Correct convertion of tcrules->mangle when a writable mangle exists

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct logging in inline policy actions
2017-03-07 15:23:58 -08:00 · 2017-03-07 13:37:59 -08:00 · 2017-03-07 13:03:49 -08:00 · 2017-03-07 11:53:47 -08:00 · 2017-03-07 11:51:40 -08:00 · 2017-03-07 11:44:45 -08:00
66 changed files with 710 additions and 235 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1451,15 +1451,7 @@ show_command() {
 				fi
 			    done
 			    case $2 in
 				allowBcast|dropBcast|dropNotSyn|rejNotSyn|allowinUPnp|forwardUPnP|Limit)
 				    echo "   WARNING: $2 is a built-in action" >&2
 				    ;;
 				*)
 			    echo "   WARNING: Action $2 not found" >&2
 				    ;;
 			    esac
 			    return
 			    ;;
 			actions)
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 [Install]
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -0,0 +1,11 @@
 #
 # Shorewall -- /usr/share/shorewall/action.AllowICMPs
 #
 # This action ACCEPTs needed ICMP types.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DEFAULTS ACCEPT
@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -20,7 +20,7 @@
 #         @2.
 ###############################################################################
 ?if $1 eq 'BLACKLIST'
-   ?if $BLACKLIST_LOGLEVEL
+   ?if $BLACKLIST_LOG_LEVEL
       blacklog
   ?else
       $BLACKLIST_DISPOSITION
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -30,7 +30,6 @@ DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type BROADCAST
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
@@ -50,9 +49,6 @@ add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -59,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Limit
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Limit(<recent-set>,<num-connections>,<timeout>)
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -0,0 +1,50 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Multicast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
 my ( $level, $tag )    = get_action_logging;
 log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
 ?endif
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -62,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowBcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowBcast[([audit])]
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowMcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowMcast[([audit])]
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowinUPnP
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowinUPnP[([audit])]
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropBcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropBcast[([audit])]
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropMcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropMcast[([audit])]
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropNotSyn
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropNotSyn[([audit])]
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.forwardUPnP
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # forwardUPnP
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -0,0 +1,27 @@
 #
 # Shorewall -- /usr/share/shorewall/action.rejNotSyn
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # rejNotSyn[([audit])]
 #
 # This is a built-in action.
 #
 ###############################################################################
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -1,13 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.AllowICMPs
 #
 # This macro ACCEPTs needed ICMP types.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 ?COMMENT Needed ICMP types
 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed
 PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -792,6 +792,7 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -2994,15 +2995,18 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  ERROR => sub() {
 	      unless ( $omitting ) {
 		  directive_error( evaluate_expression( $expression ,
 							$filename ,
 							$linenumber ,
 							1 ) ,
 				   $filename ,
 				   $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  WARNING => sub() {
 	      unless ( $omitting ) {
 		  directive_warning( $config{VERBOSE_MESSAGES} ,
 				     evaluate_expression( $expression ,
 							  $filename ,
@@ -3010,9 +3014,11 @@ sub process_compiler_directive( $$$$ ) {
 							  1 ),
 				     $filename ,
 				     $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  INFO => sub() {
 	      unless ( $omitting ) {
 		  directive_info( $config{VERBOSE_MESSAGES} ,
 				  evaluate_expression( $expression ,
 						       $filename ,
@@ -3020,9 +3026,11 @@ sub process_compiler_directive( $$$$ ) {
 						       1 ),
 				  $filename ,
 				  $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  'WARNING!' => sub() {
 	      unless ( $omitting ) {
 		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
 				     evaluate_expression( $expression ,
 							  $filename ,
@@ -3030,9 +3038,11 @@ sub process_compiler_directive( $$$$ ) {
 							  1 ),
 				     $filename ,
 				     $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  'INFO!' => sub() {
 	      unless ( $omitting ) {
 		  directive_info( ! $config{VERBOSE_MESSAGES} ,
 				  evaluate_expression( $expression ,
 						       $filename ,
