Add another restriction for SAVE_IPSETS=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done
 
 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
 

Shorewall-core/configure.pl

@@ -173,7 +173,12 @@ my $outfile;
 
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 
-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+if ( $ENV{SOURCE_DATE_EPOCH} ) {
+    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
+} else {
+    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+}
+
 print $outfile "# rc file: $rcfilename\n#\n";
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

Shorewall-core/lib.base

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50106
 
 if [ -z "$g_basedir" ]; then
     #
@@ -1137,16 +1137,31 @@ show_a_macro() {
     cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
+spd_filter() {
+    #
+    # af   = Address Family (4 or 6)
+    # afok = Address Family of entry matches af
+    # p    = print the contents of A (entry is not empty)
+    # i    = Number of lines stored in A
+    #
+    awk -v af=$g_family \
+	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
+\
+	 /^src / { if (p) prnt( A, i );\
+		   afok = 1;\
+		   p	= 0;\
+		   i	= 0;\
+		   if ( af == 4 )\
+		       { if ( /:/ )  afok = 0; }\
+		   else\
+		       { if ( /\./ ) afok = 0; }\
+		 };\
+		 { if ( afok ) A[i++] = $0; };\
+	 /tmpl/	 { p = afok; };\
+\
+	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1174,8 @@ heading() {
 
 show_ipsec() {
     heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
+
     heading "PFKEY SAD"
     $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -2770,7 +2786,7 @@ determine_capabilities() {
     GOTO_TARGET=
     LOGMARK_TARGET=
     IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
     ULOG_TARGET=
     NFLOG_TARGET=
     PERSISTENT_SNAT=
@@ -2803,6 +2819,8 @@ determine_capabilities() {
     WAIT_OPTION=
     CPU_FANOUT=
     NETMAP_TARGET=
+    NFLOG_SIZE=
+    RESTORE_WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2826,9 +2844,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
+    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
+
     if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
     fi
 
     chain=fooX$$
@@ -3134,12 +3154,15 @@ determine_capabilities() {
     qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
     qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
-    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
     qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
     qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
+    if qt $g_tool -A $chain -j NFLOG; then
+	NFLOG_TARGET=Yes
+	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
+    fi
 
     if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3295,9 +3318,11 @@ report_capabilities_unsorted() {
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3305,6 +3330,7 @@ report_capabilities_unsorted() {
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
+    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3411,6 +3437,8 @@ report_capabilities_unsorted1() {
     report_capability1 WAIT_OPTION
     report_capability1 CPU_FANOUT
     report_capability1 NETMAP_TARGET
+    report_capability1 NFLOG_SIZE
+    report_capability1 RESTORE_WAIT_OPTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3715,7 +3743,7 @@ ipcalc_command() {
 
     valid_address $address || fatal_error "Invalid IP address: $address"
     [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm
@@ -4264,12 +4292,17 @@ usage() # $1 = exit status
     echo "   reenable <interface>"
     ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+
+    if [ -n "$g_lite" ]; then
+	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    else
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
     fi
 
     echo "   reset [ <chain> ... ]"

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,53 +269,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
     local modulename
     modulename=$1
+    shift
+    local moduleoptions
+    moduleoptions=$*
     local modulefile
     local suffix
 
     if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		shift
-
-		for suffix in $MODULE_SUFFIX ; do
-		    for directory in $moduledirectories; do
-			modulefile=$directory/${modulename}.${suffix}
-
-			if [ -f $modulefile ]; then
-			    case $moduleloader in
-				insmod)
-				    insmod $modulefile $*
-				    ;;
-				*)
-				    modprobe $modulename $*
-				    ;;
-			    esac
-			    break 2
-			fi
-		    done
-		done
+		case $moduleloader in
+		    insmod)
+			for directory in $moduledirectories; do
+			    for modulefile in $directory/${modulename}.*; do
+				if [ -f $modulefile ]; then
+				    insmod $modulefile $moduleoptions
+				    return
+				fi
+			    done
+			done
+			;;
+		    *)
+			modprobe -q $modulename $moduleoptions
+			;;
+		esac
 	    fi
 	fi
     elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
+	case $moduleloader in
+	    insmod)
+		for directory in $moduledirectories; do
+		    for modulefile in $directory/${modulename}.*; do
+			if [ -f $modulefile ]; then
+			    insmod $modulefile $moduleoptions
+			    return
+			fi
+		    done
+		done
+		;;
+	    *)
+		modprobe -q $modulename $moduleoptions
+		;;
+	esac
     fi
 }
 
@@ -338,8 +333,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +387,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)

Shorewall-core/lib.core

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
 
-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108
 
 #
 # Fatal Error

Shorewall-core/lib.installer

@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/manpages/shorewall.xml

@@ -432,6 +432,33 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6][-lite]</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>reload</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option><arg><option>-d</option></arg></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><option>-C</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -1916,10 +1943,11 @@
 
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
-        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
-        [ <replaceable>system</replaceable> ]</term>
+        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
+        [-<option>r</option> <replaceable>root-user-name</replaceable>]
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>load</command> in
@@ -1955,6 +1983,9 @@
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
 
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">start</emphasis> command succeeds, then the
           remote Shorewall-lite configuration is saved by executing <emphasis
@@ -3142,6 +3173,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/</para>
+
+    <para>/etc/shorewall6/</para>
   </refsect1>
 
   <refsect1>
@@ -3151,13 +3184,17 @@
     url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
+    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
+    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
+    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
+    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
+    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
+    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall-core/shorewall

@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
+#
+# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
+# options
+#
 PRODUCT=shorewall
 
 #

Shorewall-init/init.debian.sh

@@ -159,8 +159,9 @@ shorewall_stop () {
 
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
       else
+	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
       fi
 

Shorewall-init/init.fedora.sh

@@ -66,6 +66,10 @@ start () {
 
     printf "Initializing \"Shorewall-based firewalls\": "
 
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
     for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
@@ -120,6 +124,15 @@ stop () {
     done
 
     if [ $retval -eq 0 ]; then
+	if [ -n "$SAVE_IPSETS" ]; then
+	    mkdir -p $(dirname "$SAVE_IPSETS")
+	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
+		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    else
+		rm -f "${SAVE_IPSETS}.tmp"
+	    fi
+	fi
+
 	rm -f $lockfile
 	success
     else

Shorewall-init/init.openwrt.sh

@@ -126,7 +126,9 @@ stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 }

Shorewall-init/init.sh

@@ -116,7 +116,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 

Shorewall-init/init.suse.sh

@@ -126,7 +126,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 }

Shorewall-init/shorewall-init

@@ -104,7 +104,9 @@ shorewall_stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 

Shorewall-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall-lite/shorewall-lite.service.debian

@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -13,6 +13,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -31,9 +32,10 @@ Auth(A_DROP)
 #
 A_AllowICMPs	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts and multicasts
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.

Shorewall/Actions/action.A_Reject.deprecated

@@ -11,6 +11,8 @@
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
@@ -25,10 +27,11 @@ COUNT
 #
 A_AllowICMPs	-	-	icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# Drop Broadcasts and multicasts so they don't clutter up the log
+# (these must *not* be rejected).
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be

Shorewall/Actions/action.AllowICMPs

@@ -0,0 +1,45 @@
+#
+# Shorewall -- /usr/share/shorewall/action.AllowICMPs
+#
+# This action ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS ACCEPT
+
+?if __IPV4
+    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+?else
+?COMMENT Needed ICMP types (RFC4890)
+
+    @1	-		-	ipv6-icmp	destination-unreachable
+    @1	-		-	ipv6-icmp	packet-too-big
+    @1	-		-	ipv6-icmp	time-exceeded
+    @1	-		-	ipv6-icmp	parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	router-solicitation
+    @1	-		-	ipv6-icmp	router-advertisement
+    @1	-		-	ipv6-icmp	neighbour-solicitation
+    @1	-		-	ipv6-icmp	neighbour-advertisement
+    @1	-		-	ipv6-icmp	137	# Redirect
+    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
+    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
+    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+?endif

Shorewall/Actions/action.Broadcast

@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|-[,{audit|-}])]
+# Broadcast[([<action>|[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,27 +29,37 @@
 DEFAULTS DROP,-
 
 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
+    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
-?begin perl;
+    ?begin perl;
 
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;
 
-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;
 
-add_commands $chainref, 'for address in $ALL_BCASTS; do';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
+    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
 
-1;
+    my $target             = require_audit ( $action , $audit );
 
