Correct multiple fallback providers

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done
 
 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
 

Shorewall-core/configure.pl

@@ -173,12 +173,7 @@ my $outfile;
 
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 
-if ( $ENV{SOURCE_DATE_EPOCH} ) {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
-} else {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
-}
-
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print $outfile "# rc file: $rcfilename\n#\n";
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

Shorewall-core/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -335,8 +335,9 @@ for f in lib.* ; do
 done
 
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 
 #

Shorewall-core/lib.base

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.base
+# Shorewall 5.0 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #

Shorewall-core/lib.cli

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50112
+SHOREWALL_CAPVERSION=50100
 
 if [ -z "$g_basedir" ]; then
     #
@@ -47,10 +47,6 @@ startup_error() {
     exit 1
 }
 
-only_root() {
-    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
-}
-
 #
 # Display a chain if it exists
 #
@@ -638,7 +634,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -6 -o route list table $table | grep -vF cache | sort_routes
+		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -651,7 +647,7 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -6 -o route list | grep -vF cache | sort_routes
+	    ip -$g_family -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1141,31 +1137,16 @@ show_a_macro() {
     cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries or entries from the other address family
+# Don't dump empty SPD entries
 #
-spd_filter() {
-    #
-    # af   = Address Family (4 or 6)
-    # afok = Address Family of entry matches af
-    # p    = print the contents of A (entry is not empty)
-    # i    = Number of lines stored in A
-    #
-    awk -v af=$g_family \
-	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
-\
-	 /^src / { if (p) prnt( A, i );\
-		   afok = 1;\
-		   p	= 0;\
-		   i	= 0;\
-		   if ( af == 4 )\
-		       { if ( /:/ )  afok = 0; }\
-		   else\
-		       { if ( /\./ ) afok = 0; }\
-		 };\
-		 { if ( afok ) A[i++] = $0; };\
-	 /tmpl/	 { p = afok; };\
-\
-	 END	 { if (p) prnt( A, i ); }'
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1178,8 +1159,7 @@ heading() {
 
 show_ipsec() {
     heading "PFKEY SPD"
-    $IP -s -$g_family xfrm policy | spd_filter
-
+    $IP -s xfrm policy | spd_filter
     heading "PFKEY SAD"
     $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1207,7 +1187,6 @@ show_command() {
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
-	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1302,47 +1281,37 @@ show_command() {
 
     [ -n "$g_debugging" ] && set -x
 
-    COMMAND="$COMMAND $1"
-
     case "$1" in
 	connections)
-	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 
-	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1366,7 +1335,6 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1403,7 +1371,6 @@ show_command() {
 	    fi
 	    ;;
 	chain)
-	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
@@ -1411,31 +1378,26 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1445,7 +1407,6 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1453,18 +1414,14 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
-	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1475,7 +1432,6 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
 	*)
@@ -1524,8 +1480,6 @@ show_command() {
 		    ;;
 	    esac
 
-	    only_root
-
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1843,7 +1797,7 @@ do_dump_command() {
 
     echo
 
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1957,6 +1911,41 @@ show_proc() # $1 = name of a file
     [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2540,114 +2529,109 @@ hits_command() {
     fi
 }
 
-#
-# Issue an error message and terminate if the firewall isn't started
-#
-require_started() {
-    if ! product_is_started; then
-	error_message "ERROR: $g_product is not started"
-	exit 2
-    fi
-}
-
 #
 # 'allow' command executor
 #
 allow_command() {
 
-    local allowed
-    local which
-    which='-s'
-    local range
-    range='--src-range'
-    local dynexists
-
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && missing_argument
 
-    if [ -n "$g_blacklistipset" ]; then
-	case ${IPSET:=ipset} in
-	    */*)
-		if [ ! -x "$IPSET" ]; then
-		    fatal_error "IPSET=$IPSET does not exist or is not executable"
-		fi
-		;;
-	    *)
-		IPSET="$(mywhich $IPSET)"
-		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-		;;
-	esac
-    fi
+    if product_is_started ; then
+	local allowed
+	local which
+	which='-s'
+	local range
+	range='--src-range'
+	local dynexists
 
-    if chain_exists dynamic; then
-	dynexists=Yes
-    elif [ -z "$g_blacklistipset" ]; then
-	require_started
-	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
-    fi
+	if [ -n "$g_blacklistipset" ]; then
 
-    [ -n "$g_nolock" ] || mutex_on
-
-    while [ $# -gt 1 ]; do
-	shift
-
-	allowed=''
-
-	case $1 in
-	    from)
-		which='-s'
-		range='--src-range'
-		continue
-		;;
-	    to)
-		which='-d'
-		range='--dst-range'
-		continue
-		;;
-	    *-*)
-		if [ -n "$g_blacklistipset" ]; then
-		    if qt $IPSET -D $g_blacklistipset $1; then
-			allowed=Yes
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
 		    fi
-		fi
-
-		if [ -n "$dynexists" ]; then
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
-		    then
-			allowed=Yes
-		    fi
-		fi
-		;;
-	    *)
-		if [ -n "$g_blacklistipset" ]; then
-		    if qt $IPSET -D $g_blacklistipset $1; then
-			allowed=Yes
-		    fi
-		fi
-
-		if [ -n "$dynexists" ]; then
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			qt $g_tool -D dynamic $which $1 -j logreject
-		    then
-			allowed=Yes
-		    fi
-		fi
-		;;
-	esac
-
-	if [ -n "$allowed" ]; then
-	    progress_message2 "$1 Allowed"
-	else
-	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		    ;;
+	    esac
 	fi
-    done
 
-    [ -n "$g_nolock" ] || mutex_off
+	if chain_exists dynamic; then
+	    dynexists=Yes
+	elif [ -z "$g_blacklistipset" ]; then
+	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+	fi
+
+	[ -n "$g_nolock" ] || mutex_on
+
+	while [ $# -gt 1 ]; do
+	    shift
+
+	    allowed=''
+
+	    case $1 in
+		from)
+		    which='-s'
+		    range='--src-range'
+		    continue
+		    ;;
+		to)
+		    which='-d'
+		    range='--dst-range'
+		    continue
+		    ;;
+		*-*)
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+			then
+			    allowed=Yes
+			fi
+		    fi
+		    ;;
+		*)
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic $which $1 -j logreject
+			then
+			    allowed=Yes
+			fi
+		    fi
+		    ;;
+	    esac
+
+	    if [ -n "$allowed" ]; then
+		progress_message2 "$1 Allowed"
+	    else
+		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	    fi
+	done
+
+	[ -n "$g_nolock" ] || mutex_off
+    else
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
 }
 
 #
@@ -2786,7 +2770,7 @@ determine_capabilities() {
     GOTO_TARGET=
     LOGMARK_TARGET=
     IPMARK_TARGET=
-    LOG_TARGET=
+    LOG_TARGET=Yes
     ULOG_TARGET=
     NFLOG_TARGET=
     PERSISTENT_SNAT=
@@ -2819,8 +2803,6 @@ determine_capabilities() {
     WAIT_OPTION=
     CPU_FANOUT=
     NETMAP_TARGET=
-    NFLOG_SIZE=
-    RESTORE_WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2844,11 +2826,9 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
-    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
-
     if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	g_tool="$g_tool --wait"
+	tool="$tool --wait"
     fi
 
     chain=fooX$$
@@ -2863,7 +2843,6 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
-	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3155,15 +3134,12 @@ determine_capabilities() {
     qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
+    qt $g_tool -A $chain -j LOG || LOG_TARGET=
     qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
+    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
     qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
     qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
-    if qt $g_tool -A $chain -j NFLOG; then
-	NFLOG_TARGET=Yes
-	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
-    fi
 
     if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3238,8 +3214,8 @@ report_capabilities_unsorted() {
     [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
     report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
     report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
-    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
     if [ -n "$IPSET_MATCH" ]; then
+	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3319,11 +3295,9 @@ report_capabilities_unsorted() {
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3331,8 +3305,6 @@ report_capabilities_unsorted() {
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
-    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
-    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3439,9 +3411,6 @@ report_capabilities_unsorted1() {
     report_capability1 WAIT_OPTION
     report_capability1 CPU_FANOUT
     report_capability1 NETMAP_TARGET
-    report_capability1 NFLOG_SIZE
-    report_capability1 RESTORE_WAIT_OPTION
-    report_capability1 NAT_INPUT_CHAIN
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3746,7 +3715,7 @@ ipcalc_command() {
 
     valid_address $address || fatal_error "Invalid IP address: $address"
     [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm
@@ -4588,14 +4557,12 @@ shorewall_cli() {
 
     case "$COMMAND" in
 	start)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4603,7 +4570,6 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
-	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4612,13 +4578,11 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
-	    only_root
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -4627,7 +4591,6 @@ shorewall_cli() {
 	    fi
 	    ;;
 	blacklist)
-	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4636,7 +4599,6 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
-	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4646,20 +4608,18 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
-	    only_root
+	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
-	    only_root
 	    get_config Yes No Yes
     	    shift
     	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
-	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4670,63 +4630,53 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
-	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
-	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
-	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
-	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
-	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
-	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4743,13 +4693,11 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
-	    only_root
 	    get_config
 	    shift
 	    restore_command $@
             ;;
 	call)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4787,20 +4735,17 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
-	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
-	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,48 +269,53 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
     local modulename
     modulename=$1
-    shift
-    local moduleoptions
-    moduleoptions=$*
     local modulefile
     local suffix
 
     if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		case $moduleloader in
-		    insmod)
-			for directory in $moduledirectories; do
-			    for modulefile in $directory/${modulename}.*; do
-				if [ -f $modulefile ]; then
-				    insmod $modulefile $moduleoptions
-				    return
-				fi
-			    done
-			done
-			;;
-		    *)
-			modprobe -q $modulename $moduleoptions
-			;;
-		esac
-	    fi
-	fi
-    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	case $moduleloader in
-	    insmod)
-		for directory in $moduledirectories; do
-		    for modulefile in $directory/${modulename}.*; do
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
 			if [ -f $modulefile ]; then
-			    insmod $modulefile $moduleoptions
-			    return
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
 			fi
 		    done
 		done
-		;;
-	    *)
-		modprobe -q $modulename $moduleoptions
-		;;
-	esac
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
     fi
 }
 
@@ -333,6 +338,8 @@ reload_kernel_modules() {
 	moduleloader=insmod
     fi
 
+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
+
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -387,6 +394,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
     fi
 
+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
+
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)

Shorewall-core/lib.core

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.core
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
 
-SHOREWALL_LIBVERSION=50108
+SHOREWALL_LIBVERSION=50100
 
 #
 # Fatal Error

Shorewall-core/lib.installer

@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/manpages/shorewall.xml

@@ -3173,8 +3173,6 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/</para>
-
-    <para>/etc/shorewall6/</para>
   </refsect1>
 
   <refsect1>
@@ -3184,18 +3182,13 @@
     url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
-    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
-    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
-    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
-    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
-    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
-    shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall-core/shorewall

@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.0
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,10 +25,6 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-#
-# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
-# options
-#
 PRODUCT=shorewall
 
 #

Shorewall-init/init.debian.sh

@@ -73,16 +73,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
-        if [ $PRODUCT = shorewall ]; then
-            ${SBINDIR}/shorewall compile
-        elif [ $PRODUCT = shorewall6 ]; then
-            ${SBINDIR}/shorewall -6 compile
-        else
-            return 1
-        fi
+	return 0
     fi
 }
 
@@ -112,14 +108,16 @@ shorewall_start () {
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-          #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  (
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
-	  )
+	  if [ -x ${STATEDIR}/firewall ]; then
+              #
+	      # Run in a sub-shell to avoid name collisions
+	      #
+	      (
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  fi
+	      )
+	  fi
       fi
   done
 
@@ -147,7 +145,9 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 
@@ -159,9 +159,8 @@ shorewall_stop () {
 
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
       else
-	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
       fi
 

Shorewall-init/init.fedora.sh

@@ -44,14 +44,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -68,20 +66,20 @@ start () {
 
     printf "Initializing \"Shorewall-based firewalls\": "
 
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
     for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
     done
@@ -108,25 +106,20 @@ stop () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
     done
 
     if [ $retval -eq 0 ]; then
-	if [ -n "$SAVE_IPSETS" ]; then
-	    mkdir -p $(dirname "$SAVE_IPSETS")
-	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
-		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	    else
-		rm -f "${SAVE_IPSETS}.tmp"
-	    fi
-	fi
-
 	rm -f $lockfile
 	success
     else

Shorewall-init/init.openwrt.sh

@@ -75,14 +75,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -94,8 +92,10 @@ start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -103,8 +103,6 @@ start () {
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
       ipset -R < "$SAVE_IPSETS"
   fi
-
-  return 0
 }
 
 boot () {
@@ -119,19 +117,17 @@ stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
     done
 
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
     fi
-
-    return 0
 }
 

Shorewall-init/init.sh

@@ -69,12 +69,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
     else
-	return 1
+	return 0
     fi
 }
 
@@ -86,8 +84,10 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -107,16 +107,16 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
       fi
   fi
 

Shorewall-init/init.suse.sh

@@ -79,14 +79,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 6
+	return 0
     fi
 }
 
@@ -98,8 +96,10 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	  if [ -x $STATEDIR/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -117,16 +117,16 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
       fi
   fi
 }

Shorewall-init/shorewall-init

@@ -33,12 +33,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
+    else
+	return 0
     fi
 }
 
@@ -67,14 +67,16 @@ shorewall_start () {
     printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
+	    if [ -x ${STATEDIR}/firewall ]; then
+		#
+		# Run in a sub-shell to avoid name collisions
+		#
+		(
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+			${STATEDIR}/firewall ${OPTIONS} stop
+		    fi
+		)
+	    fi
 	fi
     done
 
@@ -93,16 +95,16 @@ shorewall_stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
     done
 
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
     fi
 

Shorewall-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,6 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall/Actions/action.A_REJECT

@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECT
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_REJECT!