@@ -3040,12 +3050,15 @@ sub process_compiler_directive( $$$$ ) {
 						       1 ),
 				  $filename ,
 				  $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-	      fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
+		  fatal_error "Unknown capability ($expression)" unless exists $capabilities{$expression};
 		  require_capability( $expression, "The $actparams{action} action", 's' );
 	      }
 	  } ,
 	);
@@ -6475,6 +6488,12 @@ sub get_configuration( $$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
 	validate_level( $val );
    } else {
 	$config{LOG_LEVEL} = 'info';
    }
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -363,7 +363,7 @@ sub initialize( $ ) {
    @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
    if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -372,10 +372,11 @@ sub initialize( $ ) {
 			    'icmp-host-prohibited'   => 1,
 			    'icmp-admin-prohibited'  => 1,
 			    'icmp-tcp-reset'         => 2,
 			    'tcp-reset'              => 2,
 	                  );
    } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -777,7 +778,11 @@ sub process_a_policy() {
    our @zonelist;
    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
-	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+	split_line2( 'policy file',
 		     { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, rate => 4, connlimit => 5 } ,
 		     {} , # nopad
 		     6  , # maxcolumns
 		    );
    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
@@ -943,13 +948,14 @@ sub add_policy_rules( $$$$$ ) {
 		#
 		# Default action is an inline 
 		#
 		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
 				'',           #Matches1
-				$loglevel,    #Log Level and Tag
+				$level || '', #Log Level and Tag
 				$paction,     #Target
 				$param || '', #Param
 				'-',          #Source
@@ -1736,12 +1742,18 @@ sub dropBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
 }
 sub dropMcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit ( 'DROP', $audit );
    if ( $family == F_IPV4 ) {
-	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
+	log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
-	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
@@ -1771,12 +1783,18 @@ sub allowBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
 }
 sub allowMcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'ACCEPT', $audit );
    if ( $family == F_IPV4 ) {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
@@ -1866,7 +1884,9 @@ sub Limit( $$$$ ) {
 }
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'dropMcast'      => \&dropMcast,
 		   'allowBcast'     => \&allowBcast,
 		   'allowMcast'     => \&allowMcast,
 		   'dropNotSyn'     => \&dropNotSyn,
 		   'rejNotSyn'      => \&rejNotSyn,
 		   'allowinUPnP'    => \&allowinUPnP,
@@ -1912,12 +1932,12 @@ sub process_action(\$\$$) {
    progress_message2 "$doing $actionfile for chain $chainref->{name}...";
    push_open $actionfile, 2, 1, undef, 2;
    my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
    my $options = $actionref->{options};
    my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
    push_open $actionfile, 2, 1, undef, 2;
    setup_audit_action( $action ) if $options & AUDIT_OPT;
    $active{$action}++;
@@ -2899,6 +2919,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			  # tcp-reset
 			  #
 			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
 			  $exceptionrule = '-p 6 ';
 			  $param = 'tcp-reset';
 		      }
 		      $action = "REJECT --reject-with $param";
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2312,9 +2312,10 @@ EOF
 EOF
 	}
    }
    return ( $mangle, $fn1 );
-    }
+
 }
 #
--- a/Shorewall/Samples/Universal/params
+++ b/Shorewall/Samples/Universal/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall/Samples/Universal/policy
+++ b/Shorewall/Samples/Universal/policy
@@ -7,7 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
 #				LEVEL	BURST		MASK
 $FW	net	ACCEPT
-net	all	DROP		$LOG
+net	all	DROP		$LOG_LEVEL
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -2,7 +2,7 @@
 #
 #  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
 #
-#  For $LOGrmation about the settings in this file, type "man shorewall.conf"
+#  For information about the settings in this file, type "man shorewall.conf"
 #
 #  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
@@ -33,6 +33,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 UNTRACKED_LOG_LEVEL=
@@ -107,12 +109,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/one-interface/params
+++ b/Shorewall/Samples/one-interface/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -11,8 +11,8 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 $FW	net		ACCEPT
-net		all		DROP		$LOG
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL="$LOG"
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL="$LOG"
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
-SFILTER_LOG_LEVEL="$LOG"
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
-SMURF_LOG_LEVEL="$LOG"
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL="$LOG"
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
@@ -118,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/three-interfaces/params
+++ b/Shorewall/Samples/three-interfaces/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 loc	net		ACCEPT
