Clear the firewall on Debian during systemd stop

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -365,12 +365,6 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
-# Install the CLI
-#
-install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
-#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -386,31 +380,6 @@ for f in lib.* ; do
     echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 
-if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
-fi
-
-#
-# Install the Man Pages
-#
-if [ -n "$MANDIR" ]; then
-    cd manpages
-
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
-
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-
-    cd ..
-
-    echo "Man Pages Installed"
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #

Shorewall-core/lib.base

@@ -20,22 +20,412 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library is a compatibility wrapper around lib.core.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #
 
-if [ -z "$PRODUCT" ]; then
+SHOREWALL_LIBVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} != /usr/share
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi
 
-    if [ -z "$SHOREWALL_LIBVERSION" ]; then
-	. ${g_basedir}/lib.core
+g_basedir=${SHAREDIR}/shorewall
+
+case $g_program in
+    shorewall)
+	g_product="Shorewall"
+	g_family=4
+	g_tool=iptables
+	g_lite=
+	;;
+    shorewall6)
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=
+	;;
+    shorewall-lite)
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=Yes
+	;;
+esac
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
     fi
 
-    set_default_product
+    l=$(( $last + 1 ))
 
-    setup_product_environment
-fi
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}

Shorewall-core/lib.cli

@@ -25,18 +25,22 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50004
 
-if [ -z "$g_basedir" ]; then
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} <> /usr/share
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
 fi
 
-. ${g_basedir}/lib.core
+. ${SHAREDIR}/shorewall/lib.base
 
 #
 # Issue an error message and die
@@ -78,6 +82,29 @@ showchain() # $1 = name of chain
     fi
 }
 
+#
+# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
+#
+
+iptablesbug()
+{
+    if [ $g_family -eq 4 ]; then
+	if qt mywhich awk ; then
+	    awk 'BEGIN           { sline=""; };\
+             /^-[jg]/            { print sline $0; next };\
+             /-m policy.*-[jg] / { print $0; next };\
+             /-m policy/         { sline=$0; next };\
+             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
+                                 { print ; sline="" }'
+        else
+	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
+	    cat
+	fi
+    else
+	cat
+    fi
+}
+
 #
 # Validate the value of RESTOREFILE
 #
@@ -368,13 +395,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
 
-	    printf '\a'
+	    $g_ring_bell
 
 	    packet_log 40
 
 	    if [ "$pause" = "Yes" ]; then
 		echo
-		printf 'Enter any character to continue: '
+		echo $g_echo_n 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -984,6 +1011,13 @@ show_raw() {
     $g_tool -t raw -L $g_ipt_options | $output_filter
 }
 
+show_rawpost() {
+    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+}
+
 show_mangle() {
     echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
     echo
@@ -1127,47 +1161,10 @@ show_macros() {
     done
 }
 
-show_an_action() {
-    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
-    cat ${directory}/action.$1
-}
-
 show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
 }
-#
-# Don't dump empty SPD entries
-#
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
-}
-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
-show_ipsec() {
-    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
-    heading "PFKEY SAD"
-    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
-}
-
-show_ipsec_command() {
-    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
-    show_ipsec
-}
 
 #
 # Show Command Executor
@@ -1189,10 +1186,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 5 ]; then
-		printf "  $macro\t${foo#\#}\n"
+	    if [ ${#macro} -gt 10 ]; then
+		echo "   $macro  ${foo#\#}"
 	    else
-		printf "  $macro\t\t${foo#\#}\n"
+		$g_echo_e "   $macro  \t${foo#\#}"
 	    fi
 	fi
     }
@@ -1239,7 +1236,7 @@ show_command() {
 			    [ $# -eq 1 ] && missing_option_value -t
 
 			    case $2 in
-				mangle|nat|filter|raw)
+				mangle|nat|filter|raw|rawpost)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -1293,6 +1290,10 @@ show_command() {
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_rawpost $g_pager
+	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
@@ -1360,14 +1361,14 @@ show_command() {
 		echo "LIBEXEC=${LIBEXECDIR}"
 		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is /var/lib/$PRODUCT"
+		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is ${LIBEXECDIR}"
 		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
 	chain)
@@ -1430,37 +1431,18 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
-	ipsec)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_ipsec_command $g_pager
-	    ;;
 	*)
-	    case "$PRODUCT" in
+	    case "$g_program" in
 		*-lite)
 		    ;;
 	    	*)
 		    case $1 in
-			action)
-			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
-			    [ $# -gt 2 ] && too_many_arguments $2
-
-			    for directory in $(split $CONFIG_PATH); do
-				if [ -f ${directory}/action.$2 ]; then
-				    eval show_an_action $2 $g_pager
-				    return
-				fi
-			    done
-
-			    echo "   WARNING: Action $2 not found" >&2
-			    return
-			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
-			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -1601,6 +1583,19 @@ show_status() {
 
 }
 
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+
 #
 # Dump Command Executor
 #
@@ -1696,6 +1691,11 @@ do_dump_command() {
 	$g_tool -t raw -L $g_ipt_options
     fi
 
+    if qt $g_tool -t rawpost -L -n; then
+	heading "Rawpost Table"
+	$g_tool -t rawpost -L $g_ipt_options
+    fi
+
     local count
     local max
 
@@ -1746,7 +1746,10 @@ do_dump_command() {
     heading "Events"
     show_events
 
-    show_ipsec
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 
     heading "/proc"
     show_proc /proc/version
@@ -1946,6 +1949,15 @@ read_yesno_with_timeout() {
     fi
 }
 
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2746,6 +2758,7 @@ determine_capabilities() {
     CONNMARK_MATCH=
     XCONNMARK_MATCH=
     RAW_TABLE=
+    RAWPOST_TABLE=
     IPP2P_MATCH=
     OLD_IPP2P_MATCH=
     LENGTH_MATCH=
@@ -2801,8 +2814,6 @@ determine_capabilities() {
     IFACE_MATCH=
     TCPMSS_TARGET=
     WAIT_OPTION=
-    CPU_FANOUT=
-    NETMAP_TARGET=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2837,10 +2848,8 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
-		qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
 	    else
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
-		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -3000,6 +3009,7 @@ determine_capabilities() {
     fi
 
     qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
+    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
 
     if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -F $chain
@@ -3101,12 +3111,7 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
     fi
-
-    if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
-	NFQUEUE_TARGET=Yes
-	qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
-    fi
-
+    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
 
     #
@@ -3225,6 +3230,7 @@ report_capabilities_unsorted() {
     report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
     [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
     report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
+    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
     report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
     [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
     report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3303,8 +3309,6 @@ report_capabilities_unsorted() {
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
     report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
-    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
-    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3354,6 +3358,7 @@ report_capabilities_unsorted1() {
     report_capability1 CONNMARK_MATCH
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
+    report_capability1 RAWPOST_TABLE
     report_capability1 IPP2P_MATCH
     report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
@@ -3409,8 +3414,6 @@ report_capabilities_unsorted1() {
     report_capability1 IFACE_MATCH
     report_capability1 TCPMSS_TARGET
     report_capability1 WAIT_OPTION
-    report_capability1 CPU_FANOUT
-    report_capability1 NETMAP_TARGET
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3882,7 +3885,7 @@ get_config() {
 
     ensure_config_path
 
-    config=$(find_file ${PRODUCT}.conf)
+    config=$(find_file ${g_program}.conf)
 
     if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -4288,7 +4291,6 @@ usage() # $1 = exit status
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     ecko "   [ show | list | ls ] actions"
-    ecko "   [ show | list | ls ] action <action>"
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4304,9 +4306,8 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
     fi
 
-    echo "   [ show | list | ls ] ipsec"
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
     ecko "   [ show | list | ls ] macro <macro>"
     ecko "   [ show | list | ls ] macros"
     echo "   [ show | list | ls ] nfacct"
@@ -4335,7 +4336,7 @@ usage() # $1 = exit status
 #
 # This is the main entry point into the CLI. It directly handles all commands supported
 # by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones
+# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
 # here if that lib is loaded below.
 #
 shorewall_cli() {
@@ -4383,18 +4384,13 @@ shorewall_cli() {
 
     VERBOSE=
     VERBOSITY=1
-    #
-    # Set the default product based on the Shorewall packages installed
-    #
-    set_default_product
+
+    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
 
     finished=0
 
     while [ $finished -eq 0 ]; do
-	if [ $# -eq 0 ]; then
-	    setup_product_environment 1
-	    usage 1
-	fi
+	[ $# -eq 0 ] && usage 1
 	option=$1
 	case $option in
 	    -)
@@ -4483,30 +4479,7 @@ shorewall_cli() {
 			    g_nopager=Yes
 			    option=${option#p}
 			    ;;
-			6*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall6
-			    elif [ "$PRODUCT" = shorewall-lite ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#6}
-			    ;;
-			4*)
-			    if [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall
-			    elif [ "$PRODUCT" = shorewall6-lite ]; then
-				PRODUCT=shorewall-lite
-			    fi
-			    option=${option#4}
-			    ;;
-			l*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall-lite
-			    elif [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#l}
-			    ;;
+
 			-)
 			    finished=1
 			    option=
@@ -4524,16 +4497,16 @@ shorewall_cli() {
 	esac
     done
 
