Correct 'show macros'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -78,6 +78,29 @@ showchain() # $1 = name of chain
     fi
 }
 
+#
+# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
+#
+
+iptablesbug()
+{
+    if [ $g_family -eq 4 ]; then
+	if qt mywhich awk ; then
+	    awk 'BEGIN           { sline=""; };\
+             /^-[jg]/            { print sline $0; next };\
+             /-m policy.*-[jg] / { print $0; next };\
+             /-m policy/         { sline=$0; next };\
+             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
+                                 { print ; sline="" }'
+        else
+	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
+	    cat
+	fi
+    else
+	cat
+    fi
+}
+
 #
 # Validate the value of RESTOREFILE
 #
@@ -1127,11 +1150,6 @@ show_macros() {
     done
 }
 
-show_an_action() {
-    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
-    cat ${directory}/action.$1
-}
-
 show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
@@ -1440,35 +1458,12 @@ show_command() {
 		    ;;
 	    	*)
 		    case $1 in
-			action)
-			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
-			    [ $# -gt 2 ] && too_many_arguments $2
-
-			    for directory in $(split $CONFIG_PATH); do
-				if [ -f ${directory}/action.$2 ]; then
-				    eval show_an_action $2 $g_pager
-				    return
-				fi
-			    done
-
-			    case $2 in
-				allowBcast|dropBcast|dropNotSyn|rejNotSyn|allowinUPnp|forwardUPnP|Limit)
-				    echo "   WARNING: $2 is a built-in action" >&2
-				    ;;
-				*)
-				    echo "   WARNING: Action $2 not found" >&2
-				    ;;
-			    esac
-
-			    return
-			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
-			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -4296,7 +4291,6 @@ usage() # $1 = exit status
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     ecko "   [ show | list | ls ] actions"
-    ecko "   [ show | list | ls ] action <action>"
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"

Shorewall-core/manpages/shorewall.xml

@@ -685,31 +685,6 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg>options</arg>
-
-      <arg choice="req"><option>show | list | ls </option></arg>
-
-      <arg><option>-f</option></arg>
-
-      <arg choice="plain"><option>{actions|macros}</option></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="req"><option>show | list | ls </option></arg>
-
-      <arg choice="plain"><option>action</option><arg
-      choice="plain"><replaceable>action</replaceable></arg></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -720,7 +695,7 @@
       <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
+      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -2440,23 +2415,12 @@
           arguments:</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">action
-              <replaceable>action</replaceable></emphasis></term>
-
-              <listitem>
-                <para>Lists the named action file. Available on Shorewall and
-                Shorewall6 only.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">actions</emphasis></term>
 
               <listitem>
                 <para>Produces a report about the available actions (built-in,
-                standard and user-defined). Available on Shorewall and
+                standard and user-defined).</para>
-                Shorewall6 only.</para>
               </listitem>
             </varlistentry>
 

Shorewall/Actions/action.A_Drop

@@ -12,7 +12,6 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
-?require AUDIT_TARGET
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #

Shorewall/Actions/action.A_REJECT

@@ -22,9 +22,8 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
-?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.A_REJECT!

@@ -22,9 +22,8 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
-?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.BLACKLIST

@@ -1,50 +0,0 @@
-#
-# Shorewall - /usr/share/shorewall/action.BLACKLIST
-#
-# This action:
-#
-#   - Adds the sender to the dynamic blacklist ipset
-#   - Optionally acts on the packet (default is DROP)
-#
-# Parameters:
-#
-# 1 - Action to take after adding the packet. Default is DROP.
-#     Pass -- if you don't want to take any action.
-# 2 - Timeout for ipset entry. Default is the timeout specified in
-#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
-#
-###############################################################################
-# Note -- This action is defined with the 'section' option, so the first
-#         parameter is always the section name. That means that in the
-#         following text, the first parameter passed in the rule is actually
-#         @2.
-###############################################################################
-?if $1 eq 'BLACKLIST'
-   ?if $BLACKLIST_LOGLEVEL
-       blacklog
-   ?else
-       $BLACKLIST_DISPOSITION
-   ?endif
-?else
-   ?if ! "$SW_DBL_IPSET"
-   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
-   ?endif
-
-   DEFAULTS -,DROP,-
-   #
-   # Add to the blacklist
-   #
-   ?if passed(@3)
-       ADD($SW_DBL_IPSET:src:@3)
-   ?elsif $SW_DBL_TIMEOUT
-       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
-   ?else
-       ADD($SW_DBL_IPSET:src)
-   ?endif
-   #
-   # Dispose of the packet if asked
-   #
-   ?if passed(@2)
-      @2
-   ?endif
-?endif

Shorewall/Actions/action.Drop

@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.

Shorewall/Actions/action.Reject

@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.