-net		all		DROP		$LOG
+net	all		DROP		$LOG_LEVEL
 # THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -11,7 +11,7 @@
 #
 # See the file README.txt for further details.
 #
-# For $LOGrmation about the settings in this file, type "man shorewall.conf"
+# For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
@@ -41,6 +41,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -61,19 +63,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 UNTRACKED_LOG_LEVEL=
@@ -115,12 +117,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/two-interfaces/params
+++ b/Shorewall/Samples/two-interfaces/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -11,10 +11,10 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 loc	net		ACCEPT
-net		all		DROP		$LOG
+net	all		DROP		$LOG_LEVEL
-# THE FOLLOWING POLICY MUST BE LAST
+# THE FOLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 UNTRACKED_LOG_LEVEL=
@@ -118,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -9,8 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcast			# Silently Allow Broadcast/multicast
+allowBcast			# Silently Allow Broadcast
-dropBcast			# Silently Drop Broadcast/multicast
+allowMcast			# Silently Allow Multicast
 dropBcast			# Silently Drop Broadcast
 dropMcast			# Silently Drop Multicast
 dropNotSyn			# Silently Drop Non-syn TCP packets
 rejNotSyn			# Silently Reject Non-syn TCP packets
 allowinUPnP			# Allow UPnP inbound (to firewall) traffic
@@ -23,13 +25,14 @@ A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline             # Allow Required ICMP packets
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
+Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
-Drop				# Default Action for DROP policy
+Drop				# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
@@ -39,9 +42,10 @@ GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Multicast    noinline,audit	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-Reject				# Default Action for REJECT policy
+Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
--- a/Shorewall/configfiles/params
+++ b/Shorewall/configfiles/params
@@ -22,4 +22,3 @@
 #	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 ###############################################################################
 LOG=info # Default Log Level
--- a/Shorewall/configfiles/policy
+++ b/Shorewall/configfiles/policy
@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -2,7 +2,7 @@
 #
 #  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
 #
-#  For $LOGrmation about the settings in this file, type "man shorewall.conf"
+#  For information about the settings in this file, type "man shorewall.conf"
 #
 #  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
@@ -33,6 +33,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 UNTRACKED_LOG_LEVEL=
@@ -108,11 +110,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=dropBcasts,dropInvalid:$LOG
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -481,6 +481,16 @@ if [ -z "$first_install" ]; then
    delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
    delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
    delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
    if [ $PRODUCT = shorewall ]; then
 	#
 	# Delete deprecated macros and actions
 	#
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/macro.SNMPTrap
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_REJECT
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Drop
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
    fi
 fi
 #
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -283,7 +283,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
+        <term><emphasis role="bold">RATE</emphasis> (rate) -
        [-|<replaceable>limit</replaceable>]</term>
        <listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1356,6 +1356,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
        <listitem>
          <para>Added in Shorewall 5.1.2. Beginning with that release, the
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
          will expand to this value.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
+ExecStop=/sbin/shorewall $OPTIONS clear
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
 [Install]
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -15,7 +15,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+ExecStop=/sbin/shorewall6-lite $OPTIONS clear
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload
 [Install]
--- a/Shorewall6/Actions/action.Broadcast
+++ b/Shorewall6/Actions/action.Broadcast
@@ -45,12 +45,11 @@ fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $aud
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
    }
    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
 } else {
    add_commands $chainref, 'for address in $ALL_ACASTS; do';
@@ -59,9 +58,6 @@ if ( have_capability( 'ADDRTYPE' ) ) {
    add_jump $chainref, $target, 0, "-d \$address ";
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 1;
--- a/Shorewall6/Actions/action.Multicast
+++ b/Shorewall6/Actions/action.Multicast
@@ -0,0 +1,59 @@
 #
 # Shorewall6 -- /usr/share/shorewall6/action.Multicast
 #
 # Multicast/Anycast IPv6 Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my $chainref           = get_action_chain;
 my ( $action, $audit ) = get_action_params( 2 );
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $level ne '' ) {
 	log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
    }
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
 } else {
    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 1;
 ?end perl;
--- a/Shorewall6/Samples6/Universal/params
+++ b/Shorewall6/Samples6/Universal/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall6/Samples6/Universal/policy
+++ b/Shorewall6/Samples6/Universal/policy
@@ -7,8 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
 #				LEVEL	BURST		MASK
 fw	net	ACCEPT
-net	all	DROP		$LOG
+net	all	DROP		$LOG_LEVEL
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -72,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/Samples6/one-interface/params
+++ b/Shorewall6/Samples6/one-interface/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall6/Samples6/one-interface/policy
+++ b/Shorewall6/Samples6/one-interface/policy
@@ -11,9 +11,9 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 #
-###############################################################################
+##############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 $FW	net		ACCEPT
-net		all		DROP		$LOG
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -35,6 +35,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -106,11 +108,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/Samples6/three-interfaces/params
+++ b/Shorewall6/Samples6/three-interfaces/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall6/Samples6/three-interfaces/policy
+++ b/Shorewall6/Samples6/three-interfaces/policy
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 loc	net		ACCEPT
-net		all		DROP		$LOG
+net	all		DROP		$LOG_LEVEL
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/Samples6/two-interfaces/params
+++ b/Shorewall6/Samples6/two-interfaces/params
@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
 LOG=info # Change this to change the way in which packets are logged.