-    setup_product_environment 1
-
-   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
+    if [ $# -eq 0 ]; then
+	usage 1
+    fi
 
     PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
     MUTEX_TIMEOUT=
 
     [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
 
-    [ -n "${VARDIR:=/var/lib/$PRODUCT}" ]
+    [ -n "${VARDIR:=/var/lib/$g_program}" ]
 
     g_firewall=${VARDIR}/firewall
 
@@ -4548,6 +4521,26 @@ shorewall_cli() {
 
     banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
 
+    case $(echo -e) in
+	-e*)
+	    g_ring_bell="echo \a"
+	    g_echo_e="echo"
+	    ;;
+	*)
+	    g_ring_bell="echo -e \a"
+	    g_echo_e="echo -e"
+	    ;;
+    esac
+
+    case $(echo -n "Testing") in
+	-n*)
+	    g_echo_n=
+	    ;;
+	*)
+	    g_echo_n=-n
+	    ;;
+    esac
+
     COMMAND=$1
 
     case "$COMMAND" in

Shorewall-core/lib.core

@@ -1,440 +0,0 @@
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
-#
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
-#
-
-SHOREWALL_LIBVERSION=50100
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
-    g_basedir=${SHAREDIR}/shorewall
-
-    g_sharedir="$SHAREDIR"/$PRODUCT
-    g_confdir="$CONFDIR"/$PRODUCT
-
-    case $PRODUCT in
-	shorewall)
-	    g_product="Shorewall"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=
-	    ;;
-	shorewall6)
-	    g_product="Shorewall6"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=
-	    ;;
-	shorewall-lite)
-	    g_product="Shorewall Lite"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=Yes
-	    ;;
-	shorewall6-lite)
-	    g_product="Shorewall6 Lite"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=Yes
-	    ;;
-	*)
-	    fatal_error "Unknown PRODUCT ($PRODUCT)"
-	    ;;
-    esac
-
-    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
-    #
-    # We need to do this again, now that we have the correct product
-    #
-    [ -n "$1" ] && . ${g_basedir}/shorewallrc
-
-    if [ -z "${VARLIB}" ]; then
-	VARLIB=${VARDIR}
-	VARDIR=${VARLIB}/${PRODUCT}
-    elif [ -z "${VARDIR}" ]; then
-	VARDIR="${VARLIB}/${PRODUCT}"
-    fi
-}
-
-set_default_product() {
-    case $(basename $0) in
-	shorewall6)
-	    PRODUCT=shorewall6
-	    ;;
-	shorewall4)
-	    PRODUCT=shorewall
-	    ;;
-	shorewall-lite)
-	    PRODUCT=shorewall-lite
-	    ;;
-	shorewall6-lite)
-	    PRODUCT=shorewall6-lite
-	    ;;
-	*)
-	    if [ -f ${g_basedir}/version ]; then
-		PRODUCT=shorewall
-	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-		PRODUCT=shorewall-lite
-	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
-		PRODUCT=shorewall6-lite
-	    else
-		fatal_error "No Shorewall firewall product is installed"
-	    fi
-	    ;;
-    esac
-}
-
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}

Shorewall-core/uninstall.sh

@@ -81,6 +81,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall-init/ifupdown.debian.sh

@@ -31,10 +31,8 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
     fi
 }
@@ -130,7 +128,7 @@ for PRODUCT in $PRODUCTS; do
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
     fi
 done
 

Shorewall-init/ifupdown.fedora.sh

@@ -33,11 +33,9 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	fi
     fi
 }

Shorewall-init/ifupdown.suse.sh

@@ -31,10 +31,8 @@ setstatedir() {
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
     if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
     fi
 }

Shorewall-init/init.debian.sh

@@ -73,10 +73,8 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
     else
 	return 0
     fi
@@ -104,7 +102,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
@@ -125,7 +123,7 @@ shorewall_start () {
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 
-      printf "Restoring ipsets: "
+      echo -n "Restoring ipsets: "
 
       if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +140,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.fedora.sh

@@ -44,10 +44,8 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
     else
 	return 0
     fi
@@ -64,7 +62,7 @@ start () {
 	return 6 #Not configured
     fi
 
-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +97,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
 
     for PRODUCT in $PRODUCTS; do
 	setstatedir

Shorewall-init/init.openwrt.sh

@@ -75,10 +75,8 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
     else
 	return 0
     fi
@@ -89,7 +87,7 @@ start () {
     local PRODUCT
   local STATEDIR
 
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +112,7 @@ stop () {
     local PRODUCT
     local STATEDIR
 
-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.sh

@@ -81,7 +81,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/init.suse.sh

@@ -79,10 +79,8 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
     else
 	return 0
     fi
@@ -93,7 +91,7 @@ shorewall_start () {
   local PRODUCT
   local STATEDIR
 
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +112,7 @@ shorewall_stop () {
   local PRODUCT
   local STATEDIR
 
-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/install.sh

@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
     #
     if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
-	file=./shorewallrc
+	file=~/.shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./.shorewallrc
      else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
     fi

Shorewall-init/shorewall-init

@@ -33,10 +33,8 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
     else
 	return 0
     fi
@@ -64,7 +62,7 @@ shorewall_start () {
     local PRODUCT
     local STATEDIR
 
-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +90,7 @@ shorewall_stop () {
     local PRODUCT
     local STATEDIR
 
-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then

Shorewall-init/uninstall.sh

@@ -126,6 +126,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall-lite/Makefile

@@ -0,0 +1,18 @@
+# Shorewall Lite Makefile to restart if firewall script is newer than last restart
+VARDIR=$(shell /sbin/shorewall-lite show vardir)
+SHAREDIR=/usr/share/shorewall-lite
+RESTOREFILE?=.restore
+
+all: $(VARDIR)/$(RESTOREFILE)
+
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+	@/sbin/shorewall-lite -q save >/dev/null; \
+	if \
+	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
+	then \
+	    /sbin/shorewall-lite -q save >/dev/null; \
+	else \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
+	fi
+
+# EOF

Shorewall-lite/init.debian.sh

@@ -13,7 +13,7 @@
 
 . /lib/lsb/init-functions
 
-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
@@ -85,7 +85,7 @@ fi
 
 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      printf "Stopping \"Shorewall Lite firewall\": "
+      echo -n "Stopping \"Shorewall Lite firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      printf "Clearing all \"Shorewall Lite firewall\" rules: "
+      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -104,14 +104,14 @@ shorewall_stop () {
 
 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall-lite/init.fedora.sh

@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
 
-prog="shorewall -l"
+prog="shorewall-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then

Shorewall-lite/init.openwrt.sh

@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"
 
 start() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }
 
 boot() {
@@ -78,17 +78,17 @@ boot() {
 }
 
 restart() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }
 
 reload() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }
 
 stop() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }
 
 status() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }

Shorewall-lite/install.sh

@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"
 
-if [ -f shorewall-lite.service ]; then
+if [ -f shorewall-lite ]; then
     PRODUCT=shorewall-lite
     Product="Shorewall Lite"
 else
@@ -331,6 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
     fi
 
+    make_directory ${DESTDIR}${SBINDIR} 755
     make_directory ${DESTDIR}${INITDIR} 755
 
 else
@@ -361,9 +362,9 @@ else
 fi
 
 #
-# Check for ${SHAREDIR}/$PRODUCT/version
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
     first_install=""
 else
     first_install="Yes"
@@ -371,15 +372,17 @@ fi
 
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 
+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -430,6 +433,15 @@ elif [ $HOST = gentoo ]; then
     # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
     perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
+
+#
+# Install the  Makefile
+#
+install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
+
 #
 # Install the default config path file
 #
@@ -486,7 +498,7 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
     cd manpages
 
-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
 
     for f in *.5; do
 	gzip -c $f > $f.gz
@@ -494,8 +506,6 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
-    mkdir -p ${DESTDIR}${MANDIR}/man8/
-
     for f in *.8; do
 	gzip -c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
@@ -530,11 +540,6 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
 
-#
-#  Creatae the symbolic link for the CLI
-#
-ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
-
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
@@ -550,6 +555,7 @@ fi
 
 if [ ${SHAREDIR} != /usr/share ]; then
     eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi
 
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then

Shorewall-lite/shorecap

@@ -45,20 +45,19 @@
 #    require Shorewall to be installed.
 
