IPv6 Samples use logical interface names

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1813,7 +1813,7 @@ do_dump_command() {
 
     echo
 
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"

Shorewall/Actions/action.AllowICMPs

@@ -13,6 +13,7 @@ DEFAULTS ACCEPT
     @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
+
     @1	-		-	ipv6-icmp	destination-unreachable
     @1	-		-	ipv6-icmp	packet-too-big
     @1	-		-	ipv6-icmp	time-exceeded
@@ -37,7 +38,7 @@ DEFAULTS ACCEPT
     @1	-		-	ipv6-icmp	148	# Certificate path solicitation
     @1	-		-	ipv6-icmp	149	# Certificate path advertisement
 
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
     @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
     @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall/Actions/action.FIN

@@ -30,4 +30,4 @@
 
 DEFAULTS ACCEPT,-
 
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH

Shorewall/Perl/Shorewall/Compiler.pm

@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);

Shorewall/Perl/Shorewall/Config.pm

@@ -675,7 +675,6 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
 
 our $family;                 # Protocol family (4 or 6)
-our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -789,8 +788,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$$) {
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+sub initialize( $;$$) {
+    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -5329,13 +5328,7 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
     }
 
-    my $path = $config{CONFIG_PATH};
-
-    my $chop = ( $path =~ s/^:// );
-
-    @config_path = split /:/, $path;
-
-    shift @config_path if $chop && ( $export || $> != 0 );
+    @config_path = split /:/, $config{CONFIG_PATH};
 
     #
     # To accomodate Cygwin-based compilation, we have separate directories for files whose names

Shorewall/Perl/Shorewall/Providers.pm

@@ -1575,7 +1575,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1638,7 +1638,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -96,7 +96,7 @@ use constant { NULL_SECTION          => 0x00,
 	       INVALID_SECTION       => 0x10,
 	       UNTRACKED_SECTION     => 0x20,
 	       NEW_SECTION           => 0x40,
-	       POLICYACTION_SECTION  => 0x80 };
+	       DEFAULTACTION_SECTION => 0x80 };
 #
 # Number of elements in the action tuple
 #
@@ -927,28 +927,6 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 
-#
-# Determine the protocol to be used in the jump to the passed action
-#
-sub determine_action_protocol( $$ ) {
-    my ( $action, $proto ) = @_;
-
-    if ( my $actionproto = $actions{$action}{proto} ) {
-	if ( $proto eq '-' ) {
-	    $proto = $actionproto;
-	} else {
-	    if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
-		fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
-		$proto = $protonum;
-	    } else {
-		fatal_error( "Unknown protocol ($proto)" );
-	    }
-	}
-    }
-
-    $proto;
-}
-
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
@@ -964,16 +942,12 @@ sub add_policy_rules( $$$$$ ) {
 
 	    if ( ( $targets{$action} || 0 ) & ACTION ) {
 		#
-		# Policy action is a regular action -- jump to the action chain
+		# Default action is a regular action -- jump to the action chain
 		#
-		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
-		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
-		} else {
-		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
-		}
+		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 	    } else {
 		#
-		# Policy action is an inline 
+		# Default action is an inline 
 		#
 		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
@@ -1288,7 +1262,7 @@ sub finish_chain_section ($$$) {
 	if ( $chain1ref->{is_policy} ) {
 	    if ( $chain1ref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chain1ref;
-		if ( $section == POLICYACTION_SECTION ) {
+		if ( $section == DEFAULTACTION_SECTION ) {
 		    if ( $chain1ref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chain1ref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -1324,7 +1298,7 @@ sub ensure_rules_chain( $ )
     $chainref = new_rules_chain( $chain ) unless $chainref;
 
     unless ( $chainref->{referenced} ) {
-	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
+	if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
@@ -1443,13 +1417,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$ ) {
 
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state ) = @_;
 
     fatal_error "Invalid action name($action)" if reserved_name( $action );
 
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
 
     $targets{$action} = $type;
 }
@@ -2075,10 +2049,9 @@ sub process_actions() {
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 
 	    my $state = '';
-	    my $proto = 0;
 
 	    if ( $action =~ /:/ ) {
-		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
+		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }
 
@@ -2092,9 +2065,6 @@ sub process_actions() {
 			} else {
 			    fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
 			}
-		    } elsif ( /^proto=(.+)$/ ) {
-			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
-			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2115,11 +2085,9 @@ sub process_actions() {
 			next;
 		    }
 
