Ipcalc: Fail when missing arguments

Signed-off-by: Matt Darfeuille <matdarf@gmail.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall/lib.base
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.cli

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50112
+SHOREWALL_CAPVERSION=50200
 
 if [ -z "$g_basedir" ]; then
     #
@@ -87,6 +87,8 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
+    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
+
     case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -415,9 +417,9 @@ resolve_arptables() {
 savesets() {
     local supported
 
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
 }
 
 #
@@ -426,9 +428,9 @@ savesets() {
 savesets1() {
     local supported
 
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 
 #
@@ -439,9 +441,9 @@ do_save() {
     local arptables
     status=0
 
-    if [ -f ${VARDIR}/firewall ]; then
+    if [ -f $g_firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
+	    cp -f $g_firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -453,7 +455,7 @@ do_save() {
 	    status=1
 	fi
     else
-	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	echo "   ERROR: $g_firewall does not exist" >&2
 	status=1
     fi
 
@@ -1189,6 +1191,32 @@ show_ipsec_command() {
     show_ipsec
 }
 
+show_saves_command() {
+    local f
+    local fn
+    local mtime
+
+    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
+    echo "Saved snapshots are:"
+    echo
+
+    for f in ${VARDIR}/*-iptables; do
+	case $f in
+	    *\**)
+	        ;;
+	    *)
+		fn=$(basename $f)
+		fn=${fn%-iptables}
+		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
+    done
+
+    echo
+}
+
 #
 # Show Command Executor
 #
@@ -1410,6 +1438,17 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+        rc)
+            shift
+	    [ $# -gt 1 ] && too_many_arguments $2
+            if [ -n "$1" -a -d "$1" ]; then
+                cat $1/shorewallrc
+            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
+                cat $g_basedir/shorewallrc
+            else
+                fatal_error "Can not determine the location of the shorewallrc file."
+            fi
+            ;;
 	policies)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
@@ -1478,6 +1517,10 @@ show_command() {
 	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
+	saves)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    show_saves_command
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -2767,7 +2810,6 @@ determine_capabilities() {
     LENGTH_MATCH=
     CLASSIFY_TARGET=
     ENHANCED_REJECT=
-    USEPKTTYPE=
     KLUDGEFREE=
     MARK=
     XMARK=
@@ -3114,7 +3156,6 @@ determine_capabilities() {
 	fi
     fi
 
-    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3228,7 +3269,6 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
     fi
-    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
     report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
     report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
     report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3345,8 +3385,6 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
     fi
 
-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
 }
 
 report_capabilities_unsorted1() {
@@ -3363,7 +3401,6 @@ report_capabilities_unsorted1() {
     report_capability1 CONNTRACK_MATCH
     report_capability1 NEW_CONNTRACK_MATCH
     report_capability1 OLD_CONNTRACK_MATCH
-    report_capability1 USEPKTTYPE
     report_capability1 POLICY_MATCH
     report_capability1 PHYSDEV_MATCH
     report_capability1 PHYSDEV_BRIDGE
@@ -3738,7 +3775,7 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
     else
 	too_many_arguments $4
@@ -3784,7 +3821,7 @@ iprange_command() {
 }
 
 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
     else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3827,7 +3864,7 @@ noiptrace_command() {
 verify_firewall_script() {
     if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
@@ -3927,7 +3964,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4081,15 +4118,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
 
-	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	if [ -x $g_firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it ${VARDIR}/firewall $g_debugging start
+		run_it $g_firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "${VARDIR}/firewall is missing or is not executable"
+	    error_message "$g_firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4218,11 +4255,11 @@ restart_command() {
 
     [ -n "$g_nolock" ] || mutex_on
 
-    if [ -x ${VARDIR}/firewall ]; then
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+    if [ -x $g_firewall ]; then
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
     else
-	error_message "${VARDIR}/firewall is missing or is not executable"
+	error_message "$g_firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
@@ -4232,10 +4269,10 @@ restart_command() {
 }
 
 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
+    if [ -x $g_firewall ] ; then
+	run_it $g_firewall $g_debugging $@
     else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
     fi
 }
 
@@ -4293,7 +4330,6 @@ usage() # $1 = exit status
 
     echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   reenable <interface>"
-    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
 
     if [ -n "$g_lite" ]; then
@@ -4303,9 +4339,11 @@ usage() # $1 = exit status
     fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
     fi
 
     echo "   reset [ <chain> ... ]"
@@ -4348,7 +4386,9 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] rc"
     echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] saves"
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
@@ -4397,7 +4437,6 @@ shorewall_cli() {
     g_use_verbosity=
     g_debug=
     g_export=
-    g_refreshchains=:none:
     g_confess=
     g_update=
     g_annotate=
@@ -4416,6 +4455,7 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
+    g_havemutex=
 
     VERBOSE=
     VERBOSITY=1
@@ -4621,7 +4661,7 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it ${VARDIR}/firewall $g_debugging $@
+		run_it $g_firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi

Shorewall-core/lib.common

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
 #     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
@@ -751,36 +751,44 @@ mutex_on()
     lockf=${LOCKFILE:=${VARDIR}/lock}
     local lockpid
     local lockd
+    local lockbin
+    local openwrt
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
 
 	lockd=$(dirname $LOCKFILE)
 
 	[ -d "$lockd" ] || mkdir -p "$lockd"
 
+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    elif [ -z "$openwrt" ]; then
+		if [ $lockpid -eq $$ ]; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
+		    rm -f ${lockf}
+		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+		fi
 	    fi
 	fi
 
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	if [ -n "$openwrt" ]; then
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-            lock ${lockf}
-            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -790,10 +798,15 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
+		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
+
+	if [ -n "$g_havemutex" ]; then
+	    trap mutex_off EXIT
+	fi
     fi
 }
 
@@ -802,7 +815,10 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
+    if [ -n "$g_havemutex" ]; then
+	eval $g_havemutex
+	g_havemutex=
+	trap '' exit
+    fi
 }
 

Shorewall-core/lib.core

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.core
+# Shorewall 5.2 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.installer

@@ -1,6 +1,5 @@
 #
-#
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,6 +1,5 @@
 #
-#
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
@@ -61,7 +60,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
     if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
+        if [ -f $1 -o -h $1 ] ; then
             rm -f $1
             echo "$1 Removed"
         fi
@@ -85,7 +84,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
             if [ -d $f ] ; then
                 rm -rf $f
                 echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
+            elif [ -f $f -o -h $f ] ; then
                 rm -f $f
                 echo "$f Removed"
             fi

Shorewall-core/manpages/shorewall.xml

@@ -405,20 +405,6 @@
       <replaceable>provider</replaceable> }</arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>options</arg>
-
-      <arg
-      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
-      <replaceable>directory</replaceable> </arg><arg
-      rep="repeat"><replaceable>chain</replaceable></arg></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -459,6 +445,54 @@
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getcaps</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-R</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getrc</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -813,7 +847,7 @@
 
       <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg choice="plain"><option>tc</option></arg>
+      <arg choice="plain"><option>saves</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1316,7 +1350,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -1773,63 +1807,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
-        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
-        </option><replaceable>directory</replaceable> ] [
-        <replaceable>chain</replaceable>... ]</term>
-
-        <listitem>
-          <para>Not available with Shorewall[6]-lite.</para>
-
-          <para>All steps performed by <command>restart</command> are
-          performed by <command>refresh</command> with the exception that
-          <command>refresh</command> only recreates the chains specified in
-          the command while <command>restart</command> recreates the entire
-          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
-          the static blacklisting chain <emphasis
-          role="bold">blacklst</emphasis> is assumed.</para>
-
-          <para>The listed chains are assumed to be in the filter table. You
-          can refresh chains in other tables by prefixing the chain name with
-          the table name followed by ":" (e.g., nat:net_dnat). Chain names
-          which follow are assumed to be in that table until the end of the
-          list or until an entry in the list names another table. Built-in
-          chains such as FORWARD may not be refreshed.</para>
-
-          <para>The <option>-n</option> option was added in Shorewall 4.5.3
-          causes Shorewall to avoid updating the routing table(s).</para>
-
-          <para>The <option>-d</option> option was added in Shorewall 4.5.3
-          causes the compiler to run under the Perl debugger.</para>
-
-          <para>The <option>-T</option> option was added in Shorewall 4.5.3
-          and causes a Perl stack trace to be included with each
-          compiler-generated error and warning message.</para>
-
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <para>The <option>-D</option> option was added in Shorewall 4.5.3
-          and causes Shorewall to look in the given
-          <emphasis>directory</emphasis> first for configuration files.</para>
-
-          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
-
-          <para>The <emphasis role="bold">refresh</emphasis> command has
-          slightly different behavior. When no chain name is given to the
-          <emphasis role="bold">refresh</emphasis> command, the mangle table
-          is refreshed along with the blacklist chain (if any). This allows
-          you to modify <filename>/etc/shorewall/tcrules </filename>and
-          install the changes using <emphasis
-          role="bold">refresh</emphasis>.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">reject</emphasis><replaceable>
         address</replaceable></term>
@@ -1941,6 +1918,57 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">remote-getcaps</emphasis>
+        [-<option>R</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command executes <emphasis
+          role="bold">shorewall[6]-lite show capabilities -f &gt;
+          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
+          <replaceable>system</replaceable> via ssh then the generated file is
+          copied to <replaceable>directory</replaceable> on the local system.
+          If no <replaceable>directory</replaceable> is given, the current
+          working directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
+          shorewallrc file is also copied to
+          <replaceable>directory</replaceable>.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">remote-getrc</emphasis>
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
+          file from the remote <replaceable>system</replaceable> to
+          <replaceable>directory</replaceable> on the local system. If no
+          <replaceable>directory</replaceable> is given, the current working
+          directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
+          capabilities are also copied to
+          <replaceable>directory</replaceable>, as is done by the
+          <command>remote-getcaps</command> command.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -1992,9 +2020,9 @@
           role="bold">shorewall-lite save</emphasis> via ssh.</para>
 
           <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall-lite show capabilities -f
-          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
-          ssh then the generated file is copied to
+          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
+          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
+          via ssh then the generated file is copied to
           <replaceable>directory</replaceable> using scp. This step is
           performed before the configuration is compiled.</para>
 
@@ -2005,13 +2033,6 @@
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
-
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2430,11 +2451,11 @@
         <replaceable>filename</replaceable> ]</term>
 
         <listitem>
-          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
-          The state of the firewall is stored in
+          <para>Creates a snapshot of the currently running firewall. The
+          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
+          the firewall is stored in
           /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
-          role="bold">shorewall -f start</emphasis> commands. If
+          <emphasis role="bold">shorewall restore</emphasis> command. If
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2737,6 +2758,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">rc</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.0. Displays the contents of
+                $SHAREDIR/shorewall/shorewallrc.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>[-<option>c</option>]<emphasis role="bold">
               routing</emphasis></term>
@@ -2762,6 +2792,20 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>saves</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
+                <command>save</command> command. Each snapshot is listed with
+                the date and time when it was taken. If there is a snapshot
+                with the name specified in the RESTOREFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
+                snapshot is listed as the <emphasis>default</emphasis>
+                snapshot for the <command>restore</command> command.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">tc</emphasis></term>
 
@@ -2921,7 +2965,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+ANNOTATED=				#If non-empty, annotated configuration files are installed
+SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux

Shorewall-core/shorewallrc.openwrt

@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.sandbox

@@ -0,0 +1,28 @@
+#
+# Shorewall 5.2 rc file for installing into a Sandbox
+#
+BUILD=                                       # Default is to detect the build system
+HOST=linux
+INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
+PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
+PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
+CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
+SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
+MANDIR=		     			     # Leave empty
+INITDIR=				     # Leave empty				     				
+INITSOURCE=				     # Leave empty
+INITFILE=				     # Leave empty
+AUXINITSOURCE=				     # Leave empty
+AUXINITFILE=				     # Leave empty
+SERVICEDIR=				     # Leave empty
+SERVICEFILE=    			     # Leave empty
+SYSCONFFILE=				     # Leave empty
+SYSCONFDIR=				     # Leave empty			
+SPARSE=					     # Leave empty			
+ANNOTATED=				     # If non-empty, annotated configuration files are installed				
+VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
+VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
+DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
+SANDBOX=Yes				     # Indicates SANDBOX installation

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -1,9 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
-#
-# This action A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION		SOURCE		DEST	PROTO		DPORT
-
-AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -1,57 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Drop
-#
-# The audited default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-Auth(A_DROP)
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Don't log broadcasts and multicasts
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep

Shorewall/Actions/action.A_Reject.deprecated

@@ -1,54 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Reject
-#
-# The audited default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Drop Broadcasts and multicasts so they don't clutter up the log
-# (these must *not* be rejected).
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep

Shorewall/Actions/action.Drop.deprecated

@@ -1,84 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Drop
-#
-# The former default DROP common rules. Use of this action is now deprecated
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-#     with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Don't log broadcasts or multicasts
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,@1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)

Shorewall/Actions/action.IfEvent

@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Shorewall/Actions/action.Reject.deprecated

@@ -1,85 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Reject
-#
-# The former default REJECT action common rules. Use of this action is deprecated.
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing
-#     special with them.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,@1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)

Shorewall/Macros/macro.IPFS-API

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-API
+#
+# This macro handles IPFS API port (commands for the IPFS daemon).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     5001

Shorewall/Macros/macro.IPFS-gateway

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
+#
+# This macro handles the IPFS gateway to HTTP.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     8080

Shorewall/Macros/macro.IPFS-swarm

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001

Shorewall/Macros/macro.SNMPTrap.deprecated

@@ -1,9 +0,0 @@
-#
-# Shorewall - /usr/share/shorewall/macro.SNMPtrap
-#
-# This macro deprecated by SNMPtrap.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-SNMPtrap

Shorewall/Perl/Shorewall/ARP.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,

Shorewall/Perl/Shorewall/Chains.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -172,6 +172,12 @@ our %EXPORT_TAGS = (
 				       related_chain
 				       invalid_chain
 				       untracked_chain
+				       rules_log
+				       blacklist_log
+				       established_log
+				       related_log
+				       invalid_log
+				       untracked_log
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -419,7 +425,7 @@ our $VERSION = 'MODULEVERSION';
 #      Established     - ^<z1-z2>
 #      Related         - +<z1-z2>
 #      Invalid         - _<z1-z2>
-#      Untracked       - &<z1-z2>
+#      Untracked       - =<z1-z2>
 #
 our %chain_table;
 our $raw_table;
@@ -2263,7 +2269,57 @@ sub invalid_chain($$) {
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_chain($$) {
-    '&' . &rules_chain(@_);
+    '=' . &rules_chain(@_);
+}
+
+#
+# Logname for chains between an ordered pair of zones
+#
+sub rules_log( $$ ) {
+    my $logchain = $config{LOG_ZONE};
+
+    if ( $logchain eq 'both' ) {
+	join "$config{ZONE2ZONE}", @_;
+    } elsif ( $logchain eq 'src' ) {
+	$_[0];
+    } else {
+	$_[1];
+    }
+}
+
+#
+# Log name of the blacklist chain between an ordered pair of zones
+#
+sub blacklist_log($$) {
+    &rules_log(@_) . '~';
+}
+
+#
+# Log name of the established chain between an ordered pair of zones
+#
+sub established_log($$) {
+    '^' . &rules_log(@_)
+}
+
+#
+# Log name of the related chain between an ordered pair of zones
+#
+sub related_log($$) {
+    '+' . &rules_log(@_);
+}
+
+#
+# Log name of the invalid chain between an ordered pair of zones
+#
+sub invalid_log($$) {
+    '_' . &rules_log(@_);
+}
+
+#
+# Name of the untracked chain between an ordered pair of zones
+#
+sub untracked_log($$) {
+    '&' . &rules_log(@_);
 }
 
 #
@@ -2585,13 +2641,14 @@ sub reserved_name( $ ) {
 #
 # Create a new chain and return a reference to it.
 #
-sub new_chain($$)
+sub new_chain($$;$)
 {
-    my ($table, $chain) = @_;
+    my ($table, $chain, $logchain) = @_;
 
     assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );
 
     my $chainref = { name           => $chain,
+		     logname        => $logchain || $chain,
 		     rules          => [],
 		     table          => $table,
 		     loglevel       => '',
@@ -2612,7 +2669,7 @@ sub new_chain($$)
 #
 # Find a chain
 #
-sub find_chain($$) {
+sub find_chain($$;$) {
     my ($table, $chain) = @_;
 
     assert( $table && $chain && $chain_table{$table} );
@@ -2623,7 +2680,7 @@ sub find_chain($$) {
 #
 # Create a chain if it doesn't exist already
 #
-sub ensure_chain($$)
+sub ensure_chain($$;$)
 {
     &find_chain( @_ ) || &new_chain( @_ );
 }
@@ -3923,7 +3980,7 @@ sub optimize_level8( $$$ ) {
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains
 
-		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
+		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
 			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
@@ -4506,16 +4563,22 @@ sub valid_tables() {
 
 sub optimize_ruleset() {
 
+    my $optimize = $config{OPTIMIZE};
+
     for my $table ( valid_tables ) {
 
 	my $tableref = $chain_table{$table};
 	my $passes   = 0;
-	my $optimize = $config{OPTIMIZE};
 
 	$passes = optimize_level4(  $table, $tableref )           if $optimize & 4;
-	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
 	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;
 
+	my $savepasses = $passes;
+
+	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
+
+	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16 && $passes > $savepasses + 1;
+
 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
     }
@@ -4628,7 +4691,7 @@ sub logchain( $$$$$$ ) {
 	log_irule_limit(
 		       $loglevel ,
 		       $logchainref ,
-		       $chainref->{name} ,
+		       $chainref->{logname} ,
 		       $disposition ,
 		       [] ,
 		       $logtag,
@@ -6807,13 +6870,13 @@ sub log_irule_limit( $$$$$$$$@ ) {
 sub log_rule( $$$$ ) {
     my ( $level, $chainref, $disposition, $matches ) = @_;
 
-    log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
+    log_rule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
 }
 
 sub log_irule( $$$;@ ) {
     my ( $level, $chainref, $disposition, @matches ) = @_;
 
-    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
+    log_irule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }
 
 #
@@ -7034,14 +7097,17 @@ sub interface_address( $ ) {
 #
 sub get_interface_address ( $;$ ) {
     my ( $logical, $provider ) = @_;
-
     my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
 
     $global_variables |= ALL_COMMANDS;
 
-    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    if ( $interface eq loopback_interface ) {
+	$interfaceaddr{$interface} = "$variable=" . loopback_address;
+    } else {
+	my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+	$interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    }
 
     set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
 
@@ -8519,7 +8585,7 @@ sub save_dynamic_chains() {
     my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
 
-    emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
+    emit ( 'if [ "$COMMAND" = reload ]; then' );
     push_indent;
 
     emit( 'if [ -n "$g_counters" ]; then' ,
@@ -8884,9 +8950,6 @@ sub create_load_ipsets() {
 
 	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
 	    ensure_ipsets( @ipsets );
-
-	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
-	    ensure_ipsets( @ipsets );
 	};
 
 	emit ( 'fi' );
@@ -9161,156 +9224,6 @@ sub preview_netfilter_load() {
     print "\n";
 }
 
-#
-# Generate the netfilter input for refreshing a list of chains
-#
-sub create_chainlist_reload($) {
-
-    my $chains = $_[0];
-
-    my @chains;
-
-    unless ( $chains eq ':none:' ) {
-	if ( $chains eq ':refresh:' ) {
-	    $chains = '';
-	} else {
-	    @chains =  split_list $chains, 'chain';
-	}
-
-	unless ( @chains ) {
-	    @chains = qw( blacklst ) if $filter_table->{blacklst};
-	    push @chains, 'blackout' if $filter_table->{blackout};
-
-	    for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
-		push @chains, $_->{name} if $_->{blacklistsection};
-	    }
-
-	    push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-	    $chains = join( ',', @chains ) if @chains;
-	}
-    }
-
-    $mode = NULL_MODE;
-
-    emit(  'chainlist_reload()',
-	   '{'
-	   );
-
-    push_indent;
-
-    if ( @chains ) {
-	my $word = @chains == 1 ? 'chain' : 'chains';
-
-	progress_message2 "Compiling iptables-restore input for $word @chains...";
-	save_progress_message "Preparing iptables-restore input for $word @chains...";
-
-	emit '';
-
-	my $table = 'filter';
-
-	my %chains;
-
-	my %tables;
-
-	for my $chain ( @chains ) {
-	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
-
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
-
-	    $chains{$table} = {} unless $chains{$table};
-
-	    if ( $chain ) {
-		my $chainref;
-		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
-		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
-
-		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
-		    $tables{$table} = 1;
-		} else {
-		    $chains{$table}{$chain} = $chainref;
-		}
-	    } else {
-		$tables{$table} = 1;
-	    }
-	}
-
-	for $table ( keys %tables ) {
-	    while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
-		$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
-	    }
-	}
-
-	emit 'exec 3>${VARDIR}/.iptables-restore-input';
-
-	enter_cat_mode;
-
-	for $table ( qw(raw nat mangle filter) ) {
-	    my $tableref=$chains{$table};
-
-	    next unless $tableref;
-
-	    @chains = sort keys %$tableref;
-
-	    emit_unindented "*$table";
-
-	    for my $chain ( @chains ) {
-		my $chainref = $tableref->{$chain};
-		emit_unindented ":$chainref->{name} - [0:0]";
-	    }
-
-	    for my $chain ( @chains ) {
-		my $chainref = $tableref->{$chain};
-		my @rules = @{$chainref->{rules}};
-		my $name = $chainref->{name};
-
-		@rules = () unless @rules;
-		#
-		# Emit the chain rules
-		#
-		emitr($chainref, $_) for @rules;
-	    }
-	    #
-	    # Commit the changes to the table
-	    #
-	    enter_cat_mode unless $mode == CAT_MODE;
-
-	    emit_unindented 'COMMIT';
-	}
-
-	enter_cmd_mode;
-
-	#
-	# Now generate the actual ip[6]tables-restore command
-	#
-	emit(  'exec 3>&-',
-	       '' );
-
-	if ( $family == F_IPV4 ) {
-	    emit ( 'progress_message2 "Running iptables-restore..."',
-		   '',
-		   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
-		   'if [ $? != 0 ]; then',
-		   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
-		   "fi\n"
-		 );
-	} else {
-	    emit ( 'progress_message2 "Running ip6tables-restore..."',
-		   '',
-		   'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
-		   'if [ $? != 0 ]; then',
-		   '    fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
-		   "fi\n"
-		 );
-	}
-    } else {
-	emit('true');
-    }
-
-    pop_indent;
-
-    emit "}\n";
-}
-
 #
 # Generate the netfilter input to stop the firewall
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -109,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -356,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3($) {
+sub generate_script_3() {
 
     if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -366,7 +366,6 @@ sub generate_script_3($) {
 
     create_netfilter_load( $test );
     create_arptables_load( $test ) if $have_arptables;
-    create_chainlist_reload( $_[0] );
     create_save_ipsets;
     create_load_ipsets;
 
