Correct convertion of tcrules->mangle when a writable mangle exists

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1451,15 +1451,7 @@ show_command() {
 				fi
 			    done
 
-			    case $2 in
-				allowBcast|dropBcast|dropNotSyn|rejNotSyn|allowinUPnp|forwardUPnP|Limit)
-				    echo "   WARNING: $2 is a built-in action" >&2
-				    ;;
-				*)
-				    echo "   WARNING: Action $2 not found" >&2
-				    ;;
-			    esac
-
+			    echo "   WARNING: Action $2 not found" >&2
 			    return
 			    ;;
 			actions)

Shorewall-lite/shorewall-lite.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall/Actions/action.AllowICMPs

@@ -0,0 +1,11 @@
+#
+# Shorewall -- /usr/share/shorewall/action.AllowICMPs
+#
+# This action ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS ACCEPT
+@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}

Shorewall/Actions/action.BLACKLIST

@@ -20,7 +20,7 @@
 #         @2.
 ###############################################################################
 ?if $1 eq 'BLACKLIST'
-   ?if $BLACKLIST_LOGLEVEL
+   ?if $BLACKLIST_LOG_LEVEL
        blacklog
    ?else
        $BLACKLIST_DISPOSITION

Shorewall/Actions/action.Broadcast

@@ -30,7 +30,6 @@ DEFAULTS DROP,-
 
 ?if __ADDRTYPE
 @1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 @1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
@@ -50,9 +49,6 @@ add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
-
 1;
 
 ?end perl;

Shorewall/Actions/action.Drop.deprecated

@@ -59,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.

Shorewall/Actions/action.Limit

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Limit
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Limit(<recent-set>,<num-connections>,<timeout>)
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.Multicast

@@ -0,0 +1,50 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Multicast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Multicast[([<action>|-[,{audit|-}])]
+#
+# Default action is DROP
+#
+###############################################################################
+
+DEFAULTS DROP,-
+
+?if __ADDRTYPE
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+?else
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action )         = get_action_params( 1 );
+my $chainref           = get_action_chain;
+my ( $level, $tag )    = get_action_logging;
+
+log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+
+1;
+
+?end perl;
+?endif

Shorewall/Actions/action.Reject.deprecated

@@ -62,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be

Shorewall/Actions/action.allowBcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowBcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.allowMcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowMcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.allowinUPnP

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowinUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowinUPnP[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.dropBcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.dropMcast

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropMcast[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.dropNotSyn

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropNotSyn[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.forwardUPnP

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.forwardUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# forwardUPnP
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Actions/action.rejNotSyn

@@ -0,0 +1,27 @@
+#
+# Shorewall -- /usr/share/shorewall/action.rejNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# rejNotSyn[([audit])]
+#
+# This is a built-in action.
+#
+###############################################################################

Shorewall/Macros/macro.AllowICMPs

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
-#
-# This macro ACCEPTs needed ICMP types.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Needed ICMP types
-
-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded

Shorewall/Perl/Shorewall/Config.pm

@@ -792,6 +792,7 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
+	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -2994,58 +2995,70 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 
 	  ERROR => sub() {
-	      directive_error( evaluate_expression( $expression ,
-						    $filename ,
-						    $linenumber ,
-						    1 ) ,
-			       $filename ,
-			       $linenumber ) unless $omitting;
+	      unless ( $omitting ) {
+		  directive_error( evaluate_expression( $expression ,
+							$filename ,
+							$linenumber ,
+							1 ) ,
+				   $filename ,
+				   $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  WARNING => sub() {
-	      directive_warning( $config{VERBOSE_MESSAGES} ,
-		                 evaluate_expression( $expression ,
-						      $filename ,
-						      $linenumber ,
-						      1 ),
-				 $filename ,
-				 $linenumber ) unless $omitting;
+	      unless ( $omitting ) {
+		  directive_warning( $config{VERBOSE_MESSAGES} ,
+				     evaluate_expression( $expression ,
+							  $filename ,
+							  $linenumber ,
+							  1 ),
+				     $filename ,
+				     $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  INFO => sub() {
-	      directive_info( $config{VERBOSE_MESSAGES} ,
-			      evaluate_expression( $expression ,
-						   $filename ,
-						   $linenumber ,
-						   1 ),
-			      $filename ,
-			      $linenumber ) unless $omitting;
+	      unless ( $omitting ) {
+		  directive_info( $config{VERBOSE_MESSAGES} ,
+				  evaluate_expression( $expression ,
+						       $filename ,
+						       $linenumber ,
+						       1 ),
+				  $filename ,
+				  $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  'WARNING!' => sub() {
-	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
-		                 evaluate_expression( $expression ,
-						      $filename ,
-						      $linenumber ,
-						      1 ),
-				 $filename ,
-				 $linenumber ) unless $omitting;
+	      unless ( $omitting ) {
+		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
+				     evaluate_expression( $expression ,
+							  $filename ,
+							  $linenumber ,
+							  1 ),
+				     $filename ,
+				     $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  'INFO!' => sub() {
-	      directive_info( ! $config{VERBOSE_MESSAGES} ,
-			      evaluate_expression( $expression ,
-						   $filename ,
-						   $linenumber ,
-						   1 ),
-			      $filename ,
-			      $linenumber ) unless $omitting;
+	      unless ( $omitting ) {
+		  directive_info( ! $config{VERBOSE_MESSAGES} ,
+				  evaluate_expression( $expression ,
+						       $filename ,
+						       $linenumber ,
+						       1 ),
+				  $filename ,
+				  $linenumber ) unless $omitting;
+	      }
 	  } ,
 
 	  REQUIRE => sub() {
-	      fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-	      fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
-	      require_capability( $expression, "The $actparams{action} action", 's' );
+	      unless ( $omitting ) {
+		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
+		  fatal_error "Unknown capability ($expression)" unless exists $capabilities{$expression};
+		  require_capability( $expression, "The $actparams{action} action", 's' );
+	      }
 	  } ,
 
 	);
@@ -6475,6 +6488,12 @@ sub get_configuration( $$$$ ) {
     default_log_level 'INVALID_LOG_LEVEL',    '';
     default_log_level 'UNTRACKED_LOG_LEVEL',  '';
 
+    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
+	validate_level( $val );
+    } else {
+	$config{LOG_LEVEL} = 'info';
+    }
+
     if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';

Shorewall/Perl/Shorewall/Rules.pm

@@ -363,7 +363,7 @@ sub initialize( $ ) {
     @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
 
     if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -372,10 +372,11 @@ sub initialize( $ ) {
 			    'icmp-host-prohibited'   => 1,
 			    'icmp-admin-prohibited'  => 1,
 			    'icmp-tcp-reset'         => 2,
+			    'tcp-reset'              => 2,
 	                  );
 			    
     } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -777,7 +778,11 @@ sub process_a_policy() {
     our @zonelist;
 
     my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
-	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+	split_line2( 'policy file',
+		     { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, rate => 4, connlimit => 5 } ,
+		     {} , # nopad
+		     6  , # maxcolumns
+		    );
 
     $loglevel  = '' if $loglevel  eq '-';
     $synparams = '' if $synparams eq '-';
@@ -943,13 +948,14 @@ sub add_policy_rules( $$$$$ ) {
 		#
 		# Default action is an inline 
 		#
+		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
 
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
 				'',           #Matches1
-				$loglevel,    #Log Level and Tag
+				$level || '', #Log Level and Tag
 				$paction,     #Target
 				$param || '', #Param
 				'-',          #Source
@@ -1736,12 +1742,18 @@ sub dropBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
     }
+}
+
+sub dropMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit ( 'DROP', $audit );
 
     if ( $family == F_IPV4 ) {
-	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
+	log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
     } else {
-	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
@@ -1771,12 +1783,18 @@ sub allowBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
     }
+}
+
+sub allowMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
 
     if ( $family == F_IPV4 ) {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
     } else {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
@@ -1866,7 +1884,9 @@ sub Limit( $$$$ ) {
 }
 