Shorewall/Macros/macro.BLACKLIST

@@ -0,0 +1,13 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.blacklist
+#
+# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?if $BLACKLIST_LOGLEVEL
+blacklog
+?else
+$BLACKLIST_DISPOSITION
+?endif

Shorewall/Macros/macro.Drop

@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Drop
+#
+# This macro generates the same rules as the Drop default action
+# It is used in place of action.Drop when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Drop	net	all
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' DROP
+#
+DROP	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+DROP	-	-	udp	135,445
+DROP	-	-	udp	137:139
+DROP	-	-	udp	1024:	137
+DROP	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53

Shorewall/Macros/macro.Reject

@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Reject
+#
+# This macro generates the same rules as the Reject default action
+# It is used in place of action.Reject when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Reject	loc	fw
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' REJECT
+#
+REJECT	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+REJECT	-	-	udp	135,445
+REJECT	-	-	udp	137:139
+REJECT	-	-	udp	1024:	137
+REJECT	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53

Shorewall/Perl/Shorewall/Config.pm

@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.1-RC1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -816,7 +816,6 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
-	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -905,7 +904,6 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
-	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2712,13 +2710,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$$ ) {
+sub join_parts( $$$ ) {
-    my ( $first, $val, $rest, $just_expand ) = @_;
+    my ( $first, $val, $rest ) = @_;
 
     $val = '' unless defined $val;
-    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
+    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
-					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
     join( '', $first, $val, $rest );
 }
 
@@ -2771,7 +2769,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
 
-	$expression = join_parts( $first, $val, $rest, $just_expand );
+	$expression = join_parts( $first, $val, $rest );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
     }
 
@@ -2782,7 +2780,7 @@ sub evaluate_expression( $$$$ ) {
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest , $just_expand );
+	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
     }
@@ -2854,7 +2852,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -3042,12 +3040,6 @@ sub process_compiler_directive( $$$$ ) {
 			      $linenumber ) unless $omitting;
 	  } ,
 
-	  REQUIRE => sub() {
-	      fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-	      fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
-	      require_capability( $expression, "The $actparams{action} action", 's' );
-	  } ,
-
 	);
 
     if ( my $function = $directives{$keyword} ) {
@@ -3761,7 +3753,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -5287,13 +5279,6 @@ sub update_config_file( $ ) {
     }
 
     update_default( 'USE_DEFAULT_RT', 'No' );
-
-    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
-	update_default( 'BALANCE_PROVIDERS', 'No' );
-    } else {
-	update_default( 'BALANCE_PROVIDERS', 'Yes' );
-    }
-
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
     update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
@@ -6301,7 +6286,6 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
-    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6318,8 +6302,6 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
 
-    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
-
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6360,9 +6342,6 @@ sub get_configuration( $$$$ ) {
 
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
-	    $variables{SW_DBL_IPSET}   = $set;
-	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
-
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6370,8 +6349,6 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
-    add_variables( %variables );
-
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
     default_yes_no 'COMPLETE'                   , '';
@@ -6639,12 +6616,11 @@ sub get_configuration( $$$$ ) {
     default 'RESTOREFILE'           , 'restore';
     default 'DROP_DEFAULT'          , 'Drop';
     default 'REJECT_DEFAULT'        , 'Reject';
-    default 'BLACKLIST_DEFAULT'     , 'Drop';
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
 
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
     my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 
     if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
     } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
     }
 
     unless ( $options eq '-' ) {
@@ -603,37 +603,19 @@ sub process_a_provider( $ ) {
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
 
-    unless ( $pseudo ) {
+    if ( $local ) {
-	if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'local'"           if $track;
-	    fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	fatal_error "'persistent' is not valid with 'local"    if $persistent;
-	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
+    } elsif ( $tproxy ) {
-	} elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'tproxy'"          if $track;
-	    fatal_error "'track' not valid with 'tproxy'"          if $track;
+	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	$mark = $globals{TPROXY_MARK};
-	    $mark = $globals{TPROXY_MARK};
-	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
-	    if ( $config{USE_DEFAULT_RT} ) {
-		if ( $rf ) {
-		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
-		} else {
-		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
-		}
-	    } else {
-		unless ( $balance ) {
-		    if ( $rf ) {
-			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
-		    } else {
-			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
-		    }
-		}
-	    }
-	}
     }
 
     my $val = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -233,7 +233,6 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
-	       SECTION_OPT          => 2048 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -247,7 +246,6 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
-		 section     => SECTION_OPT ,
     );
 
 our %reject_options;
@@ -311,12 +309,11 @@ sub initialize( $ ) {
     # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
     # in the %config hash when shorewall[6].conf was processed.
     #
-    %default_actions  = ( DROP      => 'none' ,
+    %default_actions  = ( DROP     => 'none' ,
-		 	  REJECT    => 'none' ,
+		 	  REJECT   => 'none' ,
-			  BLACKLIST => 'none' ,
+			  ACCEPT   => 'none' ,
-			  ACCEPT    => 'none' ,
+			  QUEUE    => 'none' ,
-			  QUEUE     => 'none' ,
+			  NFQUEUE  => 'none' ,
-			  NFQUEUE   => 'none' ,
 			);
     #
     # These are set to 1 as sections are encountered.
@@ -682,8 +679,6 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
-    } elsif ( $policy eq 'BLACKLIST' ) {
-	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
     }
 
     unless ( $clientwild || $serverwild ) {
@@ -822,26 +817,24 @@ sub process_policies()
     our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
-			  DROP	 => undef,
+			  DROP   => undef,
 			  CONTINUE => undef,
-			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
 