@@ -398,16 +397,10 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
     }
 
-    emit '';
-
-    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	   '   run_refresh_exit' ,
-	   'else' ,
-	   '    run_init_exit',
-	   'fi',
-	   '' );
-
-    emit( 'load_ipsets' ,
+    emit( '' ,
+	  'run_init_exit',
+	  '' ,
+	  'load_ipsets' ,
 	  '' );
 
     create_nfobjects;
@@ -465,11 +458,6 @@ sub generate_script_3($) {
     dump_proxy_arp;
     emit_unindented '__EOF__';
 
-    emit( '',
-	  'if [ "$COMMAND" != refresh ]; then' );
-
-    push_indent;
-
     emit 'cat > ${VARDIR}/zones << __EOF__';
     dump_zone_contents;
     emit_unindented '__EOF__';
@@ -482,10 +470,6 @@ sub generate_script_3($) {
     dump_mark_layout;
     emit_unindented '__EOF__';
 
-    pop_indent;
-
-    emit "fi\n";
-
     emit '> ${VARDIR}/nat';
 
     add_addresses;
@@ -527,26 +511,9 @@ sub generate_script_3($) {
     emithd <<"EOF";
     set_state Started $config_dir
     run_restored_exit
-elif [ \$COMMAND = refresh ]; then
-    chainlist_reload
+else
+    setup_netfilter
 EOF
-    push_indent;
-    setup_load_distribution;
-    setup_forwarding( $family , 0 );
-    pop_indent;
-    #
-    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-    #
-    emit( '    run_refreshed_exit',
-	  '    do_iptables -N shorewall' );
-
-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
-
-    emit( "    set_state Started $config_dir",
-	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-	  'else',
-	  '    setup_netfilter'	);
-
     push_indent;
     emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
@@ -581,9 +548,6 @@ case $COMMAND in
     reload)
         mylogger kern.info "$g_product reloaded"
         ;;
-    refresh)
-        mylogger kern.info "$g_product refreshed"
-        ;;
     restore)
         mylogger kern.info "$g_product restored"
         ;;
@@ -618,8 +582,8 @@ sub compile_info_command() {
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
+       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
     $test           = 0;
@@ -648,7 +612,6 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
-		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -656,7 +619,6 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
-		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -693,7 +655,7 @@ sub compiler {
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate , $inline );
+    get_configuration( $export , $update , $annotate );
     #
     # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
     # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -816,7 +778,7 @@ sub compiler {
     #
     # Setup Masquerade/SNAT
     #
-    setup_snat( $update );
+    setup_snat;
     #
     # Setup Nat
     #
@@ -919,7 +881,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3( $chains );
+	generate_script_3();
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall

Shorewall/Perl/Shorewall/Config.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -414,7 +414,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		                    'Old conntrack match syntax',
 		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
-		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
@@ -498,6 +497,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                  NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+		 #
+		 # Helpers
+		 #
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -560,7 +562,9 @@ our %helpers = ( amanda          => UDP,
 		 sip             => UDP,
 		 snmp            => UDP,
 		 tftp            => UDP,
-	       );
+    );
+
+use constant { INCLUDE_LIMIT     => 20 };
 
 our %helpers_map;
 
@@ -591,8 +595,6 @@ our %config_files = ( #accounting      => 1,
 		      policy	       => 1,
 		      providers	       => 1,
 		      proxyarp	       => 1,
-		      refresh	       => 1,
-		      refreshed	       => 1,
 		      restored	       => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
@@ -667,7 +669,6 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
-our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -709,14 +710,14 @@ our %validlevels;            # Valid log levels.
 #
 # Deprecated options with their default values
 #
-our %deprecated = ( LEGACY_RESTART => 'no' ,
-		    INLINE_MATCHES => 'no' ,
+our %deprecated = (
+		   LEGACY_RESTART => 'no' ,
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = (
-		  LEGACY_RESTART => 1
+		    LEGACY_RESTART => 1 ,
 		 );
 #
 # Eliminated options
@@ -731,6 +732,8 @@ our %eliminated = ( LOGRATE          => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                     MODULE_SUFFIX    => 1,
+                    MAPOLDACTIONS    => 1,
+		    INLINE_MATCHES   => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -835,8 +838,8 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.12",
-		    CAPVERSION              => 50112 ,
+		    VERSION                 => '5.2.0-Beta1',
+		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -880,6 +883,7 @@ sub initialize( $;$$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
+	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@@ -938,7 +942,6 @@ sub initialize( $;$$$) {
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
 	  SAVE_ARPTABLES => undef,
-	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
@@ -981,7 +984,6 @@ sub initialize( $;$$$) {
 	  USE_RT_NAMES => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
-	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
@@ -995,6 +997,7 @@ sub initialize( $;$$$) {
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
+	  RENAME_COMBINED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1052,7 +1055,6 @@ sub initialize( $;$$$) {
 	       CONNTRACK_MATCH => undef,
 	       NEW_CONNTRACK_MATCH => undef,
 	       OLD_CONNTRACK_MATCH => undef,
-	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
 	       PHYSDEV_BRIDGE => undef,
@@ -2393,8 +2395,6 @@ sub clear_comment();
 sub split_line2( $$;$$$ ) {
     my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
 
-    my $inlinematches = $config{INLINE_MATCHES};
-
     my ( $columns, $pairs, $rest );
 
     my $currline = $currentline;
@@ -2426,11 +2426,11 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # Don't look for matches below
 	    #
-	    $inline = $inlinematches = '';
+	    $inline = '';
 	}
     }
     #
-    # Next, see if there is a semicolon on the line; what follows will be column/value pairs or raw iptables input
+    # Next, see if there is a single semicolon on the line; what follows will be column/value pairs
     #
     ( $columns, $pairs, $rest ) = split( ';', $currline );
 
@@ -2439,46 +2439,6 @@ sub split_line2( $$;$$$ ) {
 	# Found it -- be sure there wasn't more than one.
 	#
 	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
-
-	if ( $inlinematches ) {
-	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
-
-	    warning_message "This entry needs to be changed (replace ';' with ';;') before the INLINE_MATCHES option is removed in Shorewall 5.2";
-
-	    $inline_matches = $pairs;
-
-	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
-		#
-		# Pairs are enclosed in curly brackets.
-		#
-		$columns = $1;
-		$pairs   = $2;
-	    } else {
-		$pairs = '';
-	    }
-	} elsif ( $inline ) {
-	    #
-	    # This file supports INLINE or IPTABLES
-	    #
-	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
-		$inline_matches = $pairs;
-
-		warning_message "This entry needs to be changed before Shorewall 5.2 (replace ';' with ';;'). '$globals{PRODUCT} update' will do that for you";
-
-		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
-		    #
-		    # Pairs are enclosed in curly brackets.
-		    #
-		    $columns = $1;
-		    $pairs   = $2;
-		} else {
-		    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
-		    $pairs = '';
-		}
-	    } 
-	} elsif ( $checkinline ) {
-	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
-	}
     } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
@@ -2569,6 +2529,10 @@ sub split_rawline2( $$;$$$ ) {
     # Delete trailing comment
     #
     $currentline =~ s/\s*#.*//;
+    #
+    # Convert ${...} to $...
+    #
+    $currentline =~ s/\$\{(.*?)\}/\$$1/g;
 
     my @result = &split_line2( @_ );
 
@@ -3066,9 +3030,9 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      my $val = $actparams{$var} = evaluate_expression ( $expression,
-									$filename,
-									$linenumber,
-									0  );
+									 $filename,
+									 $linenumber,
+									 0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
@@ -3362,7 +3326,7 @@ sub copy1( $ ) {
 			my @line = split / /;
 
 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 			my $filename = find_file $line[1];
 
@@ -3572,7 +3536,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
     my $multiline = shift;
 
-    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
     my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
 
     $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3659,7 +3623,7 @@ sub embedded_perl( $ ) {
     $embedded--;
 
     if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 	assert( close $perlscript );
 
@@ -4013,7 +3977,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;
 
 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 		my $filename = find_file $line[1];
 
@@ -4796,10 +4760,6 @@ sub IPSET_V5() {
     $result;
 }
 
-sub Usepkttype() {
-    qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
-}
-
 sub Addrtype() {
     qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
@@ -5155,7 +5115,6 @@ our %detect_capability =
       TIME_MATCH => \&Time_Match,
       TPROXY_TARGET => \&Tproxy_Target,
       UDPLITEREDIRECT => \&Udpliteredirect,
-      USEPKTTYPE => \&Usepkttype,
       XCONNMARK_MATCH => \&Xconnmark_Match,
       XCONNMARK => \&Xconnmark,
       XMARK => \&Xmark,
@@ -5266,7 +5225,6 @@ sub determine_capabilities() {
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
@@ -5503,7 +5461,33 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
     } else {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
-    }	
+    }
+
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
+	my $policy = $config{ $_ };
+
+	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
+	    } else {
+		$policy =~ s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+	    }
+	} elsif ( $policy =~ /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
+	    } else {
+		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+	    }
+	} elsif ( $policy =~ /\b(?:Drop|Reject)\b/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
+	    } else {
+		$policy =~ s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
+	    }
+	}
+
+	$config{$_} = $policy;
+    }
 
     my $fn;
 
@@ -5544,7 +5528,13 @@ sub update_config_file( $ ) {
 			#
 			# OPTION='' - use default if 'Yes' or 'No'
 			#
-			$config{$var} = $val = $default if $default eq 'Yes' || $default eq 'No';
+			if ( $default eq 'Yes' || $default eq 'No' ) {
+			    $config{$var} = $val = $default;
+			} elsif ( $var eq 'CONFIG_PATH' ) {
+			    $val =~ s|^/etc/|\${CONFDIR}|;
+			    $val =~ s|:/etc/|:\${CONFDIR}/g|;
+			    $val =~ s|:/usr/share/|:\${SHAREDIR}|g;
+			}
 		    } else {
 			#
 			# Wasn't mentioned in old file - use default value
@@ -5552,7 +5542,6 @@ sub update_config_file( $ ) {
 			$config{$var} = $val = $default;
 
 		    }
-
 		}
 		if ( supplied $val ) {
 		    #
@@ -6033,11 +6022,12 @@ sub export_params() {
 }
 
 #
-# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
-# Convert single semicolons to double semicolons in lines beginning with 'INLINE',
-# IPTABLES or IP6TABLES
+# Walk the CONFIG_PATH converting
+# - FORMAT and COMMENT lines to compiler directives
+# - single semicolons to double semicolons in lines beginning with 'INLINE', IPTABLES or IP6TABLES
+# - Rename macros/actions to their 5.2 counterparts
 #
-sub convert_to_directives() {
+sub convert_to_version_5_2() {
     my $sharedir = $shorewallrc{SHAREDIR};
     #
     # Make a copy of @config_path so that the for-loop below doesn't clobber that list
@@ -6048,7 +6038,7 @@ sub convert_to_directives() {
 
     my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
 
-    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives and replacing single semicolons in INLINE, IPTABLES and IP6TABLES rules...";
+    progress_message3 "Performing Shorewall 5.2 conversions...";
 
     for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -6059,43 +6049,129 @@ sub convert_to_directives() {
 
 		opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";
 