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
+		   'dropMcast'      => \&dropMcast,
 		   'allowBcast'     => \&allowBcast,
+		   'allowMcast'     => \&allowMcast,
 		   'dropNotSyn'     => \&dropNotSyn,
 		   'rejNotSyn'      => \&rejNotSyn,
 		   'allowinUPnP'    => \&allowinUPnP,
@@ -1912,12 +1932,12 @@ sub process_action(\$\$$) {
 
     progress_message2 "$doing $actionfile for chain $chainref->{name}...";
 
-    push_open $actionfile, 2, 1, undef, 2;
-
     my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
     my $options = $actionref->{options};
     my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
 
+    push_open $actionfile, 2, 1, undef, 2;
+
     setup_audit_action( $action ) if $options & AUDIT_OPT;
 
     $active{$action}++;
@@ -2899,6 +2919,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			  # tcp-reset
 			  #
 			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
+			  $exceptionrule = '-p 6 ';
+			  $param = 'tcp-reset';
 		      }
 
 		      $action = "REJECT --reject-with $param";

Shorewall/Perl/Shorewall/Tc.pm

@@ -2312,9 +2312,10 @@ EOF
 EOF
 
 	}
-
-	return ( $mangle, $fn1 );
     }
+
+    return ( $mangle, $fn1 );
+
 }
 
 #

Shorewall/Samples/Universal/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall/Samples/Universal/policy

@@ -7,7 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
 $FW	net	ACCEPT
-net	all	DROP		$LOG
+net	all	DROP		$LOG_LEVEL

Shorewall/Samples/Universal/shorewall.conf

@@ -2,7 +2,7 @@
 #
 #  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
 #
-#  For $LOGrmation about the settings in this file, type "man shorewall.conf"
+#  For information about the settings in this file, type "man shorewall.conf"
 #
 #  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
@@ -33,6 +33,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -107,12 +109,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall/Samples/one-interface/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall/Samples/one-interface/policy

@@ -11,8 +11,8 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-$FW		net		ACCEPT
-net		all		DROP		$LOG
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+$FW	net		ACCEPT
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL

Shorewall/Samples/one-interface/shorewall.conf

@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL="$LOG"
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG"
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL="$LOG"
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL="$LOG"
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG"
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -118,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall/Samples/three-interfaces/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall/Samples/three-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
-loc		net		ACCEPT
-net		all		DROP		$LOG
+loc	net		ACCEPT
+net	all		DROP		$LOG_LEVEL
 # THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -11,7 +11,7 @@
 #
 # See the file README.txt for further details.
 #
-# For $LOGrmation about the settings in this file, type "man shorewall.conf"
+# For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
@@ -41,6 +41,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -61,19 +63,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -115,12 +117,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall/Samples/two-interfaces/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall/Samples/two-interfaces/policy

@@ -11,10 +11,10 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
-loc		net		ACCEPT
-net		all		DROP		$LOG
-# THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+loc	net		ACCEPT
+net	all		DROP		$LOG_LEVEL
+# THE FOLOWING POLICY MUST BE LAST
+all	all		REJECT		$LOG_LEVEL
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -118,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall/actions.std