 
-PRODUCT=shorewall-lite
+g_program=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
 
 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
-. ${SHAREDIR}/shorewall-lite/configpath
+. /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 

Shorewall-lite/shorewall-lite

@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@

Shorewall-lite/shorewall-lite.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall-lite/uninstall.sh

@@ -125,6 +125,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
     else

Shorewall/Actions/action.BLACKLIST

@@ -1,50 +0,0 @@
-#
-# Shorewall - /usr/share/shorewall/action.BLACKLIST
-#
-# This action:
-#
-#   - Adds the sender to the dynamic blacklist ipset
-#   - Optionally acts on the packet (default is DROP)
-#
-# Parameters:
-#
-# 1 - Action to take after adding the packet. Default is DROP.
-#     Pass -- if you don't want to take any action.
-# 2 - Timeout for ipset entry. Default is the timeout specified in
-#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
-#
-###############################################################################
-# Note -- This action is defined with the 'section' option, so the first
-#         parameter is always the section name. That means that in the
-#         following text, the first parameter passed in the rule is actually
-#         @2.
-###############################################################################
-?if $1 eq 'BLACKLIST'
-   ?if $BLACKLIST_LOGLEVEL
-       blacklog
-   ?else
-       $BLACKLIST_DISPOSITION
-   ?endif
-?else
-   ?if ! "$SW_DBL_IPSET"
-   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
-   ?endif
-
-   DEFAULTS -,DROP,-
-   #
-   # Add to the blacklist
-   #
-   ?if passed(@3)
-       ADD($SW_DBL_IPSET:src:@3)
-   ?elsif $SW_DBL_TIMEOUT
-       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
-   ?else
-       ADD($SW_DBL_IPSET:src)
-   ?endif
-   #
-   # Dispose of the packet if asked
-   #
-   ?if passed(@2)
-      @2
-   ?endif
-?endif

Shorewall/Actions/action.DropDNSrep

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.DropDNSrep
-#
-# This macro silently drops DNS UDP replies that are in the New state
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DEFAULTS DROP
-@1	-	-	udp	-	53 { comment="Late DNS Replies" }

Shorewall/Actions/action.Limit

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Limit
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Limit(<recent-set>,<num-connections>,<timeout>)
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.Multicast

@@ -1,50 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Multicast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Multicast[([<action>|-[,{audit|-}])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
-?else
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
-
-log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
-
-1;
-
-?end perl;
-?endif

Shorewall/Actions/action.allowBcast

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowBcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowBcast[([audit])]
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.allowMcast

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowMcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowMcast[([audit])]
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.allowUPnP

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowUPnP
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowUPnP[([audit])]
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.dropBcast

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcast[([audit])]
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.dropMcast

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropMcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropMcast[([audit])]
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.dropNotSyn

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropNotSyn
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropNotSyn[([audit])]
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.forwardUPnP

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.forwardUPnP
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# forwardUPnP
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Actions/action.rejNotSyn

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.rejNotSyn
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# rejNotSyn[([audit])]
-#
-# This is a built-in action.
-#
-###############################################################################

Shorewall/Macros/macro.BLACKLIST

@@ -0,0 +1,13 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.blacklist
+#
+# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?if $BLACKLIST_LOGLEVEL
+blacklog
+?else
+$BLACKLIST_DISPOSITION
+?endif

Shorewall/Macros/macro.Drop

@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Drop
+#
+# This macro generates the same rules as the Drop default action
+# It is used in place of action.Drop when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Drop	net	all
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' DROP
+#
+DROP	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+DROP	-	-	udp	135,445
+DROP	-	-	udp	137:139
+DROP	-	-	udp	1024:	137
+DROP	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53

Shorewall/Macros/macro.DropDNSrep

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
+#
+# This macro silently drops DNS UDP replies
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?COMMENT Late DNS Replies
+
+DEFAULT DROP
+PARAM	-	-	udp	-	53

Shorewall/Macros/macro.Reject

@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Reject
+#
+# This macro generates the same rules as the Reject default action
+# It is used in place of action.Reject when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Reject	loc	fw
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' REJECT
+#
+REJECT	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+REJECT	-	-	udp	135,445
+REJECT	-	-	udp	137:139
+REJECT	-	-	udp	1024:	137
+REJECT	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53

Shorewall/Makefile

@@ -0,0 +1,23 @@
+#
+# Shorewall -- /etc/shorewall/Makefile
+#
+# Reload Shorewall if config files are updated.
+
+SWBIN	?= /sbin/shorewall -q
+CONFDIR	?= /etc/shorewall
+SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
+
+.PHONY: clean
+
+$(SWSTATE): $(CONFDIR)/*
+	@$(SWBIN) save >/dev/null; \
+	RESULT=$$($(SWBIN) reload 2>&1); \
+	if [ $$? -eq 0 ]; then \
+	    $(SWBIN) save >/dev/null; \
+	else \
+	    echo "$${RESULT}" >&2; \
+	    false; \
+	fi
+
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~

Shorewall/Perl/Shorewall/Chains.pm

@@ -120,6 +120,7 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
+		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -196,6 +197,7 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
+				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -416,6 +418,7 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
+our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -756,11 +759,13 @@ sub initialize( $$$ ) {
     ( $family, my $hard, $export ) = @_;
 
     %chain_table = ( raw    =>  {},
+		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );
 
     $raw_table     = $chain_table{raw};
+    $rawpost_table = $chain_table{rawpost};
     $nat_table     = $chain_table{nat};
     $mangle_table  = $chain_table{mangle};
     $filter_table  = $chain_table{filter};
@@ -2721,6 +2726,24 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
+
+	if ( $config{CHAIN_SCRIPTS} ) {
+	    unless ( $chain eq 'accounting' ) {
+		my $file = find_file $chain;
+
+		if ( -f $file ) {
+		    progress_message "Running $file...";
+
+		    my ( $level, $tag ) = ( '', '' );
+
+		    unless ( my $return = eval `cat $file` ) {
+			fatal_error "Couldn't parse $file: $@" if $@;
+			fatal_error "Couldn't do $file: $!"    unless defined $return;
+			fatal_error "Couldn't run $file"       unless $return;
+		    }
+		}
+	    }
+	}
     }
 
     $chainref;
@@ -2759,6 +2782,14 @@ sub ensure_raw_chain($) {
     $chainref;
 }
 
+sub ensure_rawpost_chain($) {
+    my $chain = $_[0];
+
+    my $chainref = ensure_chain 'rawpost', $chain;
+    $chainref->{referenced} = 1;
+    $chainref;
+}
+
 #
 # Add a builtin chain
 #
@@ -2957,6 +2988,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
+	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
+
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3019,6 +3052,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
+	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
+
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3322,7 +3357,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw mangle nat filter/ ) {
+    for my $table ( qw/raw rawpost mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;
 
@@ -3572,7 +3607,7 @@ sub optimize_level4( $$ ) {
     if ( my $chains  = @chains ) {
 	$passes++;
 
-	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
 
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -4241,6 +4276,7 @@ sub valid_tables() {
     my @table_list;
 
     push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
+    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
     push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
     push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
     push @table_list, 'filter'; #MUST BE LAST!!!
@@ -7590,7 +7626,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule1( $$$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
     my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7607,6 +7643,8 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
        ) = @_;
 
+    return if $chainref->{complete};
+
     my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
        ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
     my  $chain = $actparams{chain} || $chainref->{name};
@@ -7841,78 +7879,6 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
     $diface;
 }
 
-sub expand_rule( $$$$$$$$$$$$;$$$ )
-{
-    my ($chainref ,    # Chain
-	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
-	$prerule,      # Matches that go at the front of the rule
-	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
-	$source,       # SOURCE
-	$dest,         # DEST
-	$origdest,     # ORIGINAL DEST
-	$target,       # Target ('-j' part of the rule - may be empty)
-	$loglevel ,    # Log level (and tag)
-	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
-	$exceptionrule,# Caller's matches used in exclusion case
-	$usergenerated,# Rule came from the IP[6]TABLES target
-	$logname,      # Name of chain to name in log messages
-	$device,       # TC Device Name
-	$classid,      # TC Class Id
-       ) = @_;
-
-    return if $chainref->{complete};
-
-    my ( @source, @dest );
-
-    $source = '' unless defined $source;
-    $dest   = '' unless defined $dest;
-
-    if ( $source =~ /\(.+\)/ ) {
-	@source = split_list3( $source, 'SOURCE' );
-    } else {
-	@source = ( $source );
-    }
-
-    if ( $dest =~ /\(.+\)/ ) {
-	@dest = split_list3( $dest, 'DEST' );
-    } else {
-	@dest = ( $dest );
-    }
-
-    for $source ( @source ) {
-	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
-	    $source = join( ':', $1, $2 );
-	} elsif ( $source =~ /^\((.+)\)$/ ) {
-	    $source = $1;
-	}
-
-	for $dest ( @dest ) {
-	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
-		$dest = join( ':', $1, $2 );
-	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
-		$dest = $1;
-	    }
-
-	    if ( ( my $result = expand_rule1( $chainref ,
-					      $restriction ,
-					      $prerule ,
-					      $rule ,
-					      $source ,
-					      $dest ,
-					      $origdest ,
-					      $target ,
-					      $loglevel ,
-					      $disposition ,
-					      $exceptionrule ,
-					      $usergenerated ,
-					      $logname ,
-		   ) ) && $device ) {
-		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
-	    }
-	}
-    }
-}
-
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
@@ -8921,7 +8887,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
 
 	    $chains{$table} = {} unless $chains{$table};
 
@@ -8950,7 +8916,7 @@ sub create_chainlist_reload($) {
 
 	enter_cat_mode;
 
-	for $table ( qw(raw nat mangle filter) ) {
+	for $table ( qw(raw rawpost nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 
 	    next unless $tableref;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -701,7 +701,7 @@ sub compiler {
     #
     # Allow user to load Perl modules
     #
-    run_user_exit 'compile';
+    run_user_exit1 'compile';
     #
     # Create a temp file to hold the script
     #