-		while ( my $file = readdir( $dirhandle ) ) {
-		    unless ( $file eq 'capabilities'       ||
-			     $file eq 'params'             ||
-			     $file =~ /^shorewall6?.conf$/ ||
-			     $file =~ /\.bak$/ ) {
-			$file = "$dir/$file";
-		
-			if ( -f $file && -w _ ) {
+		while ( my $fname = readdir( $dirhandle ) ) {
+		    unless ( $fname eq 'capabilities'       ||
+			     $fname eq 'params'             ||
+			     $fname =~ /^shorewall6?.conf$/ ||
+			     $fname =~ /\.bak$/ ) {
+			#
+			# File we are interested in
+			#
+			my $fullname = "$dir/$fname";
+
+			if ( -f $fullname && -w _ ) {
 			    #
 			    # writeable regular file
 			    #
-			    my $result = system << "EOF";
-			    perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
-                                             /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
-                                             if ( /^\\s*COMMENT\\s+/ ) {
-                                                 s/COMMENT/?COMMENT/;
-                                             } elsif ( /^\\s*COMMENT\\s*\$/ ) {
-                                                 s/COMMENT/?COMMENT/;
-                                             }
-                                             if ( /^\\s*(?:INLINE|IP6?TABLES)/ ) {
-                                                 s/;/;;/ unless /;;/;
-                                             }' $file
-EOF
-			    if ( $result == 0 ) {
-				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
-				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
-				} elsif ( rename "${file}.bak" , $file ) {
-				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
-				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
+			    my $v5_2_update = ( $fname eq 'rules'          ||
+						$fname =~ /^action\./      ||
+						$fname =~ /^macro\./       ||
+						$fname eq 'snat'           ||
+						$fname eq 'mangle'         ||
+						$fname eq 'conntrack'      ||
+						$fname eq 'accounting'     ||
+						$fname eq 'masq'           ||
+						$fname eq 'policy' );
+			    my $is_policy   = ( $fname eq 'policy' );
+			    my @file;
+			    my ( $ifile, $ofile );
+			    my $omitting = 0;
+			    my $changed;
+
+			    open $ifile, '<', "$fullname" or fatal_error "Unable to open $fullname: $!";
+
+			    while ( <$ifile> ) {
+				if ( $omitting ) {
+				    $omitting = 0, next if /\s*\??end\s+(?:perl|shell)/i;
 				} else {
-				    warning message "Unable to rename ${file}.bak to $file:$!";
+				    $omitting = 1, next if /\s*\??begin\s+(?:perl|shell)/i;
 				}
+
+				unless ( $omitting || /^\s*[#?]/ ) {
+				    if ( /^\s*FORMAT\s+/ ) {
+					s/FORMAT/?FORMAT/;
+					$changed = 1;
+				    }
+
+				    if ( /^\s*SECTION\s+/ ) {
+					s/SECTION/?SECTION/;
+					$changed = 1;
+				    }
+
+				    if ( /^\s*COMMENT\s+/ ) {
+					s/COMMENT/?COMMENT/;
+					$changed = 1;
+				    } elsif ( /^\\s*COMMENT\\s*\$/ ) {
+					s/COMMENT/?COMMENT/;
+				    }
+
+				    if ( $v5_2_update ) {
+					if ( /\bA_AllowICMPs\b/ ) {
+					    s/A_AllowICMPs/AllowICMPs(A_ACCEPT)/;
+					    $changed = 1;
+					}
+
+					if ( $is_policy ) {
+					    if ( /\bA_(?:Drop|Reject)\b/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
+						} else {
+						    s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+						}
+
+						$changed = 1;
+					    } elsif ( /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
+						} else {
+						    s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+						}
+
+						$changed = 1;
+					    } elsif ( /\b(?:Drop|Reject)\b/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
+						} else {
+						    s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
+						}
+
+						$changed = 1;
+					    }
+					} else {
+					    unless ( /;;/ ) {
+						if ( /^\s*(?:INLINE|IP6?TABLES)/ ) {
+						    s/;/;;/;
+						    $changed = 1;
+						} elsif ( /^[^#]*;\s*-[mgj]/ ) {
+						    s/;/;;/;
+						    $changed = 1;
+						}
+					    }
+
+					    if ( /\bSMTPTrap\b/ ) {
+						s/SMTPTrap/SMTPtrap/;
+						$changed = 1;
+					    }
+					}
+				    }
+				}
+
+				push @file, $_;
+			    }
+
+			    close $ifile;
+
+			    if ( $changed ) {
+				fatal_error "Can't rename $fullname to $fullname.bak" unless rename $fullname, "$fullname.bak";
+				open $ofile, '>', "$fullname" or fatal_error "Unable to open $fullname: $!";
+				print $ofile $_ for @file;
+				close $ofile;
+				progress_message3 "   File $fullname updated - old file renamed ${fullname}.bak";
 			    } else {
-				warning_message ("Unable to update file $file" );
+				progress_message "   File $file not updated -- no update required";
 			    }
 			} else {
-			    warning_message( "$file skipped (not writeable)" ) unless -d _;
+			    warning_message( "$fullname skipped (not writeable)" ) unless -d _;
 			}
 		    }
 		}
@@ -6112,9 +6188,9 @@ EOF
 # - Read the capabilities file, if any
 # - establish global hashes %params, %config , %globals and %capabilities
 #
-sub get_configuration( $$$$ ) {
+sub get_configuration( $$$ ) {
 
-    ( my ( $export, $update, $annotate ) , $checkinline ) = @_;
+    my ( $export, $update, $annotate ) = @_;
 
     $globals{EXPORT} = $export;
 
@@ -6416,7 +6492,6 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'SAVE_ARPTABLES'             , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
-    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
 
     warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
 
@@ -6472,6 +6547,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'AUTOCOMMENT'                , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
+    default_yes_no 'RENAME_COMBINED'            , 'Yes';
 
     if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6491,7 +6567,6 @@ sub get_configuration( $$$$ ) {
 	$origin{$_} ||= '';
     }
 	    
-    default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
     default_yes_no 'WORKAROUNDS'                , 'Yes';
     default_yes_no 'DOCKER'                     , '';
@@ -6524,11 +6599,14 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
-    default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
     default_yes_no 'USE_NFLOG_SIZE'             , '';
 
+    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
+	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
+    }
+
     if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
@@ -6725,6 +6803,13 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_BACKEND} = $val;
     }
 
+    if ( supplied( $val = $config{LOG_ZONE} ) ) {
+	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
+	$config{LOG_ZONE} = lc( $val );
+    } else {
+	$config{LOG_ZONE} = 'both';
+    }
+
     warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
 
     default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6970,7 +7055,7 @@ sub get_configuration( $$$$ ) {
 	$variables{$var} = $config{$val};
     }
 
-    convert_to_directives if $update;
+    convert_to_version_5_2 if $update;
 
     cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -60,6 +60,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
+		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -98,12 +99,14 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
+our $loopback_address;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
+	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -370,6 +373,10 @@ sub rfc1918_networks() {
     @rfc1918_networks
 }
 
+sub loopback_address() {
+    $loopback_address;
+}
+
 #
 # Protocol/port validation
 #
@@ -755,6 +762,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
+	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -767,6 +775,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
+	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -810,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2554,9 +2554,6 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
-	        refresh)
-	            mylogger kern.err "ERROR:$g_product refresh failed"
-	            ;;
                 enable)
                     mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -37,7 +37,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
+    my $have_masq_rules;
+
     if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 
-	my $have_masq_rules;
-
 	directive_callback(
 	    sub ()
 	    {
@@ -647,6 +647,8 @@ sub convert_masq() {
 
 	close $snat, directive_callback( 0 );
     }
+
+    $have_masq_rules;
 }
 
 #

Shorewall/Perl/Shorewall/Proc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -2368,7 +2368,7 @@ sub handle_optional_interfaces() {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore|refresh)'
+		  '        start|reload|restore)'
 		);
 
 	    if ( $family == F_IPV4 ) {

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Rules.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -112,6 +112,13 @@ our %section_functions = ( ALL_SECTION ,        \&rules_chain,
 			   UNTRACKED_SECTION,   \&untracked_chain,
 			   NEW_SECTION,         \&rules_chain );
 
+our %log_functions = ( ALL_SECTION ,         \&rules_log ,
+		       BLACKLIST_SECTION ,   \&blacklist_log ,
+		       ESTABLISHED_SECTION , \&established_log ,
+		       RELATED_SECTION ,     \&related_log ,
+		       INVALID_SECTION ,     \&invalid_log ,
+		       UNTRACKED_SECTION ,   \&untracked_log ,
+		       NEW_SECTION ,         \&rules_log );
 #
 # Section => STATE map - initialized in process_rules().
 #
@@ -403,8 +410,8 @@ sub initialize( $ ) {
 #
 # Create a rules chain
 #
-sub new_rules_chain( $ ) {
-    my $chainref = new_chain( 'filter', $_[0] );
+sub new_rules_chain( $$ ) {
+    my $chainref = new_chain( 'filter', &rules_chain( @_ ), &rules_log( @_ ) );
 
     if ( $config{FASTACCEPT} ) {
 	if ( $globals{RELATED_TARGET} eq 'ACCEPT' && ! $config{RELATED_LOG_LEVEL} ) {
@@ -445,7 +452,7 @@ sub new_policy_chain($$$$$)
 {
     my ($source, $dest, $policy, $provisional, $audit) = @_;
 
-    my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_rules_chain( ${source}, ${dest} );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
 
@@ -455,9 +462,11 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$$)
+sub set_policy_chain($$$$$)
 {
-    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ( $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+
+    my $chain = rules_chain( $source, $dest );
 
     my $chainref = $filter_table->{$chain};
 
@@ -467,7 +476,7 @@ sub set_policy_chain($$$$$$)
 	    $chainref->{provisional} = '';
 	}
     } else {
-	$chainref = new_rules_chain $chain;
+	$chainref = new_rules_chain( $source, $dest );
     }
 
     unless ( $chainref->{policychain} ) {
@@ -483,6 +492,7 @@ sub set_policy_chain($$$$$$)
 	    if ( defined $polchainref->{synparams} ) {
 		$chainref->{synparams}   = $polchainref->{synparams};
 		$chainref->{synchain}    = $polchainref->{synchain};
+		$chainref->{synlog}      = $polchainref->{synlog};
 	    }
 
 	    $chainref->{pactions}    = $polchainref->{pactions} || [];
@@ -743,7 +753,8 @@ sub process_a_policy1($$$$$$$) {
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
-	$chainref->{synchain}  = $chain
+	$chainref->{synchain}  = $chain;
+	$chainref->{synlog}    = '@' . $chainref->{logname};
     }
 
     $chainref->{pactions} = $pactionref;
@@ -753,19 +764,19 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
     } else {
@@ -832,6 +843,8 @@ sub save_policies() {
     }
 }
 
+sub ensure_rules_chain( $$ );
+
 #
 # Process the policy file
 #
@@ -881,19 +894,15 @@ sub process_policies()
 	if ( $type == LOCAL ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
-		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
-		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -1062,7 +1071,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
     progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
 
-sub ensure_rules_chain( $ );
+sub finish_chain_sections( $ );
 
 #
 # Finish all policy Chains
@@ -1086,13 +1095,13 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( @$defaults         ||
-						  $loglevel          ||
-						  $synparams         ||
-						  $config{MULTICAST} ||
-						  ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
+		    finish_chain_sections( $chainref ) if ( @$defaults         ||
+							    $loglevel          ||
+							    $synparams         ||
+							    $config{MULTICAST} ||
+							    ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
-		    ensure_rules_chain $name;
+		    finish_chain_sections( $chainref );
 		}
 	    }
 