-?end perl;
+    if ( $family == F_IPV4 ) {
+        add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } elsif ($family == F_IPV6 ) {
+        add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    1;
+
+    ?end perl;
 ?endif

Shorewall/Actions/action.FIN

@@ -0,0 +1,33 @@
+#
+# Shorewall -- /usr/share/shorewall/action.FIN
+#
+# FIN Action
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# FIN[([<action>])]
+#
+# Default action is ACCEPT
+#
+###############################################################################
+
+DEFAULTS ACCEPT,-
+
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH

Shorewall/Actions/action.GlusterFS

@@ -13,9 +13,9 @@
 DEFAULTS 2,0
 
 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
+    ?error Invalid value (@1) for the GlusterFS Bricks argument
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
+    ?error Invalid value (@2) for the GlusterFS IB argument
 ?endif
 
 #ACTION		SOURCE		DEST		PROTO	DPORT

Shorewall/Actions/action.IfEvent

@@ -107,6 +107,11 @@ if ( $command & $REAP_OPT ) {
 
 $duration .= '--rttl ' if $command & $TTL_OPT;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
+    $action = 'ACCEPT';
+}
+
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
 

Shorewall/Actions/action.Multicast

@@ -29,22 +29,28 @@
 DEFAULTS DROP,-
 
 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
-?begin perl;
+    ?begin perl;
 
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;
 
-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;
 
-log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';
 
-1;
+    my $target = require_audit ( $action , $audit );
+    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );
 
-?end perl;
+    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
+    add_jump $chainref, $target, 0, $dest;
+
+    1;
+
+    ?end perl;
 ?endif

Shorewall/Actions/action.ResetEvent

@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {

Shorewall/Actions/action.SetEvent

@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {

Shorewall/Actions/action.allowBcast

@@ -28,10 +28,10 @@ DEFAULTS -
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
+	?require AUDIT_TARGET
 	Broadcast(A_ACCEPT)
     ?else
-        ?error "Invalid argument (@1) to allowBcast"
+	?error "Invalid argument (@1) to allowBcast"
     ?endif
 ?else
     Broadcast(ACCEPT)

Shorewall/Actions/action.allowMcast

@@ -28,10 +28,10 @@ DEFAULTS -
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
+	?require AUDIT_TARGET
 	Multicast(A_ACCEPT)
     ?else
-        ?error "Invalid argument (@1) to allowMcast"
+	?error "Invalid argument (@1) to allowMcast"
     ?endif
 ?else
     Multicast(ACCEPT)

Shorewall/Actions/action.allowinUPnP

@@ -28,13 +28,13 @@ DEFAULTS -
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
+	?require AUDIT_TARGET
 	A_ACCEPT - - 17 1900
 	A_ACCEPT - -  6 49152
     ?else
-        ?error "Invalid argument (@1) to allowinUPnP"
+	?error "Invalid argument (@1) to allowinUPnP"
     ?endif
 ?else
     ACCEPT - - 17 1900
-    ACCEPT - -  6 49152
+    ACCEPT - -	6 49152
 ?endif

Shorewall/Actions/action.dropBcast

@@ -28,10 +28,10 @@ DEFAULTS -
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
+	?require AUDIT_TARGET
 	Broadcast(A_DROP)
     ?else
-        ?error "Invalid argument (@1) to dropBcast"
+	?error "Invalid argument (@1) to dropBcast"
     ?endif
 ?else
     Broadcast(DROP)

Shorewall/Actions/action.dropBcasts

@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcasts
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcasts[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropBcasts"
+    ?endif
+?else
+    Broadcast(DROP)
+?endif
+

Shorewall/Actions/action.dropMcast

@@ -28,10 +28,10 @@ DEFAULTS -
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
+	?require AUDIT_TARGET
 	Multicast(A_DROP)
     ?else
-        ?error "Invalid argument (@1) to dropMcast"
+	?error "Invalid argument (@1) to dropMcast"
     ?endif
 ?else
     Multicast(DROP)

Shorewall/Actions/action.dropNotSyn

@@ -28,11 +28,11 @@ DEFAULTS -
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	A_DROP ;; -p 6 ! --syn
+	?require AUDIT_TARGET
+	A_DROP {proto=6:!syn}
     ?else
-        ?error "Invalid argument (@1) to dropNotSyn"
+	?error "Invalid argument (@1) to dropNotSyn"
     ?endif
 ?else
-    DROP ;; -p 6 ! --syn
+    DROP {proto=6:!syn}
 ?endif

Shorewall/Actions/action.rejNotSyn

@@ -28,12 +28,12 @@ DEFAULTS -
 
 ?if passed(@1)
     ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	A_REJECT ;; -p 6 ! --syn
+	?require AUDIT_TARGET
+	A_REJECT {proto=6:!syn}
     ?else
-        ?error "Invalid argument (@1) to rejNotSyn"
+	?error "Invalid argument (@1) to rejNotSyn"
     ?endif
 ?else
-    REJECT(--reject-with tcp-reset) ;; -p 6 ! --syn
+    REJECT(tcp-reset) {proto=6:!syn}
 ?endif
 

Shorewall/Macros/macro.AllowICMPs

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
-#
-# This macro ACCEPTs needed ICMP types.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Needed ICMP types
-
-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded

Shorewall/Macros/macro.RDP

@@ -6,4 +6,5 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
+PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389

Shorewall/Makefile-lite

@@ -1,82 +0,0 @@
-#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-#	To make the 'firewall' script, type "make".
-#
-#	Once the script is compiling correctly, you can install it by
-#	typing "make install".
-#
-################################################################################
-#                             V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES =  firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-#                                T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
-	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
-	scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
-	shorewall compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
-	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
-	ssh root@$(HOST) "/sbin/shorewall-lite restart"
-#
-# Save running configuration
-#
-save:
-	ssh root@$(HOST) "/sbin/shorewall-lite save"
-#
-# Remove generated files
-#
-clean:
-	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/Accounting.pm

@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
     my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     if ( $source eq 'any' || $source eq 'all' ) {
         $source = ALLIP;
     } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
     }
 
     if ( have_bridges && ! $asection ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -32,6 +32,7 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
+use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -137,6 +138,12 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
+				       validate_port
+				       validate_portpair
+				       validate_portpair1
+				       validate_port_list
+				       expand_port_range
+
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -405,14 +412,14 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z12z2>
+#   Zone-pair chains for rules chain <z1-z2>
 #
-#      Syn Flood       - @<z12z2>
-#      Blacklist       - <z12z2>~
-#      Established     - ^<z12z2>
-#      Related         - +<z12z2>
-#      Invalid         - _<z12z2>
-#      Untracked       - &<z12z2>
+#      Syn Flood       - @<z1-z2>
+#      Blacklist       - <z1-z2>~
+#      Established     - ^<z1-z2>
+#      Related         - +<z1-z2>
+#      Invalid         - _<z1-z2>
+#      Untracked       - &<z1-z2>
 #
 our %chain_table;
 our $raw_table;
@@ -434,7 +441,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -509,6 +516,7 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
+our %port_variables;
 our $ipset_rules;
 
 #
@@ -784,6 +792,7 @@ sub initialize( $$$ ) {
     %interfaceacasts    = ();
     %interfacegateways  = ();
     %address_variables  = ();
+    %port_variables     = ();
 
     $global_variables   = 0;
     $idiotcount         = 0;
@@ -819,6 +828,211 @@ sub initialize( $$$ ) {
     #
 }
 
+sub record_runtime_port( $ ) {
+    my ( $variable ) = @_;
+
+    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
+	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
+	$port_variables{$1} = 1;
+    } else {
+	fatal_error( "Invalid port variable (%$variable)" );
+    }
+
+    "\$$variable";
+}
+
+################################################################################
+# Functions moved from IPAddrs.pm in 5.1.5				       #
+################################################################################
+
+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$value = numeric_value $port;
+
+	if ( defined $value ) {
+	    if ( $value && $value <= 65535 ) {
+		return $value;
+	    } else {
+		$value = undef;
+	    }
+	}
+    } elsif ( $port =~ /^%(.*)/ ) {
+	$value = record_runtime_port( $1 );
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+
+	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+	    fatal_error "Invalid port range ($_[1])" unless $ports[0] < $ports[1];
+	}
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $_[1] ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+
+	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	}
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
+################################################################################
+# End functions moved from IPAddrs.pm in 5.1.5				       #
+################################################################################
+
 #
 # Functions to manipulate cmdlevel
 #
@@ -1081,11 +1295,11 @@ sub format_option( $$ ) {
 
     assert( ! reftype $value );
 