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.AllowICMPs

@@ -13,6 +13,7 @@ DEFAULTS ACCEPT
     @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
+
     @1	-		-	ipv6-icmp	destination-unreachable
     @1	-		-	ipv6-icmp	packet-too-big
     @1	-		-	ipv6-icmp	time-exceeded
@@ -37,7 +38,7 @@ DEFAULTS ACCEPT
     @1	-		-	ipv6-icmp	148	# Certificate path solicitation
     @1	-		-	ipv6-icmp	149	# Certificate path advertisement
 
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
     @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
     @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall/Actions/action.Broadcast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.DNSAmp

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Established

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.FIN

@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.FIN
-#
-# FIN Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# FIN[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT,-
-
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN

Shorewall/Actions/action.IfEvent

@@ -107,11 +107,6 @@ if ( $command & $REAP_OPT ) {
 
 $duration .= '--rttl ' if $command & $TTL_OPT;
 
-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
-    $action = 'ACCEPT';
-}
-
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
 

Shorewall/Actions/action.Invalid

@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Multicast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.New

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.NotSyn

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.RST

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Related

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.ResetEvent

@@ -41,11 +41,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "" );
-    $action = 'ACCEPT';
-}
-
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {

Shorewall/Actions/action.SetEvent

@@ -37,11 +37,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "" );
-    $action = 'ACCEPT';
-}
-
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {

Shorewall/Actions/action.TCPFlags

@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0

Shorewall/Actions/action.Untracked

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.allowInvalid

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.dropBcasts

@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcasts
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcasts[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcasts"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-

Shorewall/Actions/action.dropInvalid

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Macros/macro.Apcupsd

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Apcupsd
-#
-# This macro handles apcupsd traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	3551

Shorewall/Macros/macro.FreeIPA

@@ -1,16 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.FreeIPA
-#
-# This macro handles FreeIPA server traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DNS
-HTTP
-HTTPS
-Kerberos
-Kpasswd
-LDAP
-LDAPS
-NTP

Shorewall/Macros/macro.IPMI

@@ -11,20 +11,13 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	8889		# WS-MAN
+PARAM	-	-	udp	623		# RMCP
 HTTP
-Telnet
-SNMP
-
-# TLS/secure ports
-PARAM	-	-	tcp	3520		# Remote Console (Redfish)
-PARAM	-	-	tcp	3669		# Virtual Media (Dell)
-PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
-PARAM	-	-	tcp	7582		# Remote Console (AMI)
 HTTPS
+SNMP
 SSH						# Serial over Lan
+Telnet

Shorewall/Macros/macro.Kpasswd

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Kpasswd
-#
-# This macro handles Kerberos "passwd" traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	464
-PARAM	-	-	udp	464

Shorewall/Macros/macro.RDP

@@ -6,5 +6,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
-PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389

Shorewall/Macros/macro.RedisSecure

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisSecure
-#
-# This macro handles Redis Secure (SSL/TLS) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	6380

Shorewall/Macros/macro.Rwhois

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Rwhois
-#
-# This macro handles Remote Who Is (rwhois) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	4321

Shorewall/Macros/macro.SSDP

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDP
-#
-# This macro handles SSDP (used by DLNA/UPnP) client traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900

Shorewall/Macros/macro.SSDPserver

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDPserver
-#
-# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900
-PARAM	DEST	SOURCE	udp	-	1900

Shorewall/Makefile-lite

@@ -0,0 +1,82 @@
+#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+# Place this file in each export directory. Modify each copy to set HOST
+# to the name of the remote firewall corresponding to the directory.
+#
+#	To make the 'firewall' script, type "make".
+#
+#	Once the script is compiling correctly, you can install it by
+#	typing "make install".
+#
+################################################################################
+#                             V A R I A B L E S
+#
+# Files in the export directory on which the firewall script does not depend
+#
+IGNOREFILES =  firewall% Makefile% trace% %~
+#
+# Remote Firewall system
+#
+HOST = gateway
+#
+# Save some typing
+#
+LITEDIR = /var/lib/shorewall-lite
+#
+# Set this if the remote system has a non-standard modules directory
+#
+MODULESDIR=
+#
+# Default target is the firewall script
+#
+################################################################################
+#                                T A R G E T S
+#
+all: firewall
+#
+# Only generate the capabilities file if it doesn't already exist
+#
+capabilities:
+	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
+	scp root@$(HOST):$(LITEDIR)/capabilities .
+#
+# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
+# 'filter-out' will be presented with the list of files in this directory rather than "*"
+#
+firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
+	shorewall compile -e . firewall
+#
+# Only reload on demand.
+#
+install: firewall
+	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
+	ssh root@$(HOST) "/sbin/shorewall-lite restart"
+#
+# Save running configuration
+#
+save:
+	ssh root@$(HOST) "/sbin/shorewall-lite save"
+#
+# Remove generated files
+#
+clean:
+	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
     my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     if ( $source eq 'any' || $source eq 'all' ) {
         $source = ALLIP;
     } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
     }
 
     if ( have_bridges && ! $asection ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,7 +32,6 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
-use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -138,12 +137,6 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
-				       validate_port
-				       validate_portpair
-				       validate_portpair1
-				       validate_port_list
-				       expand_port_range
-
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -335,7 +328,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
 #                                               blacklistsection
-#                                                            => Chain was created by entries in the blrules file
+#                                                            => Chain was created by entries in the BLACKLIST section of the rules file
 #                                               action       => <action tuple that generated this chain>
 #                                               restricted   => Logical OR of restrictions of rules in this chain.
 #                                               restriction  => Restrictions on further rules in this chain.
@@ -361,13 +354,13 @@ our $VERSION = 'MODULEVERSION';
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
-#       'loglevel', 'synparams', 'synchain', 'audit', 'default' and 'origin' only apply to policy chains.
+#       'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
 ###########################################################################################################################################
 #
 # For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
 # joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
 # connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
-# explicit policy for the ordered pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
+# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
 # wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
 #
 # Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
@@ -397,7 +390,7 @@ our $VERSION = 'MODULEVERSION';
 #      MAC Recent      - <dev>_rec
 #      SNAT            - <dev>_snat
 #      ECN             - <dev>_ecn
-#      INPUT Options   - <dev>_iop
+#      FORWARD Options - <dev>_fop
 #      OUTPUT Options  - <dev>_oop
 #      FORWARD Options - <dev>_fop
 #
@@ -516,7 +509,6 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
-our %port_variables;
 our $ipset_rules;
 
 #
@@ -792,7 +784,6 @@ sub initialize( $$$ ) {
     %interfaceacasts    = ();
     %interfacegateways  = ();
     %address_variables  = ();
-    %port_variables     = ();
 
     $global_variables   = 0;
     $idiotcount         = 0;
@@ -828,214 +819,6 @@ sub initialize( $$$ ) {
     #
 }
 
-sub record_runtime_port( $ ) {
-    my ( $variable ) = @_;
-
-    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
-	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
-	$port_variables{$1} = 1;
-    } else {
-	fatal_error( "Invalid port variable (%$variable)" );
-    }
-
-    "\$$variable";
-}
-
-################################################################################
-# Functions moved from IPAddrs.pm in 5.1.5				       #
-################################################################################
-
-sub validate_port( $$ ) {
-    my ($proto, $port) = @_;
-
-    my $value;
-
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$value = numeric_value $port;
-
-	if ( defined $value ) {
-	    if ( $value && $value <= 65535 ) {
-		return $value;
-	    } else {
-		$value = undef;
-	    }
-	}
-    } elsif ( $port =~ /^%(.*)/ ) {
-	$value = record_runtime_port( $1 );
-    } else {
-	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
-	$value = getservbyname( $port, $proto );
-    }
-
-    return $value if defined $value;
-
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
-}
-
-#
-# Port or port-pair separated by ':'. Either port may be omitted in the pair
-#
-sub validate_portpair( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-
-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-
-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-
-    my @ports = split /:/, $pair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($_[1])" unless $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-    }
-
-    fatal_error "Using a $what ( $_[1] ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP     ||
-			       $protonum == UDP     ||
-			       $protonum == UDPLITE ||
-			       $protonum == SCTP    ||
-			       $protonum == DCCP );
-    join ':', @ports;
-
-}
-
-#
-# Port or port-pair separated by '-'. Neither port may be omitted in the pair
-#
-sub validate_portpair1( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-
-    my @ports = split /-/, $portpair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
-			       $protonum == DCCP );
-    join '-', @ports;
-
-}
-
-sub validate_port_list( $$ ) {
-    my $result = '';
-    my ( $proto, $list ) = @_;
-    my @list   = split_list( $list, 'port' );
-
-    if ( @list > 1 && $list =~ /[:-]/ ) {
-	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
-    }
-
-    $proto = proto_name $proto;
-
-    for ( @list ) {
-	my $value = validate_portpair( $proto , $_ );
-	$result = $result ? join ',', $result, $value : $value;
-    }
-
-    $result;
-}
-
-#
-# Expands a port range into a minimal list of ( port, mask ) pairs.
-# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
-#
-# Example:
-#
-#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
-#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
-#
-sub expand_port_range( $$ ) {
-    my ( $proto, $range ) = @_;
-
-    if ( $range =~ /^(.*):(.*)$/ ) {
-	my ( $first, $last ) = ( $1, $2);
-	my @result;
-
-	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
-	#
-	# Supply missing first/last port number
-	#
-	$first = 0     if $first eq '';
-	$last  = 65535 if $last eq '';
-	#
-	# Validate the ports
-	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
-
-	$last++; #Increment last address for limit testing.
-	#
-	# Break the range into groups:
-	#
-	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
-	#        the remaining range has less than or equal to P ports. The next group is
-	#        ( <first> , ~( P-1 ) ).
-	#
-	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
-	    my $mask = 0xffff;         #Mask for current ports in group.
-	    my $y    = 2;              #Next power of two to test
-	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
-
-	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
-		$mask <<= 1;
-		$z  = $y;
-		$y <<= 1;
-	    }
-	    #
-	    #
-	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
-	    $first += $z;
-	}
-
-	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
-
-	@result;
-
-    } else {
-	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
-
-################################################################################
-# End functions moved from IPAddrs.pm in 5.1.5				       #
-################################################################################
-
 #
 # Functions to manipulate cmdlevel
 #
@@ -1319,14 +1102,14 @@ sub pop_match( $$ ) {
 
 sub clone_irule( $ );
 
-sub format_rule( $$ ) {
-    my ( $chainref, $rulerefp ) = @_;
+sub format_rule( $$;$ ) {
+    my ( $chainref, $rulerefp, $suppresshdr ) = @_;
 
     return $rulerefp->{cmd} if exists $rulerefp->{cmd};
 
-    my $rule = "-A $chainref->{name}";
+    my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
     #
-    # The code that follows can be destructive of the rule so we clone it
+    # The code the follows can be destructive of the rule so we clone it
     #
     my $ruleref = $rulerefp->{complex} ? clone_irule( $rulerefp ) : $rulerefp;
     my $nfacct  = $rulerefp->{nfacct};
@@ -1348,6 +1131,8 @@ sub format_rule( $$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
+
+	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1406,15 +1191,13 @@ sub compatible( $$ ) {
     }
     #
     # Don't combine chains where each specifies
-    #    -m policy and the policies are different
+    #    -m policy
     # or when one specifies
     #    -m multiport
     # and the other specifies
     #    --dport or --sport or -m multiport
     #
-    my ( $p1, $p2 );
-
-    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -1932,7 +1715,7 @@ sub delete_reference( $$ ) {
 
     assert( $toref );
 
-    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
+    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
 }
 
 #
@@ -2070,7 +1853,7 @@ sub adjust_reference_counts( $$$ ) {
     my ($toref, $name1, $name2) = @_;
 
     if ( $toref ) {
-	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
+	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
 	$toref->{references}{$name2}++;
     }
 }
@@ -2301,6 +2084,8 @@ sub use_forward_chain($$) {
 
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # Use it if we already have jumps to it
     #
@@ -2375,6 +2160,8 @@ sub use_input_chain($$) {
     my ( $interface, $chainref ) = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # We must use the interfaces's chain if the interface is associated with multiple Zones
     #
@@ -2454,6 +2241,8 @@ sub use_output_chain($$) {
     my ( $interface, $chainref)  = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # We must use the interfaces's chain if the interface is associated with multiple Zones
     #
@@ -3176,8 +2965,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
-	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
-
 	for my $chain ( qw(PREROUTING INPUT OUTPUT ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3240,8 +3027,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
-	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
-
 	for my $chain ( qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3267,7 +3052,7 @@ sub initialize_chain_table($) {
 	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
     }
 
-    if ( $config{DOCKER} ) {
+    if ( my $docker = $config{DOCKER} ) {
 	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
@@ -3276,10 +3061,8 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
-	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
     }
 
@@ -3377,43 +3160,15 @@ sub delete_references( $ ) {
 #
 # Calculate a digest for the passed chain and store it in the {digest} member.
 #
-# First, a lightweight version of format_rule()
-#
-sub irule_to_string( $ ) {
-    my ( $ruleref ) = @_;
-
-    return $ruleref->{cmd} if exists $ruleref->{cmd};
-
-    my $string = '';
-
-    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}} ) {
-	my $value = $ruleref->{$_};
-	if ( reftype $value ) {
-	    $string .= "$_=" . join( ',', @$value ) . ' ';
-	} else {
-	    $string .= "$_=$value ";
-	}
-    }
-
-    if ( $ruleref->{target} ) {
-	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
-	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
-    }
-
-    $string .= join( '', ' -m comment --comment "', $ruleref->{comment}, '"' ) if $ruleref->{comment};
-
-    $string;
-}
-
 sub calculate_digest( $ ) {
     my $chainref = shift;
     my $rules = '';
 
     for ( @{$chainref->{rules}} ) {
 	if ( $rules ) {
-	    $rules .= ' |' . irule_to_string( $_ );
+	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $rules = irule_to_string( $_ );
+	    $rules = format_rule( $chainref, $_, 1 );
 	}
     }
 
@@ -3704,7 +3459,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -3775,7 +3530,7 @@ sub optimize_level4( $$ ) {
     #
     # In this loop, we look for chains that end in an unconditional jump. The jump is replaced by
     # the target's rules, provided that the target chain is short (< 4 rules) or has only one
-    # reference. This prevents multiple copies of long chains from being created.
+    # reference. This prevents multiple copies of long chains being created.
     #
     $progress = 1;
 
@@ -3885,10 +3640,7 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} &&
-							   @{$_->{rules}}        &&
-							   ! $_->{builtin},
-							   values %{$tableref} ) );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -3908,11 +3660,12 @@ sub optimize_level8( $$$ ) {
 	    # Shift the current $chainref off of @chains1
 	    #
 	    shift @chains1;
-
-	    for my $chainref1 (grep ! ( $_->{optflags} & DONT_DELETE ), @chains1 ) {
-		#
-		# Chains identical?
-		#
+	    #
+	    # Skip empty chains
+	    #
+	    for my $chainref1 ( @chains1 ) {
+		next unless @{$chainref1->{rules}};
+		next if $chainref1->{optflags} & DONT_DELETE;
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
@@ -3933,15 +3686,6 @@ sub optimize_level8( $$$ ) {
 		    }
 
 		    $combined{ $chainref1->{name} } = $chainref->{name};
-		    #
-		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
-		    # the policy attributes in the combined chain
-		    #
-		    if ( $chainref->{policychain} ) {
-			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
-		    } elsif ( $chainref1->{policychain} ) {
-			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
-		    }
 		}
 	    }
 	}
@@ -4342,7 +4086,7 @@ sub get_conntrack( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment' & origin are omitted;
 #
 sub get_keys1( $ ) {
     my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
@@ -4813,7 +4557,6 @@ sub do_proto( $$$;$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
-	my $all      = ( $proto =~ s/:all$//i );
 	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -4829,7 +4572,6 @@ sub do_proto( $$$;$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
-		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -4870,7 +4612,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -4969,8 +4711,6 @@ sub do_proto( $$$;$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
-	    $proto = $proto . ':all' if $all;
-
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -5027,7 +4767,6 @@ sub do_iproto( $$$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:syn$//i );
-	my $all      = ( $proto =~ s/:all$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
@@ -5042,7 +4781,6 @@ sub do_iproto( $$$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
-		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		@output = ( p => "${invert}${proto}" );
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -5081,7 +4819,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;
 
 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5177,8 +4915,6 @@ sub do_iproto( $$$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
-	    $proto = $proto . ':all' if $all;
-
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -6022,7 +5758,6 @@ sub record_runtime_address( $$;$$ ) {
 
     if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
-	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
     }
@@ -6368,7 +6103,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
     }
 
-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
     $net eq ALLIP ? '' : "-d $net ";
 }
 
@@ -6449,7 +6184,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
     $net eq ALLIP ? () : ( d =>  $net );
 }
 
@@ -7108,8 +6843,6 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
     my ( $logical, $protect, $provider ) = @_;
 
-    $provider = '' unless defined $provider;
-
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
     my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -7123,9 +6856,9 @@ sub get_interface_gateway ( $;$$ ) {
     }
 
     if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
     } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
     }
 
@@ -7312,19 +7045,6 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
     }
-
-    for my $variable( keys %port_variables ) {
-	my $port = "\$$variable";
-	my $type = $port_variables{$variable};
-
-	emit( qq(if [ -z "$port" ]; then) ,
-	      qq(    $variable=255) ,
-	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
-	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
-	      qq(else) ,
-	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
-	      qq(fi\n) );
-    }
 }
 