@@ -1149,13 +1158,14 @@ sub setup_syn_flood_chains() {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref = @zones > 1 ?
-		    new_chain 'filter' , syn_flood_chain $chainref :
-		    new_chain( 'filter' , '@' . $chainref->{name} );
+	    my $synchainref =
+		@zones > 1 ?
+		new_chain( 'filter' , syn_flood_chain $chainref , $chainref->{synlog} ) :
+		new_chain( 'filter' , '@' . $chainref->{name}   , '@' . $chainref->{logname} );
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $synchainref->{name} ,
+			     $synchainref->{logname} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@@ -1222,12 +1232,12 @@ sub finish_chain_section ($$$) {
 		    if ( $twochains ) {
 			$chain2ref = $chainref;
 		    } else {
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" );
+			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
 		    }
 
 		    log_rule_limit( $level,
 				    $chain2ref,
-				    $chain2ref->{name},
+				    $chain2ref->{logname},
 				    uc $target,
 				    $globals{LOGLIMIT},
 				    $tag ,
@@ -1306,20 +1316,9 @@ sub finish_chain_section ($$$) {
     pop_comment( $save_comment );
 }
 
-#
-# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
-#
-# Return a reference to the chain's table entry.
-#
-sub ensure_rules_chain( $ )
-{
-    my ($chain) = @_;
+sub finish_chain_sections( $ ) {
+    my ( $chainref ) = @_;
 
-    my $chainref = $filter_table->{$chain};
-
-    $chainref = new_rules_chain( $chain ) unless $chainref;
-
-    unless ( $chainref->{referenced} ) {
 	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
@@ -1331,7 +1330,24 @@ sub ensure_rules_chain( $ )
 	}
 
 	$chainref->{referenced} = 1;
-    }
+}
+ 
+#
+# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
+#
+# Return a reference to the chain's table entry.
+#
+sub ensure_rules_chain( $$ )
+{
+    my ($source, $dest) = @_;
+
+    my $chain = rules_chain( $source, $dest );
+
+    my $chainref = $filter_table->{$chain};
+
+    $chainref = new_rules_chain( $source, $dest ) unless $chainref;
+
+    finish_chain_sections( $chainref ) unless $chainref->{referenced};
 
     $chainref;
 }
@@ -1714,34 +1730,6 @@ sub isolate_basic_target( $ ) {
     $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
 
-#
-# Map pre-3.0 actions to the corresponding Macro invocation
-#
-
-sub find_old_action ( $$$ ) {
-    my ( $target, $macro, $param ) = @_;
-
-    if ( my $actiontype = find_macro( $macro ) ) {
-	( $macro, $actiontype , $param );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
-sub map_old_actions( $ ) {
-    my $target = shift;
-
-    if ( $target =~ /^Allow(.*)$/ ) {
-	find_old_action( $target, $1, 'ACCEPT' );
-    } elsif ( $target =~ /^Drop(.*)$/ ) {
-	find_old_action( $target, $1, 'DROP' );
-    } elsif ( $target = /^Reject(.*)$/ ) {
-	find_old_action( $target, $1, 'REJECT' );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -2630,10 +2618,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
-    if ( $config{ MAPOLDACTIONS } ) {
-	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
-    }
-
     fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
     $usergenerated = $actiontype & IPTABLES;
@@ -2999,7 +2983,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
-	$chainref = ensure_rules_chain $chain;
+	$chainref = ensure_rules_chain ${sourcezone}, ${destzone};
 	#
 	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
 	#
@@ -3009,7 +2993,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	    unless ( $auxref ) {
 		my $save_comment = push_comment;
-		$auxref = new_chain 'filter', $auxchain;
+		$auxref = new_chain 'filter', $auxchain, $log_functions{$section}->( $sourcezone, $destzone );
 		$auxref->{blacklistsection} = 1 if $blacklist;
 
 		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
@@ -5867,23 +5851,15 @@ sub process_snat( )
 }
 
 #
-# Process the masq or snat file
+# Process the snat file. Convert the masq file if found and non-empty
 #
-sub setup_snat( $ ) # Convert masq->snat if true
+sub setup_snat()
 {
     my $fn;
-    my $have_masq;
 
-    if ( $_[0] ) {
-	convert_masq();
-    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
-    }
-
-    unless ( $have_masq ) {
+    unless ( convert_masq ) {
 	#
-	# Masq file empty or didn't exist
+	# Masq file was empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
+		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
 
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
 
-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
+	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
 
 	$gateways = ALLIP if $gateways eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -2031,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore|refresh)' );
+	    emit( 'start|reload|restore)' );
 	    push_indent;
 	}
 

Shorewall/Perl/compiler.pl

@@ -32,7 +32,6 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
-#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -40,7 +39,6 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
-#         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -64,7 +62,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --timestamp ]
     [ --debug ]
     [ --confess ]
-    [ --refresh=<chainlist> ]
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
@@ -75,7 +72,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --shorewallrc=<pathname> ]
     [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
-    [ --inline ]
 _EOF_
 
 exit shift @_;
@@ -90,7 +86,6 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
-my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -102,7 +97,6 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
-my $inline        = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -117,8 +111,6 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
-			'r=s'             => \$chains,
-			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -132,7 +124,6 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
-			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -147,7 +138,6 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
-	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -159,5 +149,4 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
-	  inline          => $inline,
 	);

Shorewall/Perl/lib.runtime

@@ -675,7 +675,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1101,7 +1101,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?

Shorewall/Samples/Universal/shorewall.conf

@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -199,8 +199,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -219,6 +217,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=Yes
 
 RESTART=restart

Shorewall/Samples/one-interface/shorewall.conf

@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Off
@@ -210,8 +210,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -230,6 +228,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -53,6 +53,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -191,8 +193,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -207,8 +207,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -227,6 +225,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -210,8 +210,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -230,6 +228,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/actions.std

@@ -8,11 +8,8 @@
 #
 ###############################################################################
 #ACTION
-A_AllowICMPs inline		# Audited version of AllowICMPs
-A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
-A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -27,7 +24,6 @@ Broadcast    inline,audit	# Handles Broadcast/Anycast
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 ?endif
 DNSAmp	     proto=17		# Matches one-question recursive DNS queries
-Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
@@ -54,7 +50,6 @@ New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
 	     proto=6
 rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
-Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event

Shorewall/configfiles/masq

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/masq
-#
-# For information about entries in this file, type "man shorewall-masq"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-masq.html
-#
-###################################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/configfiles/shorewall.conf

@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -199,8 +199,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
@@ -219,6 +217,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/install.sh

@@ -1231,6 +1231,19 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
+#
+# Remove deleted actions and macros
+#
+if [ $PRODUCT = shorewall ]; then
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_AllowICMPs
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Drop
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Reject
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Drop
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Reject
+
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps
+fi
+
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
     if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then

Shorewall/lib.cli-std

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli-std
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -281,10 +281,18 @@ get_config() {
 
     case $AUTOMAKE in
 	Yes|yes)
+	    AUTOMAKE=1
 	    ;;
 	No|no)
 	    AUTOMAKE=
 	    ;;
+	[1-9])
+	    ;;
+	[1-9][0-9])
+	    ;;
+	[Rr]ecursive)
+	    AUTOMAKE=recursive
+	    ;;
 	*)
 	    if [ -n "$AUTOMAKE" ]; then
 		fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)"
@@ -397,10 +405,22 @@ uptodate() {
 	    #
 	    # Busybox 'find' doesn't support -quit.
 	    #
-	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print)" ]; then
+	    if [ $AUTOMAKE = recursive ]; then
+		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
+		    return 1;
+		fi
+	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+	elif [ "$AUTOMAKE" = recursive ]; then
+	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
+	elif [ -z "$AUTOMAKE" ]; then
+	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
+	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
     done
@@ -445,7 +465,7 @@ compiler() {
     get_config Yes
 
     case $COMMAND in
-	*start|try|refresh|reload|restart|safe-*)
+	*start|try|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -487,11 +507,9 @@ compiler() {
     [ -n "$g_test" ]           && options="$options --test"
     [ -n "$g_preview" ]        && options="$options --preview"
     [ "$g_debugging" = trace ] && options="$options --debug"
-    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
     [ -n "$g_confess" ]        && options="$options --confess"
     [ -n "$g_update" ]         && options="$options --update"
     [ -n "$g_annotate" ]       && options="$options --annotate"
-    [ -n "$g_inline" ]         && options="$options --inline"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -596,10 +614,6 @@ start_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
@@ -641,24 +655,24 @@ start_command() {
     esac
 
     if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/firewall; then
+	if ! uptodate $g_firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
     fi
 
     if [ -n "$AUTOMAKE" ]; then
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging start
+	[ -n "$g_nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging start
 	rc=$?
-	[ -n "$nolock" ] || mutex_off
+	[ -n "$g_nolock" ] || mutex_off
     else
 	g_file="${VARDIR}/.start"
-	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.start $g_debugging start
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product start failed"
@@ -710,10 +724,6 @@ compile_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			-)
 			    finished=1
 			    option=
@@ -734,7 +744,7 @@ compile_command() {
 
     case $# in
 	0)
-	    [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && g_file=firewall || g_file=$g_firewall
 	    ;;
 	1)
 	    g_file=$1
@@ -808,10 +818,6 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -848,7 +854,7 @@ check_command() {
 
     g_doing="Checking"
 
-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }
 
 #
@@ -896,16 +902,11 @@ update_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			a*)
 			    g_annotate=Yes
 			    option=${option#a}
 			    ;;
 			A*)
-			    g_inline=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -944,7 +945,7 @@ update_command() {
 
     g_doing="Updating"
 
-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }
 
 #
@@ -995,7 +996,6 @@ restart_command() {
 			    option=${option#T}
 			    ;;
 			i*)
-			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
@@ -1041,114 +1041,27 @@ restart_command() {
     [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
 
     if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	uptodate ${VARDIR}/firewall && g_fast=Yes
+	uptodate $g_firewall && g_fast=Yes
     fi
 
     g_file="${VARDIR}/.${COMMAND}"
 
     if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
     else
-	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
-	rc=$?
-	[ -n "$nolock" ] || mutex_off
-    fi
-
-    return $rc
-}
-
-#
-# Refresh Command Executor
-#
-refresh_command() {
-    local finished
-    finished=0
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			d*)
-			    g_debug=Yes
-			    option=${option#d}
-			    ;;
-			n*)
-			    g_noroutes=Yes
-			    option=${option#n}
-			    ;;
-			T*)
-			    g_confess=Yes
-			    option=${option#T}
-			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
-			D)
-			    if [ $# -gt 1 ]; then
-				g_shorewalldir="$2"
-				option=
-				shift
-			    else
-				fatal_error "The -D option requires a directory name"
-			    fi
-			    ;;
-			*)
-			    option_error $option
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    if [ $# -gt 0 ]; then
-	g_refreshchains=$1
-	shift
-
-	while [ $# -gt 0 ]; do
-	    g_refreshchains="$g_refreshchains,$1"
-	    shift
-	done
-    else
-	g_refreshchains=:refresh:
-    fi
-
-    product_is_started || fatal_error "$g_product is not running"
-
-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
-
-    g_file="${VARDIR}/.refresh"
-
-    if compiler $g_debugging $nolock compile "$g_file"; then
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/.refresh $g_debugging refresh
-	rc=$?
-	[ -n "$nolock" ] || mutex_off
-    else
+	[ -x $g_firewall ] || fatal_error "No $g_firewall file found"
+	[ -n "$g_nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
+	[ -n "$g_nolock" ] || mutex_off
     fi
 
     return $rc
@@ -1311,7 +1224,7 @@ safe_commands() {
 	    ;;
     esac
 
-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on
 
     if run_it ${VARDIR}/.$command $g_debugging $command; then
 
@@ -1326,7 +1239,7 @@ safe_commands() {
 		run_it ${VARDIR}/.$command clear
 	    fi
 