--- a/Shorewall6/Samples6/two-interfaces/policy
+++ b/Shorewall6/Samples6/two-interfaces/policy
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 loc	net		ACCEPT
-net		all		DROP		$LOG
+net	all		DROP		$LOG_LEVEL
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -9,8 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcasts                     # Accept multicast and anycast packets
+allowBcasts                     # Accept anycast packets
-dropBcasts                      # Silently Drop multicast and anycast packets
+allowMcasts                     # Accept multicast packets
 dropBcasts                      # Silently Drop anycast packets
 dropMcasts                      # Silently Drop multicast packets
 dropNotSyn		        # Silently Drop Non-syn TCP packets
 rejNotSyn		        # Silently Reject Non-syn TCP packets
 ?endif
@@ -23,18 +25,20 @@ AllowICMPs   	                # Accept needed ICMP6 types
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
+Broadcast    noinline      	# Handles Broadcast/Anycast
-Drop		        	# Default Action for DROP policy
+Drop		        	# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
             state=INVALID
 Multicast    noinline      	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject		        	# Default Action for REJECT policy
+Reject		        	# Default Action for REJECT policy (deprecated)
 Related      inline,\		# Handles packets in the RELATED conntrack state
             state=RELATED
 ResetEvent   inline		# Reset an Event
--- a/Shorewall6/configfiles/params
+++ b/Shorewall6/configfiles/params
@@ -21,4 +21,3 @@
 #	net	eth0		-	dhcp,nosmurfs
 #
 ###############################################################################
 LOG=info # Default Log Level
--- a/Shorewall6/configfiles/policy
+++ b/Shorewall6/configfiles/policy
@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -2,7 +2,7 @@
 #
 #  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
 #
-#  For $LOGrmation about the settings in this file, type "man shorewall6.conf"
+#  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
 #  http://www.shorewall.net/manpages6/shorewall6.conf.html
@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -52,19 +54,19 @@ LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 STARTUP_LOG=/var/log/shorewall6-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 UNTRACKED_LOG_LEVEL=
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=AllowICMPs,dropBcasts
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -281,7 +281,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
+        <term><emphasis role="bold">RATE</emphasis> (rate) -
        [-|<replaceable>limit</replaceable>]</term>
        <listitem>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1185,6 +1185,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
        <listitem>
          <para>Added in Shorewall 5.1.2. Beginning with that release, the
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
          url="shorewall6-params.html">shorewall6-params(5)</ulink>),
          $LOG_LEVEL will expand to this value.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS stop
+ExecStop=/sbin/shorewall -6 $OPTIONS clear
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 [Install]
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -299,7 +299,17 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
        <term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
        <listitem>
-          <para>Handles broadcasts and multicasts based on the
+          <para>Handles broadcasts based on the
          <replaceable>disposition</replaceable>. The default
          <replaceable>disposition</replaceable> is DROP.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Multicast[(<replaceable>disposition</replaceable>)]</term>
        <listitem>
          <para>Handles multicasts based on the
          <replaceable>disposition</replaceable>. The default
          <replaceable>disposition</replaceable> is DROP.</para>
        </listitem>
@@ -340,6 +350,30 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The recommended settings for the 6 policy actions for IPv4 are:
    </para>
    <programlisting>        ACCEPT_DEFAULT=none
        BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
        DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
        NFQUEUE_DEFAULT=none
        QUEUE_DEFAULT=none
        REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 </programlisting>
    <para>The recommended settings for IPv6 are:</para>
    <programlisting>        ACCEPT_DEFAULT=none
        BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
        DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
        NFQUEUE_DEFAULT=none
        QUEUE_DEFAULT=none
        REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 </programlisting>
    <para>Note that in both cases, logging occurs based on the setting of
    LOG_LEVEL in shorewall[6].conf.</para>
  </section>
  <section id="Defining">
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -406,6 +406,14 @@ DNAT       net      loc:192.168.1.3:22  tcp      1022</programlisting>
        the net. Is it possible to only redirect 4104 to the localhost port 22
        and have connection attempts to port 22 from the net dropped?</title>
        <important>
          <para>On systems with the "Extended Conntrack Match"
          (NEW_CONNTRACK_MATCH) capability (see the output of
          <command>shorewall show capabilities</command>), port 22 is opened
          only to connections whose original destination port is 4104 and this
          FAQ does not apply.</para>
        </important>
        <para><emphasis role="bold">Answer </emphasis>courtesy of Ryan: Assume
        that the IP address of your local firewall interface is 192.168.1.1.
