANCE_PROVIDERS', 'No' );
} else {
update_default( 'BALANCE_PROVIDERS', 'Yes' );
}
update_default( 'EXPORTMODULES', 'No' ); update_default( 'EXPORTMODULES', 'No' );
update_default( 'RESTART', 'reload' ); update_default( 'RESTART', 'reload' );
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} ); update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
@@ -6282,19 +6297,11 @@ sub get_configuration( $$$$ ) {
require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES}; require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : ''; default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
default_yes_no 'AUTOMAKE' , ''; default_yes_no 'AUTOMAKE' , '';
default_yes_no 'TRACK_PROVIDERS' , ''; default_yes_no 'TRACK_PROVIDERS' , '';
default_yes_no 'BALANCE_PROVIDERS' , $config{USE_DEFAULT_RT} ? 'Yes' : '';
if ( supplied( $val = $config{USE_DEFAULT_RT} ) ) {
if ( lc( $val ) eq 'exact' ) {
$config{USE_DEFAULT_RT} = 'exact';
} else {
default_yes_no 'USE_DEFAULT_RT' , '';
}
} else {
default_yes_no 'USE_DEFAULT_RT' , '';
}
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) { unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
default_yes_no( 'NULL_ROUTE_RFC1918', '' ); default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6311,6 +6318,8 @@ sub get_configuration( $$$$ ) {
$config{ACCOUNTING_TABLE} = 'filter'; $config{ACCOUNTING_TABLE} = 'filter';
} }
my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) { if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) { if ( $val =~ /^ipset/ ) {
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 ); my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6351,6 +6360,9 @@ sub get_configuration( $$$$ ) {
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' ); require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
$variables{SW_DBL_IPSET} = $set;
$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
} else { } else {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
} }
@@ -6358,6 +6370,8 @@ sub get_configuration( $$$$ ) {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
} }
add_variables( %variables );
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
@@ -6625,11 +6639,12 @@ sub get_configuration( $$$$ ) {
default 'RESTOREFILE' , 'restore'; default 'RESTOREFILE' , 'restore';
default 'DROP_DEFAULT' , 'Drop'; default 'DROP_DEFAULT' , 'Drop';
default 'REJECT_DEFAULT' , 'Reject'; default 'REJECT_DEFAULT' , 'Reject';
default 'BLACKLIST_DEFAULT' , 'Drop';
default 'QUEUE_DEFAULT' , 'none'; default 'QUEUE_DEFAULT' , 'none';
default 'NFQUEUE_DEFAULT' , 'none'; default 'NFQUEUE_DEFAULT' , 'none';
default 'ACCEPT_DEFAULT' , 'none'; default 'ACCEPT_DEFAULT' , 'none';
for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) { for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none'; $config{$default} = 'none' if "\L$config{$default}" eq 'none';
} }
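Review bot: The new REQUIRE handler's second message has mismatched brackets, `fatal_error "Unknown capability ($expression}"`; it should read `fatal_error "Unknown capability ($expression)"`. The same line tests `$capabilities{$expression}` by value, so if absent capabilities are stored as false values (the evaluate_expression hunk above checks knownness with `exists $capdesc{$var}` and only then calls have_capability), a known but missing capability would be reported as unknown instead of reaching require_capability and its specific message; `exists $capdesc{$expression}` would keep the two paths consistent. `$expression` comes from `(.*)$`, so trailing whitespace on a `?REQUIRE` line would also defeat the hash lookup unless the line has already been chomped, which the hunk does not show. process_compiler_directive starts and ends outside the hunk.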


@@ -523,7 +523,7 @@ sub process_a_provider( $ ) {
( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0); ( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
} else { } else {
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )= ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0); ( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
} }
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
@@ -603,6 +603,7 @@ sub process_a_provider( $ ) {
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)}; fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
unless ( $pseudo ) {
if ( $local ) { if ( $local ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted'; fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'local'" if $track; fatal_error "'track' not valid with 'local'" if $track;
@@ -633,8 +634,7 @@ sub process_a_provider( $ ) {
} }
} }
} }
}
my $val = 0; my $val = 0;
my $pref; my $pref;
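Review bot: The new `unless ( $pseudo ) {` guard wraps about thirty lines of validation (its closing `}` is in the third hunk) without saying why pseudo providers are exempt from the `local`/`track`/gateway checks; a one-line comment above it such as `# The checks below do not apply to pseudo providers` with the reason would help whoever next touches this. In the first hunk `$config{BALANCE_PROVIDERS} ? 1 : 0` relies on the option having been normalised by default_yes_no before process_a_provider runs, which the get_configuration hunk in Config.pm shows; a comment is worthwhile only if that ordering is not obvious elsewhere. process_a_provider starts and ends outside these hunks.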


@@ -233,6 +233,7 @@ use constant { INLINE_OPT => 1 ,
TERMINATING_OPT => 256 , TERMINATING_OPT => 256 ,
AUDIT_OPT => 512 , AUDIT_OPT => 512 ,
LOGJUMP_OPT => 1024 , LOGJUMP_OPT => 1024 ,
SECTION_OPT => 2048 ,
}; };
our %options = ( inline => INLINE_OPT , our %options = ( inline => INLINE_OPT ,
@@ -246,6 +247,7 @@ our %options = ( inline => INLINE_OPT ,
terminating => TERMINATING_OPT , terminating => TERMINATING_OPT ,
audit => AUDIT_OPT , audit => AUDIT_OPT ,
logjump => LOGJUMP_OPT , logjump => LOGJUMP_OPT ,
section => SECTION_OPT ,
); );
our %reject_options; our %reject_options;
@@ -311,6 +313,7 @@ sub initialize( $ ) {
# #
%default_actions = ( DROP => 'none' , %default_actions = ( DROP => 'none' ,
REJECT => 'none' , REJECT => 'none' ,
BLACKLIST => 'none' ,
ACCEPT => 'none' , ACCEPT => 'none' ,
QUEUE => 'none' , QUEUE => 'none' ,
NFQUEUE => 'none' , NFQUEUE => 'none' ,
@@ -679,6 +682,8 @@ sub process_a_policy1($$$$$$$) {
if $clientwild || $serverwild; if $clientwild || $serverwild;
fatal_error "NONE policy not allowed to/from firewall zone" fatal_error "NONE policy not allowed to/from firewall zone"
if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL ); if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
} elsif ( $policy eq 'BLACKLIST' ) {
fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
} }
unless ( $clientwild || $serverwild ) { unless ( $clientwild || $serverwild ) {
@@ -819,6 +824,7 @@ sub process_policies()
REJECT => undef, REJECT => undef,
DROP => undef, DROP => undef,
CONTINUE => undef, CONTINUE => undef,
BLACKLIST => undef,
QUEUE => undef, QUEUE => undef,
NFQUEUE => undef, NFQUEUE => undef,
NONE => undef NONE => undef
@@ -826,6 +832,7 @@ sub process_policies()
our %map = ( DROP_DEFAULT => 'DROP' , our %map = ( DROP_DEFAULT => 'DROP' ,
REJECT_DEFAULT => 'REJECT' , REJECT_DEFAULT => 'REJECT' ,
BLACKLIST_DEFAULT => 'BLACKLIST' ,
ACCEPT_DEFAULT => 'ACCEPT' , ACCEPT_DEFAULT => 'ACCEPT' ,
QUEUE_DEFAULT => 'QUEUE' , QUEUE_DEFAULT => 'QUEUE' ,
NFQUEUE_DEFAULT => 'NFQUEUE' ); NFQUEUE_DEFAULT => 'NFQUEUE' );
@@ -834,7 +841,7 @@ sub process_policies()
my $firewall = firewall_zone; my $firewall = firewall_zone;
our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' ); our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) { for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
my $action = $config{$option}; my $action = $config{$option};
unless ( $action eq 'none' ) { unless ( $action eq 'none' ) {
@@ -951,7 +958,20 @@ sub add_policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
if ( $target eq 'BLACKLIST' ) {
my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
if ( my $timeout = $globals{DBL_TIMEOUT} ) {
add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
} else {
add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
}
$target = 'DROP';
} else {
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit}; add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
}
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE'; add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
} }
} }
@@ -2718,7 +2738,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
# #
# Determine the validity of the action # Determine the validity of the action
# #
$actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) ); $actiontype = $targets{$basictarget} || find_macro( $basictarget );
if ( $config{ MAPOLDACTIONS } ) { if ( $config{ MAPOLDACTIONS } ) {
( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param; ( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -3126,6 +3146,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
my $actionchain; # Name of the action chain my $actionchain; # Name of the action chain
if ( $actiontype & ACTION ) { if ( $actiontype & ACTION ) {
#
# Handle 'section' option
#
$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
# #
# Create the action:level:tag:param tuple. # Create the action:level:tag:param tuple.
# #
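Review bot: The BLACKLIST branch added to add_policy_rules re-parses `$config{DYNAMIC_BLACKLIST}` with `split( ':', ... )` and uses the second field as the set name, so if the set name may be omitted in that option (the get_configuration hunk derives a separate `$set` and publishes it as SW_DBL_IPSET), `--add-set $dbl_ipset src` would be emitted with an empty name; storing the resolved set name in `%globals` next to DBL_TIMEOUT (a `DBL_IPSET` entry, name constructed here) and reading it in both places would keep the policy and action.BLACKLIST paths in agreement. The branch then forces `$target = 'DROP'`, whereas the removed macro.blacklist honoured `$BLACKLIST_DISPOSITION`; if BLACKLIST policies are meant to follow that setting too, a comment saying why DROP is fixed here would stop the question recurring. `$dbl_type`, `$dbl_level` and `$dbl_tag` are assigned but never used in the hunk; `( undef, my $dbl_ipset ) = split( ':', $config{DYNAMIC_BLACKLIST} );` avoids the dead variables. add_policy_rules starts and ends outside the hunk.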


@@ -108,6 +108,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -140,6 +141,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -240,7 +243,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No
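Review bot: The samples pin `BALANCE_PROVIDERS=No` while the new manpage text on this page (L953-L962) says an unset or empty BALANCE_PROVIDERS takes the value of USE_DEFAULT_RT, which these same hunks switch to `Yes`; an upgraded shorewall.conf that lacks the new key therefore gets balance assumed, while a fresh install from a sample does not. If that difference is intended, a comment on the sample line would save support questions, e.g. `BALANCE_PROVIDERS=No   # unset/empty defaults to the USE_DEFAULT_RT value`. The shipped `BLACKLIST_DEFAULT="Drop"` also has no description yet in the manpage entry added here (the <para/> at L934 and L1181 is empty). The same hunks appear in the sections ending at L759, L778, L797, L836, L1020, L1039, L1058, L1077 and L1092.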


@@ -119,6 +119,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -151,6 +152,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -251,7 +254,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -116,6 +116,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -148,6 +149,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -248,7 +251,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -119,6 +119,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -151,6 +152,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -251,7 +254,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -9,8 +9,6 @@
# Builtin Actions are: # Builtin Actions are:
# #
?if 0 ?if 0
A_ACCEPT # Audits then accepts a connection request
A_DROP # Audits then drops a connection request
allowBcast # Silently Allow Broadcast/multicast allowBcast # Silently Allow Broadcast/multicast
dropBcast # Silently Drop Broadcast/multicast dropBcast # Silently Drop Broadcast/multicast
dropNotSyn # Silently Drop Non-syn TCP packets dropNotSyn # Silently Drop Non-syn TCP packets
@@ -28,6 +26,7 @@ A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump,section # Add sender to the dynamic blacklist
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
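Review bot: The new `BLACKLIST logjump,section` entry's comment does not mention that the action only works with ipset-based dynamic blacklisting, which the manpage text added in this series (L896-L901) states as a requirement, so a reader of actions.std has no hint that DYNAMIC_BLACKLIST must be set accordingly. Suggest `BLACKLIST logjump,section # Add sender to the dynamic blacklist (requires ipset-based DYNAMIC_BLACKLIST)`. Whether action.BLACKLIST itself enforces this with a ?REQUIRE directive is not visible here.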


@@ -108,6 +108,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=Drop
DROP_DEFAULT=Drop DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
@@ -140,6 +141,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -240,7 +243,7 @@ TRACK_PROVIDERS=No
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -443,6 +443,7 @@ compiler() {
fi fi
options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}" options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
[ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}" [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
[ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
[ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
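Review bot: The new `--log=$STARTUP_LOG` is appended to the whitespace-separated `options` string, so a STARTUP_LOG path containing spaces or glob characters is presumably split or expanded when `$options` is later handed to the compiler. The existing `--config_path` and `--shorewallrc` entries share this limitation, so this is consistent with the surrounding code rather than a regression, but it is worth a comment on the line, e.g. `# values placed in $options must not contain whitespace (the string is word-split on use)`. The compiler() function starts and ends outside the hunk, so how `$options` is consumed is not visible here.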


@@ -191,6 +191,25 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>section</option></term>
<listitem>
<para>Added in Shorewall 5.1.1. When specified, this option
causes the rules file section name and a comma to be prepended
to the parameters passed to the action (if any). Note that
this means that the first parameter passed to the action by
the user is actually the second parameter to the action. If
the action is invoked out of the blrules file, 'BLACKLIST' is
used as the section name.</para>
<para>Given that neither the <filename>snat</filename> nor the
<filename>mangle</filename> file is sectioned, this parameter
has no effect when <option>mangle</option> or
<option>nat</option> is specified. </para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term> <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
@@ -205,9 +224,9 @@
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. When used with <para>Added in Shorewall 4.6.4. When used with
<replaceable>builtin</replaceable>, indicates that the <option>builtin</option>, indicates that the built-in action
built-in action is termiating (i.e., if the action is jumped is termiating (i.e., if the action is jumped to, the next rule
to, the next rule in the chain is not evaluated).</para> in the chain is not evaluated).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@@ -115,6 +115,7 @@
role="bold">ACCEPT</emphasis>|<emphasis role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|<emphasis role="bold">REJECT</emphasis>|<emphasis
role="bold">BLACKLIST</emphasis>|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis role="bold">CONTINUE</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -177,6 +178,19 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>Added in Shorewall 5.1.1 and requires that the
DYNAMIC_BLACKLIST setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
specifies ipset-based dynamic blacklisting. The SOURCE IP
address is added to the blacklist ipset and the connection
request is ignored.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term> <term><emphasis role="bold">QUEUE</emphasis></term>


@@ -209,13 +209,15 @@
where <replaceable>weight</replaceable> is the weight of the where <replaceable>weight</replaceable> is the weight of the
route out of this interface.</para> route out of this interface.</para>
<para>The setting <option>balance=1</option> is the default <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
when USE_DEFAULT_RT=Yes in and neither <option>balance=1</option> is assumed unless the
<option>balance</option>[=], <option>primary</option>, <option>fallback</option>, <option>loose</option>,
<option>fallback</option>, <option>loose</option> nor <option>load</option> or <option>tproxy</option> option is
<option>tproxy</option> is specified. To suppress this specified. Beginning with Shorewall 5.1.1, when
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
later).</para> unless the <option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -117,6 +117,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
role="bold">none</emphasis>}</term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -176,6 +186,9 @@
<member>REJECT_DEFAULT="Reject"</member> <member>REJECT_DEFAULT="Reject"</member>
<member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
5.1.1)</member>
<member>ACCEPT_DEFAULT="none"</member> <member>ACCEPT_DEFAULT="none"</member>
<member>QUEUE_DEFAULT="none"</member> <member>QUEUE_DEFAULT="none"</member>
@@ -443,6 +456,24 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the <option>balance</option> provider option (see
<ulink
url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
the default. When BALANCE_PROVIDERS=Yes, then the
<option>balance</option> option is assumed unless the
<option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified. If this option is not set or is set to the empty value,
then the default value is the value of USE_DEFAULT_RT.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2307,10 +2338,9 @@ INLINE - - - ;; -j REJECT
<para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a <para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact) when default table (USE_DEFAULT_RT=Yes) when there are no balance
there are no balance providers available. In that case, providers available. In that case, RESTORE_DEFAULT_ROUTE=No will
RESTORE_DEFAULT_ROUTE=No will cause any default route in the cause any default route in the relevant table to be deleted.</para>
relevant table to be deleted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2806,8 +2836,7 @@ INLINE - - - ;; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
role="bold">No|Exact</emphasis>]</term>
<listitem> <listitem>
<para>When set to 'Yes', this option causes the Shorewall multi-ISP <para>When set to 'Yes', this option causes the Shorewall multi-ISP
@@ -2818,8 +2847,7 @@ INLINE - - - ;; -j REJECT
the Shorewall-generated routing rules. So changes to the main table the Shorewall-generated routing rules. So changes to the main table
will affect the routing of packets by default.</para> will affect the routing of packets by default.</para>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall <para>When USE_DEFAULT_RT=Yes:</para>
5.1.1 or later):</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@@ -2834,11 +2862,12 @@ INLINE - - - ;; -j REJECT
</listitem> </listitem>
<listitem> <listitem>
<para>The <emphasis role="bold">balance</emphasis> provider <para>If running Shorewall 5.1.0 or earlier or if
option is assumed unless <emphasis role="bold">loose</emphasis>, BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
<option>fallback</option>,<option> load=</option> or <emphasis role="bold">balance</emphasis> provider option is
<option>tproxy</option> is specified for the provider or unless assumed unless the <option>fallback</option>,
USE_DEFAULT_RT=Exact.</para> <option>loose</option>, <option>load</option> or
<option>tproxy</option> option is specified.</para>
</listitem> </listitem>
<listitem> <listitem>


@@ -105,6 +105,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,7 +214,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -106,6 +106,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -134,6 +135,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -212,7 +215,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -105,6 +105,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,7 +214,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -105,6 +105,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop" DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,7 +214,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@@ -105,6 +105,7 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=Drop
DROP_DEFAULT=Drop DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"


@@ -192,6 +192,25 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>section</option></term>
<listitem>
<para>Added in Shorewall 5.1.1. When specified, this option
causes the rules file section name and a comma to be prepended
to the parameters passed to the action (if any). Note that
this means that the first parameter passed to the action by
the user is actually the second parameter to the action. If
the action is invoked out of the blrules file, 'BLACKLIST' is
used as the section name.</para>
<para>Given that neither the <filename>snat</filename> nor the
<filename>mangle</filename> file is sectioned, this parameter
has no effect when <option>mangle</option> or
<option>nat</option> is specified.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term> <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
@@ -206,9 +225,9 @@
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. When used with <para>Added in Shorewall 4.6.4. When used with
<replaceable>builtin</replaceable>, indicates that the <option>builtin</option>, indicates that the built-in action
built-in action is termiating (i.e., if the action is jumped is termiating (i.e., if the action is jumped to, the next rule
to, the next rule in the chain is not evaluated).</para> in the chain is not evaluated).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@@ -114,7 +114,7 @@
<term><emphasis role="bold">POLICY</emphasis> - {<emphasis <term><emphasis role="bold">POLICY</emphasis> - {<emphasis
role="bold">ACCEPT</emphasis>|<emphasis role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|<emphasis role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis role="bold">CONTINUE</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -177,6 +177,19 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>Added in Shorewall 5.1.1 and requires that the
DYNAMIC_BLACKLIST setting in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)
specifies ipset-based dynamic blacklisting. The SOURCE IP
address is added to the blacklist ipset and the connection
request is ignored.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term> <term><emphasis role="bold">QUEUE</emphasis></term>


@@ -174,13 +174,15 @@
route out of this interface. Prior to Shorewall 5.0.13, only route out of this interface. Prior to Shorewall 5.0.13, only
one provider can specify this option.</para> one provider can specify this option.</para>
<para>The setting <option>balance=1</option> is the default <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
when USE_DEFAULT_RT=Yes in and neither <option>balance=1</option> is assumed unless the
<option>balance</option>[=], <option>primary</option>, <option>fallback</option>, <option>loose</option>,
<option>fallback</option>[=], <option>loose</option> nor <option>load</option> or <option>tproxy</option> option is
<option>tproxy</option> is specified. To suppress this specified. Beginning with Shorewall 5.1.1, when
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
later).</para> unless the <option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -103,6 +103,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
role="bold">none</emphasis>}</term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -164,6 +174,9 @@
<member>REJECT_DEFAULT="Reject"</member> <member>REJECT_DEFAULT="Reject"</member>
<member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
5.1.1)</member>
<member>ACCEPT_DEFAULT="none"</member> <member>ACCEPT_DEFAULT="none"</member>
<member>QUEUE_DEFAULT="none"</member> <member>QUEUE_DEFAULT="none"</member>
@@ -374,6 +387,24 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the <option>balance</option> provider option (see
<ulink
url="shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
the default. When BALANCE_PROVIDERS=Yes, then the
<option>balance</option> option is assumed unless the
<option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified. If this option is not set or is set to the empty value,
then the default value is the value of USE_DEFAULT_RT.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2448,8 +2479,7 @@ INLINE - - - ;; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
role="bold">No</emphasis>|Exact]</term>
<listitem> <listitem>
<para>Added in Shorewall6 4.4.25. When set to 'Yes', this option <para>Added in Shorewall6 4.4.25. When set to 'Yes', this option
@@ -2461,8 +2491,7 @@ INLINE - - - ;; -j REJECT
changes to the main table will affect the routing of packets by changes to the main table will affect the routing of packets by
default.</para> default.</para>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall <para>When USE_DEFAULT_RT=Yes:</para>
5.1.1 or later):</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@@ -2477,11 +2506,12 @@ INLINE - - - ;; -j REJECT
</listitem> </listitem>
<listitem> <listitem>
<para>The <emphasis role="bold">balance</emphasis> provider <para>If running Shorewall 5.1.0 or earlier or if
option is assumed unless <emphasis role="bold">loose</emphasis>, BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
<option>fallback</option>,<option> load=</option> or <emphasis role="bold">balance</emphasis> provider option is
<option>tproxy</option> is specified for the provider or unless assumed unless the <option>fallback</option>,
USE_DEFAULT_RT=Exact.</para> <option>loose</option>, <option>load</option> or
<option>tproxy</option> option is specified.</para>
</listitem> </listitem>
<listitem> <listitem>


@@ -219,16 +219,14 @@
<para>The behavior and configuration of Multiple ISP support is <para>The behavior and configuration of Multiple ISP support is
dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para> dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall 5.1.1 <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
and later), packets are first routed through the main routing table routing table <emphasis>which does not contain a default
<emphasis>which does not contain a default route</emphasis>. Packets route</emphasis>. Packets which fail to be routed by an entry in the
which fail to be routed by an entry in the main table are then passed to main table are then passed to shorewall-defined routing tables based on
shorewall-defined routing tables based on your Multi-ISP configuration. your Multi-ISP configuration. The advantage of this approach is that
The advantage of this approach is that dynamic changes to the ip dynamic changes to the ip configuration, such as VPNs going up and down,
configuration, such as VPNs going up and down, do not require do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
notificaiton of Shorewall. USE_DEFAULT_RT=No (USE_DEFAULT_RT=Exact in default and use of USE_DEFAULT_RT=No is deprecated.</para>
Shorewall 5.1.1 and later) is now the default and use of
USE_DEFAULT_RT=No is deprecated.</para>
<para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
routing tables. As a consequence, the main routing table must be copied routing tables. As a consequence, the main routing table must be copied
@@ -321,10 +319,9 @@
<para>Gives the name or number of a routing table to duplicate. <para>Gives the name or number of a routing table to duplicate.
May be 'main' or the name or number of a previously declared May be 'main' or the name or number of a previously declared
provider. This field should be be specified as '-' when provider. This field should be be specified as '-' when
USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact in USE_DEFAULT_RT=Yes in <filename>shorewall.conf. When
<filename>shorewall.conf. When USE_DEFAULT_RT=No (not USE_DEFAULT_RT=No (not recommended), this column is normally
recommended), this column is normally specified as specified as <option>main</option>.</filename></para>
<option>main</option>.</filename></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -487,6 +484,18 @@ fi</programlisting>
url="FAQ.htm#faq58">FAQ 58</ulink>.</para> url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
</note></para> </note></para>
</important> </important>
<para>Prior to Shorewall 5.1.1, <emphasis
role="bold">balance=1</emphasis> is the default when
USE_DEFAULT_RT=Yes and neither the
<option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified. Beginning with Shorewall 5.1.1, <emphasis
role="bold">balance=1</emphasis> is the default when both
USE_DEFAULT_RT=Yes and BALANCE_PROVIDERS=Yes and neither the
<option>fallback</option>, <option>loose</option>,
<option>load</option> nor <option>tproxy</option> option is
specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -698,8 +707,7 @@ fi</programlisting>
interfaces should be routed through the main table using entries in interfaces should be routed through the main table using entries in
<filename>/etc/shorewall/rtrules</filename> (see Example 2 <link <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
linkend="Examples">below</link>) or by using <link linkend="Examples">below</link>) or by using <link
linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes or linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>
USE_DEFAULT_RT=Exact</link> (recommended)</para>
<para>In addition:</para> <para>In addition:</para>
@@ -911,8 +919,8 @@ DROP:info net:192.168.1.0/24 all</programlisting>
<title id="Example">Legacy Example</title> <title id="Example">Legacy Example</title>
<para>This section describes the legacy method of configuring multiple <para>This section describes the legacy method of configuring multiple
uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes or uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes
USE_DEFAULT_RT=Exact configuration described <link configuration described <link
linkend="USE_DEFAULT_RT">below</link>.</para> linkend="USE_DEFAULT_RT">below</link>.</para>
<para>The configuration in the figure at the top of this section would <para>The configuration in the figure at the top of this section would
@@ -944,8 +952,7 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
</section> </section>
<section id="Example2"> <section id="Example2">
<title id="Example99">Example using USE_DEFAULT_RT=Yes or <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
USE_DEFAULT_RT=Exact</title>
<para>This section shows the differences in configuring the above <para>This section shows the differences in configuring the above
example with USE_DEFAULT_RT=Yes. The changes are confined to the example with USE_DEFAULT_RT=Yes. The changes are confined to the
@@ -1219,12 +1226,12 @@ gateway:~ #</programlisting>
VPN clients (including but not limited to OpenVPN in routed mode and VPN clients (including but not limited to OpenVPN in routed mode and
PPTP), the VPN software adds a host route to the <emphasis PPTP), the VPN software adds a host route to the <emphasis
role="bold">main</emphasis> table for each VPN client. The best role="bold">main</emphasis> table for each VPN client. The best
approach is to use USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact as approach is to use USE_DEFAULT_RT=Yes as described <link
described <link linkend="USE_DEFAULT_RT">below</link>. If that isn't linkend="USE_DEFAULT_RT">below</link>. If that isn't possible, you
possible, you must add a routing rule in the 1000-1999 range to must add a routing rule in the 1000-1999 range to specify the
specify the <emphasis role="bold">main</emphasis> table for traffic <emphasis role="bold">main</emphasis> table for traffic addressed to
addressed to those clients. See<link linkend="Openvpn"> Example those clients. See<link linkend="Openvpn"> Example 2</link>
2</link> below.</para> below.</para>
<para>If you have an IPSEC gateway on your firewall, be sure to <para>If you have an IPSEC gateway on your firewall, be sure to
arrange for ESP packets to be routed out of the same interface that arrange for ESP packets to be routed out of the same interface that
@@ -1794,9 +1801,9 @@ lillycat: #</programlisting>
route rules such as described in <link linkend="Openvpn">one of the route rules such as described in <link linkend="Openvpn">one of the
examples above</link> necessary.</para> examples above</link> necessary.</para>
<para>USE_DEFAULT_RT=Yes and USE_DEFAULT_RT=Exact work around that <para>USE_DEFAULT_RT=Yes works around that problem by passing packets
problem by passing packets through the main table first rather than through the main table first rather than last. This has a number of
last. This has a number of implications:</para> implications:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@@ -1807,12 +1814,9 @@ lillycat: #</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>When USE_DEFAULT_RT=Yes, the <emphasis <para>The <emphasis role="bold">balance</emphasis> option is assumed
role="bold">balance</emphasis> option is assumed for all interfaces for all interfaces that do not have the <emphasis
that do not have the <emphasis role="bold">loose</emphasis>, role="bold">loose</emphasis> option. When you want both <emphasis
<emphasis role="bold">primary</emphasis>, <emphasis
role="bold">fallback</emphasis> or <emphasis
role="bold">tproxy</emphasis> option. When you want both <emphasis
role="bold">balance</emphasis> and <emphasis role="bold">balance</emphasis> and <emphasis
role="bold">loose</emphasis>, both must be specified.</para> role="bold">loose</emphasis>, both must be specified.</para>
</listitem> </listitem>
@@ -1906,9 +1910,8 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
<section> <section>
<title>DHCP with USE_DEFAULT_RT</title> <title>DHCP with USE_DEFAULT_RT</title>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact, you don't want <para>When USE_DEFAULT_RT=Yes, you don't want your DHCP client
your DHCP client inserting a default route into the main routing inserting a default route into the main routing table.</para>
table.</para>
<section> <section>
<title>Debian</title> <title>Debian</title>


@@ -109,7 +109,7 @@ DROP net:200.55.14.18 all
</section> </section>
<section> <section>
<title>Dynamic Blacklisting</title> <title>Chain-based Dynamic Blacklisting</title>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>. setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
@@ -176,4 +176,103 @@ DROP net:200.55.14.18 all
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section>
<title>Ipset-based Dynamic Blacklisting</title>
<para>Beginning with Shorewall 5.0.8, it is possible to use an ipset to
hold blacklisted addresses. The DYNAMIC_BLACKLIST option was expanded
to:</para>
<para><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>||<emphasis
role="bold">ipset</emphasis>[<emphasis
role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</para>
<para>When <option>ipset</option> or <option>ipset-only</option> is
specified, the <command>shorewall blacklist</command> command is used to
blacklist a single host or a network. The <command>allow</command> command
is used to remove entries from the ipset. The name of the set
(<replaceable>setname</replaceable>) and the level
(<replaceable>log_level</replaceable>), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name is
SW_DBL4 and the default log level is <option>none</option> (no logging).
If <option>ipset-only</option> is given, then chain-based dynamic
blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
specified.</para>
<para>Possible <replaceable>option</replaceable>s are:</para>
<variablelist>
<varlistentry>
<term>src-dst</term>
<listitem>
<para>Normally, only packets whose source address matches an entry
in the ipset are dropped. If <option>src-dst</option> is included,
then packets whose destination address matches an entry in the ipset
are also dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>disconnect</option></term>
<listitem>
<para>The <option>disconnect</option> option was added in Shorewall
5.0.13 and requires that the conntrack utility be installed on the
firewall system. When an address is blacklisted using the
<command>blacklist</command> command, all connections originating
from that address are disconnected. if the <option>src-dst</option>
option was also specified, then all connections to that address are
also disconnected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>timeout</option>=<replaceable>seconds</replaceable></term>
<listitem>
<para>Added in Shorewall 5.0.13. Normally, Shorewall creates the
dynamic blacklisting ipset with timeout 0 which means that entries
are permanent. If you want entries in the set that are not accessed
for a period of time to be deleted from the set, you may specify
that period using this option. Note that the
<command>blacklist</command> command can override the ipset's
timeout setting.</para>
<important>
<para>Once the dynamic blacklisting ipset has been created,
changing this option setting requires a complete restart of the
firewall; <command>shorewall restart</command> if RESTART=restart,
otherwise <command>shorewall stop &amp;&amp; shorewall
start</command></para>
</important>
</listitem>
</varlistentry>
</variablelist>
<para>When ipset-based dynamic blacklisting is enabled, the contents of
the blacklist will be preserved over
<command>stop</command>/<command>reboot</command>/<command>start</command>
sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
<replaceable>setname</replaceable> is included in the list of sets to be
saved in SAVE_IPSETS.</para>
</section>
<section>
<title>BLACKLIST Policy and Action</title>
<para>Beginning with Shorewall 5.1.1, it is possible to specify BLACKLIST
in the POLICY column of <ulink
url="manpages/shorewall-policies.html">shorewall-policies</ulink>(5) when
ipset-based dynamic blacklisting is being used. When a packet is disposed
of via the BLACKLIST policy, the packet's sender is added to the dynamic
blacklist ipset and the packet is dropped.</para>
<para>Also available beginning with Shorewall 5.1.1 is a BLACKLIST action
for use in the rules file, macros and filter table actions. Execute the
<command>shorewall show action BLACKLIST</command> command for
details.</para>
</section>
</article> </article>


@@ -1992,6 +1992,14 @@ SSH(ACCEPT) net:$MYIP $FW
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>@action(@{action})</term>
<listitem>
<para>Expands to the name of the action being compiled.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>@disposition (@{disposition})</term> <term>@disposition (@{disposition})</term>