@@ -9,8 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcast			# Silently Allow Broadcast/multicast
-dropBcast			# Silently Drop Broadcast/multicast
+allowBcast			# Silently Allow Broadcast
+allowMcast			# Silently Allow Multicast
+dropBcast			# Silently Drop Broadcast
+dropMcast			# Silently Drop Multicast
 dropNotSyn			# Silently Drop Non-syn TCP packets
 rejNotSyn			# Silently Reject Non-syn TCP packets
 allowinUPnP			# Allow UPnP inbound (to firewall) traffic
@@ -23,13 +25,14 @@ A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
+AllowICMPs   inline             # Allow Required ICMP packets
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
+Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
-Drop				# Default Action for DROP policy
+Drop				# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
@@ -39,9 +42,10 @@ GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
+Multicast    noinline,audit	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-Reject				# Default Action for REJECT policy
+Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event

Shorewall/configfiles/params

@@ -22,4 +22,3 @@
 #	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 ###############################################################################
-LOG=info # Default Log Level

Shorewall/configfiles/policy

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT

Shorewall/configfiles/shorewall.conf

@@ -2,7 +2,7 @@
 #
 #  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
 #
-#  For $LOGrmation about the settings in this file, type "man shorewall.conf"
+#  For information about the settings in this file, type "man shorewall.conf"
 #
 #  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
@@ -33,6 +33,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -108,11 +110,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
-DROP_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=dropBcasts,dropInvalid:$LOG
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S

Shorewall/install.sh

@@ -481,6 +481,16 @@ if [ -z "$first_install" ]; then
     delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
     delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
     delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
+
+    if [ $PRODUCT = shorewall ]; then
+	#
+	# Delete deprecated macros and actions
+	#
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/macro.SNMPTrap
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_REJECT
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Drop
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
+    fi
 fi
 
 #

Shorewall/manpages/shorewall-policy.xml

@@ -259,7 +259,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
+        <term><emphasis role="bold">LOGLEVEL</emphasis> (loglevel) -
         [<emphasis>log-level</emphasis>|<emphasis
         role="bold">ULOG|NFLOG</emphasis>]</term>
 
@@ -283,7 +283,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
+        <term><emphasis role="bold">RATE</emphasis> (rate) -
         [-|<replaceable>limit</replaceable>]</term>
 
         <listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -1356,6 +1356,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.2. Beginning with that release, the
+          sample configurations use this as the default log level and changing
+          it will change all packet logging done by the configuration. In any
+          configuration file (except <ulink
+          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          will expand to this value.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis

Shorewall/shorewall.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
+ExecStop=/sbin/shorewall $OPTIONS clear
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall6-lite/shorewall6-lite.service.debian

@@ -15,7 +15,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+ExecStop=/sbin/shorewall6-lite $OPTIONS clear
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload
 
 [Install]

Shorewall6/Actions/action.Broadcast

@@ -45,12 +45,11 @@ fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $aud
 
 if ( have_capability( 'ADDRTYPE' ) ) {
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
     }
 
     add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
     add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
 } else {
     add_commands $chainref, 'for address in $ALL_ACASTS; do';
@@ -59,9 +58,6 @@ if ( have_capability( 'ADDRTYPE' ) ) {
     add_jump $chainref, $target, 0, "-d \$address ";
     decr_cmd_level $chainref;
     add_commands $chainref, 'done';
-
-    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
-    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 
 1;

Shorewall6/Actions/action.Multicast

@@ -0,0 +1,59 @@
+#
+# Shorewall6 -- /usr/share/shorewall6/action.Multicast
+#
+# Multicast/Anycast IPv6 Action
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Multicast[([<action>|-[,{audit|-}])]
+#
+# Default action is DROP
+#
+###############################################################################
+
+DEFAULTS DROP,-
+
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref           = get_action_chain;
+my ( $action, $audit ) = get_action_params( 2 );
+my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );
+
+fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
+
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+    }
+
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+} else {
+    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
+    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
+}
+
+1;
+
+?end perl;

Shorewall6/Samples6/Universal/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall6/Samples6/Universal/policy

@@ -7,8 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
 fw	net	ACCEPT
-net	all	DROP		$LOG
+net	all	DROP		$LOG_LEVEL
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -72,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall6/Samples6/one-interface/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall6/Samples6/one-interface/policy