Shorewall/Perl/Shorewall/Config.pm

@@ -130,7 +130,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
-				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
@@ -155,6 +154,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
+				       run_user_exit1
+				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -389,6 +390,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
+		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -411,8 +413,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                  TCPMSS_TARGET   => 'TCPMSS Target',
                  WAIT_OPTION     => 'iptables --wait option',
-                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
-                 NETMAP_TARGET   => 'NETMAP Target',
 
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -643,7 +643,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
-		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -748,8 +747,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.1-RC1",
-		    CAPVERSION              => 50100 ,
+		    VERSION                 => "5.0.9-Beta2",
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -792,7 +791,6 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
-	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -817,7 +815,6 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
-	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -893,6 +890,7 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
+	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -906,7 +904,6 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
-	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -983,6 +980,7 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
+	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1038,8 +1036,6 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
-	       CPU_FANOUT => undef,
-	       NETMAP_TARGET => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2713,13 +2709,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$$ ) {
-    my ( $first, $val, $rest, $just_expand ) = @_;
+sub join_parts( $$$ ) {
+    my ( $first, $val, $rest ) = @_;
 
     $val = '' unless defined $val;
-    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
-					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
+			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
     join( '', $first, $val, $rest );
 }
 
@@ -2772,7 +2768,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
 
-	$expression = join_parts( $first, $val, $rest, $just_expand );
+	$expression = join_parts( $first, $val, $rest );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
     }
 
@@ -2783,7 +2779,7 @@ sub evaluate_expression( $$$$ ) {
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest , $just_expand );
+	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
     }
@@ -2855,7 +2851,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -3043,12 +3039,6 @@ sub process_compiler_directive( $$$$ ) {
 			      $linenumber ) unless $omitting;
 	  } ,
 
-	  REQUIRE => sub() {
-	      fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-	      fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
-	      require_capability( $expression, "The $actparams{action} action", 's' );
-	  } ,
-
 	);
 
     if ( my $function = $directives{$keyword} ) {
@@ -3677,6 +3667,7 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
+	    $val = $config{$var};
 	}
 
 	$val = '' unless defined $val;
@@ -3762,7 +3753,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -4328,22 +4319,6 @@ sub Masquerade_Tgt() {
     $result;
 }
 
-sub Netmap_Target() {
-    have_capability( 'NAT_ENABLED' ) || return '';
-
-    my $result = '';
-    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
-
-    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
-	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
-	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
-	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
-
-    }
-
-    $result;
-}
-
 sub Udpliteredirect() {
     have_capability( 'NAT_ENABLED' ) || return '';
 
@@ -4542,6 +4517,10 @@ sub Raw_Table() {
     qt1( "$iptables $iptablesw -t raw -L -n" );
 }
 
+sub Rawpost_Table() {
+    qt1( "$iptables $iptablesw -t rawpost -L -n" );
+}
+
 sub Old_IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
@@ -4869,10 +4848,6 @@ sub Tcpmss_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }
 
-sub Cpu_Fanout() {
-    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
-}
-
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AMANDA_HELPER => \&Amanda_Helper,
@@ -4889,7 +4864,6 @@ our %detect_capability =
       CONNMARK => \&Connmark,
       CONNMARK_MATCH => \&Connmark_Match,
       CONNTRACK_MATCH => \&Conntrack_Match,
-      CPU_FANOUT => \&Cpu_Fanout,
       CT_TARGET => \&Ct_Target,
       DSCP_MATCH => \&Dscp_Match,
       DSCP_TARGET => \&Dscp_Target,
@@ -4933,7 +4907,6 @@ our %detect_capability =
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
-      NETMAP_TARGET => \&Netmap_Target,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
       NFACCT_MATCH => \&NFAcct_Match,
       NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4949,6 +4922,7 @@ our %detect_capability =
       POLICY_MATCH => \&Policy_Match,
       PPTP_HELPER => \&PPTP_Helper,
       RAW_TABLE => \&Raw_Table,
+      RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
@@ -5076,6 +5050,7 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
+	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5116,8 +5091,6 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
-	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5288,24 +5261,9 @@ sub update_config_file( $ ) {
     }
 
     update_default( 'USE_DEFAULT_RT', 'No' );
-
-    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
-	update_default( 'BALANCE_PROVIDERS', 'No' );
-    } else {
-	update_default( 'BALANCE_PROVIDERS', 'Yes' );
-    }
-
-    update_default( 'EXPORTMODULES',     'No' );
-    update_default( 'RESTART',           'reload' );
-    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',          '' );
-
-    if ( $family == F_IPV4 ) {
-	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
-    } else {
-	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
-    }	
+    update_default( 'EXPORTMODULES',  'No' );
+    update_default( 'RESTART',        'reload' );
+    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
 
     my $fn;
 
@@ -6254,6 +6212,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'AUTOCOMMENT'                , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
+    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';
 
     if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6308,7 +6267,6 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
-    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6325,8 +6283,6 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
 
-    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
-
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6367,9 +6323,6 @@ sub get_configuration( $$$$ ) {
 
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
-	    $variables{SW_DBL_IPSET}   = $set;
-	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
-
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6377,8 +6330,6 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
-    add_variables( %variables );
-
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
     default_yes_no 'COMPLETE'                   , '';
@@ -6476,12 +6427,6 @@ sub get_configuration( $$$$ ) {
     default_log_level 'INVALID_LOG_LEVEL',    '';
     default_log_level 'UNTRACKED_LOG_LEVEL',  '';
 
-    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
-	validate_level( $val );
-    } else {
-	$config{LOG_LEVEL} = 'info';
-    }
-
     if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -6650,16 +6595,13 @@ sub get_configuration( $$$$ ) {
     }
 
     default 'RESTOREFILE'           , 'restore';
-
-    default 'DROP_DEFAULT'          , 'none';
-
-    default 'REJECT_DEFAULT'        , 'none';
-    default 'BLACKLIST_DEFAULT'     , 'none';
+    default 'DROP_DEFAULT'          , 'Drop';
+    default 'REJECT_DEFAULT'        , 'Reject';
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
 
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
@@ -6787,7 +6729,32 @@ sub append_file( $;$$ ) {
     $result;
 }
 
+#
+# Run a Perl extension script
+#
 sub run_user_exit( $ ) {
+    my $chainref = $_[0];
+    my $file = find_file $chainref->{name};
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+
+	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
+
+	unless (my $return = eval $command ) {
+	    fatal_error "Couldn't parse $file: $@" if $@;
+
+	    unless ( defined $return ) {
+		fatal_error "Couldn't do $file: $!" if $!;
+		fatal_error "Couldn't do $file";
+	    }
+
+	    fatal_error "$file returned a false value";
+	}
+    }
+}
+
+sub run_user_exit1( $ ) {
     my $file = find_file $_[0];
 
     if ( -f $file ) {
@@ -6819,6 +6786,37 @@ sub run_user_exit( $ ) {
     }
 }
 
+sub run_user_exit2( $$ ) {
+    my ($file, $chainref) = ( find_file $_[0], $_[1] );
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+	#
+	# File may be empty -- in which case eval would fail
+	#
+	push_open $file;
+
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
+	    close_file;
+	    pop_open;
+
+	    unless (my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+
+		unless ( defined $return ) {
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
+		}
+
+		fatal_error "$file returned a false value";
+	    }
+	}
+
+	pop_open;
+
+    }
+}
+
 #
 # Generate the aux config file for Shorewall Lite
 #
@@ -6845,7 +6843,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -1028,7 +1028,7 @@ sub add_common_rules ( $ ) {
 	    );
     }
 	    
-    run_user_exit 'initdone';
+    run_user_exit1 'initdone';
 
     if ( $upgrade ) {
 	convert_blacklist;
@@ -1454,6 +1454,8 @@ sub setup_mac_lists( $ ) {
 		}
 	    }
 
+	    run_user_exit2( 'maclog', $chainref );
+
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1679,6 +1681,12 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 
+	if ( have_capability 'RAWPOST_TABLE' ) {
+	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
+	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
+	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
+	}
+
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
     }
     #

Shorewall/Perl/Shorewall/Nat.pm

@@ -790,39 +790,88 @@ sub setup_netmap() {
 
 		my @rule = do_iproto( $proto, $dport, $sport );
 
-		my @rulein;
-		my @ruleout;
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;
 
-		$net1 = validate_net $net1, 0;
-		$net2 = validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;
 
-		if ( $interfaceref->{root} ) {
-		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		} else {
-		    @rulein  = imatch_source_dev( $interface );
-		    @ruleout = imatch_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
+			$interface = $interfaceref->{name};
+		    }
 
-		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
 
-		if ( $type eq 'DNAT' ) {
-		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-				      j => 'NETMAP' ,
-				      "--to $net2",
-				      $net1 ,
-				      @rulein  ,
-				      imatch_source_net( $net3 ) );
-		} elsif ( $type eq 'SNAT' ) {
-		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-				       j => 'NETMAP' ,
-				       "--to $net2" ,
-				       $net1 ,
-				       @ruleout ,
-				       imatch_dest_net( $net3 ) );
+		    if ( $type eq 'DNAT' ) {
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
+		    } elsif ( $type eq 'SNAT' ) {
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
+		    } else {
+			fatal_error "Invalid type ($type)";
+		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    $net2 = validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface );
+			$interface = $interfaceref->{name};
+		    }
+
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid type ($type)";
+		    fatal_error "Invalid TYPE ($type)";
 		}
 