-    our %map = ( DROP_DEFAULT      => 'DROP' ,
+    our %map = ( DROP_DEFAULT    => 'DROP' ,
-		 REJECT_DEFAULT    => 'REJECT' ,
+		 REJECT_DEFAULT  => 'REJECT' ,
-		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
+		 ACCEPT_DEFAULT  => 'ACCEPT' ,
-		 ACCEPT_DEFAULT    => 'ACCEPT' ,
+		 QUEUE_DEFAULT   => 'QUEUE' ,
-		 QUEUE_DEFAULT     => 'QUEUE' ,
+		 NFQUEUE_DEFAULT => 'NFQUEUE' );
-		 NFQUEUE_DEFAULT   => 'NFQUEUE' );
 
     my $zone;
     my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
 	my $action = $config{$option};
 
 	unless ( $action eq 'none' ) {
@@ -958,20 +951,7 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
-	if ( $target eq 'BLACKLIST' ) {
+	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
-	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
-
-	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
-		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
-	    } else {
-		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
-	    }
-
-	    $target = 'DROP';
-	} else {
-	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
-	}
-
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
     }
 }
@@ -2738,7 +2718,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Determine the validity of the action
     #
-    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
+    $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
 
     if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -3146,10 +3126,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
-	#
-	# Handle 'section' option
-	#
-	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#

Shorewall/Perl/Shorewall/Zones.pm

@@ -1275,7 +1275,6 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
-		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {

Shorewall/Perl/lib.runtime

@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=

Shorewall/Samples/Universal/shorewall.conf

@@ -108,7 +108,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -141,8 +140,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/one-interface/shorewall.conf

@@ -119,7 +119,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -152,8 +151,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -116,7 +116,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -149,8 +148,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -119,7 +119,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -152,8 +151,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/actions.std

@@ -9,43 +9,44 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcast			# Silently Allow Broadcast/multicast
+A_ACCEPT                        # Audits then accepts a connection request
-dropBcast			# Silently Drop Broadcast/multicast
+A_DROP                          # Audits then drops a connection request
-dropNotSyn			# Silently Drop Non-syn TCP packets
+allowBcast		        # Silently Allow Broadcast/multicast
-rejNotSyn			# Silently Reject Non-syn TCP packets
+dropBcast		        # Silently Drop Broadcast/multicast
-allowinUPnP			# Allow UPnP inbound (to firewall) traffic
+dropNotSyn		        # Silently Drop Non-syn TCP packets
-forwardUPnP			# Allow traffic that upnpd has redirected from 'upnp' interfaces.
+rejNotSyn		        # Silently Reject Non-syn TCP packets
-Limit				# Limit the rate of connections from each individual IP address
+allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
+forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit                           # Limit the rate of connections from each individual IP address
 ?endif
 ###############################################################################
 #ACTION
-A_Drop				# Audited Default Action for DROP policy
+A_Drop 		                # Audited Default Action for DROP policy
-A_REJECT     noinline,logjump	# Audits then rejects a connection request
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
-A_REJECT!    inline		# Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
-A_Reject			# Audited Default action for REJECT policy
+A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
+AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
-AutoBLL	     noinline		# Helper for AutoBL
+AutoBLL      noinline           # Helper for AutoBL
-BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
-Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
+DNSAmp                          # Matches one-question recursive DNS queries
-DNSAmp				# Matches one-question recursive DNS queries
+Drop		                # Default Action for DROP policy
-Drop				# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-DropSmurfs   noinline		# Drop smurf packets
+DropSmurfs   noinline           # Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED	#
+	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
-IfEvent	     noinline		# Perform an action based on an event
+IfEvent      noinline           # Perform an action based on an event
-Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-	     state=INVALID	#
+             state=INVALID      #
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject				# Default Action for REJECT policy
+Reject                          # Default Action for REJECT policy
-Related	     inline,\		# Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
-	     state=RELATED	#
+             state=RELATED      #
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit	# Handle packets with RST set
+RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags			# Handle bad flag combinations.
+TCPFlags    			# Handle bad flag combinations.
-Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED	#
+	     state=UNTRACKED    #

Shorewall/configfiles/shorewall.conf

@@ -108,7 +108,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
@@ -141,8 +140,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/lib.cli-std