 #
@@ -7574,11 +7294,6 @@ sub isolate_dest_interface( $$$$ ) {
 
 	    $rule .= "-d $variable ";
 	}
-    } elsif ( $dest =~ /^\$/ ) {
-	#
-	# Runtime address variable
-	#
-	$dnets  = $dest;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8229,8 +7944,19 @@ sub add_interface_options( $ ) {
 	# Generate a digest for each chain
 	#
 	for my $chainref ( values %input_chains, values %forward_chains ) {
+	    my $digest = '';
+
 	    assert( $chainref );
-	    calculate_digest( $chainref );
+
+	    for ( @{$chainref->{rules}} ) {
+		if ( $digest ) {
+		    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+		} else {
+		    $digest = format_rule( $chainref, $_, 1 );
+		}
+	    }
+
+	    $chainref->{digest} = sha1_hex $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -8491,7 +8217,6 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
 
@@ -8507,7 +8232,6 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
-	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8528,7 +8252,7 @@ sub save_dynamic_chains() {
 	);
 
     if ( have_capability 'IPTABLES_S' ) {
-	emithd <<"EOF";
+	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
 else
@@ -8549,7 +8273,6 @@ fi
 EOF
 	if ( $config{MINIUPNPD} ) {
 	    emit << "EOF";
-
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
     $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8558,7 +8281,7 @@ fi
 EOF
 	}
     } else {
-	emithd <<"EOF";
+	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -8578,8 +8301,7 @@ else
 fi
 EOF
 	if ( $config{MINIUPNPD} ) {
-	    emithd << "EOF";
-
+	    emit << "EOF";
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
     $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8593,7 +8315,7 @@ EOF
     emit ( 'else' );
     push_indent;
 
-emithd <<"EOF";
+emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
 EOF
@@ -8630,7 +8352,7 @@ sub ensure_ipsets( @ ) {
 
 	pop_indent;
 
-	emit( q(    fi) );
+	emit( qq(    fi\n) );
 
     }
 
@@ -8806,6 +8528,7 @@ sub create_load_ipsets() {
 		  '        $IPSET flush $set' ,
 		  '        $IPSET destroy $set' ,
 		  "    done" ,
+		  '',
 		);
 	} else {
 	    #
@@ -8817,7 +8540,7 @@ sub create_load_ipsets() {
 		   '    fi' );
 	};
 
-	emit( "}\n" );
+	emit( '}' );
     }
     #
     # Now generate load_ipsets()
@@ -8886,17 +8609,20 @@ sub create_load_ipsets() {
 	    ensure_ipsets( @ipsets );
 
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
+	    emit ( '' );
 	    ensure_ipsets( @ipsets );
+	    emit ( '' );
 	};
 
-	emit ( 'fi' );
+	emit ( 'fi' ,
+	       '' );
     } else {
 	emit 'true';
     }
 
     pop_indent;
 
-    emit "}\n";	    
+    emit '}';	    
 }
 
 #
@@ -8948,15 +8674,9 @@ sub create_netfilter_load( $ ) {
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
 
     emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
-
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
-    } else {
-	emit( '    option="--counters"' );
-    }
-
-    emit( '',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  '    option="--counters"',
+	  '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8964,11 +8684,7 @@ sub create_netfilter_load( $ ) {
 
     push_indent;
 
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
-    } else {
-	emit 'option=';
-    }
+    emit 'option=';
 
     save_progress_message "Preparing $utility input...";
 
@@ -9017,10 +8733,6 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
-		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9069,7 +8781,7 @@ sub create_netfilter_load( $ ) {
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
 	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	  'fi'
+	  "fi\n"
 	);
 
     pop_indent;
@@ -9125,11 +8837,6 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
-		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
-			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			print "\n";
-			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9367,10 +9074,6 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
-		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9396,11 +9099,7 @@ sub create_stop_load( $ ) {
 
     enter_cmd_mode;
 
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
-    } else {
-	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
-    }
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
 
     emit( '',
 	  'progress_message2 "Running $command..."',

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
 
     copy2( $lib, $debug ) if -f $lib;
 
-    emithd<<'EOF';
+    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
     }
 
-    emithd <<'EOF';
+    emit <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -209,8 +209,6 @@ sub generate_script_2() {
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
     emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
     emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
-    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
-    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -268,13 +266,13 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
     }
 
     pop_indent;
 
-    emit "}\n"; # End of initialize()
+    emit "\n}\n"; # End of initialize()
 
     emit( '' ,
 	  '#' ,
@@ -311,9 +309,10 @@ sub generate_script_2() {
 	    push_indent;
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-		verify_required_interfaces(0);
+
 		set_global_variables(0, 0);
-		handle_optional_interfaces;
+
+		handle_optional_interfaces(0);
 	    }
 
 	    emit ';;';
@@ -325,19 +324,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 
-	verify_required_interfaces(1);
 	set_global_variables(1,1);
-	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
 	}
     } else {
-	verify_required_interfaces(1);
-	emit( 'true' ) unless handle_optional_interfaces;
+	emit( 'true' ) unless handle_optional_interfaces(1);
     }
 
     pop_indent;
@@ -524,7 +523,7 @@ sub generate_script_3($) {
 
     my $config_dir = $globals{CONFIGDIR};
 
-    emithd <<"EOF";
+    emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
 elif [ \$COMMAND = refresh ]; then
@@ -571,7 +570,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
 
-    emithd<<'EOF';
+    emit<<'EOF';
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -690,7 +689,6 @@ sub compiler {
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
     #
-    #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
     get_configuration( $export , $update , $annotate , $inline );
@@ -795,10 +793,13 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
     }
 
+    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
+    enable_script;
+    #
     # Validate the TC files so that the providers will know what interfaces have TC
     #
     my $tcinterfaces = process_tc;
@@ -897,7 +898,7 @@ sub compiler {
 
 	optimize_level0;
 
-	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains

Shorewall/Perl/Shorewall/Config.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -30,97 +30,17 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
-#   A significant portion of this module is dedicated to the preprocessor:
-#
-#	process_compiler_directive() - processes compiler directives
-#
-#	embedded_shell() - handles embedded shell scripting
-#
-#	embedded_perl() - handles embedded perl scripting
-#
-#	read_a_line() - Reads the next configuration file record to
-#			be passed to the function processing the file.
-#
-#	    - Detects compiler directives and passes then to
-#	      process_compiler_directive() for handling.
-#
-#	    - Handles line continuation
-#
-#	    - Invokes a callback when the first (concatinated) non-directive
-#	      record is read from a file.
-#
-#	    - Conditionally expands variables.
-#
-#	    - Conditionally detects embedded Shell and Perl and passes them
-#	      off to embedded_shell() and embedded_perl() respectively.
-#
-#	    - Conditionally detects and handles [?}INCLUDE directives.
-#
-#	    - Conditionally detects and handles ?SECTION directives.
-#	      File processing functions can supply a callback to be
-#	      called during this processing.
-#
-#   File processing routines may need to open a second (third, fourth, ...)
-#   file while processing the main file (macro and/or action files). Two
-#   functions are provided to make that possible:
-#
-#      push_open() - open a file while leaving the current file open.
-#
-#      pop_open() - close the current file, and make the previous
-#		    file (if any) the current one.
-#
-#   Because this module expands variables, it must be aware of action
-#   parameters.
-#
-#	push_action_params() - populates the %actparams hash and
-#			       returns a reference to the previous
-#			       contents of that hash. The caller is
-#			       expected to store those contents locally.
-#
-#	pop_action_params()  - Restores the %actparams hash from
-#			       the reference returned by
-#			       push_action_params().
-#
-#   The following routines are provided for INLINE PERL within
-#   action bodies:
-#
-#	default_action_params() - called to fill in omitted
-#				  arguments when a DEFAULTS
-#				  line is encountered.
-#
-#	get_action_params() - returns an array of arguments.
-#
-#	setup_audit_action() - helper for A_* actions.
-#
-#	get_action_logging() - returns log level and tag
-#			       from the action's invocation.
-#
-#	get_action_chain_name() - returns chain name.
-#
-#	set_action_name_to_caller() - replace chain name
-#				      with that of invoking
-#				      chain for logging purposes.
-#
-#	set_action_disposition() - set the current action
-#				   disposition for logging purposes.
-#
-#	get_action_disposition() - get the current action disposition.
-#
-#	set_action_param() - set the value of an argument.
-#
 package Shorewall::Config;
 
 use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
-use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
-use Errno qw(:POSIX);
 
 our @ISA = qw(Exporter);
 #
@@ -189,7 +109,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
-				       emithd
 				       emitstd
 				       emit_unindented
 				       save_progress_message
@@ -303,10 +222,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                        DO_SECTION
 				       NORMAL_READ
 
-				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
+				       OPTIMIZE_USE_FIRST
 				       OPTIMIZE_ALL
 				     ) , ] ,
 		   protocols => [ qw (
@@ -396,7 +315,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -494,10 +413,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  WAIT_OPTION     => 'iptables --wait option',
                  CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                  NETMAP_TARGET   => 'NETMAP Target',
-                 NFLOG_SIZE      => '--nflog-size support',
-		 RESTORE_WAIT_OPTION
-				 => 'iptables-restore --wait option',
-                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -545,8 +461,9 @@ use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
-               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
+
+	       OPTIMIZE_USE_FIRST      => 0x1000 # Always use interface 'first' chains -- undocumented
 	     };
 
 our %helpers = ( amanda          => UDP,
@@ -571,55 +488,53 @@ our %helpers_aliases;
 our %helpers_enabled;
 
 our %config_files = ( #accounting      => 1,
-		      actions	       => 1,
-		      blacklist	       => 1,
-		      clear	       => 1,
-		      conntrack	       => 1,
-		      ecn	       => 1,
-		      findgw	       => 1,
-		      hosts	       => 1,
-		      init	       => 1,
-		      initdone	       => 1,
+		      actions          => 1,
+		      blacklist        => 1,
+		      clear            => 1,
+		      conntrack        => 1,
+		      ecn              => 1,
+		      findgw           => 1,
+		      hosts            => 1,
+		      init             => 1,
+		      initdone         => 1,
 		      interfaces       => 1,
-		      isusable	       => 1,
-		      maclist	       => 1,
-		      mangle	       => 1,
-		      masq	       => 1,
-		      nat	       => 1,
-		      netmap	       => 1,
-		      params	       => 1,
-		      policy	       => 1,
-		      providers	       => 1,
-		      proxyarp	       => 1,
-		      refresh	       => 1,
-		      refreshed	       => 1,
-		      restored	       => 1,
-		      rawnat	       => 1,
+		      isusable         => 1,
+		      maclist          => 1,
+		      masq             => 1,
+		      nat              => 1,
+		      netmap           => 1,
+		      params           => 1,
+		      policy           => 1,
+		      providers        => 1,
+		      proxyarp         => 1,
+		      refresh          => 1,
+		      refreshed        => 1,
+		      restored         => 1,
+		      rawnat           => 1,
 		      route_rules      => 1,
-		      routes	       => 1,
+		      routes           => 1,
 		      routestopped     => 1,
-		      rtrules	       => 1,
-		      rules	       => 1,
-		      scfilter	       => 1,
-		      secmarks	       => 1,
-		      snat	       => 1,
-		      start	       => 1,
-		      started	       => 1,
-		      stop	       => 1,
-		      stopped	       => 1,
+		      rtrules          => 1,
+		      rules            => 1,
+		      scfilter         => 1,
+		      secmarks         => 1,
+		      start            => 1,
+		      started          => 1,
+		      stop             => 1,
+		      stopped          => 1,
 		      stoppedrules     => 1,
-		      tcclasses	       => 1,
-		      tcclear	       => 1,
-		      tcdevices	       => 1,
-		      tcfilters	       => 1,
+		      tcclasses        => 1,
+		      tcclear          => 1,
+		      tcdevices        => 1,
+		      tcfilters        => 1,
 		      tcinterfaces     => 1,
-		      tcpri	       => 1,
-		      tcrules	       => 1,
-		      tos	       => 1,
-		      tunnels	       => 1,
-		      zones	       => 1 );
+		      tcpri            => 1,
+		      tcrules          => 1,
+		      tos              => 1,
+		      tunnels          => 1,
+		      zones            => 1 );
 #
-# Options that involve the AUDIT target
+# Options that involve the the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -676,7 +591,6 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
 
 our $family;                 # Protocol family (4 or 6)
-our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -709,8 +623,8 @@ our %validlevels;            # Valid log levels.
 #
 # Deprecated options with their default values
 #
-our %deprecated = ( LEGACY_RESTART => 'no' ,
-		    INLINE_MATCHES => 'no' ,
+our %deprecated = (
+		   LEGACY_RESTART => 'no'
 		  );
 #
 # Deprecated options that are eliminated via update
@@ -730,7 +644,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
-                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -790,8 +703,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$$) {
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+sub initialize( $;$$) {
+    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -835,8 +748,8 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.12",
-		    CAPVERSION              => 50112 ,
+		    VERSION                 => "5.1.4-Beta1",
+		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -931,6 +844,7 @@ sub initialize( $;$$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
+	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -994,7 +908,6 @@ sub initialize( $;$$$) {
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
-	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1090,7 +1003,7 @@ sub initialize( $;$$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => undef,
+	       LOG_TARGET => 1,         # Assume that we have it.
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1128,9 +1041,6 @@ sub initialize( $;$$$) {
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
-	       NFLOG_SIZE => undef,
-	       RESTORE_WAIT_OPTION => undef,
-	       NAT_INPUT_CHAIN => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1256,7 +1166,7 @@ sub initialize( $;$$$) {
     #
     # Process the global shorewallrc file
     #
-    #   Note: The build script calls this function passing only the protocol family
+    #   Note: The build file executes this function passing only the protocol family
     #
     process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1307,9 +1217,10 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
+    my $linenumber = $currentlinenumber || 1;
+
     if ( $currentfilename ) {
-	my $linenumber = $currentlinenumber || 1;
-	my $lineinfo   = " $currentfilename ";
+	my $lineinfo = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'
@@ -1690,7 +1601,6 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
-		$line =~ s/[ \t]+\n/\n/gm;
 		print $script "$line\n" if $script;
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 
@@ -1711,15 +1621,6 @@ sub emit {
     }
 }
 
-#
-# Used to emit a 'here documents' string without introducing an unwanted blank line at the end
-#
-sub emithd( $ ) {
-    my ( $line ) = @_; #make writable
-    chomp $line;
-    emit $line;
-}
-
 #
 # Version of emit() that writes to standard out unconditionally
 #
@@ -1730,7 +1631,6 @@ sub emitstd {
 	    $line =~ s/^\n// if $lastlineblank;
 	    $line =~ s/^/$indent/gm if $indent;
 	    $line =~ s/        /\t/gm;
-	    $line =~ s/[ \t]+\n/\n/gm;
 	    print "$line\n";
 	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	} else {
@@ -2086,7 +1986,6 @@ sub find_file($)
     for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
-	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
     }
 
     "$config_path[0]$filename";
@@ -2417,10 +2316,6 @@ sub split_line2( $$;$$$ ) {
 	    fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
 
 	    $currline = $columns;
-	    #
-	    # Remove trailing white space
-	    #
-	    $currline =~ s/\s*$//;
 
 	    $inline_matches = $pairs;
 	    #
@@ -2443,11 +2338,9 @@ sub split_line2( $$;$$$ ) {
 	if ( $inlinematches ) {
 	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
 
-	    warning_message "This entry needs to be changed (replace ';' with ';;') before the INLINE_MATCHES option is removed in Shorewall 5.2";
-
 	    $inline_matches = $pairs;
 
-	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+	    if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
@@ -2463,9 +2356,7 @@ sub split_line2( $$;$$$ ) {
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 
-		warning_message "This entry needs to be changed before Shorewall 5.2 (replace ';' with ';;'). '$globals{PRODUCT} update' will do that for you";
-
-		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
@@ -2479,7 +2370,7 @@ sub split_line2( $$;$$$ ) {
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
-    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
+    } elsif ( $currline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
 	#
@@ -2677,7 +2568,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;
+	do_open_file $fname;;
     } else {
 	$ifstack = @ifstack;
 	'';
@@ -4154,7 +4045,7 @@ sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
 
