Init: Correct indentation

Signed-off-by: Matt Darfeuille <matdarf@gmail.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #

Shorewall-core/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #

Shorewall-core/lib.cli

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,6 +47,10 @@ startup_error() {
     exit 1
 }
 
+only_root() {
+    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
+}
+
 #
 # Display a chain if it exists
 #
@@ -1203,6 +1207,7 @@ show_command() {
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
+	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1297,37 +1302,47 @@ show_command() {
 
     [ -n "$g_debugging" ] && set -x
 
+    COMMAND="$COMMAND $1"
+
     case "$1" in
 	connections)
+	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 
+	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
+	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1351,6 +1366,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1387,6 +1403,7 @@ show_command() {
 	    fi
 	    ;;
 	chain)
+	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
@@ -1394,26 +1411,31 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
+	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1423,6 +1445,7 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1430,14 +1453,18 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
+	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1448,6 +1475,7 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
 	*)
@@ -1496,6 +1524,8 @@ show_command() {
 		    ;;
 	    esac
 
+	    only_root
+
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -2545,109 +2575,114 @@ hits_command() {
     fi
 }
 
+#
+# Issue an error message and terminate if the firewall isn't started
+#
+require_started() {
+    if ! product_is_started; then
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
+}
+
 #
 # 'allow' command executor
 #
 allow_command() {
 
+    local allowed
+    local which
+    which='-s'
+    local range
+    range='--src-range'
+    local dynexists
+
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && missing_argument
 
-    if product_is_started ; then
+    if [ -n "$g_blacklistipset" ]; then
-	local allowed
+	case ${IPSET:=ipset} in
-	local which
+	    */*)
-	which='-s'
+		if [ ! -x "$IPSET" ]; then
-	local range
+		    fatal_error "IPSET=$IPSET does not exist or is not executable"
-	range='--src-range'
+		fi
-	local dynexists
+		;;
-
+	    *)
-	if [ -n "$g_blacklistipset" ]; then
+		IPSET="$(mywhich $IPSET)"
-
+		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-	    case ${IPSET:=ipset} in
+		;;
-		*/*)
+	esac
-		    if [ ! -x "$IPSET" ]; then
-			fatal_error "IPSET=$IPSET does not exist or is not executable"
-		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-		    ;;
-	    esac
-	fi
-
-	if chain_exists dynamic; then
-	    dynexists=Yes
-	elif [ -z "$g_blacklistipset" ]; then
-	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
-	fi
-
-	[ -n "$g_nolock" ] || mutex_on
-
-	while [ $# -gt 1 ]; do
-	    shift
-
-	    allowed=''
-
-	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
-		*-*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-		*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic $which $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-	    esac
-
-	    if [ -n "$allowed" ]; then
-		progress_message2 "$1 Allowed"
-	    else
-		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
-	    fi
-	done
-
-	[ -n "$g_nolock" ] || mutex_off
-    else
-	error_message "ERROR: $g_product is not started"
-	exit 2
     fi
+
+    if chain_exists dynamic; then
+	dynexists=Yes
+    elif [ -z "$g_blacklistipset" ]; then
+	require_started
+	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+    fi
+
+    [ -n "$g_nolock" ] || mutex_on
+
+    while [ $# -gt 1 ]; do
+	shift
+
+	allowed=''
+
+	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		continue
+		;;
+	    *-*)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	    *)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			qt $g_tool -D dynamic $which $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	esac
+
+	if [ -n "$allowed" ]; then
+	    progress_message2 "$1 Allowed"
+	else
+	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	fi
+    done
+
+    [ -n "$g_nolock" ] || mutex_off
 }
 
 #
@@ -4585,12 +4620,14 @@ shorewall_cli() {
 
     case "$COMMAND" in
 	start)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4598,6 +4635,7 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
+	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4606,11 +4644,13 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
+	    only_root
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -4619,6 +4659,7 @@ shorewall_cli() {
 	    fi
 	    ;;
 	blacklist)
+	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4627,6 +4668,7 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4636,18 +4678,20 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
-	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
+	    only_root
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
+	    only_root
 	    get_config Yes No Yes
     	    shift
     	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
+	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4658,53 +4702,63 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
+	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
+	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
+	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
+	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
+	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
+	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4721,11 +4775,13 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
+	    only_root
 	    get_config
 	    shift
 	    restore_command $@
             ;;
 	call)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4763,17 +4819,20 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
+	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
+	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1

Shorewall-init/shorewall-init

@@ -34,7 +34,7 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ -x ${STATEDIR}/firewall ]; then
-       return 0
+        return 0
     elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then

Shorewall/Actions/action.A_REJECT

@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+# Shorewall -- /usr/share/shorewall/action.A_REJECT
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_REJECT!