-		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
-		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2129,8 +2097,6 @@ sub process_actions() {
 	    }
 
 	    if ( $opts & BUILTIN_OPT ) {
-		warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
-
 		my $actiontype = USERBUILTIN | OPTIONS;
 		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
 		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
@@ -2163,7 +2129,7 @@ sub process_actions() {
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state );
 	    }
 	}
     }
@@ -2201,7 +2167,7 @@ sub process_reject_action() {
     #
     # This gets called very early in the compilation process so we fake the section
     #
-    $section = POLICYACTION_SECTION;
+    $section = DEFAULTACTION_SECTION;
 
     if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
@@ -2535,7 +2501,7 @@ sub verify_audit($;$$) {
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
-# reference is also passed when rules are being generated during processing of a macro used as a policy action.
+# reference is also passed when rules are being generated during processing of a macro used as a default action.
 #
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -3046,10 +3012,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
-	#
-	# Verify action 'proto', if any
-	#
-	$proto = determine_action_protocol( $basictarget, $proto );
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3200,7 +3162,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     );
     }
 
-    unless ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ||
+    unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
 	     $inaction ||
 	     $blacklist ||
 	     $basictarget eq 'dropInvalid' ) {
@@ -3336,7 +3298,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     $exceptionrule ,
 		     $usergenerated && ! $loglevel )
-	    unless unreachable_warning( $wildcard || $section == POLICYACTION_SECTION, $chainref );
+	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
     }
 
     $generated = 1;
@@ -3414,7 +3376,7 @@ sub check_state( $ ) {
 	}
     }
 
-    if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
+    if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
 	if ( $state eq 'NEW' ) {
 	    #
 	    # If an INVALID or UNTRACKED rule would be emitted then we must include the state match
@@ -3955,7 +3917,7 @@ sub process_rules() {
     #
     # No need to finish the NEW section since no rules need to be generated
     #
-    $section = $next_section = POLICYACTION_SECTION;
+    $section = $next_section = DEFAULTACTION_SECTION;
 }
 
 sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -4774,10 +4736,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
-	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
-	    #
 	    # Create the action:level:tag:param tuple.
 	    #
 	    my $normalized_target = normalize_action( $cmd, '', $params );
@@ -5736,10 +5694,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
-		#
-		$proto = determine_action_protocol( $target, $proto );
-		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
 		#

Shorewall/Perl/prog.footer

@@ -268,10 +268,8 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    for table in raw mangle nat filter; do
-		qt $g_tool -t $table -Z
-	    done
-
+	    $g_tool -Z
+	    $g_tool -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"

Shorewall/Samples/Universal/shorewall.conf

@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall/Samples/one-interface/shorewall.conf

@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -85,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall/actions.std

@@ -26,19 +26,18 @@ Broadcast    inline,audit	# Handles Broadcast/Anycast
 ?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 ?endif
-DNSAmp	     proto=17		# Matches one-question recursive DNS queries
+DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
-DropDNSrep   inline,proto=17	# Drops DNS replies
+dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit,\	# Handles ACK,FIN packets
-	     proto=6
+FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
@@ -51,16 +50,14 @@ Multicast    inline,audit	# Handles Multicast
 Multicast    noinline,audit	# Handles Multicast
 ?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
-	     proto=6
-rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
 Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit,\	# Handle packets with RST set
-	     proto=6
+RST	     inline,audit	# Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags     proto=6		# Handle bad flag combinations.
+TCPFlags			# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#

Shorewall/configfiles/shorewall.conf

@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall/configpath

@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

Shorewall/manpages/shorewall-actions.xml

@@ -191,27 +191,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><option>proto</option>=<replaceable>protocol</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.10. Specifies that the action is
-                only usable with the specified
-                <replaceable>protocol</replaceable> (name or number). When the
-                action is invoked with no protocol specified in the PROTO
-                column, or if the action is used as a Policy Action, the named
-                <replaceable>protocol</replaceable> will be assumed. If a
-                protocol is specified in the PROTO column of an invocation,
-                then it must match the named
-                <replaceable>protocol</replaceable>.</para>
-
-                <para>The <option>proto</option> option has no effect if the
-                <option>inline</option> or <option>builtin</option> option is
-                specified. A warning is issued if <option>proto</option> is
-                specified along with <option>builtin</option>.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><option>section</option></term>
 