-my @suffixes;
+my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
 
 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -4390,7 +4281,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
 
     my $modulesdir = $config{MODULESDIR};
 
@@ -4423,20 +4314,25 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-      MODULE:
+	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+
+	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
+
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		if ( $moduleloader =~ /modprobe$/ ) {
-		    system( "modprobe -q $module $arguments" );
-		    $loadedmodules{ $module } = 1;
-		} else {
-		    for my $directory ( @moduledirectories ) {
-			for my $modulefile ( <$directory/$module.*> ) {
-			    system ("insmod $modulefile $arguments" );
+		for my $directory ( @moduledirectories ) {
+		    for my $suffix ( @suffixes ) {
+			my $modulefile = "$directory/$module.$suffix";
+			if ( -f $modulefile ) {
+			    if ( $moduleloader eq 'insmod' ) {
+				system ("insmod $modulefile $arguments" );
+			    } else {
+				system( "modprobe $module $arguments" );
+			    }
+
 			    $loadedmodules{ $module } = 1;
-			    next MODULE;
 			}
 		    }
 		}
@@ -4467,12 +4363,6 @@ sub Nat_Enabled() {
     qt1( "$iptables $iptablesw -t nat -L -n" );
 }
 
-sub Nat_Input_Chain {
-    have_capability( 'NAT_ENABLED' ) || return '';
-
-    qt1( "$iptables $iptablesw -t nat -L INPUT -n" );
-}
-
 sub Persistent_Snat() {
     have_capability( 'NAT_ENABLED' ) || return '';
 
@@ -4927,10 +4817,6 @@ sub NFLog_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }
 
-sub NFLog_Size() {
-    have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
-}
-
 sub Logmark_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -5054,10 +4940,6 @@ sub Cpu_Fanout() {
     have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 
-sub Restore_Wait_Option() {
-    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
-}
-
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AMANDA_HELPER => \&Amanda_Helper,
@@ -5110,7 +4992,6 @@ our %detect_capability =
       LOG_TARGET => \&Log_Target,
       ULOG_TARGET => \&Ulog_Target,
       NFLOG_TARGET => \&NFLog_Target,
-      NFLOG_SIZE => \&NFLog_Size,
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
@@ -5118,7 +4999,6 @@ our %detect_capability =
       MASQUERADE_TGT => \&Masquerade_Tgt,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
-      NAT_INPUT_CHAIN => \&Nat_Input_Chain,
       NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
       NETMAP_TARGET => \&Netmap_Target,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -5139,7 +5019,6 @@ our %detect_capability =
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
-      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
       RPFILTER_MATCH => \&RPFilter_Match,
       SANE_HELPER => \&SANE_Helper,
       SANE0_HELPER => \&SANE0_Helper,
@@ -5218,7 +5097,6 @@ sub determine_capabilities() {
 	#
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
 
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
@@ -5307,9 +5185,6 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5358,13 +5233,7 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
     }
 
-    my $path = $config{CONFIG_PATH};
-
-    my $chop = ( $path =~ s/^:// );
-
-    @config_path = split /:/, $path;
-
-    shift @config_path if $chop && ( $export || $> != 0 );
+    @config_path = split /:/, $config{CONFIG_PATH};
 
     #
     # To accomodate Cygwin-based compilation, we have separate directories for files whose names
@@ -5493,11 +5362,11 @@ sub update_config_file( $ ) {
 	update_default( 'BALANCE_PROVIDERS', 'Yes' );
     }
 
-    update_default( 'EXPORTMODULES',         'No' );
-    update_default( 'RESTART',               'reload' );
-    update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',              '' );
+    update_default( 'EXPORTMODULES',     'No' );
+    update_default( 'RESTART',           'reload' );
+    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
+    update_default( 'LOGLIMIT',          '' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -6034,8 +5903,6 @@ sub export_params() {
 
 #
 # Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
-# Convert single semicolons to double semicolons in lines beginning with 'INLINE',
-# IPTABLES or IP6TABLES
 #
 sub convert_to_directives() {
     my $sharedir = $shorewallrc{SHAREDIR};
@@ -6048,7 +5915,7 @@ sub convert_to_directives() {
 
     my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
 
-    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives and replacing single semicolons in INLINE, IPTABLES and IP6TABLES rules...";
+    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
 
     for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -6077,9 +5944,6 @@ sub convert_to_directives() {
                                                  s/COMMENT/?COMMENT/;
                                              } elsif ( /^\\s*COMMENT\\s*\$/ ) {
                                                  s/COMMENT/?COMMENT/;
-                                             }
-                                             if ( /^\\s*(?:INLINE|IP6?TABLES)/ ) {
-                                                 s/;/;;/ unless /;;/;
                                              }' $file
 EOF
 			    if ( $result == 0 ) {
@@ -6187,6 +6051,7 @@ sub get_configuration( $$$$ ) {
     #
     # get_capabilities requires that the true settings of these options be established
     #
+    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
     default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
 
     if ( ! $export && $> == 0 ) {
@@ -6372,7 +6237,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
     }
 
-    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
+    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
     default_yes_no 'ADD_SNAT_ALIASES'           , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6525,19 +6390,8 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
-    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
+    default_yes_no 'TRACK_PROVIDERS'            , '';
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
-    default_yes_no 'USE_NFLOG_SIZE'             , '';
-
-    if ( $config{USE_NFLOG_SIZE} ) {
-	if ( have_capability( 'NFLOG_SIZE' ) ) {
-	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
-	} else {
-	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
-	}
-    } else {
-	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
-    }
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6901,7 +6755,7 @@ sub get_configuration( $$$$ ) {
     } else {
 	$val = numeric_value $config{OPTIMIZE};
 
-	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && $val <= OPTIMIZE_ALL;
+	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
     }
 
     require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
@@ -6958,12 +6812,6 @@ sub get_configuration( $$$$ ) {
 	}
     }
 
-    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
-	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
-    } else {
-	$config{MUTEX_TIMEOUT} = 60;
-    }
-
     add_variables %config;
 
     while ( my ($var, $val ) = each %renamed ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -63,6 +63,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
+		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -73,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
+		  validate_port
+		  validate_portpair
+		  validate_portpair1
+		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -406,6 +411,114 @@ sub proto_name( $ ) {
     $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 
+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -459,6 +572,67 @@ sub validate_icmp( $ ) {
     fatal_error "Invalid ICMP Type ($type)"
 }
 
+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
 sub valid_6address( $ ) {
     my $address = $_[0];
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -667,7 +667,6 @@ sub create_docker_rules() {
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
     add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
 
     if ( my $dockerref = known_interface('docker0') ) {
@@ -718,7 +717,7 @@ sub add_common_rules ( $ ) {
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
     } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -2448,7 +2447,7 @@ sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
     my @match;
-    my $chainref = $mangle_table->{FORWARD};
+    my $chainref = $filter_table->{FORWARD};
 
     if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
@@ -2646,6 +2645,7 @@ EOF
 
         rm -f ${VARDIR}/proxyarp
     fi
+
 EOF
     } else {
 	emit <<'EOF';
@@ -2659,6 +2659,7 @@ EOF
 
         rm -f ${VARDIR}/proxyndp
     fi
+
 EOF
     }
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -941,17 +941,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-
-	    my @servers;
-
-	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
-		$server = record_runtime_address( $1, $2 );
-		$server =~ s/ $//;
-		@servers = ( $server );
-	    } else {
-		@servers = validate_address $server, 1;
-	    }
-
+	    my @servers = validate_address $server, 1;
 	    $server = join ',', @servers;
 	}
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -125,7 +125,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask   = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
     my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -161,15 +161,6 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
-
-		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
-			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    }
-		}
-
 		$marked_interfaces{$interface} = 1;
 	    }
 
@@ -338,22 +329,22 @@ sub balance_default_route( $$$$ ) {
     if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
-		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
-		emit qq(DEFAULT_ROUTE="dev $interface $realm");
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_default_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -368,22 +359,22 @@ sub balance_fallback_route( $$$$ ) {
     if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
-		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
-		emit qq(FALLBACK_ROUTE="dev $interface $realm");
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_fallback_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -511,7 +502,7 @@ sub process_a_provider( $ ) {
 
     if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, $number );
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
     } elsif ( $gw eq 'none' ) {
@@ -521,9 +512,6 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
     } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
-
-	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
-
 	validate_address $gateway, 0;
 
 	if ( defined $mac ) {
@@ -614,7 +602,6 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
-		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -701,6 +688,7 @@ sub process_a_provider( $ ) {
 	    
 	    $pref = 10000 + $number - 1;
 	}
+
     }
 
     unless ( $loose || $pseudo ) {
@@ -859,7 +847,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
 
@@ -875,8 +863,8 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
 
-	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
 	if ( ! $noautosrc ) {
@@ -885,25 +873,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( '',
-			"find_interface_addresses $physical | while read address; do",
-			"    qt \$IP -$family rule del from \$address",
-			"    run_ip rule add from \$address pref 20000 table $id",
+		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( "    qt \$IP -$family rule del from \$address" );
+		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
-	}
 
-	if ( @{$providerref->{persistent_routes}} ) {
-	    emit '';
-	    emit $_ for @{$providers{$table}->{persistent_routes}};
-	}
+	    if ( @{$providerref->{persistent_routes}} ) {
+		emit '';
+		emit $_ for @{$providers{$table}->{persistent_routes}};
+	    }
 
-	if ( @{$providerref->{persistent_rules}} ) {
-	    emit '';
-	    emit $_ for @{$providers{$table}->{persistent_rules}};
+	    if ( @{$providerref->{persistent_rules}} ) {
+		emit '';
+		emit $_ for @{$providers{$table}->{persistent_rules}};
+	    }
 	}
 
 	pop_indent;
@@ -911,6 +898,7 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
+
 	pop_indent;
 
 	emit( "}\n" );
@@ -936,7 +924,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
     }
@@ -968,7 +956,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
 
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
 
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -997,7 +985,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
 
-	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
     }
 
     if ( $balance ) {
@@ -1009,16 +997,14 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route replace default table $id dev $physical metric $number);
+	    emit qq(run_ip route add default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 
-	emit( 'g_fallback=Yes' ) if $persistent;
-
 	$metrics = 1;
     }
 
@@ -1040,13 +1026,12 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
-			  qq(    qt \$IP -$family rule del from $address pref 20000),
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1103,21 +1088,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
-	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
-	    );
-
-	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit  ( '#',
-		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
-		    '#',
-		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
-		    '    true',
-		    'done',
-		    ''
-		);
-	}
-
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1251,7 +1222,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1262,14 +1233,12 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
-	    );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
 
 	if ( $pseudo ) {
-	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	}
 
 	pop_indent;
@@ -1370,7 +1339,7 @@ sub add_an_rtrule1( $$$$$ ) {
 
     $priority = "pref $priority";
 
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
     push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 
     if ( $persistent ) {
@@ -1468,22 +1437,22 @@ sub add_a_route( ) {
 
     if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route replace $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $null $dest table $id);
+	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
     } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
+	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
+	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
     }
 
@@ -1585,7 +1554,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1594,8 +1563,7 @@ sub finish_providers() {
 	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( '',
-		    "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1607,7 +1575,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1634,7 +1602,7 @@ sub finish_providers() {
 	}
 
 	emit ( '#',
-	       '# Delete any default routes with metric 0 in the \'balance\' table',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1649,7 +1617,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 
@@ -1662,10 +1630,7 @@ sub finish_providers() {
 	      'fi',
 	      '' );
     } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( '#',
-	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
-	      '#',
-	      "delete_default_routes $default",
+	emit( "delete_default_routes $default",
 	      ''
 	    );
     }
@@ -1710,7 +1675,7 @@ sub process_providers( $ ) {
     }
 
     if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
 
 	my $fn = open_file( 'route_rules' );
 
@@ -1741,7 +1706,7 @@ sub process_providers( $ ) {
 
     add_a_provider( $providers{$_}, $tcdevices ) for @providers;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
 
 #
 # Enable an optional provider
@@ -1787,11 +1752,12 @@ EOF
     pop_indent;
     pop_indent;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
         *)
             startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
+
 }
 
 #
@@ -1895,19 +1861,20 @@ sub setup_providers() {
 
 	start_providers;
 
-	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 
-	if ( @providers ) {
-	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
-	}
+	emit '';
+
+	emit "start_$providers{$_}->{what}_$_" for @providers;
+
+	emit '';
 
 	finish_providers;
 
 	emit "\nrun_ip route flush cache";
 
 	pop_indent;
-	emit 'fi';
+	emit "fi\n";
 
 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
     } else {
@@ -1918,10 +1885,9 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
+	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1946,8 +1912,9 @@ sub setup_providers() {
 
 	pop_indent;
 
-	emit 'fi';
+	emit "fi\n";
     }
+
 }
 
 #
@@ -2196,13 +2163,17 @@ sub provider_realm( $ ) {
 }
 
 #
-# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
-
+# This function is called by the compiler when it is generating the detect_configuration() function.
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
+#
+sub handle_optional_interfaces( $ ) {
 
     my @interfaces;
     my $wildcards;
+
     #
     # First do the provider interfacess. Those that are real providers will never have wildcard physical
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2226,6 +2197,10 @@ sub handle_optional_interfaces() {
 
     if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;
+
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2389,6 +2364,8 @@ sub handle_optional_interfaces() {
 
 	return 1;
     }
+
+    verify_required_interfaces( shift );
 }
 
 #

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,6 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
     }
 
     emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
-	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
 
     push @proxyarp, "$address $interface $external $haveroute";

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $disposition = $action;
     my $exception_rule = '';
-
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
     my $level = '';
 
     if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,14 +138,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
-	if ( $proto ne '-' ) {
-	    if ( $proto =~ s/:all$// ) {
-		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
-	    } else {
-		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
-	    }
-	}
-
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -207,9 +199,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 do_proto( $proto, $ports, $sports ) . 
-		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 $rule,
 		 $source ,
 		 $dest ,
 		 '' ,