-    my $rule = '';
+    my $rule;
 
     $value =~ s/\s*$//;
 
-    $rule .= join( ' ' , ' -m', $option, $value );
+    $rule = join( ' ' , ' -m', $option, $value );
 
     $rule;
 }
@@ -1131,8 +1345,6 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
-
-	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1191,13 +1403,15 @@ sub compatible( $$ ) {
     }
     #
     # Don't combine chains where each specifies
-    #    -m policy
+    #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
     # and the other specifies
     #    --dport or --sport or -m multiport
     #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
+    my ( $p1, $p2 );
+
+    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -1715,7 +1929,7 @@ sub delete_reference( $$ ) {
 
     assert( $toref );
 
-    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
+    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
 }
 
 #
@@ -1853,7 +2067,7 @@ sub adjust_reference_counts( $$$ ) {
     my ($toref, $name1, $name2) = @_;
 
     if ( $toref ) {
-	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
+	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
 	$toref->{references}{$name2}++;
     }
 }
@@ -3061,8 +3275,10 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
     }
 
@@ -3459,7 +3675,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -3686,6 +3902,15 @@ sub optimize_level8( $$$ ) {
 		    }
 
 		    $combined{ $chainref1->{name} } = $chainref->{name};
+		    #
+		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
+		    # the policy attributes in the combined chain
+		    #
+		    if ( $chainref->{policychain} ) {
+			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
+		    } elsif ( $chainref1->{policychain} ) {
+			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
+		    }
 		}
 	    }
 	}
@@ -4556,7 +4781,8 @@ sub do_proto( $$$;$ )
 
     if ( $proto ne '' ) {
 
-	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
+	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
@@ -4574,7 +4800,7 @@ sub do_proto( $$$;$ )
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
-		$output = "-p $proto --syn ";
+		$output = $notsyn ? "-p $proto ! --syn " : "-p $proto --syn ";
 	    }
 
 	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
@@ -4611,7 +4837,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -4818,7 +5044,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 
 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5757,6 +5983,7 @@ sub record_runtime_address( $$;$$ ) {
 
     if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
+	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
     }
@@ -6102,7 +6329,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? '' : "-d $net ";
 }
 
@@ -6183,7 +6410,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? () : ( d =>  $net );
 }
 
@@ -6842,6 +7069,8 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
     my ( $logical, $protect, $provider ) = @_;
 
+    $provider = '' unless defined $provider;
+
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
     my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -6855,9 +7084,9 @@ sub get_interface_gateway ( $;$$ ) {
     }
 
     if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
     } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
     }
 
@@ -7044,6 +7273,19 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
     }
+
+    for my $variable( keys %port_variables ) {
+	my $port = "\$$variable";
+	my $type = $port_variables{$variable};
+
+	emit( qq(if [ -z "$port" ]; then) ,
+	      qq(    $variable=255) ,
+	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
+	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
+	      qq(else) ,
+	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
+	      qq(fi\n) );
+    }
 }
 
 #
@@ -7293,6 +7535,11 @@ sub isolate_dest_interface( $$$$ ) {
 
 	    $rule .= "-d $variable ";
 	}
+    } elsif ( $dest =~ /^\$/ ) {
+	#
+	# Runtime address variable
+	#
+	$dnets  = $dest;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8216,6 +8463,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
 
@@ -8231,6 +8479,7 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8673,9 +8922,15 @@ sub create_netfilter_load( $ ) {
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
 
     emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
-	  '    option="--counters"',
-	  '',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
+
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
+    } else {
+	emit( '    option="--counters"' );
+    }
+
+    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8683,7 +8938,11 @@ sub create_netfilter_load( $ ) {
 
     push_indent;
 
-    emit 'option=';
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
+    } else {
+	emit 'option=';
+    }
 
     save_progress_message "Preparing $utility input...";
 
@@ -8732,6 +8991,10 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -8836,6 +9099,11 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9073,6 +9341,10 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9098,7 +9370,11 @@ sub create_stop_load( $ ) {
 
     enter_cmd_mode;
 
-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
+    } else {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    }
 
     emit( '',
 	  'progress_message2 "Running $command..."',

Shorewall/Perl/Shorewall/Compiler.pm

@@ -109,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -209,6 +209,8 @@ sub generate_script_2() {
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
     emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
     emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
+    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
+    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -266,7 +268,8 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
     }
 
@@ -689,6 +692,7 @@ sub compiler {
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
     #
+    #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
     get_configuration( $export , $update , $annotate , $inline );
@@ -793,13 +797,10 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
     }
 
-    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_script;
-    #
     # Validate the TC files so that the providers will know what interfaces have TC
     #
     my $tcinterfaces = process_tc;

Shorewall/Perl/Shorewall/Config.pm

@@ -36,11 +36,13 @@ use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
+use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
+use Errno qw(:POSIX);
 
 our @ISA = qw(Exporter);
 #
@@ -86,6 +88,9 @@ our @EXPORT = qw(
 		 kernel_version
 
                  compiletime
+				       
+		 F_IPV4
+		 F_IPV6
                 );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -196,9 +201,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
                                        PARMSMODIFIED
                                        USEDCALLER
-				       
-		                       F_IPV4
-		                       F_IPV6
 
 				       TCP
 				       UDP
@@ -315,7 +317,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -413,7 +415,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  WAIT_OPTION     => 'iptables --wait option',
                  CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                  NETMAP_TARGET   => 'NETMAP Target',
-
+                 NFLOG_SIZE      => '--nflog-size support',
+		 RESTORE_WAIT_OPTION
+				 => 'iptables-restore --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -488,53 +492,55 @@ our %helpers_aliases;
 our %helpers_enabled;
 
 our %config_files = ( #accounting      => 1,
-		      actions          => 1,
-		      blacklist        => 1,
-		      clear            => 1,
-		      conntrack        => 1,
-		      ecn              => 1,
-		      findgw           => 1,
-		      hosts            => 1,
-		      init             => 1,
-		      initdone         => 1,
+		      actions	       => 1,
+		      blacklist	       => 1,
+		      clear	       => 1,
+		      conntrack	       => 1,
+		      ecn	       => 1,
+		      findgw	       => 1,
+		      hosts	       => 1,
+		      init	       => 1,
+		      initdone	       => 1,
 		      interfaces       => 1,
-		      isusable         => 1,
-		      maclist          => 1,
-		      masq             => 1,
-		      nat              => 1,
-		      netmap           => 1,
-		      params           => 1,
-		      policy           => 1,
-		      providers        => 1,
-		      proxyarp         => 1,
-		      refresh          => 1,
-		      refreshed        => 1,
-		      restored         => 1,
-		      rawnat           => 1,
+		      isusable	       => 1,
+		      maclist	       => 1,
+		      mangle	       => 1,
+		      masq	       => 1,
+		      nat	       => 1,
+		      netmap	       => 1,
+		      params	       => 1,
+		      policy	       => 1,
+		      providers	       => 1,
+		      proxyarp	       => 1,
+		      refresh	       => 1,
+		      refreshed	       => 1,
+		      restored	       => 1,
+		      rawnat	       => 1,
 		      route_rules      => 1,
-		      routes           => 1,
+		      routes	       => 1,
 		      routestopped     => 1,
-		      rtrules          => 1,
-		      rules            => 1,
-		      scfilter         => 1,
-		      secmarks         => 1,
-		      start            => 1,
-		      started          => 1,
-		      stop             => 1,
-		      stopped          => 1,
+		      rtrules	       => 1,
+		      rules	       => 1,
+		      scfilter	       => 1,
+		      secmarks	       => 1,
+		      snat	       => 1,
+		      start	       => 1,
+		      started	       => 1,
+		      stop	       => 1,
+		      stopped	       => 1,
 		      stoppedrules     => 1,
-		      tcclasses        => 1,
-		      tcclear          => 1,
-		      tcdevices        => 1,
-		      tcfilters        => 1,
+		      tcclasses	       => 1,
+		      tcclear	       => 1,
+		      tcdevices	       => 1,
+		      tcfilters	       => 1,
 		      tcinterfaces     => 1,
-		      tcpri            => 1,
-		      tcrules          => 1,
-		      tos              => 1,
-		      tunnels          => 1,
-		      zones            => 1 );
+		      tcpri	       => 1,
+		      tcrules	       => 1,
+		      tos	       => 1,
+		      tunnels	       => 1,
+		      zones	       => 1 );
 #
-# Options that involve the the AUDIT target
+# Options that involve the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -644,6 +650,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
+                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -748,8 +755,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.1-RC1",
-		    CAPVERSION              => 50100 ,
+		    VERSION                 => "5.1.8-Beta1",
+		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -844,7 +851,6 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
-	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -907,6 +913,8 @@ sub initialize( $;$$) {
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
+	  PERL_HASH_SEED => undef ,
+	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1002,7 +1010,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => 1,         # Assume that we have it.
+	       LOG_TARGET => undef,
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1040,6 +1048,8 @@ sub initialize( $;$$) {
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
+	       NFLOG_SIZE => undef,
+	       RESTORE_WAIT_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1092,7 +1102,7 @@ sub initialize( $;$$) {
 