@@ -443,21 +443,20 @@ compiler() {
     fi
 
     options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
-
+    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
-    [ -n "$shorewallrc1" ]     && options="$options --shorewallrc1=${shorewallrc1}"
+    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
-    [ -n "$STARTUP_LOG" ]      && options="$options --log=$STARTUP_LOG"
+    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
-    [ -n "$LOG_VERBOSITY" ]    && options="$options --log_verbosity=$LOG_VERBOSITY";
+    [ -n "$g_export" ] && options="$options --export"
-    [ -n "$g_export" ]         && options="$options --export"
+    [ -n "$g_shorewalldir" ] && options="$options --directory=$g_shorewalldir"
-    [ -n "$g_shorewalldir" ]   && options="$options --directory=$g_shorewalldir"
+    [ -n "$g_timestamp" ] && options="$options --timestamp"
-    [ -n "$g_timestamp" ]      && options="$options --timestamp"
+    [ -n "$g_test" ] && options="$options --test"
-    [ -n "$g_test" ]           && options="$options --test"
+    [ -n "$g_preview" ] && options="$options --preview"
-    [ -n "$g_preview" ]        && options="$options --preview"
     [ "$g_debugging" = trace ] && options="$options --debug"
-    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
+    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
-    [ -n "$g_confess" ]        && options="$options --confess"
+    [ -n "$g_confess" ] && options="$options --confess"
-    [ -n "$g_update" ]         && options="$options --update"
+    [ -n "$g_update" ] && options="$options --update"
-    [ -n "$g_annotate" ]       && options="$options --annotate"
+    [ -n "$g_annotate" ] && options="$options --annotate"
-    [ -n "$g_inline" ]         && options="$options --inline"
+    [ -n "$g_inline" ] && options="$options --inline"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then

Shorewall/manpages/shorewall-actions.xml

@@ -191,25 +191,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><option>section</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.1. When specified, this option
-                causes the rules file section name and a comma to be prepended
-                to the parameters passed to the action (if any). Note that
-                this means that the first parameter passed to the action by
-                the user is actually the second parameter to the action. If
-                the action is invoked out of the blrules file, 'BLACKLIST' is
-                used as the section name.</para>
-
-                <para>Given that neither the <filename>snat</filename> nor the
-                <filename>mangle</filename> file is sectioned, this parameter
-                has no effect when <option>mangle</option> or
-                <option>nat</option> is specified. </para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -224,9 +205,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <option>builtin</option>, indicates that the built-in action
+                <replaceable>builtin</replaceable>, indicates that the
-                is termiating (i.e., if the action is jumped to, the next rule
+                built-in action is termiating (i.e., if the action is jumped
-                in the chain is not evaluated).</para>
+                to, the next rule in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-interfaces.xml

@@ -762,13 +762,6 @@ loc     eth2            -</programlisting>
                     </listitem>
                   </itemizedlist>
                 </note>
-
-                <para>Beginning with Shorewall 5.1.1, when
-                <option>routefilter</option> is set to a non-zero value, the
-                <option>logmartians</option> option is also implicitly set. If
-                you actually want route filtering without logging, then you
-                must also specify <option>logmartians=0</option> after
-                <option>routefilter</option>.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-policy.xml

@@ -115,7 +115,6 @@
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
         role="bold">REJECT</emphasis>|<emphasis
-        role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -178,19 +177,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">BLACKLIST</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.1 and requires that the
-                DYNAMIC_BLACKLIST setting in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
-                specifies ipset-based dynamic blacklisting. The SOURCE IP
-                address is added to the blacklist ipset and the connection
-                request is ignored.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 

Shorewall/manpages/shorewall-providers.xml

@@ -208,16 +208,6 @@
                 <option>balance=</option><replaceable>weight</replaceable>
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface.</para>
-
-                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
-                <option>balance=1</option> is assumed unless the
-                <option>fallback</option>, <option>loose</option>,
-                <option>load</option> or <option>tproxy</option> option is
-                specified. Beginning with Shorewall 5.1.1, when
-                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
-                unless the <option>fallback</option>, <option>loose</option>,
-                <option>load</option> or <option>tproxy</option> option is
-                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -117,16 +117,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis
-        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
-        role="bold">none</emphasis>}</term>
-
-        <listitem>
-          <para/>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis
         role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -186,9 +176,6 @@
 
             <member>REJECT_DEFAULT="Reject"</member>
 
-            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
-            5.1.1)</member>
-
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
@@ -456,24 +443,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
-          determines whether the <option>balance</option> provider option (see
-          <ulink
-          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
-          the default. When BALANCE_PROVIDERS=Yes, then the
-          <option>balance</option> option is assumed unless the
-          <option>fallback</option>, <option>loose</option>,
-          <option>load</option> or <option>tproxy</option> option is
-          specified. If this option is not set or is set to the empty value,
-          then the default value is the value of USE_DEFAULT_RT.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2862,12 +2831,8 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para>If running Shorewall 5.1.0 or earlier or if
+              <para><emphasis role="bold">balance</emphasis> is assumed unless
-              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">loose</emphasis> is specified.</para>
-              <emphasis role="bold">balance</emphasis> provider option is
-              assumed unless the <option>fallback</option>,
-              <option>loose</option>, <option>load</option> or
-              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -105,7 +105,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -134,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -106,7 +106,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -135,8 +134,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -105,7 +105,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -134,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -105,7 +105,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -134,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/configfiles/shorewall6.conf