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
     if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
     } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,8 +90,9 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
+		    find_interfaces_by_option1
 		    get_interface_option
-		    get_interface_origin
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -113,31 +114,31 @@ our $VERSION = 'MODULEVERSION';
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
-#			 complex =>    0|1
-#			 super	 =>    0|1
-#			 options =>    { in_out	 => < policy match string >
-#					 in	 => < policy match string >
-#					 out	 => < policy match string >
-#				       }
-#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
-#			 children =>   [ <children> ]
-#			 interfaces => { <interfaces1> => 1, ... }
-#			 bridge =>     <bridge>
-#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#								   options => { <option1> => <value1>
-#										...
-#									      }
-#								   hosts   => [ <net1> , <net2> , ... ]
-#								   exclusions => [ <net1>, <net2>, ... ]
-#								   origin   => <where defined>
-#								 }
-#						 <interface2> => ...
-#					       }
-#					     ]
-#			}
-#	      <zone2> => ...
-#	    }
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
+#                                        in      => < policy match string >
+#                                        out     => < policy match string >
+#                                      }
+#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
+#                        children =>   [ <children> ]
+#                        interfaces => { <interfaces1> => 1, ... }
+#                        bridge =>     <bridge>
+#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#                                                                  options => { <option1> => <value1>
+#                                                                               ...
+#                                                                             }
+#                                                                  hosts   => [ <net1> , <net2> , ... ]
+#                                                                  exclusions => [ <net1>, <net2>, ... ]
+#                                                                  origin   => <where defined>
+#                                                                }
+#                                                <interface2> => ...
+#                                              }
+#                                            ]
+#                       }
+#             <zone2> => ...
+#           }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -159,27 +160,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name	  => <name of interface>
-#				      root	  => <name without trailing '+'>
-#				      options	  => { port => undef|1
-#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
-#						       ...
-#						     }
-#				      zone	  => <zone name>
-#				      multizone	  => undef|1   #More than one zone interfaces through this interface
-#				      nets	  => <number of nets in interface/hosts records referring to this interface>
-#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
-#				      ports	  => <number of port on this bridge>
-#				      ipsec	  => undef|1 # Has an ipsec host group
-#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#				      number	  => <ordinal position in the interfaces file>
-#				      physical	  => <physical interface name>
-#				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
-#				      zones	  => { zone1 => 1, ... }
-#				      origin	  => <where defined>
-#				    }
-#		  }
+#     %interfaces { <interface1> => { name        => <name of interface>
+#                                     root        => <name without trailing '+'>
+#                                     options     => { port => undef|1
+#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#                                                      ...
+#                                                    }
+#                                     zone        => <zone name>
+#                                     multizone   => undef|1   #More than one zone interfaces through this interface
+#                                     nets        => <number of nets in interface/hosts records referring to this interface>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     ports       => <number of port on this bridge>
+#                                     ipsec       => undef|1 # Has an ipsec host group
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
+#                                     wildcard    => undef|1 # Wildcard Name
+#                                     zones       => { zone1 => 1, ... }
+#                                     origin      => <where defined>
+#                                   }
+#                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -252,17 +253,6 @@ use constant { NO_UPDOWN   => 1,
 
 our %validinterfaceoptions;
 
-our %procinterfaceoptions=( accept_ra   => 1,
-			    arp_filter  => 1,
-			    arp_ignore  => 1,
-			    forward     => 1,
-			    logmartians => 1,
-			    proxyarp    => 1,
-			    proxyndp    => 1,
-			    routefilter => 1,
-			    sourceroute => 1,
-			  );
-
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -327,7 +317,7 @@ sub initialize( $$ ) {
     %mapbase = ();
     %mapbase1 = ();
     $baseseq = 0;
-    $minroot = undef;
+    $minroot = 0;
     $loopback_interface = '';
 
     %validzoneoptions = ( mss            => NUMERIC,
@@ -349,7 +339,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -373,9 +363,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION,
+				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -400,7 +390,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -412,18 +402,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION,
+				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -711,40 +701,6 @@ sub haveipseczones() {
     0;
 }
 
-#
-# Returns 1 if the two interfaces passed are related
-#
-sub interface_match( $$ ) {
-    my ( $piface, $ciface ) = @_;
-
-    return 1 if $piface eq $ciface;
-
-    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
-
-    return 1 if $piface eq $cifaceref->{bridge};
-    return 1 if $ciface eq $pifaceref->{bridge};
-
-    if ( defined $minroot ) {
-	if ( $piface =~ /\+$/ ) {
-	    my $root    = $pifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $ciface ) >= $rlength ) {
-		return 1 if $ciface eq $root;
-		chop $ciface;
-	    }
-	} elsif ( $ciface =~ /\+$/ ) {
-	    my $root    = $cifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $piface ) >= $rlength ) {
-		return 1 if $piface eq $root;
-		chop $piface;
-	    }
-	}
-    }
-
-    0;
-}
-
 #
 # Report about zones.
 #
@@ -782,7 +738,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -791,17 +747,6 @@ sub zone_report()
 	    }
 	}
 
-      PARENT:
-	for my $p ( @{$zoneref->{parents}} ) {
-	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
-		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
-		    next PARENT if interface_match( $pi, $ci );
-		}
-	    }
-
-	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
-	}
-
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1214,16 +1159,15 @@ sub process_interface( $$ ) {
     }
 
     my $wildcard = 0;
-    my $physwild = 0;
     my $root;
 
     if ( $interface =~ /\+$/ ) {
-	$wildcard = $physwild = 1; # Default physical name is the logical name
+	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
 
-	if ( defined $minroot ) {
+	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1269,6 +1213,8 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );
 
 	for my $option (split_list1 $options, 'option' ) {
+	    next if $option eq '-';
+
 	    ( $option, my $value ) = split /=/, $option;
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1305,6 +1251,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1328,6 +1275,7 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
+		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1379,9 +1327,7 @@ sub process_interface( $$ ) {
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
 
-		    $physwild = ( $value =~ /\+$/ );
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
-
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1409,14 +1355,6 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}
 
-	for my $option ( keys %options ) {
-	    if ( $root ) {
-		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
-	    } else {
-		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
-	    }
-	}
-
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1475,7 +1413,6 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
 					         };
 
     $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1634,11 +1571,13 @@ sub known_interface($)
 
     my $iface = $interface;
 
-    if ( defined $minroot ) {
+    if ( $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface >= $minroot ) {
+	while ( length $iface > $minroot ) {
+	    chop $iface;
+
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1660,8 +1599,6 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
-
-	    chop $iface;
 	}
     }
 
@@ -1875,8 +1812,7 @@ sub find_interfaces_by_option( $;$ ) {
     for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
-	next unless $interfaceref->{root};                                   # Don't return '+' interface
-	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
+	next unless $interfaceref->{root};
 
 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1891,6 +1827,35 @@ sub find_interfaces_by_option( $;$ ) {
     \@ints;
 }
 
+#
+# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
+#
+# - All entries in %interfaces are searched.
+# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
+#
+sub find_interfaces_by_option1( $ ) {
+    my $option = $_[0];
+    my @ints = ();
+    my $wild = 0;
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+
+	next unless defined $interfaceref->{physical};
+
+	my $optionsref = $interfaceref->{options};
+
+	if ( $optionsref && defined $optionsref->{$option} ) {
+	    $wild ||= $interfaceref->{wildcard};
+	    push @ints , $interface
+	}
+    }
+
+    return unless defined wantarray;
+
+    wantarray ? ( \@ints, $wild ) : \@ints;
+}
+
 #
 # Return the value of an option for an interface
 #
@@ -2021,7 +1986,6 @@ sub verify_required_interfaces( $ ) {
 
 	emit( "esac\n" );
 
-	$returnvalue = 1;
     }
 
     $interfaces = find_interfaces_by_option( 'required' );
@@ -2067,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( "esac\n" );
+	    emit( 'esac' );
 	}
 
 	$returnvalue = 1;

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
     $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route table $1
+	qt $IP -$g_family route del $route
     done
 } 
 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
 
     if [ -n "$g_purge" ]; then
-	if [ -n "$(mywhich conntrack)" ]; then
+	if [ -n $(mywhich conntrack) ]; then
             conntrack -F
 	else
             error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface $2 = table number
+detect_gateway() # $1 = interface
 {
     local interface
     interface=$1
@@ -912,8 +912,6 @@ detect_gateway() # $1 = interface $2 = table number
     # Maybe there's a default route through this gateway already
     #
     [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
-
-    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #
@@ -1065,6 +1063,8 @@ clear_firewall() {
     run_iptables -F
     qt $IPTABLES -t raw -F
 
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
     if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
     	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1373,6 +1373,8 @@ clear_firewall() {
     run_iptables -F
     qt $IP6TABLES -t raw -F
 
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
     run_clear_exit
 
     set_state "Cleared"

Shorewall/Perl/prog.footer

@@ -1,23 +1,5 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
-#
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
-#
-#	This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#	Free Software Foundation, either version 2 of the license or, at your
-#	option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
 ###############################################################################
 #
 # Give Usage Information
@@ -96,13 +78,11 @@ reload_command() {
     detect_configuration
     define_firewall
     status=$?
-
-    if [ $status -eq 0 ]; then
-	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-	progress_message3 "done."
-    else
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    if [ -n "$SUBSYSLOCK" ]; then
+ 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
     fi
+
+    [ $status -eq 0 ] && progress_message3 "done."
 }
 
 ################################################################################
@@ -147,10 +127,8 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
-g_dockeringress=
 g_dockernetwork=
 g_forcereload=
-g_fallback=
 
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 
@@ -286,10 +264,8 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    for table in raw mangle nat filter; do
-		qt $g_tool -t $table -Z
-	    done
-
+	    $g_tool -Z
+	    $g_tool -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -373,7 +349,6 @@ case "$COMMAND" in
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -443,12 +418,9 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    COMMAND=disable
 	    detect_configuration $1
-	    disable_provider $1 Yes
-	    COMMAND=enable
-	    detect_configuration $1
-	    enable_provider  $1 Yes
+	    COMMAND=enable  disable_provider $1 Yes
+	    COMMAND=disable enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0

Shorewall/Samples/Universal/shorewall.conf

@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -183,7 +183,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
+INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
@@ -205,6 +205,8 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -247,8 +249,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/shorewall.conf

@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
+INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
@@ -216,6 +216,8 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -258,8 +260,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
-dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -85,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -191,7 +191,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
+INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
@@ -213,6 +213,8 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -255,8 +257,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
-ACCEPT		-		LOC_IF
-ACCEPT		DMZ_IF		-
-ACCEPT		-		DMZ_IF
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
 

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
+INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
@@ -216,6 +216,8 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -258,8 +260,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/two-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
-ACCEPT		-		LOC_IF
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/actions.std

@@ -21,46 +21,33 @@ allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-?if __ADDRTYPE
-Broadcast    inline,audit	# Handles Broadcast/Anycast
-?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
-?endif
-DNSAmp	     proto=17		# Matches one-question recursive DNS queries
+DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
-dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
-DropDNSrep   inline,proto=17	# Drops DNS replies
+dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit,\	# Handles ACK,FIN packets
-	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Limit	     noinline		# Limit the rate of connections from each individual IP address
-?if __ADDRTYPE
-Multicast    inline,audit	# Handles Multicast
-?else
 Multicast    noinline,audit	# Handles Multicast
-?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
-	     proto=6
-rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
 Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit,\	# Handle packets with RST set
-	     proto=6
+RST	     inline,audit	# Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags     proto=6		# Handle bad flag combinations.
+TCPFlags			# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#

Shorewall/configfiles/disabled

@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/disabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully disabled using the 'disable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any

Shorewall/configfiles/enabled

@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/enabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully enabled using the 'enable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any

Shorewall/configfiles/shorewall.conf

@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -205,6 +205,8 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
+MODULE_SUFFIX=ko
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -241,14 +243,12 @@ TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=Yes
+TRACK_PROVIDERS=No
 
 TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/configpath

@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

Shorewall/lib.cli-std

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli-std.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,10 +47,11 @@ get_config() {
 	fi
     fi
 
-    if [ -n "$g_shorewalldir" ]; then
-	config="$g_shorewalldir/$PRODUCT.conf"
-    else
+    if [ "$(id -u)" -eq 0 ]; then
 	config=$(find_file ${PRODUCT}.conf)
+    else
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	config="$g_shorewalldir/$PRODUCT.conf"
     fi
 
     if [ -f $config ]; then
@@ -210,35 +211,30 @@ get_config() {
 	LOG_VERBOSITY=-1
     fi
 
-    if [ -z "${g_export}${g_test}" ]; then
-	if [ -n "$SHOREWALL_SHELL" ]; then
-	    if [ ! -x "$SHOREWALL_SHELL" ]; then
-		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-		SHOREWALL_SHELL=/bin/sh
-	    fi
+    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
+	if [ ! -x "$SHOREWALL_SHELL" ]; then
+	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+	    SHOREWALL_SHELL=/bin/sh
 	fi
+    fi
 
-	if [ -n "$IP" ]; then
-	    case "$IP" in
-		*/*)
-		    if [ ! -x "$IP" ] ; then
-			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		    fi
-		    ;;
-		*)
-		    prog="$(mywhich $IP 2> /dev/null)"
-		    if [ -z "$prog" ] ; then
-			fatal_error "Can't find $IP executable"
-		    fi
-		    IP=$prog
-		    ;;
-	    esac
-	else
-	    IP='ip'
-	fi
+    if [ -n "$IP" ]; then
+	case "$IP" in
+	    */*)
+		if [ ! -x "$IP" ] ; then
+		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		fi
+		;;
+	    *)
+		prog="$(mywhich $IP 2> /dev/null)"
+		if [ -z "$prog" ] ; then
+		    fatal_error "Can't find $IP executable"
+		fi
+		IP=$prog
+		;;
+	esac
     else
-	[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
-	[ -n "$IP" ]              || IP='ip'
+	IP='ip'
     fi
 
     case $VERBOSITY in
@@ -341,12 +337,8 @@ get_config() {
 	fi
     fi
 
-    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
-	case $COMMAND in
-	    blacklist|allow|drop|logdrop|reject)
-		setup_dbl
-		;;
-	esac
+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+	setup_dbl
     fi
 
     if [ -z "$PERL_HASH_SEED" ]; then
@@ -366,17 +358,6 @@ get_config() {
     [ -f $lib ] && . $lib
 }
 
-#
-# Ensure that the effective UID is 0 or that we are dealing with a private configuration
-#
-ensure_root() {
-    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the default $PRODUCT configuration"
-	fi
-    fi
-}
-
 #
 # Determine if there are config files newer than the passed object
 #
@@ -384,27 +365,20 @@ uptodate() {
     [ -x $1 ] || return 1
 
     local dir
-    local busybox
-    local find
+    local ifs
 
-    find=$(mywhich find)
+    ifs="$IFS"
+    IFS=':'
 
-    [ -n "${find}" ] || return 1
-    [ -h "${find}" ] && busybox=Yes
-
-    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
-	if [ -n "${busybox}" ]; then
-	    #
-	    # Busybox 'find' doesn't support -quit.
-	    #
-	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print)" ]; then
-		return 1;
-	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+    for dir in $g_shorewalldir $CONFIG_PATH; do
+	if [ -n "$(find ${dir} -newer $1)" ]; then
+	    IFS="$ifs"
 	    return 1;
 	fi
     done
 
+    IFS="$ifs"
+
     return 0
 }
 
@@ -434,7 +408,11 @@ compiler() {
 
     pc=${LIBEXECDIR}/shorewall/compiler.pl
 
-    ensure_root
+    if [ $(id -u) -ne 0 ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	fi
+    fi
     #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
@@ -792,10 +770,6 @@ check_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
-			t*)
-			    g_test=Yes
-			    option=${option#t}
-			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -880,10 +854,6 @@ update_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
-			t*)
-			    g_test=Yes
-			    option=${option#t}
-			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -1154,41 +1124,6 @@ refresh_command() {
     return $rc
 }
 
-read_yesno_with_timeout() {
-    local timeout
-    timeout=${1:-60}
-
-    case $timeout in
-	*s)
-	    ;;
-	*m)
-	    timeout=$((${timeout%m} * 60))
-	    ;;
-	*h)
-	    timeout=$((${timeout%h} * 3600))
-	    ;;
-    esac
-
-    read -t $timeout yn 2> /dev/null
-    if [ $? -eq 2 ]
-    then
-	# read doesn't support timeout
-	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
-	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
-	return $?
-    else
-	# read supports timeout
-	case "$yn" in
-	    y|Y)
-		return 0
-		;;
-	    *)
-		return 1
-		;;
-	esac
-    fi
-}
-
 #
 # Safe-start/safe-reload/safe-restart Command Executor
 #
@@ -1592,8 +1527,6 @@ remote_reload_command() # $* = original arguments less the command.
 	litedir="${VARDIR}-lite"
     fi
 
-    g_export=Yes
-
     if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
@@ -1623,16 +1556,18 @@ remote_reload_command() # $* = original arguments less the command.
 