     %compiler_params = ();
 
-    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '', callfile => '', callline => ''  );
     $parmsmodified = 0;
     $usedcaller    = 0;
     %ipsets = ();
@@ -1165,7 +1175,7 @@ sub initialize( $;$$) {
     #
     # Process the global shorewallrc file
     #
-    #   Note: The build file executes this function passing only the protocol family
+    #   Note: The build script calls this function passing only the protocol family
     #
     process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1216,10 +1226,9 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
-    my $linenumber = $currentlinenumber || 1;
-
-    if ( $currentfile ) {
-	my $lineinfo = " $currentfilename ";
+    if ( $currentfilename ) {
+	my $linenumber = $currentlinenumber || 1;
+	my $lineinfo   = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'
@@ -1985,6 +1994,7 @@ sub find_file($)
     for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
+	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
     }
 
     "$config_path[0]$filename";
@@ -2177,7 +2187,7 @@ sub split_list3( $$ ) {
 	    $element = join ',', $element , $_;
 	}
     }
-    
+
     unless ( $opencount == 0 ) {
 	fatal_error "Invalid $type ($list)";
     }
@@ -2232,7 +2242,7 @@ sub split_list4( $ ) {
 sub split_columns( $ ) {
     my ($list) = @_;
 
-    return split ' ', $list unless $list =~ /\(/;
+    return split ' ', $list unless $list =~ /[()]/;
 
     my @list1 = split ' ', $list;
     my @list2;
@@ -2273,9 +2283,7 @@ sub split_columns( $ ) {
 	}
     }
 
-    unless ( $opencount == 0 ) {
-	fatal_error "Mismatched parentheses ($list)";
-    }
+    fatal_error "Mismatched parentheses ($list)" unless $opencount == 0;
 
     @list2;
 }
@@ -2288,7 +2296,7 @@ sub clear_comment();
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
-#    Handles segragating raw iptables input in INLINE rules
+#    Handles segragating raw iptables input in rules
 #
 sub split_line2( $$;$$$ ) {
     my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
@@ -2341,7 +2349,7 @@ sub split_line2( $$;$$$ ) {
 
 	    $inline_matches = $pairs;
 
-	    if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
+	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
@@ -2357,7 +2365,7 @@ sub split_line2( $$;$$$ ) {
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 
-		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
+		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
@@ -2371,7 +2379,7 @@ sub split_line2( $$;$$$ ) {
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
-    } elsif ( $currline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
+    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
 	#
@@ -2437,12 +2445,12 @@ sub split_line2( $$;$$$ ) {
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-		$column = $columnsref->{$column};
-		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
-		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-		$line[$column] = $value;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $value =~ /[^\s[:print:]]/;
+		my $colnum = $columnsref->{$column};
+		warning_message qq(Replacing "$line[$colnum]" with "$value" in the ) . uc( $column ) . ' column' if $line[$colnum] ne '-';
+		$line[$colnum] = $value;
 	    }
 	}
     }
@@ -2569,7 +2577,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;;
+	do_open_file $fname;
     } else {
 	$ifstack = @ifstack;
 	'';
@@ -2782,7 +2790,7 @@ sub evaluate_expression( $$$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
-	    $usedcaller = USEDCALLER if $var eq 'caller';
+	    $usedcaller = USEDCALLER if $var =~ /^(?:caller|callfile|callline)$/;
 	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2818,7 +2826,6 @@ sub evaluate_expression( $$$$ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-
 	declare_passed unless $evals++;
 
 	$val = eval qq(package Shorewall::User;
@@ -2835,6 +2842,7 @@ sub evaluate_expression( $$$$ ) {
     $val;
 }
 
+sub pop_open();
 #
 # Set callback
 #
@@ -2842,6 +2850,40 @@ sub directive_callback( $ ) {
     $directive_callback = shift;
 }
 
+sub directive_message( \&$$$$ ) {
+    my ( $functptr, $verbose, $expression, $filename, $linenumber ) = @_;
+
+    unless ( $omitting ) {
+	if ( $actparams{0} ) {
+	    #
+	    # When issuing a message from an action, report the action invocation
+	    # site rather than the action file and line number.
+	    #
+	    # Avoid double-reporting by temporarily removing the invocation site
+	    # from the open stack.
+	    #
+	    my $saveopens = pop @openstack;
+
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $actparams{callfile} ,
+			 $actparams{callline} );
+	    push @openstack, $saveopens;
+	} else {
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $filename ,
+			 $linenumber );
+	}
+    }
+}
+
 #
 # Each entry in @ifstack consists of a 4-tupple
 #
@@ -2855,7 +2897,8 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber )
+	unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -2957,15 +3000,16 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      if ( exists $actparams{$var} ) {
-			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
+			  if ( $var =~ /^(?:loglevel|logtag|chain|disposition|caller|callfile|callline)$/ ) {
 			      $actparams{$var} = '';
 			  } else {
 			      delete $actparams{$var}
 			  }
+
+			  $parmsmodified = PARMSMODIFIED if @ifstack > $ifstack;
 		      } else {
 			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
-
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
@@ -2996,68 +3040,85 @@ sub process_compiler_directive( $$$$ ) {
 
 	  ERROR => sub() {
 	      unless ( $omitting ) {
-		  directive_error( evaluate_expression( $expression ,
-							$filename ,
-							$linenumber ,
-							1 ) ,
-				   $actparams{callfile} ,
-				   $actparams{callline} ) unless $omitting;
+		  if ( $actparams{0} ) {
+		      close $currentfile;
+		      #
+		      # Avoid 'missing ?ENDIF' error in pop_open'
+		      #
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action invocation site
+		      #
+		      pop_open;
+
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  } else {
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $filename ,
+				       $linenumber ) unless $omitting;
+		  }
 	      }
 	  } ,
 
 	  WARNING => sub() {
-	      unless ( $omitting ) {
-		  directive_warning( $config{VERBOSE_MESSAGES} ,
-				     evaluate_expression( $expression ,
-							  $filename ,
-							  $linenumber ,
-							  1 ),
-				     $actparams{callfile} ,
-				     $actparams{callline} ) unless $omitting;
-	      }
+	      directive_message( &directive_warning ,
+				 $config{VERBOSE_MESSAGES},
+				 $expression ,
+				 $filename ,
+				 $linenumber );
 	  } ,
 
 	  INFO => sub() {
-	      unless ( $omitting ) {
-		  directive_info( $config{VERBOSE_MESSAGES} ,
-				  evaluate_expression( $expression ,
-						       $filename ,
-						       $linenumber ,
-						       1 ),
-				  $actparams{callfile} ,
-				  $actparams{callline} ) unless $omitting;
-	      }
+	      directive_message( &directive_info,
+				 $config{VERBOSE_MESSAGES} ,
+				 $expression ,
+				 $filename ,
+				 $linenumber );
 	  } ,
 
 	  'WARNING!' => sub() {
-	      unless ( $omitting ) {
-		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
-				     evaluate_expression( $expression ,
-							  $filename ,
-							  $linenumber ,
-							  1 ),
-				     $actparams{callfile} ,
-				     $actparams{callline} ) unless $omitting;
-	      }
+	      directive_message( &directive_warning ,
+				 ! $config{VERBOSE_MESSAGES} ,
+				 $expression ,
+				 $filename ,
+				 $linenumber );
 	  } ,
 
 	  'INFO!' => sub() {
-	      unless ( $omitting ) {
-		  directive_info( ! $config{VERBOSE_MESSAGES} ,
-				  evaluate_expression( $expression ,
-						       $filename ,
-						       $linenumber ,
-						       1 ),
-				  $actparams{callfile} ,
-				  $actparams{callline} ) unless $omitting;
-	      }
+	      directive_message( &directive_info ,
+				 ! $config{VERBOSE_MESSAGES} ,
+				 $expression ,
+				 $filename ,
+				 $linenumber );
 	  } ,
 