@@ -105,7 +105,6 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
@@ -134,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/manpages/shorewall6-actions.xml

@@ -192,25 +192,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><option>section</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.1. When specified, this option
-                causes the rules file section name and a comma to be prepended
-                to the parameters passed to the action (if any). Note that
-                this means that the first parameter passed to the action by
-                the user is actually the second parameter to the action. If
-                the action is invoked out of the blrules file, 'BLACKLIST' is
-                used as the section name.</para>
-
-                <para>Given that neither the <filename>snat</filename> nor the
-                <filename>mangle</filename> file is sectioned, this parameter
-                has no effect when <option>mangle</option> or
-                <option>nat</option> is specified.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -225,9 +206,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <option>builtin</option>, indicates that the built-in action
+                <replaceable>builtin</replaceable>, indicates that the
-                is termiating (i.e., if the action is jumped to, the next rule
+                built-in action is termiating (i.e., if the action is jumped
-                in the chain is not evaluated).</para>
+                to, the next rule in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-policy.xml

@@ -114,7 +114,7 @@
         <term><emphasis role="bold">POLICY</emphasis> - {<emphasis
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
-        role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
+        role="bold">REJECT</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -177,19 +177,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">BLACKLIST</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.1 and requires that the
-                DYNAMIC_BLACKLIST setting in <ulink
-                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)
-                specifies ipset-based dynamic blacklisting. The SOURCE IP
-                address is added to the blacklist ipset and the connection
-                request is ignored.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 

Shorewall6/manpages/shorewall6-providers.xml

@@ -173,16 +173,6 @@
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface. Prior to Shorewall 5.0.13, only
                 one provider can specify this option.</para>
-
-                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
-                <option>balance=1</option> is assumed unless the
-                <option>fallback</option>, <option>loose</option>,
-                <option>load</option> or <option>tproxy</option> option is
-                specified. Beginning with Shorewall 5.1.1, when
-                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
-                unless the <option>fallback</option>, <option>loose</option>,
-                <option>load</option> or <option>tproxy</option> option is
-                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -103,16 +103,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis
-        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
-        role="bold">none</emphasis>}</term>
-
-        <listitem>
-          <para/>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis
         role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -174,9 +164,6 @@
 
             <member>REJECT_DEFAULT="Reject"</member>
 
-            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
-            5.1.1)</member>
-
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
@@ -387,24 +374,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
-          determines whether the <option>balance</option> provider option (see
-          <ulink
-          url="shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
-          the default. When BALANCE_PROVIDERS=Yes, then the
-          <option>balance</option> option is assumed unless the
-          <option>fallback</option>, <option>loose</option>,
-          <option>load</option> or <option>tproxy</option> option is
-          specified. If this option is not set or is set to the empty value,
-          then the default value is the value of USE_DEFAULT_RT.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2506,12 +2475,8 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para>If running Shorewall 5.1.0 or earlier or if
+              <para><emphasis role="bold">balance</emphasis> is assumed unless
-              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">loose</emphasis> is specified.</para>
-              <emphasis role="bold">balance</emphasis> provider option is
-              assumed unless the <option>fallback</option>,
-              <option>loose</option>, <option>load</option> or
-              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

docs/IPSEC-2.6.xml

@@ -106,10 +106,10 @@
     traffic that is to be encrypted according to the contents of the SPD
     requires an appropriate SA to exist. SAs may be created manually using
     <command>setkey</command>(8) but most often, they are created by a
-    cooperative process involving the ISAKMP protocol and a daemon included in
+    cooperative process involving the ISAKMP protocol and daemons such
-    your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
+    as<command> racoon</command> or <command>isakmpd</command>. Incoming
-    Incoming traffic is verified against the SPD to ensure that no unencrypted
+    traffic is verified against the SPD to ensure that no unencrypted traffic
-    traffic is accepted in violation of the administrator's policies.</para>
+    is accepted in violation of the administrator's policies.</para>
 
     <para>There are three ways in which IPsec traffic can interact with
     Shorewall policies and rules:</para>
@@ -225,11 +225,18 @@
     of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
     security policies that select which traffic to encrypt/decrypt.</para>
 
-    <important>
+    <para>This article assumes the use of ipsec-tools (<ulink
-      <para>This article provides guidance regarding configuring Shorewall to
+    url="http://ipsec-tools.sourceforge.net">http://ipsec-tools.sourceforge.net</ulink>).
-      use with IPSEC. For configuring IPSEC itself, consult your IPSEC
+    As of this writing, I recommend that you run at least version 0.5.2.
-      product's documentation.</para>
+    Debian users, please note that there are separate Debian packages for
-    </important>
+    ipsec-tools and racoon although the ipsec-tools project releases them as a
+    single package.</para>
+
+    <para>For more information on IPsec, Kernel 2.6 and Shorewall see <ulink
+    url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
+    2005</ulink>. Be warned though that the presentation is based on Shorewall
+    2.2 and there are some differences in the details of how IPsec is
+    configured.</para>
   </section>
 