 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
     fi
 
     file=$(resolve_file $g_shorewalldir/firewall)
 
+    g_export=Yes
+
     program=$sbindir/${PRODUCT}-lite
     #
     # Handle nonstandard remote VARDIR
@@ -1793,7 +1728,6 @@ compiler_command() {
 	    compile_command $@
 	    ;;
 	refresh)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    refresh_command $@
@@ -1815,13 +1749,11 @@ compiler_command() {
 	    export_command $@
 	    ;;
 	try)
-	    only_root
 	    get_config Yes
 	    shift
 	    try_command $@
 	    ;;
 	safe-reload|safe-restart|safe-start)
-	    only_root
 	    get_config Yes
 	    shift
 	    safe_commands $@

Shorewall/manpages/shorewall-accounting.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/accounting</command>
+      <command>/etc/shorewall/accounting</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -783,19 +783,29 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/accounting</para>
-
-    <para>/etc/shorewall6/accounting</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
     <para><ulink
-    url="shorewall-logging.htm">shorewall-logging(5)</ulink></para>
+    url="/Accounting.html">http://www.shorewall.net/Accounting.html
+    </ulink></para>
+
+    <para><ulink
+    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
 
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-actions.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/actions</command>
+      <command>/etc/shorewall/actions</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -148,8 +148,8 @@
               <listitem>
                 <para>Added in Shorewall 5.0.7. Specifies that this action is
                 to be used in <ulink
-                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
-                rather than <ulink
+                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
                 url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
               </listitem>
             </varlistentry>
@@ -160,11 +160,11 @@
               <listitem>
                 <para>Added in Shorewall 5.0.13. Specifies that this action is
                 to be used in <ulink
-                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
-                rather than <ulink
-                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
-                The <option>mangle</option> and <option>nat</option> options
-                are mutually exclusive.</para>
+                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                than <ulink
+                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
               </listitem>
             </varlistentry>
 
@@ -191,27 +191,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><option>proto</option>=<replaceable>protocol</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.10. Specifies that the action is
-                only usable with the specified
-                <replaceable>protocol</replaceable> (name or number). When the
-                action is invoked with no protocol specified in the PROTO
-                column, or if the action is used as a Policy Action, the named
-                <replaceable>protocol</replaceable> will be assumed. If a
-                protocol is specified in the PROTO column of an invocation,
-                then it must match the named
-                <replaceable>protocol</replaceable>.</para>
-
-                <para>The <option>proto</option> option has no effect if the
-                <option>inline</option> or <option>builtin</option> option is
-                specified. A warning is issued if <option>proto</option> is
-                specified along with <option>builtin</option>.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><option>section</option></term>
 
@@ -227,7 +206,7 @@
                 <para>Given that neither the <filename>snat</filename> nor the
                 <filename>mangle</filename> file is sectioned, this parameter
                 has no effect when <option>mangle</option> or
-                <option>nat</option> is specified.</para>
+                <option>nat</option> is specified. </para>
               </listitem>
             </varlistentry>
 
@@ -260,8 +239,6 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/actions</para>
-
-    <para>/etc/shorewall6/actions</para>
   </refsect1>
 
   <refsect1>
@@ -270,6 +247,14 @@
     <para><ulink
     url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-arprules.xml

@@ -25,8 +25,6 @@
   <refsect1>
     <title>Description</title>
 
-    <para>IPv4 only.</para>
-
     <para>This file was added in Shorewall 4.5.12 and is used to describe
     low-level rules managed by arptables (8). These rules only affect Address
     Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
@@ -379,10 +377,4 @@ SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlis
 
     <para>/etc/shorewall/arprules</para>
   </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para>shorewall(8)</para>
-  </refsect1>
 </refentry>

Shorewall/manpages/shorewall-blrules.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/blrules</command>
+      <command>/etc/shorewall/blrules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -27,9 +27,12 @@
 
     <para>This file is used to perform blacklisting and whitelisting.</para>
 
-    <para>Rules in this file are applied depending on the setting of BLACKLIST
-    in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    <para>Rules in this file are applied depending on the setting of
+    BLACKLISTNEWONLY in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
+    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
+    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
+    connections in the NEW and INVALID states.</para>
 
     <para>The format of rules in this file is the same as the format of rules
     in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
@@ -115,10 +118,10 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_DROP</term>
+              <term>A_DROP and A_DROP!</term>
 
               <listitem>
-                <para>Audited version of DROP. Requires AUDIT_TARGET support
+                <para>Audited versions of DROP. Requires AUDIT_TARGET support
                 in the kernel and ip6tables.</para>
               </listitem>
             </varlistentry>
@@ -167,7 +170,7 @@
               <listitem>
                 <para>queues matching packets to a back end logging daemon via
                 a netlink socket then continues to the next rule. See <ulink
-                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -258,7 +261,7 @@
           <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
           (must be in upper case) as a log level.This will log to the NFLOG
           target for routing to a separate log through use of ulogd (<ulink
-          url="shorewall-logging.html">shorewall-logging.htm</ulink>).</para>
+          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
 
           <para>Actions specifying logging may be followed by a log tag (a
           string of alphanumeric characters) which is appended to the string
@@ -273,11 +276,11 @@
   </refsect1>
 
   <refsect1>
-    <title>Examples</title>
+    <title>Example</title>
 
     <variablelist>
       <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
 
         <listitem>
           <para>Drop Teredo packets from the net.</para>
@@ -287,28 +290,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 2:</term>
-
-        <listitem>
-          <para>Don't subject packets from 2001:DB8::/64 to the remaining
-          rules in the file.</para>
-
-          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>Drop Teredo packets from the net.</para>
-
-          <programlisting>DROP          net:[2001::/32]            all</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
+        <term>Example 2:</term>
 
         <listitem>
           <para>Don't subject packets from 2001:DB8::/64 to the remaining
@@ -324,8 +306,6 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/blrules</para>
-
-    <para>/etc/shorewall6/blrules</para>
   </refsect1>
 
   <refsect1>
@@ -337,6 +317,12 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-conntrack.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/conntrack</command>
+      <command>/etc/shorewall/conntrack</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -35,7 +35,7 @@
     <emphasis role="bold">conntrack</emphasis>.</para>
 
     <para>The file supports three different column layouts: FORMAT 1, FORMAT
-    2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
+    2, and FORMAT 3, FORMAT 1 being the default. The three differ as
     follows:</para>
 
     <itemizedlist>
@@ -84,7 +84,7 @@
         role="bold">CT</emphasis>:<emphasis
         role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
         role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
-        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IP[6]TABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
           <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -272,32 +272,9 @@
               will also be logged at that level.</para>
             </listitem>
 
-            <listitem>
-              <para><option>IP6TABLES</option>(<replaceable>target</replaceable>)</para>
-
-              <para>IPv6 only.</para>
-
-              <para>Added in Shorewall 4.6.0. Allows you to specify any
-              iptables <replaceable>target</replaceable> with target options
-              (e.g., "IP6TABLES(AUDIT --type drop)"). If the target is not one
-              recognized by Shorewall, the following error message will be
-              issued:</para>
-
-              <simplelist>
-                <member>ERROR: Unknown target
-                (<replaceable>target</replaceable>)</member>
-              </simplelist>
-
-              <para>This error message may be eliminated by adding
-              <replaceable>target</replaceable> as a builtin action in <ulink
-              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
-            </listitem>
-
             <listitem>
               <para><option>IPTABLES</option>(<replaceable>target</replaceable>)</para>
 
-              <para>IPv4 only.</para>
-
               <para>Added in Shorewall 4.6.0. Allows you to specify any
               iptables <replaceable>target</replaceable> with target options
               (e.g., "IPTABLES(AUDIT --type drop)"). If the target is not one
@@ -334,9 +311,9 @@
             <listitem>
               <para><option>ULOG</option></para>
 
-              <para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
-              a backend logging daemon using the ULOG netfilter target with
-              the specified <replaceable>ulog-parameters</replaceable>.</para>
+              <para>Added in Shoreawll 4.6.0. Queues the packet to a backend
+              logging daemon using the ULOG netfilter target with the
+              specified <replaceable>ulog-parameters</replaceable>.</para>
             </listitem>
           </itemizedlist>
 
@@ -470,7 +447,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
+                both the incoming interace and source address match.</para>
               </listitem>
             </varlistentry>
 
@@ -566,7 +543,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the outgoing interface and destination address
+                both the outgoing interace and destination address
                 match.</para>
               </listitem>
             </varlistentry>
@@ -602,23 +579,14 @@
 
         <listitem>
           <para>A protocol name from <filename>/etc/protocols</filename> or a
-          protocol number. tcp and 6 may be optionally followed by <emphasis
-          role="bold">:syn </emphasis>to match only the SYN packet (first
-          packet in the three-way handshake).</para>
+          protocol number.</para>
 
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          comma-separated list of protocols and either <emphasis
+          <para>Beginning with Shorewall 4.5.12, this column is labeled
+          <emphasis role="bold">PROTOS</emphasis> and can accept a
+          comma-separated list of protocols. Either <emphasis
           role="bold">proto</emphasis> or <emphasis
           role="bold">protos</emphasis> is accepted in the alternate input
           format.</para>
-
-          <para>Beginning with Shorewall 5.1.11, when <emphasis
-          role="bold">tcp</emphasis> or <emphasis role="bold">6</emphasis> is
-          specified and the ACTION is <emphasis role="bold">CT</emphasis>, the
-          compiler will default to <emphasis role="bold">:syn</emphasis>. If
-          you wish the rule to match packets with any valid combination of TCP
-          flags, you may specify <emphasis role="bold">tcp:all</emphasis> or
-          <emphasis role="bold">6:all</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -721,57 +689,31 @@
   <refsect1>
     <title>EXAMPLE</title>
 
-    <para>IPv4 Example 1:</para>
+    <para>Example 1:</para>
 
     <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
 
-    <para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>
 
     <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
 
-    <programlisting>?FORMAT 2
+    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>
 
-    <para>or<programlisting>?FORMAT 3
+    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
-
-    <para>IPv6 Example 1:</para>
-
-    <para>Use the FTP helper for TCP port 21 connections from the firewall
-    itself.</para>
-
-    <programlisting>FORMAT 2
-#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
-CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
-
-    <para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
-
-    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
-
-    <programlisting>FORMAT 2
-#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
-DROP                          all-:2001:1.2.3::4 -
-DROP                          all                2001:1.2.3::4
-</programlisting>
-
-    <para>or<programlisting>FORMAT 3
-#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
-DROP:P                        2001:1.2.3::4      -
-DROP:PO                       -                  2001:1.2.3::4</programlisting></para>
   </refsect1>
 
   <refsect1>
     <title>FILES</title>
 
     <para>/etc/shorewall/conntrack</para>
-
-    <para>/etc/shorewall6/conntrack</para>
   </refsect1>
 
   <refsect1>
@@ -780,6 +722,14 @@ DROP:PO                       -                  2001:1.2.3::4</programlisting><
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-ecn.xml

@@ -25,12 +25,8 @@
   <refsect1>
     <title>Description</title>
 
-    <para>IPv4 only.</para>
-
     <para>Use this file to list the destinations for which you want to disable
-    ECN (Explicit Congestion Notification). Use of this file is deprecated in
-    favor of ECN rules in <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
+    ECN (Explicit Congestion Notification).</para>
 
     <para>The columns in the file are as follows.</para>
 
@@ -69,6 +65,14 @@
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-exclusion.xml

@@ -49,10 +49,9 @@
 
     <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
     allowed after <emphasis role="bold">all</emphasis> and <emphasis
-    role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
-    url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
-    you to omit arbitrary zones from the list generated by those key
-    words.</para>
+    role="bold">any</emphasis> in the SOURCE and DEST columns of
+    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
+    generated by those key words.</para>
 
     <warning>
       <para>If you omit a sub-zone and there is an explicit or explicit
@@ -118,7 +117,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
 
     <variablelist>
       <varlistentry>
-        <term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
+        <term>Example 1 - All IPv4 addresses except 192.168.3.4</term>
 
         <listitem>
           <para>!192.168.3.4</para>
@@ -126,8 +125,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 2 - All IPv4 addresses except the network
-        192.168.1.0/24 and the host 10.2.3.4</term>
+        <term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
+        and the host 10.2.3.4</term>
 
         <listitem>
           <para>!192.168.1.0/24,10.1.3.4</para>
@@ -135,7 +134,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 3 - All IPv4 addresses except the range
+        <term>Example 3 - All IPv4 addresses except the range
         192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
 
         <listitem>
@@ -144,8 +143,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
-        192.168.1.3 and 192.168.1.9</term>
+        <term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
+        and 192.168.1.9</term>
 
         <listitem>
           <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
@@ -177,6 +176,14 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-hosts.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/hosts</command>
+      <command>/etc/shorewall/hosts</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -270,8 +270,6 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
     <title>FILES</title>
 
     <para>/etc/shorewall/hosts</para>
-
-    <para>/etc/shorewall6/hosts</para>
   </refsect1>
 
   <refsect1>
@@ -280,6 +278,14 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-init.xml

@@ -165,6 +165,14 @@
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-interfaces.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/interfaces</command>
+      <command>/etc/shorewall/interfaces</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -104,7 +104,9 @@ loc     eth2            -</programlisting>
           <para>You may use wildcards here by specifying a prefix followed by
           the plus sign ("+"). For example, if you want to make an entry that
           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, …</para>
+          ppp1, ppp2, … Please note that the '+' means '<emphasis
+          role="bold">one</emphasis> or more additional characters' so 'ppp'
+          does not match 'ppp+'.</para>
 
           <para>When using Shorewall versions before 4.1.4, care must be
           exercised when using wildcards where there is another zone that uses
@@ -112,10 +114,7 @@ loc     eth2            -</programlisting>
           url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
           for a discussion of this problem.</para>
 
-          <para>Shorewall allows '+' as an interface name, but that usage is
-          deprecated. A better approach is to specify
-          '<option>physical</option>=+' in the OPTIONS column (see
-          below).</para>
+          <para>Shorewall allows '+' as an interface name.</para>
 
           <para>There is no need to define the loopback interface (lo) in this
           file.</para>
@@ -196,76 +195,27 @@ loc     eth2            -</programlisting>
           should have no embedded white-space.</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">accept_ra</emphasis>[={0|1|2}]</term>
-
-              <listitem>
-                <para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>
-
-                <variablelist>
-                  <varlistentry>
-                    <term>0</term>
-
-                    <listitem>
-                      <para>Do not accept Router Advertisements.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>1</term>
-
-                    <listitem>
-                      <para>Accept Route Advertisements if forwarding is
-                      disabled.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>2</term>
-
-                    <listitem>
-                      <para>Overrule forwarding behavior. Accept Route
-                      Advertisements even if forwarding is enabled.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>If the option is specified without a value, then the
-                value 1 is assumed.</para>
-
-                <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
 
               <listitem>
-                <para>IPv4 only. If specified, this interface will only
-                respond to ARP who-has requests for IP addresses configured on
-                the interface. If not specified, the interface can respond to
-                ARP who-has requests for IP addresses on any of the firewall's
-                interface. The interface must be up when Shorewall is
-                started.</para>
+                <para>If specified, this interface will only respond to ARP
+                who-has requests for IP addresses configured on the interface.
+                If not specified, the interface can respond to ARP who-has
+                requests for IP addresses on any of the firewall's interface.
+                The interface must be up when Shorewall is started.</para>
 
                 <para>Only those interfaces with the
                 <option>arp_filter</option> option will have their setting
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
+                <para/>
+
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
+                  <para>This option does not work with a wild-card
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
+                  the INTERFACE column.</para>
                 </note>
               </listitem>
             </varlistentry>
@@ -275,8 +225,8 @@ loc     eth2            -</programlisting>
               role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
 
               <listitem>
-                <para>IPv4 only. If specified, this interface will respond to
-                arp requests based on the value of <emphasis>number</emphasis>
+                <para>If specified, this interface will respond to arp
+                requests based on the value of <emphasis>number</emphasis>
                 (defaults to 1).</para>
 