 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-		  fatal_error "Unknown capability ($expression)" unless $capdesc{$expression};
-		  require_capability( $expression, "The $actparams{action} action", 's' );
+		  fatal_error "Unknown capability ($expression)" unless ( my $capdesc = $capdesc{$expression} );
+		  unless ( have_capability( $expression ) ) {
+		      close $currentfile;
+		      #
+		      # Avoid 'missing ?ENDIF' error in pop_open'
+		      #
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action call site
+		      #
+		      pop_open;
+
+		      directive_error( "The $actparams{action} action requires the $capdesc capability",
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  }
 	      }
 	  } ,
 
@@ -3559,9 +3620,9 @@ sub push_action_params( $$$$$$ ) {
     $actparams{loglevel}    = $loglevel;
     $actparams{logtag}      = $logtag;
     $actparams{caller}      = $caller;
-    $actparams{disposition} = '' if $chainref->{action};
     $actparams{callfile}    = $currentfilename;
     $actparams{callline}    = $currentlinenumber;
+    $actparams{disposition} = '' if $chainref->{action};
     #
     # The Shorewall variable '@chain' has non-word characters other than hyphen removed
     #
@@ -3691,6 +3752,7 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
+	    $val = $config{$var};
 	}
 
 	$val = '' unless defined $val;
@@ -3992,7 +4054,7 @@ sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
 
-my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
+my @suffixes;
 
 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -4228,7 +4290,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
 
     my $modulesdir = $config{MODULESDIR};
 
@@ -4261,25 +4323,20 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
-
-	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
-
+      MODULE:
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		for my $directory ( @moduledirectories ) {
-		    for my $suffix ( @suffixes ) {
-			my $modulefile = "$directory/$module.$suffix";
-			if ( -f $modulefile ) {
-			    if ( $moduleloader eq 'insmod' ) {
-				system ("insmod $modulefile $arguments" );
-			    } else {
-				system( "modprobe $module $arguments" );
-			    }
-
+		if ( $moduleloader =~ /modprobe$/ ) {
+		    system( "modprobe -q $module $arguments" );
+		    $loadedmodules{ $module } = 1;
+		} else {
+		    for my $directory ( @moduledirectories ) {
+			for my $modulefile ( <$directory/$module.*> ) {
+			    system ("insmod $modulefile $arguments" );
 			    $loadedmodules{ $module } = 1;
+			    next MODULE;
 			}
 		    }
 		}
@@ -4764,6 +4821,10 @@ sub NFLog_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }
 
+sub NFLog_Size() {
+    have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
+}
+
 sub Logmark_Target() {
     qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -4887,6 +4948,10 @@ sub Cpu_Fanout() {
     have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 
+sub Restore_Wait_Option() {
+    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AMANDA_HELPER => \&Amanda_Helper,
@@ -4939,6 +5004,7 @@ our %detect_capability =
       LOG_TARGET => \&Log_Target,
       ULOG_TARGET => \&Ulog_Target,
       NFLOG_TARGET => \&NFLog_Target,
+      NFLOG_SIZE => \&NFLog_Size,
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
@@ -4966,6 +5032,7 @@ our %detect_capability =
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
+      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
       RPFILTER_MATCH => \&RPFilter_Match,
       SANE_HELPER => \&SANE_Helper,
       SANE0_HELPER => \&SANE0_Helper,
@@ -5132,6 +5199,9 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
+	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
+	$capabilities{RESTORE_WAIT_OPTION}
+				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5309,11 +5379,11 @@ sub update_config_file( $ ) {
 	update_default( 'BALANCE_PROVIDERS', 'Yes' );
     }
 
-    update_default( 'EXPORTMODULES',     'No' );
-    update_default( 'RESTART',           'reload' );
-    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',          '' );
+    update_default( 'EXPORTMODULES',         'No' );
+    update_default( 'RESTART',               'reload' );
+    update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
+    update_default( 'LOGLIMIT',              '' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5370,8 +5440,12 @@ sub update_config_file( $ ) {
 		    }
 
 		}
-
-		$val = conditional_quote $val;
+		if ( supplied $val ) {
+		    #
+		    # Log LEVEL and DEFAULT settings often contain parens
+		    #
+		    $val = ($var =~ /(?:LEVEL|DEFAULT)$/) ? qq("$val") : conditional_quote $val;
+		}
 
 		$_ = "$var=$val\n";
 	    }
@@ -5434,6 +5508,7 @@ EOF
 sub process_shorewall_conf( $$ ) {
     my ( $update, $annotate ) = @_;
     my $file   = find_file "$product.conf";
+    my @vars;
 
     if ( -f $file ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
@@ -5447,7 +5522,7 @@ sub process_shorewall_conf( $$ ) {
 	    # Don't expand shell variables or allow embedded scripting
 	    #
 	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
+		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*)$/ ) {
 		    my ($var, $val) = ($1, $2);
 
 		    if ( exists $config{$var} ) {
@@ -5466,6 +5541,12 @@ sub process_shorewall_conf( $$ ) {
 			next;
 		    }
 
+		    if ( $update ) {
+			push @vars, $var;
+		    } else {
+			expand_variables( $val ) unless $val =~ /^'.*'$/;
+		    }
+
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
 
 		    warning_message "Option $var=$val is deprecated"
@@ -5486,14 +5567,19 @@ sub process_shorewall_conf( $$ ) {
     #
     # Now update the config file if asked
     #
-    update_config_file( $annotate ) if $update;
-    #
-    # Config file update requires that the option values not have
-    # Shell variables expanded. We do that now.
-    #
-    for ( values  %config ) {
-	if ( supplied $_ ) {
-	    expand_variables( $_ ) unless /^'(.+)'$/;
+    if ( $update ) {
+	update_config_file( $annotate ); 
+	#
+	# Config file update requires that the option values not have
+	# Shell variables expanded. We do that now.
+	#
+	# To handle options like LOG_LEVEL, we process the options
+	# in the order in which they appear in the .conf file.
+	#
+	for ( @vars ) {
+	    if ( supplied( my $val = $config{$_} ) ) {
+		expand_variables( $config{$_} ) unless $val =~ /^'.*'$/;
+	    }
 	}
     }
 }
@@ -5982,7 +6068,6 @@ sub get_configuration( $$$$ ) {
     #
     # get_capabilities requires that the true settings of these options be established
     #
-    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
     default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
 
     if ( ! $export && $> == 0 ) {
@@ -6168,7 +6253,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
     }
 
-    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
+    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
     default_yes_no 'ADD_SNAT_ALIASES'           , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6323,6 +6408,17 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
+    default_yes_no 'USE_NFLOG_SIZE'             , '';
+
+    if ( $config{USE_NFLOG_SIZE} ) {
+	if ( have_capability( 'NFLOG_SIZE' ) ) {
+	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
+	} else {
+	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
+	}
+    } else {
+	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
+    }
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6743,6 +6839,12 @@ sub get_configuration( $$$$ ) {
 	}
     }
 
+    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
+	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
+    } else {
+	$config{MUTEX_TIMEOUT} = 60;
+    }
+
     add_variables %config;
 
     while ( my ($var, $val ) = each %renamed ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -63,7 +63,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
-		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -74,10 +73,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
-		  validate_port
-		  validate_portpair
-		  validate_portpair1
-		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -389,6 +384,8 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
+    $proto =~ s/:.*//;
+
     if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
@@ -409,114 +406,6 @@ sub proto_name( $ ) {
     $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 
-sub validate_port( $$ ) {
-    my ($proto, $port) = @_;
-
-    my $value;
-
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$port = numeric_value $port;
-	return $port if defined $port && $port && $port <= 65535;
-    } else {
-	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
-	$value = getservbyname( $port, $proto );
-    }
-
-    return $value if defined $value;
-
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
-}
-
-sub validate_portpair( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-
-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-
-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-
-    my @ports = split /:/, $pair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
-    } else {
-	$what = 'port';
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP     ||
-			       $protonum == UDP     ||
-			       $protonum == UDPLITE ||
-			       $protonum == SCTP    ||
-			       $protonum == DCCP );
-    join ':', @ports;
-
-}
-
-sub validate_portpair1( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-
-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
-    my @ports = split /-/, $portpair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
-    } else {
-	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
-			       $protonum == DCCP );
-    join '-', @ports;
-
-}
-
-sub validate_port_list( $$ ) {
-    my $result = '';
-    my ( $proto, $list ) = @_;
-    my @list   = split_list( $list, 'port' );
-
-    if ( @list > 1 && $list =~ /[:-]/ ) {
-	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
-    }
-
-    $proto = proto_name $proto;
-
-    for ( @list ) {
-	my $value = validate_portpair( $proto , $_ );
-	$result = $result ? join ',', $result, $value : $value;
-    }
-
-    $result;
-}
-
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -570,67 +459,6 @@ sub validate_icmp( $ ) {
     fatal_error "Invalid ICMP Type ($type)"
 }
 