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Broadcast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.DNSAmp

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Established

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.FIN

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Invalid

@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Multicast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.New

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.NotSyn

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.RST

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Related

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Untracked

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.allowInvalid

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.dropInvalid

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Chains.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -4782,6 +4782,7 @@ sub do_proto( $$$;$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
+	my $all      = ( $proto =~ s/:all$//i );
 	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -4797,6 +4798,7 @@ sub do_proto( $$$;$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
+		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -4936,6 +4938,8 @@ sub do_proto( $$$;$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
+	    $proto = $proto . ':all' if $all;
+
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -4992,6 +4996,7 @@ sub do_iproto( $$$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $all      = ( $proto =~ s/:all$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
@@ -5006,6 +5011,7 @@ sub do_iproto( $$$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
+		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		@output = ( p => "${invert}${proto}" );
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -5140,6 +5146,8 @@ sub do_iproto( $$$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
+	    $proto = $proto . ':all' if $all;
+
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Config.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -6491,7 +6491,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
-    default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
     default_yes_no 'USE_NFLOG_SIZE'             , '';
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -161,6 +161,15 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
+
+		if ( have_ipsec ) {
+		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
+			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
+			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    }
+		}
+
 		$marked_interfaces{$interface} = 1;
 	    }
 

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $disposition = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+
     my $level = '';
 
     if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,6 +138,14 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
+	if ( $proto ne '-' ) {
+	    if ( $proto =~ s/:all$// ) {
+		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
+	    } else {
+		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
+	    }
+	}
+
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -199,7 +207,9 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 $rule,
+		 do_proto( $proto, $ports, $sports ) . 
+		 do_user ( $user ) . 
+		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,

Shorewall/Perl/Shorewall/Rules.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -1159,7 +1159,7 @@ sub setup_syn_flood_chains() {
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $chainref->{name} ,
+			     $synchainref->{name} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@@ -1447,7 +1447,7 @@ sub new_action( $$$$$$ ) {
 
     my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
 
-    fatal_error "Invalid action name($action)" if reserved_name( $action );
+    fatal_error "Reserved action name ($action)" if reserved_name( $action );
 
     $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
 
@@ -1457,11 +1457,7 @@ sub new_action( $$$$$$ ) {
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
-# a 1- or 2-digit sequence number. In the functions that follow,
+# a 1- or 2-digit sequence number.
-# the $chain, $level and $tag variables serve as arguments to the user's
-# exit. We call the exit corresponding to the name of the action but we
-# set $chain to the name of the iptables chain where rules are to be added.
-# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>

Shorewall/Perl/Shorewall/Zones.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -1065,8 +1065,6 @@ clear_firewall() {
     run_iptables -F
     qt $IPTABLES -t raw -F
 
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
     if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
     	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1375,8 +1373,6 @@ clear_firewall() {
     run_iptables -F
     qt $IP6TABLES -t raw -F
 
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
     run_clear_exit
 
     set_state "Cleared"

Shorewall/Perl/prog.footer

@@ -1,5 +1,23 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
+#
+#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#
+#	This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#	Free Software Foundation, either version 2 of the license or, at your
+#	option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
 ###############################################################################
 #
 # Give Usage Information
@@ -355,6 +373,7 @@ case "$COMMAND" in
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
+	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then

Shorewall/configfiles/shorewall.conf

@@ -241,7 +241,7 @@ TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=No
+TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 

Shorewall/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall
 #
-#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #

Shorewall/lib.cli-std

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.cli-std.
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,11 +47,10 @@ get_config() {
 	fi
     fi
 
-    if [ "$(id -u)" -eq 0 ]; then
+    if [ -n "$g_shorewalldir" ]; then
-	config=$(find_file ${PRODUCT}.conf)
-    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
 	config="$g_shorewalldir/$PRODUCT.conf"
+    else
+	config=$(find_file ${PRODUCT}.conf)
     fi
 
     if [ -f $config ]; then
@@ -342,8 +341,12 @@ get_config() {
 	fi
     fi
 
-    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
-	setup_dbl
+	case $COMMAND in
+	    blacklist|allow|drop|logdrop|reject)
+		setup_dbl
+		;;
+	esac
     fi
 
     if [ -z "$PERL_HASH_SEED" ]; then
@@ -363,6 +366,17 @@ get_config() {
     [ -f $lib ] && . $lib
 }
 