                 <para>1 - reply only if the target IP address is local address
@@ -294,14 +244,16 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
+                <para/>
+
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
+                  <para>This option does not work with a wild-card
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
+                  the INTERFACE column.</para>
                 </note>
 
+                <para/>
+
                 <warning>
                   <para>Do not specify <emphasis
                   role="bold">arp_ignore</emphasis> for any interface involved
@@ -459,8 +411,8 @@ loc     eth2            -</programlisting>
 
                   <listitem>
                     <para>the interface is a <ulink
-                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
-                    server on one port and DHCP clients on another
+                    url="/SimpleBridge.html">simple bridge</ulink> with a
+                    DHCP server on one port and DHCP clients on another
                     port.</para>
 
                     <note>
@@ -479,25 +431,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
-
-              <listitem>
-                <para>IPv6 only Sets the
-                /proc/sys/net/ipv6/conf/interface/forwarding option to the
-                specified value. If no value is supplied, then 1 is
-                assumed.</para>
-
-                <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">ignore[=1]</emphasis></term>
 
@@ -534,15 +467,15 @@ loc     eth2            -</programlisting>
               role="bold">logmartians[={0|1}]</emphasis></term>
 
               <listitem>
-                <para>IPv4 only. Turn on kernel martian logging (logging of
-                packets with impossible source addresses. It is strongly
-                suggested that if you set <emphasis
-                role="bold">routefilter</emphasis> on an interface that you
-                also set <emphasis role="bold">logmartians</emphasis>. Even if
-                you do not specify the <option>routefilter</option> option, it
-                is a good idea to specify <option>logmartians</option> because
-                your distribution may have enabled route filtering without you
-                knowing it.</para>
+                <para>Turn on kernel martian logging (logging of packets with
+                impossible source addresses. It is strongly suggested that if
+                you set <emphasis role="bold">routefilter</emphasis> on an
+                interface that you also set <emphasis
+                role="bold">logmartians</emphasis>. Even if you do not specify
+                the <option>routefilter</option> option, it is a good idea to
+                specify <option>logmartians</option> because your distribution
+                may have enabled route filtering without you knowing
+                it.</para>
 
                 <para>Only those interfaces with the
                 <option>logmartians</option> option will have their setting
@@ -564,11 +497,9 @@ loc     eth2            -</programlisting>
                 <para/>
 
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
+                  <para>This option does not work with a wild-card
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
+                  the INTERFACE column.</para>
                 </note>
 
                 <blockquote>
@@ -645,8 +576,8 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">nosmurfs</emphasis></term>
 
               <listitem>
-                <para>IPv4 only. Filter packets for smurfs (packets with a
-                broadcast address as the source).</para>
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>
 
                 <para>Smurfs will be optionally logged based on the setting of
                 SMURF_LOG_LEVEL in <ulink
@@ -665,9 +596,9 @@ loc     eth2            -</programlisting>
                 <itemizedlist>
                   <listitem>
                     <para>a <filename
-                    class="directory">/proc/sys/net/ipv[46]/conf/</filename>
+                    class="directory">/proc/sys/net/ipv4/conf/</filename>
                     entry for the interface cannot be modified (including for
-                    proxy ARP or proxy NDP).</para>
+                    proxy ARP).</para>
                   </listitem>
 
                   <listitem>
@@ -695,10 +626,7 @@ loc     eth2            -</programlisting>
 
                 <para>If the <emphasis>interface</emphasis> name is a wildcard
                 name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'. The physical
-                <replaceable>name</replaceable> may end in '+' (or be exactly
-                '+') when the <replaceable>interface</replaceable> name is not
-                a wildcard name.</para>
+                <emphasis>name</emphasis> must also end in '+'.</para>
 
                 <para>If <option>physical</option> is not specified, then it's
                 value defaults to the <emphasis>interface</emphasis>
@@ -710,7 +638,7 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
 
               <listitem>
-                <para>IPv4 only. Sets
+                <para>Sets
                 /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                 Do NOT use this option if you are employing Proxy ARP through
                 entries in <ulink
@@ -720,13 +648,9 @@ loc     eth2            -</programlisting>
                 url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
                 </ulink></para>
 
-                <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
+                <para><emphasis role="bold">Note</emphasis>: This option does
+                not work with a wild-card <replaceable>interface</replaceable>
+                name (e.g., eth0.+) in the INTERFACE column.</para>
 
                 <para>Only those interfaces with the <option>proxyarp</option>
                 option will have their setting changed; the value assigned to
@@ -735,28 +659,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
-
-              <listitem>
-                <para>IPv6 only. Sets
-                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
-
-                <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
-
-                <para>Only those interfaces with the <option>proxyndp</option>
-                option will have their setting changed; the value assigned to
-                the setting will be the value specified (if any) or 1 if no
-                value is given.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">required</emphasis></term>
 
@@ -798,8 +700,8 @@ loc     eth2            -</programlisting>
               role="bold">routefilter[={0|1|2}]</emphasis></term>
 
               <listitem>
-                <para>IPv4 only. Turn on kernel route filtering for this
-                interface (anti-spoofing measure).</para>
+                <para>Turn on kernel route filtering for this interface
+                (anti-spoofing measure).</para>
 
                 <para>Only those interfaces with the
                 <option>routefilter</option> option will have their setting
@@ -812,11 +714,9 @@ loc     eth2            -</programlisting>
                 filtering.</para>
 
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
+                  <para>This option does not work with a wild-card
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
+                  the INTERFACE column.</para>
                 </note>
 
                 <para>This option can also be enabled globally via the
@@ -925,11 +825,9 @@ loc     eth2            -</programlisting>
                 specified (if any) or 1 if no value is given.</para>
 
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
+                  <para>This option does not work with a wild-card
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
+                  the INTERFACE column.</para>
                 </note>
               </listitem>
             </varlistentry>
@@ -987,14 +885,11 @@ loc     eth2            -</programlisting>
                       <member><emphasis
                       role="bold">routefilter</emphasis></member>
 
-                      <member><emphasis
-                      role="bold">proxyarp</emphasis></member>
-
-                      <member><emphasis
-                      role="bold">proxyudp</emphasis></member>
-
                       <member><emphasis
                       role="bold">sourceroute</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">proxyndp</emphasis></member>
                     </simplelist>
                   </listitem>
                 </itemizedlist>
@@ -1007,9 +902,7 @@ loc     eth2            -</programlisting>
               <listitem>
                 <para>Incoming requests from this interface may be remapped
                 via UPNP (upnpd). See <ulink
-                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
-                Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
-                later.</para>
+                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -1023,8 +916,7 @@ loc     eth2            -</programlisting>
                 causes Shorewall to detect the default gateway through the
                 interface and to accept UDP packets from that gateway. Note
                 that, like all aspects of UPnP, this is a security hole so use
-                this option at your own risk. Supported in IPv4 and in IPv6 in
-                Shorewall 5.1.4 and later.</para>
+                this option at your own risk.</para>
               </listitem>
             </varlistentry>
 
@@ -1051,7 +943,7 @@ loc     eth2            -</programlisting>
 
     <variablelist>
       <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
 
         <listitem>
           <para>Suppose you have eth0 connected to a DSL modem and eth1
@@ -1064,7 +956,7 @@ loc     eth2            -</programlisting>
 
           <para>Your entries for this setup would look like:</para>
 
-          <programlisting>?FORMAT 1
+          <programlisting>FORMAT 1
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
@@ -1079,7 +971,7 @@ dmz     eth2      192.168.2.255</programlisting>
           <para>The same configuration without specifying broadcast addresses
           is:</para>
 
-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     eth0      dhcp
 loc     eth1      
@@ -1094,7 +986,7 @@ dmz     eth2</programlisting>
           <para>You have a simple dial-in system with no Ethernet
           connections.</para>
 
-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
         </listitem>
@@ -1107,7 +999,7 @@ net     ppp0      -</programlisting>
           <para>You have a bridge with no IP address and you want to allow
           traffic through the bridge.</para>
 
-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 -       br0       bridge</programlisting>
         </listitem>
@@ -1119,8 +1011,6 @@ net     ppp0      -</programlisting>
     <title>FILES</title>
 
     <para>/etc/shorewall/interfaces</para>
-
-    <para>/etc/shorewall6/interfaces</para>
   </refsect1>
 
   <refsect1>
@@ -1129,6 +1019,13 @@ net     ppp0      -</programlisting>
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-ipsets.xml

@@ -251,44 +251,34 @@
 
     <para>/etc/shorewall/accounting</para>
 
-    <para>/etc/shorewall6/accounting</para>
-
     <para>/etc/shorewall/blrules</para>
 
-    <para>/etc/shorewall6/blrules</para>
-
     <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
     Multiple matches enclosed in +[...] may not be used in this file.</para>
 
-    <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
-    Multiple matches enclosed in +[...] may not be used in this file.</para>
-
     <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
     Multiple matches enclosed in +[...] may not be used in this file.</para>
 
-    <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
-    Multiple matches enclosed in +[...] may not be used in this file.</para>
+    <para>/etc/shorewall/masq</para>
 
     <para>/etc/shorewall/rules</para>
 
-    <para>/etc/shorewall6/rules</para>
-
     <para>/etc/shorewall/secmarks</para>
 
-    <para>/etc/shorewall6/secmarks</para>
-
     <para>/etc/shorewall/mangle</para>
-
-    <para>/etc/shorewall6/mangle</para>
-
-    <para>/etc/shorewall/snat</para>
-
-    <para>/etc/shorewall6/snat</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-logging.xml

@@ -1,385 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-logging</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>logging</refname>
-
-    <refpurpose>Shorewall logging</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command><replaceable>action</replaceable>:<replaceable>level</replaceable></command>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>NFLOG(<replaceable>nflog-parameters</replaceable>)</command>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>ULOG(<replaceable>ulog-parameters</replaceable>)</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>The disposition of packets entering a Shorewall firewall is
-    determined by one of a number of Shorewall facilities. Only some of these
-    facilities permit logging.</para>
-
-    <orderedlist>
-      <listitem>
-        <para>The packet is part of an established connection. While the
-        packet can be logged using LOG rules in the ESTABLISHED section of
-        <ulink
-        url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
-        is not recommended because of the large amount of information that may
-        be logged.</para>
-      </listitem>
-
-      <listitem>
-        <para>The packet represents a connection request that is related to an
-        established connection (such as a <ulink url="FTP.html">data
-        connection associated with an FTP control connection</ulink>). These
-        packets may be logged using LOG rules in the RELATED section of <ulink
-        url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
-      </listitem>
-
-      <listitem>
-        <para>The packet is rejected because of an option in <ulink
-        url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) or <ulink
-        url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
-        These packets can be logged by setting the appropriate logging-related
-        option in <ulink
-        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
-      </listitem>
-
-      <listitem>
-        <para>The packet matches a rule in <ulink
-        url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5). By
-        including a syslog level (see below) in the ACTION column of a rule
-        (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net $FW tcp
-        22</quote>), the connection attempt will be logged at that
-        level.</para>
-      </listitem>
-
-      <listitem>
-        <para>The packet doesn't match a rule so it is handled by a policy
-        defined in <ulink
-        url="manpages/shorewall-policy.html">shorewall-policy(5)</ulink>.
-        These may be logged by specifying a syslog level in the LOG LEVEL
-        column of the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
-        role="bold">info</emphasis></quote>).</para>
-      </listitem>
-    </orderedlist>
-  </refsect1>
-
-  <refsect1>
-    <title>Default Logging</title>
-
-    <para>By default, Shorewall directs Netfilter to log using syslog (8).
-    Syslog classifies log messages by a <emphasis>facility</emphasis> and a
-    <emphasis>priority</emphasis> (using the notation
-    <emphasis>facility.priority</emphasis>).</para>
-
-    <para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
-    daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
-    <emphasis>local0</emphasis> through <emphasis>local7.</emphasis></para>
-
-    <para>Throughout the Shorewall documentation, the term
-    <emphasis>level</emphasis> rather than <emphasis>priority is used,
-    </emphasis>since <emphasis>level</emphasis> is the term used by Netfilter.
-    The syslog documentation uses the term
-    <emphasis>priority</emphasis>.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Syslog Levels</title>
-
-    <para>Syslog levels are a method of describing to syslog (8) the
-    importance of a message. A number of Shorewall parameters have a syslog
-    level as their value.</para>
-
-    <para>Valid levels are:</para>
-
-    <simplelist>
-      <member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
-      messages)</member>
-
-      <member>6 - <emphasis role="bold">info</emphasis>
-      (Informational)</member>
-
-      <member>5 - <emphasis role="bold">notice</emphasis> (Normal but
-      significant Condition)</member>
-
-      <member>4 - <emphasis role="bold">warning</emphasis> (Warning
-      Condition)</member>
-
-      <member>3 - <emphasis role="bold">err</emphasis> (Error
-      Condition)</member>
-
-      <member>2 - <emphasis role="bold">crit</emphasis> (Critical
-      Conditions)</member>
-
-      <member>1 - <emphasis role="bold">alert</emphasis> (must be handled
-      immediately)</member>
-
-      <member>0 - <emphasis role="bold">emerg</emphasis> (System is
-      unusable)</member>
-    </simplelist>
-
-    <para>For most Shorewall logging, a level of 6 (info) is appropriate.
-    Shorewall log messages are generated by Netfilter and are logged using the
-    <emphasis>kern</emphasis> facility and the level that you specify. If you
-    are unsure of the level to choose, 6 (info) is a safe bet. You may specify
-    levels by name or by number.</para>
-
-    <para>Beginning with Shorewall 4.5.5, the <replaceable>level</replaceable>
-    name or number may be optionally followed by a comma-separated list of one
-    or more<replaceable> log options</replaceable>. The list is enclosed in
-    parentheses. Log options cause additional information to be included in
-    each log message.</para>
-
-    <para>Valid log options are:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">ip_options</emphasis></term>
-
-        <listitem>
-          <para>Log messages will include the option settings from the IP
-          header.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">macdecode</emphasis></term>
-
-        <listitem>
-          <para>Decode the MAC address and protocol.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">tcp_sequence</emphasis></term>
-
-        <listitem>
-          <para>Include TCP sequence numbers.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">tcp_options</emphasis></term>
-
-        <listitem>
-          <para>Include options from the TCP header.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">uid</emphasis></term>
-
-        <listitem>
-          <para>Include the UID of the sending program; only valid for packets
-          originating on the firewall itself.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>Example: <emphasis
-    role="bold">info(tcp_options,tcp_sequence)</emphasis></para>
-
-    <para>Syslogd writes log messages to files (typically in <filename
-    class="directory">/var/log/</filename>*) based on their facility and
-    level. The mapping of these facility/level pairs to log files is done in
-    /etc/syslog.conf (5). If you make changes to this file, you must restart
-    syslogd before the changes can take effect.</para>
-
-    <para>Syslog may also write to your system console. See <ulink
-    url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
-    Shorewall messages written to the console.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
-
-    <para>There are a couple of limitations to syslogd-based logging:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>If you give, for example, kern.info its own log destination then
-        that destination will also receive all kernel messages of levels 5
-        (notice) through 0 (emerg).</para>
-      </listitem>
-
-      <listitem>
-        <para>All kernel.info messages will go to that destination and not
-        just those from Netfilter.</para>
-      </listitem>
-
-      <listitem>
-        <para>Netfilter (Shorewall) messages show up in
-        <command>dmesg</command>.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>If your kernel has NFLOG target support (and most vendor-supplied
-    kernels do), you may also specify a log level of NFLOG (must be all caps).
-    When NFLOG is used, Shorewall will direct Netfilter to log the related
-    messages via the NFLOG target which will send them to a process called
-    <quote>ulogd</quote>. The ulogd program is included in most
-    distributions.</para>
-
-    <note>
-      <para>The NFLOG logging mechanism is <emphasis
-      role="underline">completely separate</emphasis> from syslog. Once you
-      switch to NFLOG, the settings in <filename>/etc/syslog.conf</filename>
-      have absolutely no effect on your Shorewall logging (except for
-      Shorewall status messages which still go to syslog).</para>
-    </note>
-
-    <para>You will need to change all instances of log levels (usually
-    <quote>info</quote>) in your Shorewall configuration files to
-    <quote>NFLOG</quote> - this includes entries in the policy, rules and
-    shorewall.conf files. If you initially installed using Shorewall 5.1.2 or
-    later, you can simply change the setting of LOG_LEVEL in
-    shorewall.conf.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Understanding the Contents of Shorewall Log Messages</title>
-
-    <para>For general information on the contents of Netfilter log messages,
-    see <ulink
-    url="http://logi.cc/en/2010/07/netfilter-log-format/">http://logi.cc/en/2010/07/netfilter-log-format/</ulink>.</para>
-
-    <para>For Shorewall-specific information, see <ulink
-    url="/FAQ.htm#faq17">FAQ #17</ulink>.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Customizing the Content of Shorewall Log Messages</title>
-
-    <para>In a Shorewall logging rule, the log level can be followed by a
-    <firstterm>log tag</firstterm> as in "DROP:NFLOG:junk". The generated log
-    message will include "<emphasis>chain-name</emphasis> junk DROP".</para>
-
-    <para>By setting the LOGTAGONLY option to Yes in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
-    disposition ('DROP' in the above example) will be omitted. Consider the
-    following rule:</para>
-
-    <programlisting>#ACTION                                    SOURCE          DEST           PROTO
-REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
-
-    <para>This rule generates the following warning at compile time:</para>
-
-    <simplelist>
-      <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
-      /etc/shorewall/rules (line 212)</member>
-    </simplelist>
-
-    <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
-    ".</para>
-
-    <para>Now consider this similar rule:</para>
-
-    <programlisting>#ACTION                                              SOURCE          DEST           PROTO
-REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
-
-    <para>With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
-    "Shorewall:IPv6:tunneling:"</para>
-
-    <para>See the <ulink url="shorewall.conf.html">shorewall[6].conf man
-    page</ulink> for further information about how LOGTAGONLY=Yes can be
-    used.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Log Backends</title>
-
-    <para>Netfilter logging allows configuration of multiple backends. Logging
-    backends provide the The low-level forward of log messages. There are
-    currently three backends:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>LOG (ipt_LOG and ip6t_LOG).</term>
-
-        <listitem>
-          <para>Normal kernel-based logging to a syslog daemon.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>ULOG (ipt_ULOG)</term>
-
-        <listitem>
-          <para>ULOG logging as described ablve. Only available for
-          IPv4.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>netlink (nfnetlink_log)</term>
-
-        <listitem>
-          <para>The logging backend behind NFLOG, defined above.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>The currently-available and currently-selected IPv4 and IPv6
-    backends are shown in /proc/sys/net/netfilter/nf_log:</para>
-
-    <programlisting>cat /proc/net/netfilter/nf_log
- 0 NONE (nfnetlink_log)
- 1 NONE (nfnetlink_log)
- 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
- 3 NONE (nfnetlink_log)
- 4 NONE (nfnetlink_log)
- 5 NONE (nfnetlink_log)
- 6 NONE (nfnetlink_log)
- 7 NONE (nfnetlink_log)
- 8 NONE (nfnetlink_log)
- 9 NONE (nfnetlink_log)
-10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
-11 NONE (nfnetlink_log)
-12 NONE (nfnetlink_log)</programlisting>
-
-    <para>The magic numbers (0-12) are Linux address family numbers (AF_INET
-    is 2 and AF_INET6 is 10).</para>
-
-    <para>The name immediately following the number is the currently-selected
-    backend, and the ones in parentheses are the ones that are available. You
-    can change the currently selected backend by echoing it's name into
-    /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
-
-    <para>Example - change the IPv4 backend to LOG:</para>
-
-    <programlisting>sysctl net.netfilter.nf_log.2=ipt_LOG</programlisting>
-
-    <para>Beginning with Shorewall 4.6.4, you can configure the backend using
-    the LOG_BACKEND option in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-
-    <para><ulink
-    url="/shorewall_logging.htm">http://www.shorewall.net/shorewall_logging.html</ulink></para>
-  </refsect1>
-</refentry>