   <section id="GwFw">
@@ -353,25 +360,155 @@ $FW              vpn             ACCEPT</programlisting>
 ACCEPT     vpn:134.28.54.2  $FW</programlisting>
     </blockquote>
 
-    <warning>
+    <para>Note that your Security Policies must also be set up to send traffic
-      <para>If you have hosts that access the Internet through an IPsec
+    between 134.28.54.2 and 206.162.148.9 through the tunnel (see
-      tunnel, then it is a good idea to set the MSS value for traffic from
+    below).</para>
-      those hosts explicitly in the <filename>/etc/shorewall/zones</filename>
-      file. For example, if hosts in the <emphasis role="bold">vpn</emphasis>
-      zone access the Internet through an ESP tunnel then the following entry
-      would be appropriate:</para>
 
-      <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
+    <para>Once you have these entries in place, restart Shorewall (type
+    shorewall restart); you are now ready to configure IPsec.</para>
+
+    <para>For full encrypted connectivity in this configuration (between the
+    subnets, between each subnet and the opposite gateway, and between the
+    gateways), you will need eight policies in
+    <filename>/etc/racoon/setkey.conf</filename>. For example, on gateway
+    A:</para>
+
+    <blockquote>
+      <programlisting># First of all flush the SPD and SAD databases
+spdflush;
+flush;
+
+# Add some SPD rules
+
+spdadd 192.168.1.0/24   10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 192.168.1.0/24   134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 206.162.148.9/32 134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 206.162.148.9/32 10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 10.0.0.0/8       192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
+spdadd 10.0.0.0/8       206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
+spdadd 134.28.54.2/32   192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
+spdadd 134.28.54.2/32   206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;</programlisting>
+    </blockquote>
+
+    <para>The <filename>setkey.conf</filename> file on gateway B would be
+    similar.</para>
+
+    <para>A sample <filename>/etc/racoon/racoon.conf</filename> file using
+    X.509 certificates might look like:</para>
+
+    <blockquote>
+      <programlisting>path certificates "/etc/certs" ;
+
+listen 
+{
+        isakmp 206.162.148.9;
+}
+
+remote 134.28.54.2
+{
+        exchange_mode main ;
+        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
+        verify_cert on;
+        my_identifier asn1dn ;
+        peers_identifier asn1dn ;
+        verify_identifier on ;
+        lifetime time 24 hour ;
+        proposal {
+                encryption_algorithm blowfish;
+                hash_algorithm sha1;
+                authentication_method rsasig ;
+                dh_group 2 ;
+        }
+}
+
+sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+
+sainfo address 206.162.148.9/32 any address 10.0.0.0/8 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+
+sainfo address 206.162.148.9/32 any address 134.28.54.2/32 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+
+sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}</programlisting>
+
+      <warning>
+        <para>If you have hosts that access the Internet through an IPsec
+        tunnel, then it is a good idea to set the MSS value for traffic from
+        those hosts explicitly in the
+        <filename>/etc/shorewall/zones</filename> file. For example, if hosts
+        in the <emphasis role="bold">vpn</emphasis> zone access the Internet
+        through an ESP tunnel then the following entry would be
+        appropriate:</para>
+
+        <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
-      <para>You should also set FASTACCEPT=No in shorewall.conf to ensure that
+        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
-      both the SYN and SYN,ACK packets have their MSS field adjusted.</para>
+        that both the SYN and SYN,ACK packets have their MSS field
+        adjusted.</para>
 
-      <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
+        <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
-      isn't effective with the 2.6 native IPsec implementation because there
+        isn't effective with the 2.6 native IPsec implementation because there
-      is no separate IPsec device with a lower mtu as there was under the 2.4
+        is no separate IPsec device with a lower mtu as there was under the
-      and earlier kernels.</para>
+        2.4 and earlier kernels.</para>
-    </warning>
+      </warning>
+    </blockquote>
+  </section>
+
+  <section>
+    <title>IPCOMP and IPSEC</title>
+
+    <para>IPSEC can be configured to perform data compression. This is
+    accomplished by compressing the original IP packet, then encapsulating it
+    in an ipcomp (protocol 108) packet. That packet is then encrypted and
+    encapsulated within an ESP packet. Because of the extra protocol header
+    required for compression, short IP packets (such as default ping packets)
+    are not compressed. The Linux IP stack handles these uncompressed packets
+    by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from
+    the remote gateway must be handled in Shorewall. The easiest way to
+    accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn
+    zone to the $FW zone:</para>
+
+    <blockquote>
+      <programlisting>#ACTION         SOURCE         DEST       PROTO       DPORT ...
+ACCEPT          vpn            $FW        4</programlisting>
+    </blockquote>
+
+    <para>Note that the source IP address is these IPIP packets is that of the
+    remote peer, so the definition of the ipsec zone in <ulink
+    url="manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) must
+    include the peer.</para>
+
+    <para>Finally, when IPCOMP is used, it is recommended that the OPTIONS
+    column of the ipsec zone's entry in <ulink
+    url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) be left
+    empty.</para>
   </section>
 