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";

Shorewall/Perl/Shorewall/Providers.pm

@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
     my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 
     if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
     } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
     }
 
     unless ( $options eq '-' ) {
@@ -603,37 +603,19 @@ sub process_a_provider( $ ) {
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
 
-    unless ( $pseudo ) {
-	if ( $local ) {
-	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	    fatal_error "'track' not valid with 'local'"           if $track;
-	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
-	} elsif ( $tproxy ) {
-	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	    fatal_error "'track' not valid with 'tproxy'"          if $track;
-	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	    $mark = $globals{TPROXY_MARK};
-	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
-	    if ( $config{USE_DEFAULT_RT} ) {
-		if ( $rf ) {
-		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
-		} else {
-		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
-		}
-	    } else {
-		unless ( $balance ) {
-		    if ( $rf ) {
-			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
-		    } else {
-			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
-		    }
-		}
-	    }
-	}
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	fatal_error "'persistent' is not valid with 'local"    if $persistent;
+    } elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'tproxy'"          if $track;
+	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	$mark = $globals{TPROXY_MARK};
     }
 
     my $val = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION ,        'ALL',
 
 our @policy_chains;
 
-our %policy_actions;
+our %default_actions;
 
 our %macros;
 
@@ -233,7 +233,6 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
-	       SECTION_OPT          => 2048 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -247,7 +246,6 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
-		 section     => SECTION_OPT ,
     );
 
 our %reject_options;
@@ -311,14 +309,11 @@ sub initialize( $ ) {
     # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
     # in the %config hash when shorewall[6].conf was processed.
     #
-    %policy_actions  = ( DROP	    => [] ,
-			 REJECT    => [] ,
-			 BLACKLIST => [] ,
-			 ACCEPT    => [] ,
-			 QUEUE	   => [] ,
-			 NFQUEUE   => [] ,
-			 CONTINUE  => [] ,
-			 NONE      => [] ,
+    %default_actions  = ( DROP     => 'none' ,
+		 	  REJECT   => 'none' ,
+			  ACCEPT   => 'none' ,
+			  QUEUE    => 'none' ,
+			  NFQUEUE  => 'none' ,
 			);
     #
     # These are set to 1 as sections are encountered.
@@ -363,7 +358,7 @@ sub initialize( $ ) {
     @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
 
     if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -375,7 +370,7 @@ sub initialize( $ ) {
 	                  );
 			    
     } else {
-	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -432,7 +427,6 @@ sub convert_to_policy_chain($$$$$$)
     $chainref->{audit}       = $audit;
     $chainref->{policychain} = $chainref->{name};
     $chainref->{policypair}  = [ $source, $dest ];
-    $chainref->{pactions}    = [];
 }
 
 #
@@ -482,7 +476,7 @@ sub set_policy_chain($$$$$$)
 		$chainref->{synchain}    = $polchainref->{synchain};
 	    }
 
-	    $chainref->{pactions}    = $polchainref->{pactions} || [];
+	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
 	    $chainref->{is_policy}   = 1;
 	    push @policy_chains, $chainref;
 	} else {
@@ -531,12 +525,12 @@ sub normalize_action( $$$ );
 sub normalize_action_name( $ );
 sub normalize_single_action( $ );
 
-sub process_policy_action( $$$$ ) {
-    my ( $originalpolicy, $policy, $paction, $level ) = @_;
+sub process_default_action( $$$$ ) {
+    my ( $originalpolicy, $policy, $default, $level ) = @_;
 
-    if ( supplied $paction ) {
-	my $paction_option = ( $policy =~ /_DEFAULT$/ );
-	my ( $act, $param ) = get_target_param( $paction );
+    if ( supplied $default ) {
+	my $default_option = ( $policy =~ /_DEFAULT$/ );
+	my ( $def, $param ) = get_target_param( $default );
 
 	if ( supplied $level ) {
 	    validate_level( $level );
@@ -544,49 +538,35 @@ sub process_policy_action( $$$$ ) {
 	    $level = 'none';
 	}
 
-	if ( ( $targets{$act} || 0 ) & ACTION ) {
-	    $paction = supplied $param  ? normalize_action( $act, $level, $param  ) :
-		       $level eq 'none' ? normalize_action_name $act :
-		       normalize_action( $act, $level, '' );
-	} elsif ( ( $targets{$act} || 0 ) == INLINE ) {
-	    $paction = $act;
-	    $paction = "$act($param)" if supplied $param;
-	    $paction = join( ':', $paction, $level ) if $level ne 'none';
-	} elsif ( $paction_option ) {
-	    fatal_error "Unknown Action ($paction) in $policy setting";
-	} else {
-	    fatal_error "Unknown Policy Action ($paction)";
-	}
-
-    } else {
-	$paction = $policy_actions{$policy};
-    }
-
-    $paction;
-}
-
-sub process_policy_actions( $$$ ) {
-    my ( $originalpolicy, $policy, $pactions ) = @_;
-
-    if ( supplied $pactions ) {
-	my @pactions;
-
-	if ( lc $pactions ne 'none' ) {
-	    @pactions = @{$policy_actions{$policy}} if $pactions =~ s/^\+//;
-
-	    for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
-		my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
-
-		fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
-
-		push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
+	if ( "\L$default" eq 'none' ) {
+	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
+		if ( $default_option ) {
+		    fatal_error "Invalid setting ($originalpolicy) for $policy";
+		} else {
+		    fatal_error "Invalid policy ($originalpolicy)";
+		}
 	    }
+
+	    $default = 'none';
+	} elsif ( ( $targets{$def} || 0 ) == ACTION ) {
+	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
+		       $level eq 'none' ? normalize_action_name $def :
+		       normalize_action( $def, $level, '' );
+	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
+	    $default = $def;
+	    $default = "$def($param)" if supplied $param;
+	    $default = join( ':', $default, $level ) if $level ne 'none';
+	} elsif ( $default_option ) {
+	    fatal_error "Unknown Action ($default) in $policy setting";
+	} else {
+	    fatal_error "Unknown Default Action ($default)";
 	}
 
-	\@pactions;
     } else {
-	$policy_actions{$policy};
+	$default = $default_actions{$policy} || 'none';
     }
+
+    $default;
 }
 
 #
@@ -594,7 +574,7 @@ sub process_policy_actions( $$$ ) {
 #
 sub handle_nfqueue( $$ ) {
     my ($params, $allow_bypass ) = @_;
-    my ( $action, $bypass, $fanout );
+    my ( $action, $bypass );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
     require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
@@ -620,7 +600,6 @@ sub handle_nfqueue( $$ ) {
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
 
 	    if ( supplied $queue2 ) {
-		$fanout    = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
 		$queuenum2 = numeric_value( $queue2 );
 
 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -642,8 +621,7 @@ sub handle_nfqueue( $$ ) {
     }
 
     if ( supplied $queue2 ) {
-	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
     } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
     }
@@ -674,10 +652,12 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
+    fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
+
     ( $policy , my $queue ) = get_target_param $policy;
 
     fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
@@ -686,7 +666,7 @@ sub process_a_policy1($$$$$$$) {
 	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
     }
 
-    my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
+    $default = process_default_action( $originalpolicy, $policy, $default, $level );
 
     if ( defined $queue ) {
 	$policy = handle_nfqueue( $queue,
@@ -697,8 +677,6 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
-    } elsif ( $policy eq 'BLACKLIST' ) {
-	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
     }
 
     unless ( $clientwild || $serverwild ) {
@@ -743,29 +721,31 @@ sub process_a_policy1($$$$$$$) {
 	$chainref->{synchain}  = $chain
     }
 
-    $chainref->{pactions} = $pactionref;
-    $chainref->{origin}   = shortlineinfo('');
+    assert( $default );
+    my $chainref1 = $usedactions{$default};
+    $chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
+
+    $chainref->{origin} = shortlineinfo('');
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
-
     } else {
 	print_policy $client, $server, $originalpolicy, $chain;
     }
@@ -777,11 +757,7 @@ sub process_a_policy() {
     our @zonelist;
 
     my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
-	split_line2( 'policy file',
-		     { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, rate => 4, connlimit => 5 } ,
-		     {} , # nopad
-		     6  , # maxcolumns
-		    );
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
 
     $loglevel  = '' if $loglevel  eq '-';
     $synparams = '' if $synparams eq '-';
@@ -838,35 +814,33 @@ sub process_policies()
     our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
-			  DROP	 => undef,
+			  DROP   => undef,
 			  CONTINUE => undef,
-			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
 
-    our %map = ( DROP_DEFAULT      => 'DROP' ,
-		 REJECT_DEFAULT    => 'REJECT' ,
-		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
-		 ACCEPT_DEFAULT    => 'ACCEPT' ,
-		 QUEUE_DEFAULT     => 'QUEUE' ,
-		 NFQUEUE_DEFAULT   => 'NFQUEUE' );
+    our %map = ( DROP_DEFAULT    => 'DROP' ,
+		 REJECT_DEFAULT  => 'REJECT' ,
+		 ACCEPT_DEFAULT  => 'ACCEPT' ,
+		 QUEUE_DEFAULT   => 'QUEUE' ,
+		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 
     my $zone;
     my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
-	my $actions = $config{$option};
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+	my $action = $config{$option};
 