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 
 	    echo "New configuration has been rejected and the old one restored"
 	    exit 2
@@ -1334,7 +1247,7 @@ safe_commands() {
 
     fi
 
-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off
 }
 
 #
@@ -1424,7 +1337,7 @@ try_command() {
 
     g_file="${VARDIR}/.$command"
 
-    if ! compiler $g_debugging $nolock compile "$g_file"; then
+    if ! compiler $g_debugging $g_nolock compile "$g_file"; then
 	status=$?
 	exit $status
     fi
@@ -1444,7 +1357,7 @@ try_command() {
 	    ;;
     esac
 
-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on
 
     if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
@@ -1456,7 +1369,7 @@ try_command() {
 	fi
     fi
 
-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off
 
     return 0
 }
@@ -1474,10 +1387,163 @@ rcp_command() {
     eval $RCP_COMMAND
 }
 
+#
+# Remote-{getcaps|getrc} command executer
+#
+remote_capture() # $* = original arguments less the command.
+{
+    local verbose
+    verbose=$(make_verbose)
+    local finished
+    finished=0
+    local system
+    local getrc
+    getrc=
+    local getcaps
+    getcaps=
+    local remote_sw_dir_path
+    remote_sw_dir_path=
+    local root
+    root=root
+    local libexec
+    libexec=${LIBEXECDIR}
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			R*)
+			    getrc=Yes
+			    option=${option#R}
+			    ;;
+			c*)
+			    getcaps=Yes
+			    option=${option#c}
+			    ;;
+			r)
+			    [ $# -gt 1 ] || fatal_error "Missing Root User name"
+			    root=$2
+			    option=
+			    shift
+			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
+			p)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    remote_sw_dir_path=$2
+			    option=
+			    shift
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			*)
+			    option_error $option
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
+	    ;;
+	1)
+	    g_shorewalldir="."
+	    system=$1
+	    ;;
+	2)
+	    g_shorewalldir=$1
+	    system=$2
+	    ;;
+	*)
+	    too_many_arguments $3
+	    ;;
+    esac
+
+    g_export=Yes
+
+    ensure_config_path
+
+    get_config Yes
+
+    g_haveconfig=Yes
+
+    if [ -z "$system" ]; then
+        system=$FIREWALL
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+    fi
+
+    case $COMMAND in
+        remote-getrc)
+            getrc=Yes
+            ;;
+        remote-getcaps)
+            getcaps=Yes
+            ;;
+    esac
+
+    [ -n "$getcaps" ] && getrc=Yes
+
+    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
+        progress_message2 "Getting shorewallrc file on system $system..."
+
+        if [ -n "$remote_sw_dir_path" ]; then
+            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
+                fatal_error "Capturing RC file on system $system failed"
+            fi
+        elif ! rsh_command "/sbin/shorewall-lite show rc" > $g_shorewalldir/shorewallrc; then
+            fatal_error "Capturing RC file on system $system failed"
+        fi
+    fi
+
+    remote_sw_dir_path=
+
+    if [ -n "$getcaps" -o ! -s $g_shorewalldir/capabilities ]; then
+        if [ -f $g_shorewalldir/shorewallrc -a -s $g_shorewalldir/shorewallrc ]; then
+            . $g_shorewalldir/shorewallrc
+            libexec="$LIBEXECDIR"
+
+            [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
+            progress_message2 "Getting Capabilities on system $system..."
+
+            if [ $g_family -eq 4 ]; then
+                if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+                    fatal_error "Capturing capabilities on system $system failed"
+                fi
+            elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+                fatal_error "Capturing capabilities on system $system failed"
+            fi
+        else
+            fatal_error "$g_shorewalldir/shorewallrc is not present."
+        fi
+    fi
+}
+
 #
 # Remote-{start|reload|restart} command executor
 #
-remote_reload_command() # $* = original arguments less the command.
+remote_commands() # $* = original arguments less the command.
 {
     local verbose
     verbose=$(make_verbose)
@@ -1543,10 +1609,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -1594,34 +1656,26 @@ remote_reload_command() # $* = original arguments less the command.
 
     g_export=Yes
 
-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
-	if [ -f $g_shorewalldir/params ]; then
-	    . $g_shorewalldir/params
-	fi
+    ensure_config_path
 
-	ensure_config_path
+    get_config Yes
 
-	get_config No
+    g_haveconfig=Yes
 
-	g_haveconfig=Yes
-
-	if [ -z "$system" ]; then
-	    system=$FIREWALL
-	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	fi
-    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
+    if [ -z "$system" ]; then
+        system=$FIREWALL
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
     fi
 
     if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
-	[ -f $capabilities ] || getcaps=Yes
+	[ ! -f $capabilities -o ! -s $capabilities ] && getcaps=Yes
     fi
 
     if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
-	progress_message "Getting Capabilities on system $system..."
+	progress_message2 "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1637,6 +1691,7 @@ remote_reload_command() # $* = original arguments less the command.
     #
     # Handle nonstandard remote VARDIR
     #
+    progress_message2 "Getting VARDIR on system $system..."
     temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"
@@ -1777,11 +1832,11 @@ export_command() # $* = original arguments less the command.
 }
 
 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
-	run_it ${VARDIR}/firewall $g_debugging $@
+    if [ -x $g_firewall ] ; then
+	uptodate $g_firewall || echo "   WARNING: $g_firewall is not up to date" >&2
+	run_it $g_firewall $g_debugging $@
     else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
     fi
 }
 
@@ -1792,12 +1847,6 @@ compiler_command() {
 	    shift
 	    compile_command $@
 	    ;;
-	refresh)
-	    only_root
-	    get_config Yes Yes
-	    shift
-	    refresh_command $@
-	    ;;
 	check|ck)
 	    shift
 	    check_command $@
@@ -1808,7 +1857,7 @@ compiler_command() {
 	    ;;
 	remote-start|remote-reload|remote-restart)
 	    shift
-	    remote_reload_command $@
+	    remote_commands $@
 	    ;;
 	export)
 	    shift
@@ -1826,6 +1875,10 @@ compiler_command() {
 	    shift
 	    safe_commands $@
 	    ;;
+        remote-getrc|remote-getcaps)
+            shift
+            remote_capture $@
+            ;;
 	*)
 	    fatal_error "Invalid command: $COMMAND"
 	    ;;

Shorewall/manpages/shorewall-mangle.xml

@@ -374,8 +374,8 @@ DIVERTHA        -               -               tcp</programlisting>
 
               <listitem>
                 <para>Allows you to place your own ip[6]tables matches at the
-                end of the line following two semicolons (";;") (preferred) or
-                a single semicolon (";") (deprecated). If an
+                end of the line following a semicolon (";") (deprecated) or
+                two semicolons (";;") (preferred since Shoreall 5.0.0). If an
                 <replaceable>action</replaceable> is specified, the compiler
                 proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you