-#
-# Expands a port range into a minimal list of ( port, mask ) pairs.
-# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
-#
-# Example:
-#
-#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
-#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
-#
-sub expand_port_range( $$ ) {
-    my ( $proto, $range ) = @_;
-
-    if ( $range =~ /^(.*):(.*)$/ ) {
-	my ( $first, $last ) = ( $1, $2);
-	my @result;
-
-	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
-	#
-	# Supply missing first/last port number
-	#
-	$first = 0     if $first eq '';
-	$last  = 65535 if $last eq '';
-	#
-	# Validate the ports
-	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
-
-	$last++; #Increment last address for limit testing.
-	#
-	# Break the range into groups:
-	#
-	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
-	#        the remaining range has less than or equal to P ports. The next group is
-	#        ( <first> , ~( P-1 ) ).
-	#
-	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
-	    my $mask = 0xffff;         #Mask for current ports in group.
-	    my $y    = 2;              #Next power of two to test
-	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
-
-	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
-		$mask <<= 1;
-		$z  = $y;
-		$y <<= 1;
-	    }
-	    #
-	    #
-	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
-	    $first += $z;
-	}
-
-	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
-
-	@result;
-
-    } else {
-	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
-
 sub valid_6address( $ ) {
     my $address = $_[0];
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -667,6 +667,7 @@ sub create_docker_rules() {
 
     my $chainref = $filter_table->{FORWARD};
 
+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
     add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
 
     if ( my $dockerref = known_interface('docker0') ) {
@@ -1213,55 +1214,53 @@ sub add_common_rules ( $ ) {
 	}
     }
 
-    if ( $family == F_IPV4 ) {
-	my $announced = 0;
+    my $announced = 0;
 
-	$list = find_interfaces_by_option 'upnp';
+    $list = find_interfaces_by_option 'upnp';
 
-	if ( @$list ) {
-	    progress_message2 "$doing UPnP";
+    if ( @$list ) {
+	progress_message2 "$doing UPnP";
 
-	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
 
-	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
-	    my $chainref1;
+	my $chainref1;
 
-	    if ( $config{MINIUPNPD} ) {
-		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
-	    }
-
-	    $announced = 1;
-
-	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
-	    }
+	if ( $config{MINIUPNPD} ) {
+	    $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+	    add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
 	}
 
-	$list = find_interfaces_by_option 'upnpclient';
+	$announced = 1;
 
-	if ( @$list ) {
-	    progress_message2 "$doing UPnP" unless $announced;
+	for $interface ( @$list ) {
+	    add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+	}
+    }
 
-	    for $interface ( @$list ) {
-		my $chainref = $filter_table->{input_option_chain $interface};
-		my $base     = uc var_base get_physical $interface;
-		my $optional = interface_is_optional( $interface );
-		my $variable = get_interface_gateway( $interface, ! $optional );
-		my $origin   = get_interface_origin( $interface );
+    $list = find_interfaces_by_option 'upnpclient';
 
-		if ( $optional ) {
-		    add_commands( $chainref,
-				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
-		    incr_cmd_level( $chainref );
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-		    decr_cmd_level( $chainref );
-		    add_commands( $chainref, 'fi' );
-		} else {
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-		}
+    if ( @$list ) {
+	progress_message2 "$doing UPnP" unless $announced;
+
+	for $interface ( @$list ) {
+	    my $chainref = $filter_table->{input_option_chain $interface};
+	    my $base     = uc var_base get_physical $interface;
+	    my $optional = interface_is_optional( $interface );
+	    my $variable = get_interface_gateway( $interface, ! $optional );
+	    my $origin   = get_interface_origin( $interface );
+
+	    if ( $optional ) {
+		add_commands( $chainref,
+			      qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+		incr_cmd_level( $chainref );
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		decr_cmd_level( $chainref );
+		add_commands( $chainref, 'fi' );
+	    } else {
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Nat.pm

@@ -941,7 +941,17 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
+	    my @servers;
+
+	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
+		$server = record_runtime_address( $1, $2 );
+		$server =~ s/ $//;
+		@servers = ( $server );
+	    } else {
+		@servers = validate_address $server, 1;
+	    }
+
 	    $server = join ',', @servers;
 	}
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -64,6 +64,8 @@ our @load_interfaces;
 
 our $balancing;
 our $fallback;
+our $balanced_providers;
+our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -99,6 +101,8 @@ sub initialize( $ ) {
     %provider_interfaces    = ();
     @load_interfaces        = ();
     $balancing              = 0;
+    $balanced_providers     = 0;
+    $fallback_providers     = 0;
     $fallback               = 0;
     $metrics                = 0;
     $first_default_route    = 1;
@@ -323,7 +327,13 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $gateway ) {
+	if ( $balanced_providers == 1 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
+	} elsif ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -347,7 +357,13 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $gateway ) {
+	if ( $fallback_providers == 1 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
+	} elsif ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -486,7 +502,7 @@ sub process_a_provider( $ ) {
 
     if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway( $interface, undef, $number );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
     } elsif ( $gw eq 'none' ) {
@@ -586,6 +602,7 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
+		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -593,7 +610,12 @@ sub process_a_provider( $ ) {
 	}
     }
 
-    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
+    if ( $balance ) {
+	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
+	$balanced_providers++;
+    } elsif ( $default ) {
+	$fallback_providers++;
+    }
 
     if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -826,7 +848,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
 
@@ -842,7 +864,7 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
 
-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
@@ -852,24 +874,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" );
-		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+		emit  ( "find_interface_addresses $physical | while read address; do",
+			"    qt \$IP -$family rule del from \$address",
+			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
+	}
 
-	    if ( @{$providerref->{persistent_routes}} ) {
-		emit '';
-		emit $_ for @{$providers{$table}->{persistent_routes}};
-	    }
+	if ( @{$providerref->{persistent_routes}} ) {
+	    emit '';
+	    emit $_ for @{$providers{$table}->{persistent_routes}};
+	}
 
-	    if ( @{$providerref->{persistent_rules}} ) {
-		emit '';
-		emit $_ for @{$providers{$table}->{persistent_rules}};
-	    }
+	if ( @{$providerref->{persistent_rules}} ) {
+	    emit '';
+	    emit $_ for @{$providers{$table}->{persistent_rules}};
 	}
 
 	pop_indent;
@@ -877,7 +899,6 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
-
 	pop_indent;
 
 	emit( "}\n" );
@@ -903,7 +924,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
     }
@@ -935,7 +956,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
 
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
 
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -964,7 +985,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
 
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
     }
 
     if ( $balance ) {
@@ -976,14 +997,16 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(run_ip route replace default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 
+	emit( 'g_fallback=Yes' ) if $persistent;
+
 	$metrics = 1;
     }
 
@@ -1005,12 +1028,13 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1067,7 +1091,21 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
+	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
+	    );
+
+	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
+	    emit  ( '#',
+		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
+		    '#',
+		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
+		    '    true',
+		    'done',
+		    ''
+		);
+	}
+
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1212,12 +1250,14 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
+	    );
 
 	if ( $pseudo ) {
-	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
 	}
 
 	pop_indent;
@@ -1318,7 +1358,7 @@ sub add_an_rtrule1( $$$$$ ) {
 
     $priority = "pref $priority";
 
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
     push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 
     if ( $persistent ) {
@@ -1416,22 +1456,22 @@ sub add_a_route( ) {
 
     if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route add $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $null $dest table $id);
+	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
     } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
+	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
+	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
     }
 
@@ -1534,9 +1574,9 @@ sub finish_providers() {
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
 		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
@@ -1554,7 +1594,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1581,7 +1621,7 @@ sub finish_providers() {
 	}
 
 	emit ( '#',
-	       '# Delete any routes in the \'balance\' table',
+	       '# Delete any default routes with metric 0 in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1609,7 +1649,10 @@ sub finish_providers() {
 	      'fi',
 	      '' );
     } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( "delete_default_routes $default",
+	emit( '#',
+	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
+	      '#',
+	      "delete_default_routes $default",
 	      ''
 	    );
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -216,6 +216,10 @@ our %statetable;
 # Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
 #
 our $statematch;
+#
+# Remembers NAT-oriented columns from top-level action invocations
+#
+our %nat_columns;
 