-	if ( $actions eq 'none' ) {
-	    $actions = [];
-	} else {
-	    $actions = process_policy_actions( $actions, $option, $actions );
+	unless ( $action eq 'none' ) {
+	    my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
+	    fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
+	    $action = process_default_action( $action, $option, $default, $level );
 	}
 
-	$policy_actions{$map{$option}} = $actions;
+	$default_actions{$map{$option}} = $action;
     }
 
     for $zone ( all_zones ) {
@@ -926,23 +900,19 @@ sub process_policies()
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 
 sub add_policy_rules( $$$$$ ) {
-    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
+    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	my @pactions;
-
-	@pactions = @$pactions;
-
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 
-	for my $paction ( @pactions ) {
-	    my ( $action ) = split ':', $paction;
+	if ( $default && $default ne 'none' ) {
+	    my ( $action ) = split ':', $default;
 
-	    if ( ( $targets{$action} || 0 ) & ACTION ) {
+	    if ( ( $targets{$action} || 0 ) == ACTION ) {
 		#
 		# Default action is a regular action -- jump to the action chain
 		#
-		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+		add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} );
 	    } else {
 		#
 		# Default action is an inline 
@@ -954,7 +924,7 @@ sub add_policy_rules( $$$$$ ) {
 				'',           #Matches
 				'',           #Matches1
 				$loglevel,    #Log Level and Tag
-				$paction,     #Target
+				$default,     #Target
 				$param || '', #Param
 				'-',          #Source
 				'-',          #Dest
@@ -978,20 +948,7 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
-	if ( $target eq 'BLACKLIST' ) {
-	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
-
-	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
-		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
-	    } else {
-		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
-	    }
-
-	    $target = 'DROP';
-	} else {
-	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
-	}
-
+	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
     }
 }
@@ -1007,26 +964,27 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
     my $chainref   = $_[0];
     my $policyref  = $filter_table->{$chainref->{policychain}};
     my $synparams  = $policyref->{synparams};
-    my $defaults   = $policyref->{pactions};
+    my $default    = $policyref->{default};
     my $policy     = $policyref->{policy};
     my $loglevel   = $policyref->{loglevel};
 
     assert( $policyref );
 
     if ( $chainref eq $policyref ) {
-	add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
+	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
     } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
+		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
+		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
+	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -1049,7 +1007,7 @@ sub complete_policy_chains() {
 	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
-	    my $defaults    = $chainref->{pactions};
+	    my $default     = $chainref->{default};
 	    my $name        = $chainref->{name};
 	    my $synparms    = $chainref->{synparms};
 
@@ -1061,7 +1019,7 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( @$defaults         ||
+		    ensure_rules_chain $name if ( $default ne 'none' ||
 						  $loglevel          ||
 						  $synparms          ||
 						  $config{MULTICAST} ||
@@ -1072,7 +1030,8 @@ sub complete_policy_chains() {
 	    }
 
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
-		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
+		run_user_exit $chainref;
+		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
     }
@@ -1082,6 +1041,7 @@ sub complete_policy_chains() {
 	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
 
 	    if ( $chainref->{referenced} ) {
+		run_user_exit $chainref;
 		complete_policy_chain $chainref, $zone, $zone1;
 	    }
 	}
@@ -1100,19 +1060,23 @@ sub complete_policy_chains() {
 sub complete_standard_chain ( $$$$ ) {
     my ( $stdchainref, $zone, $zone2, $default ) = @_;
 
+    run_user_exit $stdchainref;
+
     my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
-    my ( $policy, $loglevel ) = ( $default , 6 );
-    my $policy_actions = $policy_actions{$policy};
+    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 
     $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
 
     if ( $policychainref ) {
-	( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
+	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
 	$stdchainref->{origin} = $policychainref->{origin};
+    } elsif ( $defaultaction !~ /:/ ) {
+	$defaultaction = normalize_single_action( $defaultaction );
     }
 
-    add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
+
+    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 
 #
@@ -1355,18 +1319,8 @@ sub normalize_action( $$$ ) {
     # Note: SNAT actions store the current interface's name in the tag
     #
     $tag   = ''     unless defined $tag;
-
-    if ( defined( $param ) ) {
-	#
-	# Normalize the parameters by removing trailing omitted
-	# parameters
-	#
-	1 while $param =~ s/,-$//;
-
-	$param = '' if $param eq '-';
-    } else {
-	$param = '';
-    }
+    $param = ''     unless defined $param;
+    $param = ''     if $param eq '-';
 
     join( ':', $action, $level, $tag, $caller, $param );
 }
@@ -1468,6 +1422,27 @@ sub createlogactionchain( $$$$$$ ) {
 
     $chainref->{action} = $normalized;
 
+    if ( $config{CHAIN_SCRIPTS} ) {
+	unless ( $targets{$action} & BUILTIN ) {
+
+	    set_optflags( $chainref, DONT_OPTIMIZE );
+
+	    my $file = find_file $chain;
+
+	    if ( -f $file ) {
+		progress_message "Running $file...";
+
+		my @params = split /,/, $param;
+
+		unless ( my $return = eval `cat $file` ) {
+		    fatal_error "Couldn't parse $file: $@" if $@;
+		    fatal_error "Couldn't do $file: $!"    unless defined $return;
+		    fatal_error "Couldn't run $file";
+		}
+	    }
+	}
+    }
+
     $chainref;
 }
 
@@ -1483,6 +1458,27 @@ sub createsimpleactionchain( $$ ) {
 
     $chainref->{action} = $normalized;
 
+    if ( $config{CHAIN_SCRIPTS} ) {
+	unless ( $targets{$action} & BUILTIN ) {
+
+	    set_optflags( $chainref, DONT_OPTIMIZE );
+
+	    my $file = find_file $action;
+
+	    if ( -f $file ) {
+		progress_message "Running $file...";
+
+		my ( $level, $tag ) = ( '', '' );
+
+		unless ( my $return = eval `cat $file` ) {
+		    fatal_error "Couldn't parse $file: $@" if $@;
+		    fatal_error "Couldn't do $file: $!"    unless defined $return;
+		    fatal_error "Couldn't run $file";
+		}
+	    }
+	}
+    }
+
     $chainref;
 }
 
@@ -1740,22 +1736,16 @@ sub dropBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
     }
-}
-
-sub dropMcast( $$$$ ) {
-    my ($chainref, $level, $tag, $audit) = @_;
-
-    my $target = require_audit ( 'DROP', $audit );
 
     if ( $family == F_IPV4 ) {
-	log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
+	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
     } else {
-	log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
-    
+
 sub allowBcast( $$$$ ) {
     my ($chainref, $level, $tag, $audit) = @_;
 
@@ -1781,18 +1771,12 @@ sub allowBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
     }
-}
-
-sub allowMcast( $$$$ ) {
-    my ($chainref, $level, $tag, $audit) = @_;
-
-    my $target = require_audit( 'ACCEPT', $audit );
 
     if ( $family == F_IPV4 ) {
-	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
     } else {
-	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
@@ -1882,9 +1866,7 @@ sub Limit( $$$$ ) {
 }
 
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
-		   'dropMcast'      => \&dropMcast,
 		   'allowBcast'     => \&allowBcast,
-		   'allowMcast'     => \&allowMcast,
 		   'dropNotSyn'     => \&dropNotSyn,
 		   'rejNotSyn'      => \&rejNotSyn,
 		   'allowinUPnP'    => \&allowinUPnP,
@@ -1894,7 +1876,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
 
@@ -2001,10 +1983,10 @@ sub process_action(\$\$$) {
 		}
 	    }
 	} elsif ( $type & MANGLE_TABLE ) {
-	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
+	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
 
 	    if ( $family == F_IPV4 ) {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 		    split_line2( 'mangle file',
 				 { mark => 0,
 				   action => 0,
@@ -2023,14 +2005,13 @@ sub process_action(\$\$$) {
 				   scp => 13,
 				   state => 14,
 				   time => 15,
-				   switch => 16,
 				 },
 				 {},
-				 17,
+				 16,
 				 1 );
 		$headers = '-';
 	    } else {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 		    split_line2( 'action file',
 				 { mark => 0,
 				   action => 0,
@@ -2050,10 +2031,9 @@ sub process_action(\$\$$) {
 				   dscp => 14,
 				   state => 15,
 				   time => 16,
-				   switch => 17,
 				 },
 				 {},
-				 18,
+				 17,
 				 1 );
 	    }
 
@@ -2082,8 +2062,7 @@ sub process_action(\$\$$) {
 				      $probability ,
 				      $dscp ,
 				      $state,
-				      $time,
-				      $conditional );
+				      $time );
 		set_inline_matches( $matches );
 	    }
 	} else {
@@ -2114,17 +2093,17 @@ sub process_action(\$\$$) {
 
 	    for my $proto (split_list( $protos, 'Protocol' ) ) {
 		process_snat1( $chainref,
-			       $action,
-			       $source,
-			       $dest,
-			       $proto,
-			       $port,
-			       $ipsec,
-			       $mark,
-			       $user,
-			       $condition,
-			       $origdest,
-			       $probability,
+				   $action,
+				   $source,
+				   $dest,
+				   $proto,
+				   $port,
+				   $ipsec,
+				   $mark,
+				   $user,
+				   $condition,
+				   $origdest,
+				   $probability,
 		    );
 	    }
 	}
@@ -2137,12 +2116,6 @@ sub process_action(\$\$$) {
 
     pop_open;
 