Shorewall/manpages/shorewall-maclist.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/maclist</command>
+      <command>/etc/shorewall/maclist</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -97,8 +97,6 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/maclist</para>
-
-    <para>/etc/shorewall6/maclist</para>
   </refsect1>
 
   <refsect1>
@@ -110,6 +108,14 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-mangle.xml

@@ -18,17 +18,31 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/mangle</command>
+      <command>/etc/shorewall/mangle</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
   <refsect1>
     <title>Description</title>
 
-    <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
+    <para>This file was introduced in Shorewall 4.6.0 and is intended to
+    replace <ulink
     url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
     file is only processed by the compiler if:</para>
 
+    <orderedlist numeration="loweralpha">
+      <listitem>
+        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
+        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
+        or</para>
+      </listitem>
+
+      <listitem>
+        <para>The first file named 'tcrules' found on the CONFIG_PATH contains
+        no non-commentary entries.</para>
+      </listitem>
+    </orderedlist>
+
     <para>Entries in this file cause packets to be marked as a means of
     classifying them for traffic control or policy routing.</para>
 
@@ -103,7 +117,9 @@
           SOURCE is $FW, the generated rule is always placed in the OUTPUT
           chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
           Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body.</para>
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
 
           <para>Where a command takes parameters, those parameters are
           enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -349,9 +365,8 @@ DIVERTHA        -               -               tcp</programlisting>
 
               <listitem>
                 <para>Added in Shorewall 5.0.6 as an alternative to entries in
-                <ulink
-                url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
-                If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                <ulink url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
                 supplied, TCP is assumed. This action causes all ECN bits in
                 the TCP header to be cleared.</para>
               </listitem>
@@ -374,8 +389,7 @@ DIVERTHA        -               -               tcp</programlisting>
 
               <listitem>
                 <para>Allows you to place your own ip[6]tables matches at the
-                end of the line following two semicolons (";;") (preferred) or
-                a single semicolon (";") (deprecated). If an
+                end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
                 proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
@@ -392,10 +406,22 @@ DIVERTHA        -               -               tcp</programlisting>
 
                 <programlisting>2:P                   eth0              -         tcp 22
 INLINE(MARK(2)):P     eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -                 ;; -p tcp
-INLINE                eth0              -         tcp 22  ;; -j MARK --set-mark 2
-INLINE                eth0              -                 ;; -p tcp -j MARK --set-mark 2
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
+
+                <para>If INLINE_MATCHES=Yes in <ulink
+                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+                then the third rule above can be specified as follows:</para>
+
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
+
+                <para>Beginning with Shorewall 5.0.0, the rule may also be
+                written this way, irrespective of the setting of
+                INLINE_MATCHES:</para>
+
+                <programlisting>MARK(2):P             eth0              -                 ;; -p tcp</programlisting>
               </listitem>
             </varlistentry>
 
@@ -507,39 +533,12 @@ INLINE                eth0              -                 ;; -p tcp -j MARK --se
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis
-              role="bold">IP6TABLES({<replaceable>target</replaceable>
-              [<replaceable>option</replaceable> ...])</emphasis></term>
-
-              <listitem>
-                <para>IPv6 only.</para>
-
-                <para>This action allows you to specify an iptables target
-                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
-                If the target is not one recognized by Shorewall, the
-                following error message will be issued:</para>
-
-                <simplelist>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
-
-                <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
-                <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">IPTABLES({<replaceable>target</replaceable>
               [<replaceable>option</replaceable> ...])</emphasis></term>
 
               <listitem>
-                <para>IPv4 only.</para>
-
                 <para>This action allows you to specify an iptables target
                 with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
                 the target is not one recognized by Shorewall, the following
@@ -690,43 +689,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis
-              role="bold">TCPMSS</emphasis>([<replaceable>mss</replaceable>[,<replaceable>ipsec</replaceable>]])</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.9. This target only applies to
-                TCP traffic and alters the MSS value in SYN packets. It may be
-                used in the FORWARD and POSTROUTING chains; the default is
-                FORWARD.</para>
-
-                <para>The <replaceable>mss</replaceable> parameter may be
-                either <option>pmtu</option> or an integer in the range
-                500:65533. The value <option>pmtu</option> automatically
-                clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
-                IPv6). This may not function as desired where asymmetric
-                routes with differing path MTU exist — the kernel uses the
-                path MTU which it would use to send packets from itself to the
-                source and destination IP addresses. Prior to Linux 2.6.25,
-                only the path MTU to the destination IP address was considered
-                by this option; subsequent kernels also consider the path MTU
-                to the source IP address. If an integer is given, the MSS
-                option is set to the specified value. If the MSS of the packet
-                is already lower than <replaceable>mss</replaceable>, it will
-                not be increased (from Linux 2.6.25 onwards) to avoid more
-                problems with hosts relying on a proper MSS. If
-                <replaceable>mss</replaceable> is omitted,
-                <option>pmtu</option> is assumed.</para>
-
-                <para>The <replaceable>ipsec</replaceable> parameter
-                determines whether the rule applies to IPSEC traffic
-                (<option>ipsec</option> is passed), non-IPSEC traffic
-                (<option>none</option> is passed) or both
-                (<option>all</option> is passed). If omitted,
-                <option>all</option> is assumed.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</term>
@@ -763,7 +725,7 @@ Normal-Service       =&gt; 0x00</programlisting>
 
             <varlistentry>
               <term><emphasis
-              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>[,<replaceable>address</replaceable>]])</term>
+              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</term>
 
               <listitem>
                 <para>Transparently redirects a packet without altering the IP
@@ -953,8 +915,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                 Matches packets leaving the firewall through the named
                 interface. May not be used in the PREROUTING chain (:P in the
                 mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink
-                url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                in <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
                 (5)).</para>
               </listitem>
             </varlistentry>
@@ -1582,7 +1543,7 @@ Normal-Service       =&gt; 0x00</programlisting>
 
     <variablelist>
       <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
 
         <listitem>
           <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@@ -1611,7 +1572,7 @@ Normal-Service       =&gt; 0x00</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>
 
         <listitem>
           <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -1623,41 +1584,12 @@ Normal-Service       =&gt; 0x00</programlisting>
        #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
        CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
 
-/etc/shorewall/snat:
+/etc/shorewall/masq:
 
-       #ACTION          SOURCE              DEST     ...
-       SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
-       SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
-       SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
-          to peer traffic with packet mark 4.</para>
-
-          <para>This is a little more complex than otherwise expected. Since
-          the ipp2p module is unable to determine all packets in a connection
-          are P2P packets, we mark the entire connection as P2P if any of the
-          packets are determined to match.</para>
-
-          <para>We assume packet/connection mark 0 means unclassified.</para>
-
-          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
-       MARK(1):T  ::/0      ::/0         icmp    echo-request
-       MARK(1):T  ::/0      ::/0         icmp    echo-reply
-       RESTORE:T  ::/0      ::/0         all     -             -       -       0
-       CONTINUE:T ::/0      ::/0         all     -             -       -       !0
-       MARK(4):T  ::/0      ::/0         ipp2p:all
-       SAVE:T     ::/0      ::/0         all     -             -       -       !0</programlisting>
-
-          <para>If a packet hasn't been classified (packet mark is 0), copy
-          the connection mark to the packet mark. If the packet mark is set,
-          we're done. If the packet is P2P, set the packet mark to 4. If the
-          packet mark has been set, save it to the connection mark.</para>
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -1667,8 +1599,6 @@ Normal-Service       =&gt; 0x00</programlisting>
     <title>FILES</title>
 
     <para>/etc/shorewall/mangle</para>
-
-    <para>/etc/shorewall6/mangle</para>
   </refsect1>
 
   <refsect1>
@@ -1686,6 +1616,14 @@ Normal-Service       =&gt; 0x00</programlisting>
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-masq.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall[6]/masq</command>
+      <command>/etc/shorewall/masq</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -579,7 +579,7 @@
 
     <variablelist>
       <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
 
         <listitem>
           <para>You have a simple masquerading setup where eth0 connects to a
@@ -594,7 +594,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>
 
         <listitem>
           <para>You add a router to your local network to connect subnet
@@ -607,7 +607,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 3:</term>
+        <term>Example 3:</term>
 
         <listitem>
           <para>You have an IPSEC tunnel through ipsec0 and you want to
@@ -620,7 +620,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 4:</term>
+        <term>Example 4:</term>
 
         <listitem>
           <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -634,7 +634,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 5:</term>
+        <term>Example 5:</term>
 
         <listitem>
           <para>You want all outgoing SMTP traffic entering the firewall from
@@ -654,7 +654,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 6:</term>
+        <term>Example 6:</term>
 
         <listitem>
           <para>Connections leaving on eth0 and destined to any host defined
@@ -667,7 +667,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 7:</term>
+        <term>Example 7:</term>
 
         <listitem>
           <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -689,7 +689,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IPv4 Example 8:</term>
+        <term>Example 8:</term>
 
         <listitem>
           <para>Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -716,49 +716,6 @@
 </programlisting>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>You have a simple 'masquerading' setup where eth0 connects to
-          a DSL or cable modem and eth1 connects to your local network with
-          subnet 2001:470:b:787::0/64</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
-        eth0         2001:470:b:787::0/64    -</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>Your sit1 interface has two public IP addresses:
-          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
-          iptables statistics match to masquerade outgoing connections evenly
-          between these two addresses.</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2 
-</programlisting>
-
-          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          then these rules may be specified as follows:</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2</programlisting>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -766,8 +723,6 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/masq</para>
-
-    <para>/etc/shorewall6/masq</para>
   </refsect1>
 
   <refsect1>
@@ -776,6 +731,14 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-modules.xml

@@ -18,11 +18,11 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/modules</command>
+      <command>/usr/share/shorewall/modules</command>
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/helpers</command>
+      <command>/usr/share/shorewall/helpers</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -51,7 +51,7 @@
 
     <para>The <replaceable>modulename</replaceable> names a kernel module
     (without suffix). Shorewall will search for modules based on your
-    MODULESDIR setting in <ulink
+    MODULESDIR and MODULE_SUFFIX settings in <ulink
     url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
     <replaceable>moduleoption</replaceable>s are passed to modprobe (if
     installed) or to insmod.</para>
@@ -82,19 +82,19 @@
     <para>/etc/shorewall/modules</para>
 
     <para>/etc/shorewall/helpers</para>
-
-    <para>/usr/share/shorewall6/modules</para>
-
-    <para>/usr/share/shorewall6/helpers</para>
-
-    <para>/etc/shorewall6/modules</para>
-
-    <para>/etc/shorewall6/helpers</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-nat.xml

@@ -34,8 +34,6 @@
       url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
       in many cases, Proxy ARP (<ulink
       url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
-      or Proxy-NDP(<ulink
-      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
       is a better solution that one-to-one NAT.</para>
     </warning>
 
@@ -210,8 +208,6 @@ all		all		REJECT		info
     <title>FILES</title>
 
     <para>/etc/shorewall/nat</para>
-
-    <para>/etc/shorewall6/nat</para>
   </refsect1>
 
   <refsect1>
@@ -223,6 +219,14 @@ all		all		REJECT		info
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-nesting.xml

@@ -200,16 +200,6 @@
     <para>/etc/shorewall/policy</para>
 
     <para>/etc/shorewall/rules</para>
-
-    <para>/etc/shorewall6/zones</para>
-
-    <para>/etc/shorewall6/interfaces</para>
-
-    <para>/etc/shorewall6/hosts</para>
-
-    <para>/etc/shorewall6/policy</para>
-
-    <para>/etc/shorewall6/rules</para>
   </refsect1>
 
   <refsect1>