+#
+# Ensure that the effective UID is 0 or that we are dealing with a private configuration
+#
+ensure_root() {
+    if [ $(id -u) -ne 0 ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
+	    startup_error "Ordinary users may not $COMMAND the default $PRODUCT configuration"
+	fi
+    fi
+}
+
 #
 # Determine if there are config files newer than the passed object
 #
@@ -370,20 +384,13 @@ uptodate() {
     [ -x $1 ] || return 1
 
     local dir
-    local ifs
 
-    ifs="$IFS"
+    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
-    IFS=':'
+	if [ -n "$(find ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
-
-    for dir in $g_shorewalldir $CONFIG_PATH; do
-	if [ -n "$(find ${dir} -newer $1)" ]; then
-	    IFS="$ifs"
 	    return 1;
 	fi
     done
 
-    IFS="$ifs"
-
     return 0
 }
 
@@ -413,11 +420,7 @@ compiler() {
 
     pc=${LIBEXECDIR}/shorewall/compiler.pl
 
-    if [ $(id -u) -ne 0 ]; then
+    ensure_root
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	fi
-    fi
     #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
@@ -1741,6 +1744,7 @@ compiler_command() {
 	    compile_command $@
 	    ;;
 	refresh)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    refresh_command $@
@@ -1762,11 +1766,13 @@ compiler_command() {
 	    export_command $@
 	    ;;
 	try)
+	    only_root
 	    get_config Yes
 	    shift
 	    try_command $@
 	    ;;
 	safe-reload|safe-restart|safe-start)
+	    only_root
 	    get_config Yes
 	    shift
 	    safe_commands $@

Shorewall/manpages/shorewall-conntrack.xml

@@ -579,14 +579,23 @@
 
         <listitem>
           <para>A protocol name from <filename>/etc/protocols</filename> or a
-          protocol number.</para>
+          protocol number. tcp and 6 may be optionally followed by <emphasis
+          role="bold">:syn </emphasis>to match only the SYN packet (first
+          packet in the three-way handshake).</para>
 
-          <para>Beginning with Shorewall 4.5.12, this column is labeled
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          <emphasis role="bold">PROTOS</emphasis> and can accept a
+          comma-separated list of protocols and either <emphasis
-          comma-separated list of protocols. Either <emphasis
           role="bold">proto</emphasis> or <emphasis
           role="bold">protos</emphasis> is accepted in the alternate input
           format.</para>
+
+          <para>Beginning with Shorewall 5.1.11, when <emphasis
+          role="bold">tcp</emphasis> or <emphasis role="bold">6</emphasis> is
+          specified and the ACTION is <emphasis role="bold">CT</emphasis>, the
+          compiler will default to <emphasis role="bold">:syn</emphasis>. If
+          you wish the rule to match packets with any valid combination of TCP
+          flags, you may specify <emphasis role="bold">tcp:all</emphasis> or
+          <emphasis role="bold">6:all</emphasis>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #

Shorewall6/configfiles/shorewall6.conf

@@ -216,7 +216,7 @@ TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=No
+TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 

docs/FAQ.xml

@@ -2340,6 +2340,15 @@ gateway:~# </programlisting>
           option 8 combines identical chains which can result in a smaller
           ruleset, but it slows down the compilation of large rulesets.</para>
         </listitem>
+
+        <listitem>
+          <para>Rather than <command>restart</command>, use
+          <command>reload</command>. With the default setting of
+          RESTART=restart, <command>restart</command> performs
+          <command>stop</command> then <command>start</command>, while
+          <command>reload</command> avoids the <command>stop</command>
+          part.</para>
+        </listitem>
       </orderedlist>
     </section>
 
@@ -2367,6 +2376,14 @@ gateway:~# </programlisting>
       capabiities of your system. If you system doesn't support a command, it
       will generally issue a kernel log message.</para>
     </section>
+
+    <section>
+      <title id="faq106">(FAQ 106) Shorewall is not starting at boot on Debian
+      with systemd</title>
+
+      <para><emphasis role="bold">Answer:</emphasis> To enable start at boot,
+      run <command>systemctl enable shorewall.service</command></para>
+    </section>
   </section>
 
   <section id="MultiISP">

docs/SharedConfig.xml

@@ -963,7 +963,7 @@ SMBBI(ACCEPT)	    { SOURCE=vpn, DEST=$FW }
 ######################################################################################################
 # IRC
 #
-IRC(ACCEPT)	    { SOURCE=loc,vpn,apps:IRC_IF, DEST=net }
+IRC(ACCEPT)	    { SOURCE=loc,apps, DEST=net }
 ######################################################################################################
 # Rsync
 #

docs/support.xml

@@ -42,10 +42,10 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 4.5 and 4.6.</para>
+        url="ReleaseModel.html">major release</ulink>s are 5.0 and 5.1.</para>
 
         <note>
-          <para>Shorewall versions earlier than 4.5.0 are no longer supported;
+          <para>Shorewall versions earlier than 5.0.0 are no longer supported;
           we will try to help but we will not spend time reading earlier code
           to try to help you solve a problem and we will not release a patch
           to correct any defect found.</para>