@@ -11,9 +11,9 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 #
-###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-$FW		net		ACCEPT
-net		all		DROP		$LOG
+##############################################################################
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+$FW	net		ACCEPT
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		$LOG
+all	all		REJECT		$LOG_LEVEL

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -35,6 +35,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -106,11 +108,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall6/Samples6/three-interfaces/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall6/Samples6/three-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
-loc		net		ACCEPT
-net		all		DROP		$LOG
-all		all		REJECT		$LOG
+loc	net		ACCEPT
+net	all		DROP		$LOG_LEVEL
+all	all		REJECT		$LOG_LEVEL
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall6/Samples6/two-interfaces/params

@@ -11,5 +11,3 @@
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
-
-LOG=info # Change this to change the way in which packets are logged.

Shorewall6/Samples6/two-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
 
-loc		net		ACCEPT
-net		all		DROP		$LOG
-all		all		REJECT		$LOG
+loc	net		ACCEPT
+net	all		DROP		$LOG_LEVEL
+all	all		REJECT		$LOG_LEVEL
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall6/actions.std

@@ -9,8 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcasts                     # Accept multicast and anycast packets
-dropBcasts                      # Silently Drop multicast and anycast packets
+allowBcasts                     # Accept anycast packets
+allowMcasts                     # Accept multicast packets
+dropBcasts                      # Silently Drop anycast packets
+dropMcasts                      # Silently Drop multicast packets
 dropNotSyn		        # Silently Drop Non-syn TCP packets
 rejNotSyn		        # Silently Reject Non-syn TCP packets
 ?endif
@@ -23,18 +25,20 @@ AllowICMPs   	                # Accept needed ICMP6 types
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
-Drop		        	# Default Action for DROP policy
+Broadcast    noinline      	# Handles Broadcast/Anycast
+Drop		        	# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
              state=INVALID
+Multicast    noinline      	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject		        	# Default Action for REJECT policy
+Reject		        	# Default Action for REJECT policy (deprecated)
 Related      inline,\		# Handles packets in the RELATED conntrack state
              state=RELATED
 ResetEvent   inline		# Reset an Event

Shorewall6/configfiles/params

@@ -21,4 +21,3 @@
 #	net	eth0		-	dhcp,nosmurfs
 #
 ###############################################################################
-LOG=info # Default Log Level

Shorewall6/configfiles/policy

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT

Shorewall6/configfiles/shorewall6.conf

@@ -2,7 +2,7 @@
 #
 #  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
 #
-#  For $LOGrmation about the settings in this file, type "man shorewall6.conf"
+#  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
 #  http://www.shorewall.net/manpages6/shorewall6.conf.html
@@ -34,6 +34,8 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
+LOG_LEVEL=info
+
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -52,19 +54,19 @@ LOGLIMIT="s:1/sec:10"
 
 LOGTAGONLY=No
 
-MACLIST_LOG_LEVEL=$LOG
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL=$LOG
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL=$LOG
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -105,11 +107,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
-DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=AllowICMPs,dropBcasts
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S

Shorewall6/manpages/shorewall6-policy.xml

@@ -257,7 +257,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
+        <term><emphasis role="bold">LOGLEVEL</emphasis> (loglevel) -
         [<emphasis>log-level</emphasis>|<emphasis
         role="bold">NFLOG</emphasis>]</term>
 
@@ -281,7 +281,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
+        <term><emphasis role="bold">RATE</emphasis> (rate) -
         [-|<replaceable>limit</replaceable>]</term>
 
         <listitem>

Shorewall6/manpages/shorewall6.conf.xml

@@ -1185,6 +1185,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.2. Beginning with that release, the
+          sample configurations use this as the default log level and changing
+          it will change all packet logging done by the configuration. In any
+          configuration file (except <ulink
+          url="shorewall6-params.html">shorewall6-params(5)</ulink>),
+          $LOG_LEVEL will expand to this value.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>