 #
 # Action/Inline options
@@ -369,6 +373,7 @@ sub initialize( $ ) {
 			    'icmp-host-prohibited'   => 1,
 			    'icmp-admin-prohibited'  => 1,
 			    'icmp-tcp-reset'         => 2,
+			    'tcp-reset'              => 2,
 	                  );
 			    
     } else {
@@ -383,6 +388,8 @@ sub initialize( $ ) {
 	                  );
     }
 
+    %nat_columns = ( dest => '-', proto => '-', ports => '-' );
+
     ############################################################################
     # Initialize variables moved from the Tc module in Shorewall 5.0.7         #
     ############################################################################
@@ -390,7 +397,7 @@ sub initialize( $ ) {
     %tcdevices = ();
     %tcclasses = ();
     $sticky    = 0;
-    $divertref = 0;    
+    $divertref = 0;
 }
 
 #
@@ -616,7 +623,7 @@ sub handle_nfqueue( $$ ) {
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
 
 	    if ( supplied $queue2 ) {
-		$fanout    = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
+		$fanout    = $queue2 =~ s/c$// ? ' --queue-cpu-fanout' : '';
 		$queuenum2 = numeric_value( $queue2 );
 
 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -746,22 +753,21 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
-
     } else {
 	print_policy $client, $server, $originalpolicy, $chain;
     }
@@ -943,13 +949,14 @@ sub add_policy_rules( $$$$$ ) {
 		#
 		# Default action is an inline 
 		#
+		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
 
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
 				'',           #Matches1
-				$loglevel,    #Log Level and Tag
+				$level || '', #Log Level and Tag
 				$paction,     #Target
 				$param || '', #Param
 				'-',          #Source
@@ -1651,6 +1658,19 @@ sub merge_inline_source_dest( $$ ) {
     $body || '';
 }
 
+#
+# This one is used by perl_action_helper()
+#
+sub merge_action_column( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( supplied( $body ) && $body ne '-' ) {
+	$body;
+    } else {
+	$invocation;
+    }
+}
+
 sub merge_macro_column( $$ ) {
     my ( $body, $invocation ) = @_;
 
@@ -1735,12 +1755,12 @@ sub process_action(\$\$$) {
 
     progress_message2 "$doing $actionfile for chain $chainref->{name}...";
 
-    push_open $actionfile, 2, 1, undef, 2;
-
     my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
     my $options = $actionref->{options};
     my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
 
+    push_open $actionfile, 2, 1, undef, 2;
+
     setup_audit_action( $action ) if $options & AUDIT_OPT;
 
     $active{$action}++;
@@ -2509,6 +2529,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $exceptionrule = '';
     my $usergenerated;
     my $prerule = '';
+    my %save_nat_columns = %nat_columns;
+    my $generated = 0;
     #
     # Subroutine for handling MARK and CONNMARK.
     #
@@ -2590,32 +2612,30 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	$current_param = $param unless $param eq '' || $param eq 'PARAM';
 
-	my $generated = process_macro( $basictarget,
-				       $chainref,
-				       $rule . $raw_matches,
-				       $matches1,
-				       $target,
-				       $current_param,
-				       $source,
-				       $dest,
-				       $proto,
-				       $ports,
-				       $sports,
-				       $origdest,
-				       $ratelimit,
-				       $user,
-				       $mark,
-				       $connlimit,
-				       $time,
-				       $headers,
-				       $condition,
-				       $helper,
-				       $wildcard );
+	$generated = process_macro( $basictarget,
+				    $chainref,
+				    $rule . $raw_matches,
+				    $matches1,
+				    $target,
+				    $current_param,
+				    $source,
+				    $dest,
+				    $proto,
+				    $ports,
+				    $sports,
+				    $origdest,
+				    $ratelimit,
+				    $user,
+				    $mark,
+				    $connlimit,
+				    $time,
+				    $headers,
+				    $condition,
+				    $helper,
+				    $wildcard );
 
 	$macro_nest_level--;
-
-	return $generated;
-
+	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
 	$action = handle_nfqueue( $param,
 				  1 # Allow 'bypass'
@@ -2687,6 +2707,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
+
 		  if ( $dest eq '-' ) {
 		      if ( $family == F_IPV4 ) {
 			  $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -2717,6 +2738,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			  # tcp-reset
 			  #
 			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
+			  $exceptionrule = '-p 6 ';
+			  $param = 'tcp-reset';
 		      }
 
 		      $action = "REJECT --reject-with $param";
@@ -2813,6 +2836,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
     }
+
     #
     # Isolate and validate source and destination zones
     #
@@ -2906,7 +2930,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} & BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		return 0 if $wildcard;
+		goto EXIT if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -2921,7 +2945,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $policy = $chainref->{policy};
 
 	if ( $policy eq 'NONE' ) {
-	    return 0 if $wildcard;
+	    goto EXIT if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -2930,9 +2954,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	if ( $optimize == 1 && $section == NEW_SECTION ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		return 0 if $target eq "${policy}:${loglevel}";
+		goto EXIT if $target eq "${policy}:${loglevel}";
 	    } else {
-		return 0 if $basictarget eq $policy;
+		goto EXIT if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -2977,6 +3001,21 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Save NAT-oriented column contents
+	#
+	@nat_columns{'dest', 'proto', 'ports' } = ( $dest,
+						    $proto eq '-' ? $nat_columns{proto} : $proto,
+						    $ports eq '-' ? $nat_columns{ports} : $ports );
+	#
+	# Push the current column array onto the column stack
+	#
+        my @savecolumns = @columns;
+	#
+	# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper. We
+	# only need the NAT-oriented columns
+	#
+	@columns = ( undef , undef, $dest, $proto, $ports);
 	#
 	# Handle 'section' option
 	#
@@ -3020,6 +3059,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$action = $basictarget; # Remove params, if any, from $action.
+
+	@columns = @savecolumns;
     } elsif ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule() recursively for each rule in the action body
@@ -3036,34 +3077,34 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	$actionresult = 0;
 
-	my $generated = process_inline( $basictarget,
-					$chainref,
-					$prerule . $rule,
-					$matches1 . $raw_matches,
-					$loglevel,
-					$target,
-					$param,
-					$source,
-					$dest,
-					$proto,
-					$ports,
-					$sports,
-					$origdest,
-					$ratelimit,
-					$user,
-					$mark,
-					$connlimit,
-					$time,
-					$headers,
-					$condition,
-					$helper,
-					$wildcard ) || $actionresult;
+	$generated = process_inline( $basictarget,
+				     $chainref,
+				     $prerule . $rule,
+				     $matches1 . $raw_matches,
+				     $loglevel,
+				     $target,
+				     $param,
+				     $source,
+				     $dest,
+				     $proto,
+				     $ports,
+				     $sports,
+				     $origdest,
+				     $ratelimit,
+				     $user,
+				     $mark,
+				     $connlimit,
+				     $time,
+				     $headers,
+				     $condition,
+				     $helper,
+				     $wildcard ) || $actionresult;
 
 	( $actionresult, @columns ) = @$savecolumns;;
 
 	$macro_nest_level--;
 
-	return $generated;
+	goto EXIT;
     }
     #
     # Generate Fixed part of the rule
@@ -3249,7 +3290,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
     }
 
-    return 1;
+    $generated = 1;
+
+  EXIT:
+    {
+      %nat_columns = %save_nat_columns;
+    }
+
+    return $generated;
 }
 