Shorewall/manpages/shorewall-conntrack.xml

@@ -447,7 +447,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
+                both the incoming interace and source address match.</para>
               </listitem>
             </varlistentry>
 
@@ -543,7 +543,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the outgoing interface and destination address
+                both the outgoing interace and destination address
                 match.</para>
               </listitem>
             </varlistentry>

Shorewall/manpages/shorewall-logging.xml

@@ -362,7 +362,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
     is 2 and AF_INET6 is 10).</para>
 
     <para>The name immediately following the number is the currently-selected
-    backend, and the ones in parentheses are the ones that are available. You
+    backend, and the ones in parantheses are the ones that are available. You
     can change the currently selected backend by echoing it's name into
     /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
 

Shorewall/manpages/shorewall-mangle.xml

@@ -681,7 +681,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <listitem>
                 <para>Added in Shorewall 5.1.9. This target only applies to
                 TCP traffic and alters the MSS value in SYN packets. It may be
-                used in the FORWARD and POSTROUTING chains; the default is
+                used in the FOWARD and POSTROUTING chains; the default is
                 FORWARD.</para>
 
                 <para>The <replaceable>mss</replaceable> parameter may be

Shorewall/manpages/shorewall-providers.xml

@@ -84,7 +84,7 @@
 
           <para>If PROVIDER_OFFSET is non-zero in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the
+          the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
           number of significant bits may not exceed PROVIDER_OFFSET +
           PROVIDER_BITS.</para>
         </listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -673,7 +673,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">CONFIG_PATH</emphasis>=[[:]<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
+        role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
 
         <listitem>
           <para>Specifies where configuration files other than
@@ -701,16 +701,6 @@
           /etc/shorewall:/usr/share/shorewall but your particular distribution
           may set it differently. See the output of shorewall show config for
           the default on your system.</para>
-
-          <para>Beginning with Shorewall 5.1.10, the CONFIG_PATH setting may
-          begin with a colon (":"), to signal that the first
-          <replaceable>directory</replaceable> listed will be skipped if the
-          user performing a compilation is not root or if the configuration is
-          being compiled for export (-e option specified or if running one of
-          the remote-* commands) . This prevents the compiler from looking in
-          <filename>/etc/shorewall[6]</filename>/ when compilation is being
-          done by a non-root user or if the generated script is to be sent to
-          a remote firewall system.</para>
         </listitem>
       </varlistentry>
 
@@ -730,14 +720,6 @@
           and <command>restart</command> commands will succeed even if no DNS
           server is reachable (assuming that the configuration hasn't changed
           since the compiled script was last generated).</para>
-
-          <important>
-            <para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS
-            change makes it necessary to recompile an existing firewall
-            script, the <option>-c</option> option must be used with the
-            <command>reload</command> or <command>restart</command> command to
-            force recompilation.</para>
-          </important>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -75,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall6/actions.std

@@ -8,43 +8,42 @@
 #
 ###############################################################################
 #ACTION
-A_Drop				# Audited Default Action for DROP policy
-A_Reject			# Audited Default Action for REJECT policy
-A_AllowICMPs proto=58		# Audited Accept needed ICMP6 types
-AllowICMPs   proto=58		# Accept needed ICMP6 types
+A_Drop	                        # Audited Default Action for DROP policy
+A_Reject	                # Audited Default Action for REJECT policy
+A_AllowICMPs	                # Audited Accept needed ICMP6 types
+AllowICMPs   	                # Accept needed ICMP6 types
 allowBcast   inline		# Silently Allow Broadcast
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 allowMcast   inline		# Silently Allow Multicast
-AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
-AutoBLL	     noinline		# Helper for AutoBL
+AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
+AutoBLL      noinline           # Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-Broadcast    noinline		# Handles Broadcast/Anycast
-Drop				# Default Action for DROP policy (deprecated)
+Broadcast    noinline      	# Handles Broadcast/Anycast
+Drop		        	# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
-DropDNSrep   inline,proto=17	# Drops DNS replies
-DropSmurfs   noinline		# Handles packets with a broadcast source address
+dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
+DropDNSrep   inline		# Drops DNS replies
+DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
-FIN	     inline,audit,\	# Handles ACK,FIN,PSH packets
-	     proto=6
+FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
-IfEvent	     noinline		# Perform an action based on an event
-Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
-	     state=INVALID
-Multicast    noinline		# Handles Multicast
+IfEvent      noinline           # Perform an action based on an event
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID
+Multicast    noinline      	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,proto=6	# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject				# Default Action for REJECT policy (deprecated)
-rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
-Related	     inline,\		# Handles packets in the RELATED conntrack state
-	     state=RELATED
+NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
+Reject		        	# Default Action for REJECT policy (deprecated)
+rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED
 ResetEvent   inline		# Reset an Event
-RST	     inline,proto=6	# Handle packets with RST set
+RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags     proto=6		# Handles bad flags combinations
-Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
+TCPFlags    			# Handles bad flags combinations
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED

Shorewall6/configfiles/shorewall6.conf

@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 

Shorewall6/configpath

@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall6/configpath
 #
-CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

docs/Helpers.xml

@@ -71,7 +71,7 @@
       </listitem>
 
       <listitem>
-        <para>PPTP (TCP 1723)</para>
+        <para>PPTP (TCP 1729)</para>
       </listitem>
 
       <listitem>
@@ -121,10 +121,9 @@
       of your system.</para>
 
       <para>Many of the modules allow parameters to be specified when the
-      module is loaded. Among the common parameters is the
-      <option>ports</option> parameter that lists one or more ports that the
-      module is to monitor. This allows running the application on a
-      non-standard port.</para>
+      module is loaded. Among the common parameters is the ports parameter
+      that lists one or more ports that the module is to monitor. This allows
+      running the application on a non-standard port.</para>
     </section>
 
     <section>

docs/configuration_file_basics.xml

@@ -2498,63 +2498,27 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.2
     <programlisting>#ACTION        SOURCE               DEST              PROTO             DPORT
 POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>
 
-    <para>There are two options in <ulink
-    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink> that
-    affect the use of DNS names in Shorewall[6] config files:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
-        compile time; when set to Yes, DNS Names are resolved at
-        runtime.</para>
-      </listitem>
-
-      <listitem>
-        <para>AUTOMAKE - When set to Yes, <command>start</command>,
-        <command>restart</command> and <command>reload</command> only result
-        in compilation if one of the files on the CONFIG_PATH has changed
-        since the the last compilation.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
-    will only take place at boot time if a change had been make to the config
-    but no <command>restart</command> or <command>reload</command> had taken
-    place. This is clearly spelled out in the shorewall.conf manpage. So with
-    these settings, so long as a 'reload' or 'restart' takes place after the
-    Shorewall configuration is changes, there should be no DNS-related
-    problems at boot time.</para>
-
-    <important>
-      <para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change
-      makes it necessary to recompile an existing firewall script, the
-      <option>-c</option> option must be used with the
-      <command>reload</command> or <command>restart</command> command to force
-      recompilation.</para>
-    </important>
-
-    <para>If your firewall rules include DNS names then, even if
-    DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:</para>
+    <para>If your firewall rules include DNS names then:</para>
 
     <itemizedlist>
       <listitem>
         <para>If your <filename>/etc/resolv.conf </filename>is wrong then your
-        firewall may not start.</para>
+        firewall won't start.</para>
       </listitem>
 
       <listitem>
         <para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
-        your firewall may not start.</para>
+        your firewall won't start.</para>
       </listitem>
 
       <listitem>
-        <para>If your Name Server(s) is(are) down then your firewall may not
+        <para>If your Name Server(s) is(are) down then your firewall won't
         start.</para>
       </listitem>
 
       <listitem>
         <para>If your startup scripts try to start your firewall before
-        starting your DNS server then your firewall may not start.</para>
+        starting your DNS server then your firewall won't start.</para>
       </listitem>
 
       <listitem>
@@ -2564,7 +2528,7 @@ POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>
 
       <listitem>
         <para>You must bring up your network interfaces prior to starting your
-        firewall, or the firewall may not start.</para>
+        firewall.</para>
       </listitem>
     </itemizedlist>
 

docs/shorewall_logging.xml

@@ -278,7 +278,7 @@
       time:</para>
 
       <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
-params:LOG=NFLOG
+params:LOG=NFOG
 policy:loc              $FW             REJECT          $LOG
 policy:net              all             DROP            $LOG            10/sec:40
 policy:all              all             REJECT          $LOG