        If you configure SSHD to only listen on that address and add the
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -266,7 +266,16 @@
      <para>You will need to change all instances of log levels (usually
      <quote>info</quote>) in your Shorewall configuration files to
      <quote>NFLOG</quote> - this includes entries in the policy, rules and
-      shorewall.conf files. Here's what I had at one time:</para>
+      shorewall.conf files. If you initially installed using Shorewall 5.1.2
      or later, you can simply change the setting of LOG_LEVEL in
      shorewall.conf.</para>
      <para>Otherwise, you must search for all instances of log levels in your
      configuration and change them accordingly. If you currently run
      Shorewall 5.1.2 or later, then change them to $LOG_LEVEL and set
      LOG_LEVEL accordingly. If you are running an earlier release, using a
      shell variable simplifies future changes. Here's what I had at one
      time:</para>
      <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
 params:LOG=NFOG
Author	SHA1	Message	Date
Tom Eastep	a98c1d5b35	Correct convertion of tcrules->mangle when a writable mangle exists Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 15:23:58 -08:00
Tom Eastep	928f54d37c	Correct logging in inline policy actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 13:37:59 -08:00
Tom Eastep	073235aa48	Correct typo in action.AllowICMPs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 13:03:49 -08:00
Tom Eastep	519fef5e87	Clear the firewall on Debian systemd 'stop' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:53:47 -08:00
Tom Eastep	944651e46d	Correct compiler directives WRT omitting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:51:40 -08:00
Tom Eastep	bdf0950317	Correct the handling of tcp-reset Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:44:45 -08:00
Tom Eastep	2fb1f9db01	Change AllowICMPs to an inline action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:41:05 -08:00
Tom Eastep	c3661ad476	Change macro.ICMPs to an inline action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:30:38 -08:00
Tom Eastep	a4dcc3f555	Restore logging to the BLACKLIST action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-03 10:19:07 -08:00
Tom Eastep	e585ce04f4	Rename action.allowUPnP to action.allowinUPnP - Allows 'show action allowinUPnP' to work correctly. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-02 10:06:01 -08:00
Tom Eastep	e8a5c45aae	Correct FAQ 1e Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-25 09:10:40 -08:00
Tom Eastep	6966270822	Allow 'show action' on buitin actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-19 13:43:23 -08:00
Tom Eastep	118e4f73c9	Correct validation of LOG_LEVEL Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-19 10:25:44 -08:00
Tom Eastep	10b39f3855	Correct typo (allowMast -> allowMcast) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-19 10:25:27 -08:00
Tom Eastep	c4f21ffefb	Additional documentation changes. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-15 13:11:52 -08:00
Tom Eastep	a71b61c238	Delete the deprecated macros and actions during install Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-15 10:16:53 -08:00
Tom Eastep	944888c04f	Handle broadcast and muticast separately Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-15 10:16:20 -08:00
Tom Eastep	48d301b2cf	Rename the policy LIMIT column to RATE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-12 10:17:43 -08:00
Tom Eastep	735919d8d3	Add LOG_LEVEL option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-12 09:52:55 -08:00
Tom Eastep	b4561e97c8	Deprecate Drop and Reject in actions.std Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-12 09:28:38 -08:00
Tom Eastep	66a63a4da5	Fix instances of $LOGrmation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-12 08:33:56 -08:00
Tom Eastep	8c9fb501fd	Adjust .conf files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-02-11 13:41:28 -08:00