-    unless ( @{$chainref->{rules}} ) {
-	my $file = find_file( $action );
-
-	fatal_error "File action.${action} is empty and file $action exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes" if -f $file;
-    }
-
     #
     # Pop the action parameters
     #
@@ -2769,7 +2742,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Determine the validity of the action
     #
-    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
+    $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
 
     if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -2778,9 +2751,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
     $usergenerated = $actiontype & IPTABLES;
-    #
-    # For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
-    #
 
     if ( $actiontype == MACRO ) {
 	#
@@ -3177,10 +3147,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
-	#
-	# Handle 'section' option
-	#
-	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#
@@ -3814,8 +3780,22 @@ sub build_zone_list( $$$\$\$ ) {
 #
 # Process a Record in the rules file
 #
-sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) = @_;
+sub process_raw_rule ( ) {
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
+	= split_line2( 'rules file',
+		       \%rulecolumns,
+		       $rule_commands,
+		       undef, #Columns
+		       1 );   #Allow inline matches
+
+
+    fatal_error 'ACTION must be specified' if $target eq '-';
+    #
+    # Section Names are optional so once we get to an actual rule, we need to be sure that
+    # we close off any missing sections.
+    #
+    next_section if $section != $next_section;
+
     if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
 	progress_message "Rule \"$currentline\" ignored.";
 	return 1;
@@ -3881,48 +3861,6 @@ sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
     progress_message qq(   Rule "$thisline" $done);
 }
 
-sub process_raw_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
-	= split_line2( 'rules file',
-		       \%rulecolumns,
-		       $rule_commands,
-		       undef, #Columns
-		       1 );   #Allow inline matches
-
-
-    fatal_error 'ACTION must be specified' if $target eq '-';
-    #
-    # Section Names are optional so once we get to an actual rule, we need to be sure that
-    # we close off any missing sections.
-    #
-    next_section if $section != $next_section;
-
-    my ( @source, @dest );
-
-    if ( $source =~ /:\(.+\)/ ) {
-	@source = split_list3( $source, 'SOURCE' );
-    } else {
-	@source = ( $source );
-    }
-
-    if ( $dest =~ /:\(.+\)/ ) {
-	@dest = split_list3( $dest, 'DEST' );
-    } else {
-	@dest = ( $dest );
-    }
-
-    for $source ( @source ) {
-	$source = join(':', $1, $2 ) if $source =~ /^(.+?):\((.+)\)$/;
-
-	for $dest ( @dest ) {
-	    $dest = join( ':', $1, $2 ) if $dest =~  /^(.+?):\((.+)\)$/;
-
-	    process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
-	}
-    }
-}
-
-
 sub intrazone_allowed( $$ ) {
     my ( $zone, $zoneref ) = @_;
 
@@ -4027,8 +3965,8 @@ sub process_rules() {
     $section = $next_section = DEFAULTACTION_SECTION;
 }
 
-sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ) = @_;
+sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
 
     my $oldparms   = push_action_params( $inline,
 					 $chainref,
@@ -4047,9 +3985,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
     my $save_comment = push_comment;
 
     while ( read_a_line( NORMAL_READ ) ) {
-	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime, $mconditional );
+	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime );
 	if ( $family == F_IPV4 ) {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4068,14 +4006,13 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 			       scp => 13,
 			       state => 14,
 			       time => 15,
-			       switch => 16,
 			     },
 			     {},
-			     17,
+			     16,
 			     1 );
 	    $headers = $mheaders = '-';
 	} else {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4095,10 +4032,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 			       dscp => 14,
 			       state => 15,
 			       time => 16,
-			       switch => 17,
 			     },
 			     {},
-			     18,
+			     17,
 			     1 );
 	}
 
@@ -4131,9 +4067,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 				  merge_macro_column( $mprobability ,   $probability ),
 				  merge_macro_column( $mdscp ,          $dscp ),
 				  merge_macro_column( $mstate,          $state ),
-				  merge_macro_column( $mtime,           $time ),
-				  merge_macro_column( $mconditional,    $conditional ),
-		);
+				  merge_macro_column( $mtime,           $time ) );
 	}
 
 	progress_message "   Rule \"$currentline\" $done";
@@ -4160,8 +4094,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 # appended to that chain. The chain with be the action's chain unless the action
 # is inlined, in which case it will be the chain which invoked the action.
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
-    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $condition) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time) = @_;
 
     my %designators = (
 	P => PREROUTING,
@@ -4271,7 +4205,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
-			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
 			     $source ,
@@ -4867,8 +4800,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 				   $probability ,
 				   $dscp ,
 				   $state,
-				   $time,
-				   $condition );
+				   $time );
 	    $done = 1;
 	}
     };
@@ -5005,36 +4937,37 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 
 	$restriction |= $chainref->{restriction};
 
-	expand_rule( $chainref ,
-		     $restriction,
-		     $prerule,
-		     do_proto( $proto, $ports, $sports) . $matches .
-		     do_user( $user ) .
-		     do_test( $testval, $globals{TC_MASK} ) .
-		     do_length( $length ) .
-		     do_tos( $tos ) .
-		     do_connbytes( $connbytes ) .
-		     do_helper( $helper ) .
-		     do_headers( $headers ) .
-		     do_probability( $probability ) .
-		     do_dscp( $dscp ) .
-		     state_match( $state ) .
-		     do_time( $time ) .
-		     do_condition( $condition, $chainref->{name} ) .
-		     ( $ttl ? "-t $ttl " : '' ) .
-		     $raw_matches ,
-		     $source ,
-		     $dest ,
-		     '' ,
-		     $target,
-		     '' ,
-		     $target ,
-		     $exceptionrule ,
-		     $usergenerated ,
-		     '' , # Log Name
-		     $device ,
-		     $params
-	    );
+	if ( ( my $result = expand_rule( $chainref ,
+					 $restriction,
+					 $prerule,
+					 do_proto( $proto, $ports, $sports) . $matches .
+					 do_user( $user ) .
+					 do_test( $testval, $globals{TC_MASK} ) .
+					 do_length( $length ) .
+					 do_tos( $tos ) .
+					 do_connbytes( $connbytes ) .
+					 do_helper( $helper ) .
+					 do_headers( $headers ) .
+					 do_probability( $probability ) .
+					 do_dscp( $dscp ) .
+					 state_match( $state ) .
+					 do_time( $time ) .
+					 ( $ttl ? "-t $ttl " : '' ) .
+					 $raw_matches ,
+					 $source ,
+					 $dest ,
+					 '' ,
+					 $target,
+					 '' ,
+					 $target ,
+					 $exceptionrule ,
+					 $usergenerated ) )
+	     && $device ) {
+	    #
+	    # expand_rule() returns destination device if any
+	    #
+	    fatal_error "Class Id $params is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
+	}
     }
 
     progress_message "  Mangle Rule \"$currentline\" $done";
@@ -5262,9 +5195,9 @@ sub process_tc_rule( ) {
 
 sub process_mangle_rule( $ ) {
     my ( $chainref ) = @_;
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5283,14 +5216,13 @@ sub process_mangle_rule( $ ) {
 			   scp => 13,
 			   state => 14,
 			   time => 15,
-			   switch => 16,
 			 },
 			 {},
-			 17,
+			 16,
 	                 1 );
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5310,15 +5242,14 @@ sub process_mangle_rule( $ ) {
 			   dscp => 14,
 			   state => 15,
 			   time => 16,
-			   switch => 17,
 			 },
 			 {},
-			 18,
+			 17,
 	                 1 );
     }
 
     for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
+	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
     }
 }
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -42,7 +42,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( initialize );
+our @EXPORT_OK = qw( process_tc_rule initialize );
 our $VERSION = 'MODULEVERSION';
 
 our %flow_keys = ( 'src'            => 1,
@@ -2277,10 +2277,9 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );
 
-	if ( $family == F_IPV4 ) {
-	    print $mangle <<'EOF';
+	print $mangle <<'EOF';
 #
-# Shorewall -- /etc/shorewall/mangle
+# Shorewall version 4 - Mangle File
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2290,31 +2289,13 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
 EOF
-	} else {
-	    print $mangle <<'EOF';
-#
-# Shorewall6 -- /etc/shorewall6/mangle
-#
-# For information about entries in this file, type "man shorewall6-mangle"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-# For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
-#
-# See http://shorewall.net/PacketMarking.html for a detailed description of
-# the Netfilter/Shorewall packet marking mechanism.
-#
-######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
-EOF
-
-	}
-
-	return ( $mangle, $fn1 );
     }
+
+    return ( $mangle, $fn1 );
 }
 
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -1275,7 +1275,6 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
-		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {

Shorewall/Perl/getparams

@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
+g_readrc=1
 
-. $g_basedir/lib.cli
-
-setup_product_environment
+. $g_sharedir/lib.cli
 
 CONFIG_PATH="$2"
 