   <section id="RoadWarrior">
@@ -449,7 +586,116 @@ ipsec         net         206.162.148.9       vpn</programlisting>
         <programlisting>#ZONE             HOSTS                  OPTIONS
 vpn               eth0:0.0.0.0/0</programlisting>
       </blockquote>
+
+      <para>On system A, here are the IPsec files:</para>
+
+      <blockquote>
+        <para><filename>/etc/racoon/racoon.conf</filename> - System A:</para>
+
+        <programlisting>path certificate "/etc/certs" ;
+ 
+listen
+{
+        isakmp 206.162.148.9;
+}
+ 
+remote <emphasis role="bold">anonymous</emphasis>
+{
+        exchange_mode main ;
+        <emphasis role="bold">generate_policy on</emphasis> ;
+        <emphasis role="bold">passive on</emphasis> ;
+        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
+        verify_cert on;
+        my_identifier asn1dn ;
+        peers_identifier asn1dn ;
+        verify_identifier on ;
+        lifetime time 24 hour ;
+        proposal {
+                encryption_algorithm blowfish ;
+                hash_algorithm sha1;
+                authentication_method rsasig ;
+                dh_group 2 ;
+        }
+}
+ 
+sainfo <emphasis role="bold">anonymous</emphasis>
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}</programlisting>
+
+        <para><filename>/etc/racoon/setkey.conf</filename> - System A:</para>
+
+        <programlisting>flush;
+spdflush;</programlisting>
+      </blockquote>
+
+      <para>If system A is running kernel 2.6.10 or later then it must also be
+      running ipsec-tools (racoon) 0.5rc1 or later.</para>
+
+      <para>On the mobile system (system B), it is not possible to create a
+      static IPsec configuration because the IP address of the laptop's
+      Internet connection isn't static. I have created an 'ipsecvpn' script
+      and included in the tarball and in the RPM's documentation directory;
+      this script can be used to start and stop the connection.</para>
+
+      <para>The ipsecvpn script has some variable assignments at the top -- in
+      the above case, these would be as follows:</para>
+
+      <blockquote>
+        <programlisting>#
+# External Interface
+#
+INTERFACE=eth0
+#
+# Remote IPsec Gateway
+#
+GATEWAY=206.162.148.9
+#
+# Networks behind the remote gateway
+#
+NETWORKS="192.168.1.0/24"
+#
+# Directory where X.509 certificates are stored.
+#
+CERTS=/etc/certs
+#
+# Certificate to be used for this connection. The cert
+# directory must contain:
+#
+#     ${CERT}.pem     - the certificate
+#     ${CERT}_key.pem - the certificates's key
+#
+CERT=roadwarrior
+#
+#     The setkey binary
+#
+SETKEY=/usr/sbin/setkey
+#
+#     The racoon binary
+#
+RACOON=/usr/sbin/racoon</programlisting>
+      </blockquote>
+
+      <para>The ipsecvpn script can be installed in /etc/init.d/ but it is
+      probably best installed in /usr/local/sbin and run manually:</para>
+
+      <blockquote>
+        <para><command>ipsecvpn start </command># Starts the tunnel</para>
+
+        <para><command>ipsecvpn stop</command> # Stops the tunnel</para>
+      </blockquote>
     </example>
+
+    <warning>
+      <para>Although the ipsecvpn script allows you to specify multiple remote
+      NETWORKS as a space-separated list, SAs are created on the gateway only
+      during ISAKMP negotiation. So in practice, only the first remote network
+      accessed will be accessible from the roadwarrior.</para>
+    </warning>
   </section>
 
   <section id="RW-L2TP">
@@ -607,7 +853,62 @@ HTTPS(ACCEPT)   l2tp    $FW</programlisting>
     hosts in that network. In that case, IPsec transport mode is an
     appropriate solution.</para>
 