Shorewall6/shorewall6.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS stop
+ExecStop=/sbin/shorewall -6 $OPTIONS clear
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 
 [Install]

docs/Actions.xml

@@ -299,7 +299,17 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
         <term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
 
         <listitem>
-          <para>Handles broadcasts and multicasts based on the
+          <para>Handles broadcasts based on the
+          <replaceable>disposition</replaceable>. The default
+          <replaceable>disposition</replaceable> is DROP.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Multicast[(<replaceable>disposition</replaceable>)]</term>
+
+        <listitem>
+          <para>Handles multicasts based on the
           <replaceable>disposition</replaceable>. The default
           <replaceable>disposition</replaceable> is DROP.</para>
         </listitem>
@@ -340,6 +350,30 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>
+
+    <para>The recommended settings for the 6 policy actions for IPv4 are:
+    </para>
+
+    <programlisting>        ACCEPT_DEFAULT=none
+        BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+        DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+        NFQUEUE_DEFAULT=none
+        QUEUE_DEFAULT=none
+        REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+</programlisting>
+
+    <para>The recommended settings for IPv6 are:</para>
+
+    <programlisting>        ACCEPT_DEFAULT=none
+        BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+        DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+        NFQUEUE_DEFAULT=none
+        QUEUE_DEFAULT=none
+        REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+</programlisting>
+
+    <para>Note that in both cases, logging occurs based on the setting of
+    LOG_LEVEL in shorewall[6].conf.</para>
   </section>
 
   <section id="Defining">

docs/FAQ.xml

@@ -406,6 +406,14 @@ DNAT       net      loc:192.168.1.3:22  tcp      1022</programlisting>
         the net. Is it possible to only redirect 4104 to the localhost port 22
         and have connection attempts to port 22 from the net dropped?</title>
 
+        <important>
+          <para>On systems with the "Extended Conntrack Match"
+          (NEW_CONNTRACK_MATCH) capability (see the output of
+          <command>shorewall show capabilities</command>), port 22 is opened
+          only to connections whose original destination port is 4104 and this
+          FAQ does not apply.</para>
+        </important>
+
         <para><emphasis role="bold">Answer </emphasis>courtesy of Ryan: Assume
         that the IP address of your local firewall interface is 192.168.1.1.
         If you configure SSHD to only listen on that address and add the

docs/shorewall_logging.xml

@@ -266,7 +266,16 @@
       <para>You will need to change all instances of log levels (usually
       <quote>info</quote>) in your Shorewall configuration files to
       <quote>NFLOG</quote> - this includes entries in the policy, rules and
-      shorewall.conf files. Here's what I had at one time:</para>
+      shorewall.conf files. If you initially installed using Shorewall 5.1.2
+      or later, you can simply change the setting of LOG_LEVEL in
+      shorewall.conf.</para>
+
+      <para>Otherwise, you must search for all instances of log levels in your
+      configuration and change them accordingly. If you currently run
+      Shorewall 5.1.2 or later, then change them to $LOG_LEVEL and set
+      LOG_LEVEL accordingly. If you are running an earlier release, using a
+      shell variable simplifies future changes. Here's what I had at one
+      time:</para>
 
       <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
 params:LOG=NFOG
@@ -571,9 +580,9 @@ if $msg contains 'Shorewall' then {
   if ($syslogfacility == 0 and $syslogseverity &gt;= 6) then stop  # info
 }</programlisting>
 
-    <para> I log at 'notice' log level if I want the message in
+    <para>I log at 'notice' log level if I want the message in
     <filename>/var/log/messages</filename> and everything goes to
     <filename>/var/log/shorewall.log</filename>. Don't forget to add
-    /var/log/shorewall.log to logrotate. </para>
+    /var/log/shorewall.log to logrotate.</para>
   </section>
 </article>