Shorewall/Perl/lib.runtime

@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
@@ -526,6 +526,13 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
     done
 
+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
     qt1 $g_tool -t nat    -F
     qt1 $g_tool -t nat    -X
 
@@ -575,6 +582,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;

Shorewall/Perl/prog.footer

@@ -130,8 +130,6 @@ g_docker=
 g_dockernetwork=
 g_forcereload=
 
-[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
-
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then

Shorewall/Samples/Universal/params

@@ -1,13 +0,0 @@
-#
-# Shorewall - Sample Params File for universal configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------------------------------------
-# For information on entries in this file, type "man shorewall-params"
-######################################################################################################################################################################################################

Shorewall/Samples/Universal/policy

@@ -7,6 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
 $FW	net	ACCEPT
-net	all	DROP		$LOG_LEVEL
+net	all	DROP

Shorewall/Samples/Universal/shorewall.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -33,8 +33,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
-
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -49,25 +47,25 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -77,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -109,12 +107,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+ACCEPT_DEFAULT="none"
+DROP_DEFAULT="Drop"
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -143,12 +140,12 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No
 
 CLEAR_TC=Yes
@@ -296,3 +293,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE

Shorewall/Samples/one-interface/params

@@ -1,13 +0,0 @@
-#
-# Shorewall - Sample Params File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------------------------------------
-# For information on entries in this file, type "man shorewall-params"
-######################################################################################################################################################################################################

Shorewall/Samples/one-interface/policy

@@ -11,8 +11,8 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
-$FW	net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+$FW		net		ACCEPT
+net		all		DROP		info
 # The FOLLOWING POLICY MUST BE LAST
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info

Shorewall/Samples/one-interface/shorewall.conf

@@ -44,8 +44,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
-
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -60,25 +58,25 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -88,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -120,12 +118,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+ACCEPT_DEFAULT="none"
+DROP_DEFAULT="Drop"
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -154,12 +151,12 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No
 
 CLEAR_TC=Yes
@@ -307,3 +304,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE

Shorewall/Samples/three-interfaces/params

@@ -1,13 +0,0 @@
-#
-# Shorewall - Sample Params File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------------------------------------
-# For information on entries in this file, type "man shorewall-params"
-######################################################################################################################################################################################################

Shorewall/Samples/three-interfaces/policy

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 
-loc	net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+loc		net		ACCEPT
+net		all		DROP		info
 # THE FOLLOWING POLICY MUST BE LAST
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -41,8 +41,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
-
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -57,25 +55,25 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -85,7 +83,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -117,12 +115,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+ACCEPT_DEFAULT="none"
+DROP_DEFAULT="Drop"
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -151,12 +148,12 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes
 
 CLEAR_TC=Yes
@@ -304,3 +301,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE

Shorewall/Samples/two-interfaces/params

@@ -1,13 +0,0 @@
-#
-# Shorewall - Sample Params File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------------------------------------
-# For information on entries in this file, type "man shorewall-params"
-######################################################################################################################################################################################################

Shorewall/Samples/two-interfaces/policy

@@ -11,10 +11,10 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 
-loc	net		ACCEPT
-net	all		DROP		$LOG_LEVEL
-# THE FOLOWING POLICY MUST BE LAST
-all	all		REJECT		$LOG_LEVEL
+loc		net		ACCEPT
+net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -44,8 +44,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
-
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -60,25 +58,25 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -88,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -120,12 +118,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+ACCEPT_DEFAULT="none"
+DROP_DEFAULT="Drop"
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -154,12 +151,12 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes
 
 CLEAR_TC=Yes
@@ -307,3 +304,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE

Shorewall/action.A_Drop

@@ -12,7 +12,6 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
-?require AUDIT_TARGET
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #

Shorewall/action.A_REJECT

@@ -22,9 +22,8 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
-?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/action.A_REJECT!

@@ -22,9 +22,8 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
-?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/action.Broadcast

@@ -30,6 +30,7 @@ DEFAULTS DROP,-
 
 ?if __ADDRTYPE
 @1	-	-	-	;; -m addrtype --dst-type BROADCAST
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 @1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
@@ -49,6 +50,9 @@ add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+
 1;
 
 ?end perl;

Shorewall/action.Drop

@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
-# The former default DROP common rules. Use of this action is now deprecated
+# The default DROP common rules
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
@@ -28,7 +28,6 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 
 ?if passed(@1)
     ?if @1 eq 'audit'
@@ -59,10 +58,9 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts or multicasts
+# Don't log broadcasts
 #
 Broadcast(DROP,@1)
-Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.

Shorewall/action.Reject

@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
-# The former default REJECT action common rules. Use of this action is deprecated.
+# The default REJECT action common rules
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
@@ -20,14 +20,13 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 
 ?if passed(@1)
     ?if @1 eq 'audit'
@@ -62,7 +61,6 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
-Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be

Shorewall/actions.std

@@ -9,47 +9,44 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcast			# Silently Allow Broadcast
-allowMcast			# Silently Allow Multicast
-dropBcast			# Silently Drop Broadcast
-dropMcast			# Silently Drop Multicast
-dropNotSyn			# Silently Drop Non-syn TCP packets
-rejNotSyn			# Silently Reject Non-syn TCP packets
-allowinUPnP			# Allow UPnP inbound (to firewall) traffic
-forwardUPnP			# Allow traffic that upnpd has redirected from 'upnp' interfaces.
-Limit				# Limit the rate of connections from each individual IP address
+A_ACCEPT                        # Audits then accepts a connection request
+A_DROP                          # Audits then drops a connection request
+allowBcast		        # Silently Allow Broadcast/multicast
+dropBcast		        # Silently Drop Broadcast/multicast
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
+forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit                           # Limit the rate of connections from each individual IP address
 ?endif
 ###############################################################################
 #ACTION
-A_Drop				# Audited Default Action for DROP policy
-A_REJECT     noinline,logjump	# Audits then rejects a connection request
-A_REJECT!    inline		# Audits then rejects a connection request
-A_Reject			# Audited Default action for REJECT policy
+A_Drop 		                # Audited Default Action for DROP policy
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
+A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
-AutoBLL	     noinline		# Helper for AutoBL
-BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-Broadcast    noinline,audit	# Handles Broadcast/Anycast
-DNSAmp				# Matches one-question recursive DNS queries
-Drop				# Default Action for DROP policy (deprecated)
+AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
+AutoBLL      noinline           # Helper for AutoBL
+Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
+DNSAmp                          # Matches one-question recursive DNS queries
+Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-DropDNSrep   inline		# Drops DNS replies
-DropSmurfs   noinline		# Drop smurf packets
+DropSmurfs   noinline           # Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED	#
+	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
-IfEvent	     noinline		# Perform an action based on an event
-Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
-	     state=INVALID	#
-Multicast    noinline,audit	# Handles Multicast
+IfEvent      noinline           # Perform an action based on an event
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID      #
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-Reject				# Default Action for REJECT policy (deprecated)
-Related	     inline,\		# Handles packets in the RELATED conntrack state
-	     state=RELATED	#
+NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
+Reject                          # Default Action for REJECT policy
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED      #
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit	# Handle packets with RST set
+RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags			# Handle bad flag combinations.
-Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED	#
+TCPFlags    			# Handle bad flag combinations.
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED    #

Shorewall/configfiles/mangle

@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP

Shorewall/configfiles/policy

@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT

Shorewall/configfiles/shorewall.conf

@@ -33,8 +33,6 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
-
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
@@ -49,25 +47,25 @@ LOGALLNEW=
 
 LOGFILE=/var/log/messages
 
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -110,11 +108,10 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+REJECT_DEFAULT=Reject
 
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -141,14 +138,14 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-AUTOMAKE=Yes
-
-BALANCE_PROVIDERS=No
+AUTOMAKE=No
 
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
+CHAIN_SCRIPTS=Yes
+
 CLAMPMSS=No
 
 CLEAR_TC=Yes
@@ -187,7 +184,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=Keep
+IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
@@ -213,7 +210,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=All
+OPTIMIZE=0
 
 OPTIMIZE_ACCOUNTING=No
 

Shorewall/init.debian.sh

@@ -89,7 +89,7 @@ wait_for_pppd () {
 
 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
   wait_for_pppd
   $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
@@ -98,10 +98,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   if [ "$SAFESTOP" = 1 ]; then
-      printf "Stopping \"Shorewall firewall\": "
+      echo -n "Stopping \"Shorewall firewall\": "
       $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
   else
-      printf "Clearing all \"Shorewall firewall\" rules: "
+      echo -n "Clearing all \"Shorewall firewall\" rules: "
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   fi
   return 0
@@ -109,21 +109,21 @@ shorewall_stop () {
 
 # reload the firewall
 shorewall_reload () {
-  printf "Reloading \"Shorewall firewall\": "
+  echo -n "Reloading \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
   $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }

Shorewall/init.fedora.sh

@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 
 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
     $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 
 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
 }
 
 reload() {
-    printf $"Reloading Shorewall: "
+    echo -n $"Reloading Shorewall: "
     $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
     $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
     retval=${PIPESTATUS[0]}
     if [[ $retval == 0 ]]; then