-    <para><graphic fileref="images/TransportMode.png"/></para>
+    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
+    the ipsec-tools package. The files shown are from host 192.168.20.10; the
+    configuration of the other nodes is similar.</para>
+
+    <blockquote>
+      <para><filename>/etc/racoon/racoon.conf</filename>:</para>
+
+      <programlisting>path pre_shared_key "/etc/racoon/psk.txt" ;
+
+remote anonymous
+{
+        exchange_mode main ;
+        my_identifier address ;
+        lifetime time 24 hour ;
+        proposal {
+                encryption_algorithm blowfish ;
+                hash_algorithm sha1;
+                authentication_method pre_shared_key ;
+                dh_group 2 ;
+        }
+}
+
+sainfo anonymous
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+</programlisting>
+
+      <para><filename>/etc/racoon/setkey.conf</filename>:</para>
+
+      <programlisting># First of all flush the SPD database
+spdflush;
+
+# Add some SPD rules
+
+spdadd 192.168.20.10/32 192.168.20.20/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.20/require;
+spdadd 192.168.20.20/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.20-192.168.20.10/require;
+spdadd 192.168.20.10/32 192.168.20.30/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.30/require;
+spdadd 192.168.20.30/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.30-192.168.20.10/require;
+spdadd 192.168.20.10/32 192.168.20.40/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.40/require;
+spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.40-192.168.20.10/require;
+</programlisting>
+
+      <para><filename>/etc/racoon/psk.txt</filename>:</para>
+
+      <programlisting>192.168.20.20             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.20&gt;
+192.168.20.30             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.30&gt;
+192.168.20.40             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.40&gt;</programlisting>
+
+      <para>Note that the <emphasis role="bold">same key</emphasis>must be
+      used in both directions.</para>
+    </blockquote>
 
     <para>Shorewall configuration goes as follows:</para>
 
@@ -672,13 +973,75 @@ all             all             REJECT          info</programlisting>
 ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
     above assumes that the name of your IPsec vpn zone is
     <emphasis>vpn</emphasis>.</para>
+  </section>
 
-    <important>
+  <section id="XP">
-      <para>Note that this protocol 4 (IPIP) traffic appears to originate in
+    <title>IPsec and <trademark>Windows</trademark> XP</title>
-      the vpn zone, but it's source IP address is that of the remote gateway.
+
-      As a consequence, that address must be included in the definition of the
+    <para>I have successfully configured my work laptop to use IPsec with
-      remote zone. If you haven't done that, the traffic will be dropped in
+    X.509 certificates for wireless IP communication when it is undocked at
-      the INPUT chain.</para>
+    home. I looked at dozens of sites and the one I found most helpful was
-    </important>
+    <ulink
+    url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
+    The instructions on that site are directed to students at UCLA but they
+    worked fine for me (once I followed them very carefully).</para>
+
+    <warning>
+      <para>The instructions found on the UCLA site are complex and do not
+      include any information on the generation of X.509 certificates. There
+      are lots of sites however that can tell you how to generate
+      certificates, including <ulink
+      url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
+
+      <para>One piece of information that may not be so easy to find is "How
+      do I generate a PKCS#12 certificate to import into Windows?". Here's the
+      openssl command that I used:</para>
+
+      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless"</command> </programlisting>
+
+      <para>I was prompted for a password to associate with the certificate.
+      This password is entered on the Windows system during import.</para>
+
+      <para>In the above command:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><filename>eastepnc6000.pem</filename> was the laptop's
+          certificate in PEM format.</para>
+        </listitem>
+
+        <listitem>
+          <para><filename>eastepnc6000_key.pem</filename> was the laptop's
+          private key (actually, it's the original signing request which
+          includes the private key).</para>
+        </listitem>
+
+        <listitem>
+          <para><filename>eastepnc6000.pfx</filename> is the PKCS#12 output
+          file.</para>
+        </listitem>
+
+        <listitem>
+          <para>"IPsec Cert for Home Wireless" is the friendly name for the
+          certificate.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>I started to write an article about how to do this, complete with
+      graphics captured from my laptop. I gave up. I had captured 12 images
+      and hadn't really started yet. The Windows interface for configuring
+      IPsec is the worst GUI that I have ever used. What can be displayed on
+      one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
+      different dialog boxes on Windows XP!!!</para>
+    </warning>
+  </section>
+
+  <section id="More">
+    <title>Source of Additional Samples</title>
+
+    <para>Be sure to check out the <filename
+    class="directory">src/racoon/samples</filename> subdirectory in the
+    ipsec-tools source tree. It has a wide variety of sample racoon
+    configuration files.</para>
   </section>
 </article>

docs/MultiISP.xml

@@ -484,18 +484,6 @@ fi</programlisting>
                         url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
                       </note></para>
                   </important>
-
-                  <para>Prior to Shorewall 5.1.1, <emphasis
-                  role="bold">balance=1</emphasis> is the default when
-                  USE_DEFAULT_RT=Yes and neither the
-                  <option>fallback</option>, <option>loose</option>,
-                  <option>load</option> or <option>tproxy</option> option is
-                  specified. Beginning with Shorewall 5.1.1, <emphasis
-                  role="bold">balance=1</emphasis> is the default when both
-                  USE_DEFAULT_RT=Yes and BALANCE_PROVIDERS=Yes and neither the
-                  <option>fallback</option>, <option>loose</option>,
-                  <option>load</option> nor <option>tproxy</option> option is
-                  specified.</para>
                 </listitem>
               </varlistentry>
 

docs/configuration_file_basics.xml

@@ -1992,14 +1992,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>@action(@{action})</term>
-
-        <listitem>
-          <para>Expands to the name of the action being compiled.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>@disposition (@{disposition})</term>