Shorewall/manpages/shorewall-masq.xml

@@ -1,781 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-masq</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>masq</refname>
-
-    <refpurpose>Shorewall Masquerade/SNAT definition file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall[6]/masq</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). While still supported, its use is deprecated in favor
-    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
-    introduced in Shorewall 5.0.14.</para>
-
-    <warning>
-      <para>The entries in this file are order-sensitive. The first entry that
-      matches a particular connection will be the one that is used.</para>
-    </warning>
-
-    <warning>
-      <para>If you have more than one ISP link, adding entries to this file
-      will <emphasis role="bold">not</emphasis> force connections to go out
-      through a particular link. You must use entries in <ulink
-      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
-      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
-      that.</para>
-    </warning>
-
-    <para>The columns in the file are as follows.</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
-        role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>[<emphasis
-        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
-        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
-
-        <listitem>
-          <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
-          comma-separated list of interface names. This is usually your
-          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
-
-          <para>Each interface must match an entry in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          entry that defines <filename
-          class="devicefile">ppp+</filename>.</para>
-
-          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          internet provider share a single interface</ulink>, the provider is
-          specified by including the provider name or number in
-          parentheses:</para>
-
-          <programlisting>        eth0(Avvanta)</programlisting>
-
-          <para>In that case, you will want to specify the interface's address
-          for that provider in the ADDRESS column.</para>
-
-          <para>The interface may be qualified by adding the character ":"
-          followed by a comma-separated list of destination host or subnet
-          addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular destinations.
-          Exclusion is allowed (see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
-
-          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
-          entry then include the ":" but omit the digit:</para>
-
-          <programlisting>        eth0(Avvanta):
-        eth2::192.0.2.32/27</programlisting>
-
-          <para>Normally Masq/SNAT rules are evaluated after those for
-          one-to-one NAT (defined in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, prefix the
-          interface name with "+":</para>
-
-          <programlisting>        +eth0
-        +eth0:192.0.2.32/27
-        +eth0:2</programlisting>
-
-          <para>This feature should only be required if you need to insert
-          rules in this file that preempt entries in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of ?COMMENT lines. These lines
-          begin with ?COMMENT; the remainder of the line is treated as a
-          comment which is attached to subsequent rules until another ?COMMENT
-          line is found or until the end of the file is reached. To stop
-          adding comments to rules, use a line containing only
-          ?COMMENT.</para>
-
-          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
-          With the exception of the leading '+', the interfacelist and
-          qualifiers may appear within the parentheses of <emphasis
-          role="bold">INLINE</emphasis>(...).</para>
-
-          <para>Example:</para>
-
-          <programlisting>        +INLINE(eth0)</programlisting>
-
-          <para>When this is done, you may augment the rule generated by
-          Shorewall with iptables matches of your own. These matches appear
-          after a semicolon (';') at the end of the line.</para>
-
-          <para>See example 8 below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
-        - Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
-
-        <listitem>
-          <para>Set of hosts that you wish to masquerade. You can specify this
-          as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis> (use of an
-          <emphasis>interface</emphasis> is deprecated). If you give the name
-          of an interface, the interface must be up before you start the
-          firewall and the Shorewall rules compiler will warn you of that
-          fact. (Shorewall will use your main routing table to determine the
-          appropriate addresses to masquerade).</para>
-
-          <para>The preferred way to specify the SOURCE is to supply one or
-          more host or network addresses separated by comma. You may use ipset
-          names preceded by a plus sign (+) to specify a set of hosts.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
-        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
-        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
-        role="bold">:random</emphasis>][:persistent]|<emphasis
-        role="bold">detect</emphasis>|<emphasis
-        role="bold">random</emphasis>]</term>
-
-        <listitem>
-          <para>If you specify an address here, SNAT will be used and this
-          will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
-          in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
-          Shorewall will automatically add this address to the INTERFACE named
-          in the first column.</para>
-
-          <para>You may also specify a range of up to 256 IP addresses if you
-          want the SNAT address to be assigned from that range in a
-          round-robin fashion by connection. The range is specified by
-          <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
-          You may follow the port range with<emphasis role="bold">
-          :random</emphasis> in which case assignment of ports from the list
-          will be random. <emphasis role="bold">random</emphasis> may also be
-          specified by itself in this column in which case random local port
-          assignments are made for the outgoing connections.</para>
-
-          <para>Example: 206.124.146.177-206.124.146.180</para>
-
-          <para>You may follow the port range (or <emphasis
-          role="bold">:random</emphasis>) with <emphasis
-          role="bold">:persistent</emphasis>. This is only useful when an
-          address range is specified and causes a client to be given the same
-          source/destination IP pair. This feature replaces the SAME modifier
-          which was removed from Shorewall in version 4.4.0. Unlike <emphasis
-          role="bold">random</emphasis>, <emphasis
-          role="bold">persistent</emphasis> may not be used by itself.</para>
-
-          <para>You may also use the special value "detect" which causes
-          Shorewall to determine the IP addresses configured on the interface
-          named in the INTERFACES column and substitute them in this
-          column.</para>
-
-          <para>Finally, you may also specify a comma-separated list of ranges
-          and/or addresses in this column.</para>
-
-          <para>This column may not contain DNS Names.</para>
-
-          <para>Normally, Netfilter will attempt to retain the source port
-          number. You may cause netfilter to remap the source port by
-          following an address or range (if any) by ":" and a port range with
-          the format
-          <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If this
-          is done, you must specify "tcp" or "udp" in the PROTO column.</para>
-
-          <para>Examples:</para>
-
-          <programlisting>        192.0.2.4:5000-6000
-        :4000-5000</programlisting>
-
-          <para>If you simply place <emphasis role="bold">NONAT</emphasis> in
-          this column, no rewriting of the source IP address or port number
-          will be performed. This is useful if you want particular traffic to
-          be exempt from the entries that follow in the file.</para>
-
-          <para>If you want to leave this column empty but you need to specify
-          the next column then place a hyphen ("-") here.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number
-          here.</para>
-
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          comma-separated list of protocols.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
-        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
-          SCTP (132) or UDPLITE (136) then you may list one or more port
-          numbers (or names from services(5)) or port ranges separated by
-          commas.</para>
-
-          <para>Port ranges are of the form
-          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
-        [<emphasis>option</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
-
-        <listitem>
-          <para>If you specify a value other than "-" in this column, you must
-          be running kernel 2.6 and your kernel and iptables must include
-          policy match support.</para>
-
-          <para>Comma-separated list of options from the following. Only
-          packets that will be encrypted via an SA that matches these options
-          will have their source address changed.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is specified using
-                setkey(8) using the 'unique:<emphasis>number</emphasis> option
-                for the SPD level.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is the SPI of the SA
-                used to encrypt/decrypt packets.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">proto=</emphasis><emphasis
-              role="bold">ah</emphasis>|<emphasis
-              role="bold">esp</emphasis>|<emphasis
-              role="bold">ipcomp</emphasis></term>
-
-              <listitem>
-                <para>IPSEC Encapsulation Protocol</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>sets the MSS field in TCP packets</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">mode=</emphasis><emphasis
-              role="bold">transport</emphasis>|<emphasis
-              role="bold">tunnel</emphasis></term>
-
-              <listitem>
-                <para>IPSEC mode</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">strict</emphasis></term>
-
-              <listitem>
-                <para>Means that packets must match all rules.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">next</emphasis></term>
-
-              <listitem>
-                <para>Separates rules; can only be used with strict</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">yes</emphasis></term>
-
-              <listitem>
-                <para>When used by itself, causes all traffic that will be
-                encrypted/encapsulated to match the rule.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
-        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
-        role="bold">:C</emphasis>]</term>
-
-        <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don't want to define a test but need to specify
-          anything in the following columns, place a "-" in this field.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>!</term>
-
-              <listitem>
-                <para>Inverts the test (not equal)</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>value</emphasis></term>
-
-              <listitem>
-                <para>Value of the packet or connection mark.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>mask</emphasis></term>
-
-              <listitem>
-                <para>A mask to be applied to the mark before testing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">:C</emphasis></term>
-
-              <listitem>
-                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
-
-        <listitem>
-          <para>This column was formerly labelled USER/GROUP.</para>
-
-          <para>Only locally-generated connections will match if this column
-          is non-empty.</para>
-
-          <para>When this column is non-empty, the rule matches only if the
-          program generating the output is running under the effective
-          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
-          specified (or is NOT running under that id if "!" is given).</para>
-
-          <para>Examples:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>joe</term>
-
-              <listitem>
-                <para>program must be run by joe</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>:kids</term>
-
-              <listitem>
-                <para>program must be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>!:kids</term>
-
-              <listitem>
-                <para>program must not be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>+upnpd</term>
-
-              <listitem>
-                <para>#program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>Beginning with Shorewall 4.5.10, when the
-          <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
-
-        <listitem>
-          <para>(Optional) Added in Shorewall 4.5.6. This column may be
-          included and may contain one or more addresses (host or network)
-          separated by commas. Address ranges are not allowed. When this
-          column is supplied, rules are generated that require that the
-          original destination address matches one of the listed addresses. It
-          is useful for specifying that SNAT should occur only for connections
-          that were acted on by a DNAT when they entered the firewall.</para>
-
-          <para>This column was formerly labelled ORIGINAL DEST.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [<replaceable>probability</replaceable>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.0. When non-empty, requires the
-          <firstterm>Statistics Match</firstterm> capability in your kernel
-          and ip6tables and causes the rule to match randomly but with the
-          given <replaceable>probability</replaceable>. The
-          <replaceable>probability</replaceable> is a number 0 &lt;
-          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
-          at up to 8 decimal points of precision.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Examples</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>IPv4 Example 1:</term>
-
-        <listitem>
-          <para>You have a simple masquerading setup where eth0 connects to a
-          DSL or cable modem and eth1 connects to your local network with
-          subnet 192.168.0.0/24.</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #INTERFACE   SOURCE
-        eth0    192.168.0.0/24</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 2:</term>
-
-        <listitem>
-          <para>You add a router to your local network to connect subnet
-          192.168.1.0/24 which you also want to masquerade. You then add a
-          second entry for eth0 to this file:</para>
-
-          <programlisting>        #INTERFACE   SOURCE
-        eth0         192.168.1.0/24</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 3:</term>
-
-        <listitem>
-          <para>You have an IPSEC tunnel through ipsec0 and you want to
-          masquerade packets coming from 192.168.1.0/24 but only if these
-          packets are destined for hosts in 10.1.1.0/24:</para>
-
-          <programlisting>        #INTERFACE              SOURCE
-        ipsec0:10.1.1.0/24      196.168.1.0/24</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 4:</term>
-
-        <listitem>
-          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
-          to use source address 206.124.146.176 which is NOT the primary
-          address of eth0. You want 206.124.146.176 to be added to eth0 with
-          name eth0:0.</para>
-
-          <programlisting>        #INTERFACE              SOURCE          ADDRESS
-        eth0:0                  192.168.1.0/24  206.124.146.176</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 5:</term>
-
-        <listitem>
-          <para>You want all outgoing SMTP traffic entering the firewall from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.177. You want all other outgoing traffic from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.176.</para>
-
-          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
-        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
-        eth0         172.20.1.0/29    206.124.146.176</programlisting>
-
-          <warning>
-            <para>The order of the above two rules is significant!</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 6:</term>
-
-        <listitem>
-          <para>Connections leaving on eth0 and destined to any host defined
-          in the ipset <emphasis>myset</emphasis> should have the source IP
-          address changed to 206.124.146.177.</para>
-
-          <programlisting>        #INTERFACE              SOURCE          ADDRESS
-        eth0:+myset[dst]        -               206.124.146.177</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 7:</term>
-
-        <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
-
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/masq:
-
-       #INTERFACE SOURCE         ADDRESS     ...
-       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
-       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 8:</term>
-
-        <listitem>
-          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
-          70.90.191.123. You want to use the iptables statistics match to
-          masquerade outgoing connections evenly between these two
-          addresses.</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(eth1)  0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
-       eth1          0.0.0.0/0      70.90.191.123 
-</programlisting>
-
-          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          these rules may be specified as follows:</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       eth1          0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
-       eth1          0.0.0.0/0      70.90.191.123 
-</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>You have a simple 'masquerading' setup where eth0 connects to
-          a DSL or cable modem and eth1 connects to your local network with
-          subnet 2001:470:b:787::0/64</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
-        eth0         2001:470:b:787::0/64    -</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>Your sit1 interface has two public IP addresses:
-          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
-          iptables statistics match to masquerade outgoing connections evenly
-          between these two addresses.</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2 
-</programlisting>
-
-          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          then these rules may be specified as follows:</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2</programlisting>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall/masq</para>
-
-    <para>/etc/shorewall6/masq</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para><ulink
-    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para>shorewall(8)</para>
-  </refsect1>
-</refentry>

Shorewall/manpages/shorewall-params.xml

@@ -26,10 +26,8 @@
     <title>Description</title>
 
     <para>Assign any shell variables that you need in this file. The file is
-    always processed by <filename>/bin/sh</filename> or by the shell specified
-    through SHOREWALL_SHELL in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
-    range of shell capabilities may be used.</para>
+    always processed by <filename>/bin/sh</filename> so the full range of
+    shell capabilities may be used.</para>
 
     <para>It is suggested that variable names begin with an upper case letter
     to distinguish them from variables used internally within the Shorewall

Shorewall/manpages/shorewall-providers.xml

@@ -84,8 +84,8 @@
 
           <para>If PROVIDER_OFFSET is non-zero in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the
-          number of significant bits may not exceed PROVIDER_OFFSET +
+          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
+          the number of significant bits may not exceed PROVIDER_OFFSET +
           PROVIDER_BITS.</para>
         </listitem>
       </varlistentry>
@@ -117,6 +117,12 @@
           specified unless <option>loose</option> is given in the OPTIONS
           column of this entry.</para>
 
+          <important>
+            <para>For IPv6, if the interface is an Ethernet device and an IP
+            address is supplied, it should be the upstream router's link-level
+            address, not its global address.</para>
+          </important>
+
           <para>Where more than one provider is serviced through a single
           interface, the <emphasis>interface</emphasis> must be followed by a
           colon and the IP <emphasis>address</emphasis> of the interface that

Shorewall/manpages/shorewall-rules.xml

@@ -462,7 +462,7 @@
                 <para>Added in Shorewall 4.5.16. This action allows you to
                 construct most of the rule yourself using iptables syntax. The
                 part that you specify must follow two semicolons (';;')
-                (preferred) or a single semicolon (';') (deprecated) and is
+		and is
                 completely free-form. If the target of the rule (the part
                 following 'j') is something that Shorewall supports in the
                 ACTION column, then you may enclose it in parentheses (e.g.,

Shorewall/manpages/shorewall-tcdevices.xml

@@ -112,7 +112,7 @@
           ppp interfaces, you need to put them all in here!</para>
 
           <para>If the device doesn't exist, a warning message will be issued
-          during "shorewall [re]start" and "shorewall refresh" and traffic
+          during "shorewall [re]start" and "shorewall reload" and traffic
           shaping configuration will be skipped for that device.</para>
 
           <para>Shorewall assigns a sequential <firstterm>interface

Shorewall/manpages/shorewall.conf.xml

@@ -463,7 +463,8 @@
 
       <varlistentry>
         <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>|<option>recursive</option>|<replaceable>depth</replaceable>]</term>
 
         <listitem>
           <para>If set, the behavior of the <command>start</command>,
@@ -481,6 +482,27 @@
           <command>restart</command> command includes a directory name
           (e.g.,<command> shorewall restart
           /etc/shorewall.new</command>).</para>
+
+          <para>When AUTOMAKE=Yes, each directory in the CONFIG_PATH was
+          originally searched recursively for files newer than the compiled
+          script. That was changed in Shorewall 5.1.10.2 such that only the
+          listed directories themselves were searched. That broke some
+          configurations that played tricks with embedded SHELL such as
+          "<command>SHELL cat /etc/shorewall/rules.d/loc/*.rules".</command>
+          Prior to 5.1.10.2, a change to a file in or adding a file to
+          /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
+          with 5.1.10.2, such changes would not trigger recompilation.
+          Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
+          obtained by setting AUTOMAKE=recursive.</para>
+
+          <para>Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
+          numeric <replaceable>depth</replaceable> which specifies how deeply
+          each listed directory is to be searched. AUTOMAKE=1 only searches
+          each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
+          will search each directory and its immediate sub-directories;
+          AUTOMAKE=3 will search each diretory, each of its immediate
+          sub-directories, and each of their immediate sub-directories,
+          etc.</para>
         </listitem>
       </varlistentry>
 
@@ -1141,36 +1163,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a
-          semicolon separates column-oriented specifications on the left from
-          <ulink url="/configuration_file_basics.htm#Pairs">alternative
-          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
-          specified, the specifications on the right are interpreted as if
-          INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
-          and <ulink
-          url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
-          which also support INLINE. If not specified or if specified as the
-          empty value, the value 'No' is assumed for backward
-          compatibility.</para>
-
-          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
-          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          Beginning with 5.0.0, you may simply preface your text with a pair
-          of semicolons (";;"). If alternate input is also specified in the
-          rule, it should appear before the semicolons and may be separated
-          from normal column input by a single semicolon or enclosed in curly
-          braces ("{....}").</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis
         role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
@@ -1348,10 +1340,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             running, you should remove the file
             <filename>/var/lib/shorewall/rt_tables</filename>
             (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>refresh</command>,
-            <command>restore</command>, <emphasis
-            role="bold">reload</emphasis> or <command>restart</command>
-            command.</para>
+            your next <command>stop</command>, <command>restore</command>,
+            <emphasis role="bold">reload</emphasis> or
+            <command>restart</command> command.</para>
           </blockquote>
 
           <para>IPv6:</para>
@@ -1365,10 +1356,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             is running, you should remove the file
             <filename>/var/lib/shorewall6/rt_tables</filename>
             (<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>refresh</command>,
-            <command>restore</command>, <emphasis
-            role="bold">reload</emphasis> or <command>restart</command>
-            command.</para>
+            your next <command>stop</command>, <command>restore</command>,
+            <emphasis role="bold">reload</emphasis> or
+            <command>restart</command> command.</para>
           </blockquote>
 
           <important>
@@ -1450,6 +1440,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">LOG_ZONE=</emphasis>[<emphasis
+        role="bold"><option>src</option>|<option>dst</option>|<option>both</option></emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.0. When a log message is issued from a
+          chain that relates to a pair of zones (e.g, 'fw-net'), the chain
+          name normally appears in the log message (unless LOGTAGONLY=Yes and
+          a log tag is specified). This can prevent OPTIMIZE category 8 from
+          combining chains which are identical except for the names of the
+          zones involved. LOG_ZONE allows for only the source or destination
+          zone to appear in the messages by setting LOG_ZONE to
+          <option>src</option> or <option>dest</option> respectively. If
+          LOG_ZONE=<option>both</option> (the default), then the full chain
+          name is included in log messages.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
@@ -1809,19 +1817,6 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>IPv4 only.</para>
-
-          <para>This option is included for compatibility with old Shorewall
-          configuration. New installs should always have
-          MAPOLDACTIONS=No.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2474,6 +2469,20 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">RENAME_COMBINED=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.0. Traditionally, when OPTIMIZE
+          category 8 is enabled, identical chains are combined under a name
+          beginning with '~comb' or '~blacklist'. This behavior is maintained
+          under the default setting RENAME_COMBINED=Yes. If
+          RENAMED_COMBINED=No, the chains are combined under the original name
+          of one of the chains.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">REQUIRE_INTERFACE=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2773,7 +2782,6 @@ INLINE          -       -       -       ;; -j REJECT
           of each <emphasis role="bold">start</emphasis>, <emphasis
           role="bold">reload</emphasis>, <emphasis
           role="bold">restart</emphasis>, <emphasis
-          role="bold">refresh</emphasis>, <emphasis
           role="bold">try</emphasis>, and <emphasis
           role="bold">safe-</emphasis>* command. Logging verbosity is
           determined by the setting of LOG_VERBOSITY above.</para>

Shorewall/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}

Shorewall6-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall6-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall6-lite/lib.base
 #
 #     (c) 2011, 2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -44,6 +44,8 @@ LOG_BACKEND=
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=Yes
 
 RESTART=restart

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -45,6 +45,8 @@ LOG_BACKEND=
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=
@@ -171,8 +173,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -201,6 +201,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -44,6 +44,8 @@ LOG_BACKEND=
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -44,6 +44,8 @@ LOG_BACKEND=
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall6/actions.std

@@ -8,9 +8,6 @@
 #
 ###############################################################################
 #ACTION
-A_Drop				# Audited Default Action for DROP policy
-A_Reject			# Audited Default Action for REJECT policy
-A_AllowICMPs proto=58		# Audited Accept needed ICMP6 types
 AllowICMPs   proto=58		# Accept needed ICMP6 types
 allowBcast   inline		# Silently Allow Broadcast
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
@@ -19,7 +16,6 @@ AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline		# Handles Broadcast/Anycast
-Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
@@ -38,7 +34,6 @@ Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 Multicast    noinline		# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,proto=6	# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject				# Default Action for REJECT policy (deprecated)
 rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED

Shorewall6/configfiles/shorewall6.conf

@@ -44,6 +44,8 @@ LOG_BACKEND=
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

docs/CompiledPrograms.xml

@@ -762,7 +762,6 @@ MANGLE_ENABLED=Yes
 MULTIPORT=Yes
 XMULTIPORT=Yes
 CONNTRACK_MATCH=Yes
-USEPKTTYPE=Yes
 POLICY_MATCH=Yes
 PHYSDEV_MATCH=Yes
 PHYSDEV_BRIDGE=Yes

docs/Events.xml

@@ -680,7 +680,7 @@ Knock                                          #Port Knocking</programlisting>
       <para><filename>/etc/shorewall/action.Knock</filename>:</para>
 
       <programlisting>#
-# Shorewall version 4 - SSH_BLACKLIST Action
+# Shorewall version 4 - Port-Knocking Action
 #
 ?format 2
 ###############################################################################

docs/PortKnocking.xml

@@ -42,7 +42,8 @@
 
   <note>
     <para>The techniques described in this article were superseded in
-    Shorewall 4.5.19 with the introduction of Shorewall Events.</para>
+    Shorewall 4.5.19 with the introduction of <ulink
+    url="Events.html">Shorewall Events</ulink>.</para>
   </note>
 
   <note>

docs/Shorewall-5.xml

@@ -24,6 +24,8 @@
 
       <year>2017</year>
 
+      <year>2018</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -135,6 +137,21 @@
         <listitem>
           <para>CHAIN_SCRIPTS (Removed in Shorewall 5.1).</para>
         </listitem>
+
+        <listitem>
+          <para>MODULE_SUFFIX (Removed in Shorewall 5.1.7). Shorewall can now
+          locate modules independent of their suffix (extension).</para>
+        </listitem>
+
+        <listitem>
+          <para>INLINE_MATCHES (Removed in Shorewall 5.2). Inline matches are
+          now separated from column-oriented input by two adjacent semicolons
+          (";;").</para>
+        </listitem>
+
+        <listitem>
+          <para>MAPOLDACTIONS (Removed in Shorewall 5.2). </para>
+        </listitem>
       </itemizedlist>
 
       <para>A compilation warning is issued when any of these options are
@@ -173,17 +190,18 @@
       <title>Obsolete Configuration Files</title>
 
       <para>Support has been removed for the 'blacklist', 'tcrules',
-      'routestopped', 'notrack' and 'tos' files.</para>
+      'routestopped', 'notrack', 'tos' and 'masq' files.</para>
 
-      <para>The <option>-t</option> and <option>-b</option> options of the
-      <command>update</command> command are still available to convert the
-      'tcrules' and 'tos' files to the equivalent 'mangle' file and to convert
-      the 'blacklist' file into an equivalent 'blrules' file.</para>
+      <para>The <command>update</command> command is available to convert the
+      'tcrules' and 'tos' files to the equivalent 'mangle' file, to convert
+      the 'blacklist' file into an equivalent 'blrules' file, and to convert
+      the 'masq' file to the equivalent 'snat' file.</para>
 
-      <para>As in Shorewall 4.6.12, the <option>-s</option> option is
-      available to convert the 'routestopped' file into the equivalent
-      'stoppedrules' file and the <option>-n</option> option is available to
-      convert a 'notrack' file to the equivalent 'conntrack' file.</para>
+      <para>As in Shorewall 4.6.12, the <command>update</command> command
+      converts the 'routestopped' file into the equivalent 'stoppedrules' file
+      and converts a 'notrack' file to the equivalent 'conntrack' file.</para>
+
+      <para>Note that in Shorewall 5.2, the update command </para>
     </section>
 
     <section>
@@ -367,6 +385,33 @@
         equivalent RESTART setting.</para>
       </note>
     </section>
+
+    <section>
+      <title>refresh</title>
+
+      <para>Given the availability of ipset-based blacklisting, the
+      <command>refresh</command> command was eliminated in Shorewall
+      5.2.</para>
+
+      <para>Some users may have been using <command>refresh</command> as a
+      lightweight form of <command>reload</command>. The most common of these
+      uses seem to be for reloading traffic shaping after an interface has
+      gone down and come back up. The best way to handle this situation under
+      5.2 is to make the interface 'optional' in your
+      /etc/shorewall[6]/interfaces file, then either:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Install Shorewall-init and enable IFUPDOWN; or</para>
+        </listitem>
+
+        <listitem>
+          <para>Use the <command>reenable</command> command when the interface
+          comes back up in place of the <command>refresh</command>
+          command.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
   </section>
 
   <section>
@@ -423,9 +468,14 @@
   <section>
     <title>Upgrading to Shorewall 5</title>
 
-    <para>It is strongly recommended that you first upgrade your installation
-    to a 4.6 release that supports the <option>-A</option> option to the
-    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
+    <para><important>
+        <para>For detailed upgrade information, please consult the 'Migration
+        Issues' section of the release notes for the version that you are
+        upgrading to.</para>
+      </important>It is strongly recommended that you first upgrade your
+    installation to a 4.6 release that supports the <option>-A</option> option
+    to the <command>update</command> command; 4.6.13.2 or later is
+    preferred.</para>
 
     <para>Once you are on that release, execute the <command>shorewall update
     -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -445,7 +495,9 @@
     have been removed -- the updates triggered by those options are now
     performed unconditionally. The <option>-i </option>and <option>-A
     </option>options have been retained - both enable checking for issues that
-    could result if INLINE_MATCHES were to be set to Yes.</para>
+    could result if INLINE_MATCHES were to be set to Yes. The -i option was
+    removed in Shorewall 5.2, given that the INLINE_MATCHES option was also
+    removed.</para>
 
     <section>
       <title id="CHAIN_SCRIPTS">CHAIN_SCRIPTS Removal</title>

docs/Shorewall-Lite.xml

@@ -709,7 +709,6 @@ MANGLE_ENABLED=Yes
 MULTIPORT=Yes
 XMULTIPORT=Yes
 CONNTRACK_MATCH=Yes
-USEPKTTYPE=Yes
 POLICY_MATCH=Yes
 PHYSDEV_MATCH=Yes
 PHYSDEV_BRIDGE=Yes

docs/support.xml

@@ -42,7 +42,7 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 5.0 and 5.1.</para>
+        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
 
         <note>
           <para>Shorewall versions earlier than 5.0.0 are no longer supported;