 
@@ -3403,27 +3451,60 @@ sub perl_action_helper($$;$$) {
 				 '',                              # CurrentParam
 				 @columns );
     } else {
-	$result = process_rule( $chainref,
-				$matches,
-				$matches1,
-				merge_target( $actions{$action}, $target ),
-				'',                               # Current Param
-				'-',                              # Source
-				'-',                              # Dest
-				'-',                              # Proto
-				'-',                              # Port(s)
-				'-',                              # Source Port(s)
-				'-',                              # Original Dest
-				'-',                              # Rate Limit
-				'-',                              # User
-				'-',                              # Mark
-				'-',                              # Connlimit
-				'-',                              # Time
-				'-',                              # Headers,
-				'-',                              # condition,
-				'-',                              # helper,
-				0,                                # Wildcard
-			      );
+	if ( ( $targets{$target} || 0 ) & NATRULE ) {
+	    $result = process_rule( $chainref,
+				    $matches,
+				    $matches1,
+				    merge_target( $actions{$action}, $target ),
+				    '',                               # Current Param
+				    '-',                              # Source
+				    merge_action_column(              # Dest
+					$columns[2],			      
+					$nat_columns{dest}
+				    ),
+				    merge_action_column(              #Proto
+					$columns[3],
+					$nat_columns{proto}
+				    ),
+				    merge_action_column(              #Ports
+					$columns[4],
+					$nat_columns{ports}),
+				    '-',                              # Source Port(s)
+				    '-',                              # Original Dest
+				    '-',                              # Rate Limit
+				    '-',                              # User
+				    '-',                              # Mark
+				    '-',                              # Connlimit
+				    '-',                              # Time
+				    '-',                              # Headers,
+				    '-',                              # condition,
+				    '-',                              # helper,
+				    0,                                # Wildcard
+		);
+	} else {
+	    $result = process_rule( $chainref,
+				    $matches,
+				    $matches1,
+				    merge_target( $actions{$action}, $target ),
+				    '',                               # Current Param
+				    '-',                              # Source
+				    '-',                              # Dest
+				    '-',                              # Proto
+				    '-',                              # Port(s)
+				    '-',                              # Source Port(s)
+				    '-',                              # Original Dest
+				    '-',                              # Rate Limit
+				    '-',                              # User
+				    '-',                              # Mark
+				    '-',                              # Connlimit
+				    '-',                              # Time
+				    '-',                              # Headers,
+				    '-',                              # condition,
+				    '-',                              # helper,
+				    0,                                # Wildcard
+		);
+	}
+
 	allow_optimize( $chainref );
     }
     #
@@ -3489,7 +3570,8 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # condition,
 				    '-',                              # helper,
 				    0,                                # Wildcard
-				  );
+		                  );
+
 	    allow_optimize( $chainref );
 	}
 	#
@@ -4060,10 +4142,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		expand_rule( $chainref,
 			     $restriction,
 			     $prerule ,
+			     do_proto( $proto, $ports, $sports ) .
 			     $match .
 			     do_user( $user ) .
-			     do_test( $testval, $globals{TC_MASK} ) .
-			     do_test( $testval, $globals{TC_MASK} ) .
+			     do_test( $testval, $mask ) .
 			     do_length( $length ) .
 			     do_tos( $tos ) .
 			     do_connbytes( $connbytes ) .
@@ -4071,6 +4153,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
+			     do_time( $time ) .
 			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
@@ -5283,7 +5366,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $interfaces = $1;
 	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+	    if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) {
 		$interfaces = $one;
 		$destnets = $two;
 	    } else {
@@ -5639,15 +5722,23 @@ sub process_snat( )
 sub setup_snat( $ ) # Convert masq->snat if true
 {
     my $fn;
+    my $have_masq;
 
-    convert_masq() if $_[0];
-
-    if ( $fn = open_file( 'masq', 1, 1 ) ) {
+    if ( $_[0] ) {
+	convert_masq();
+    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0) while read_a_line( NORMAL_READ );
-    } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
-	process_snat while read_a_line( NORMAL_READ );
+	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
+    }
+
+    unless ( $have_masq ) {
+	#
+	# Masq file empty or didn't exist
+	#
+	if ( $fn = open_file( 'snat', 1, 1 ) ) {
+	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
+	    process_snat while read_a_line( NORMAL_READ );
+	}
     }
 }
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
 
@@ -2312,9 +2312,10 @@ EOF
 EOF
 
 	}
-
-	return ( $mangle, $fn1 );
     }
+
+    return ( $mangle, $fn1 );
+
 }
 
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -92,7 +92,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
-                    get_interface_origin
+		    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -108,55 +108,37 @@ our @EXPORT = ( qw( NOTHING
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
-
-#
-# IPSEC Option types
-#
-use constant { NOTHING    => 'NOTHING',
-	       NUMERIC    => '0x[\da-fA-F]+|\d+',
-	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
-	       IPSECPROTO => 'ah|esp|ipcomp',
-	       IPSECMODE  => 'tunnel|transport'
-	       };
-
-#
-# Option columns
-#
-use constant { IN_OUT     => 1,
-	       IN         => 2,
-	       OUT        => 3 };
-
 #
 # Zone Table.
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        complex =>    0|1
-#                        super   =>    0|1
-#                        options =>    { in_out  => < policy match string >
-#                                        in      => < policy match string >
-#                                        out     => < policy match string >
-#                                      }
-#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
-#                        children =>   [ <children> ]
-#                        interfaces => { <interfaces1> => 1, ... }
-#                        bridge =>     <bridge>
-#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#                                                                  options => { <option1> => <value1>
-#                                                                               ...
-#                                                                             }
-#                                                                  hosts   => [ <net1> , <net2> , ... ]
-#                                                                  exclusions => [ <net1>, <net2>, ... ]
-#                                                                  origin   => <where defined>
-#                                                                }
-#                                                <interface2> => ...
-#                                              }
-#                                            ]
-#                       }
-#             <zone2> => ...
-#           }
+#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
+#			 complex =>    0|1
+#			 super	 =>    0|1
+#			 options =>    { in_out	 => < policy match string >
+#					 in	 => < policy match string >
+#					 out	 => < policy match string >
+#				       }
+#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
+#			 children =>   [ <children> ]
+#			 interfaces => { <interfaces1> => 1, ... }
+#			 bridge =>     <bridge>
+#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#								   options => { <option1> => <value1>
+#										...
+#									      }
+#								   hosts   => [ <net1> , <net2> , ... ]
+#								   exclusions => [ <net1>, <net2>, ... ]
+#								   origin   => <where defined>
+#								 }
+#						 <interface2> => ...
+#					       }
+#					     ]
+#			}
+#	      <zone2> => ...
+#	    }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -178,27 +160,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name        => <name of interface>
-#                                     root        => <name without trailing '+'>
-#                                     options     => { port => undef|1
-#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
-#                                                      ...
-#                                                    }
-#                                     zone        => <zone name>
-#                                     multizone   => undef|1   #More than one zone interfaces through this interface
-#                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
-#                                     ports       => <number of port on this bridge>
-#                                     ipsec       => undef|1 # Has an ipsec host group
-#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#                                     number      => <ordinal position in the interfaces file>
-#                                     physical    => <physical interface name>
-#                                     base        => <shell variable base representing this interface>
-#                                     wildcard    => undef|1 # Wildcard Name
-#                                     zones       => { zone1 => 1, ... }
-#                                     origin      => <where defined>
-#                                   }
-#                 }
+#     %interfaces { <interface1> => { name	  => <name of interface>
+#				      root	  => <name without trailing '+'>
+#				      options	  => { port => undef|1
+#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
+#						       ...
+#						     }
+#				      zone	  => <zone name>
+#				      multizone	  => undef|1   #More than one zone interfaces through this interface
+#				      nets	  => <number of nets in interface/hosts records referring to this interface>
+#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
+#				      ports	  => <number of port on this bridge>
+#				      ipsec	  => undef|1 # Has an ipsec host group
+#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#				      number	  => <ordinal position in the interfaces file>
+#				      physical	  => <physical interface name>
+#				      base	  => <shell variable base representing this interface>
+#				      wildcard	  => undef|1 # Wildcard Name
+#				      zones	  => { zone1 => 1, ... }
+#				      origin	  => <where defined>
+#				    }
+#		  }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -221,6 +203,26 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 
+#
+# IPSEC Option types
+#
+use constant { NOTHING    => 'NOTHING',
+	       NUMERIC    => '0x[\da-fA-F]+|\d+',
+	       IPSECPROTO => 'ah|esp|ipcomp',
+	       IPSECMODE  => 'tunnel|transport'
+	     };
+
+sub NETWORK() {
+    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
+}
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -276,19 +278,7 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =
 
 our %validhostoptions;
 
-our %validzoneoptions = ( mss            => NUMERIC,
-			  nomark         => NOTHING,
-			  blacklist      => NOTHING,
-			  dynamic_shared => NOTHING,
-			  strict         => NOTHING,
-			  next           => NOTHING,
-			  reqid          => NUMERIC,
-			  spi            => NUMERIC,
-			  proto          => IPSECPROTO,
-			  mode           => IPSECMODE,
-			 "tunnel-src"   => NETWORK,
-			 "tunnel-dst"   => NETWORK,
-		       );
+our %validzoneoptions;
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -330,6 +320,20 @@ sub initialize( $$ ) {
     $minroot = 0;
     $loopback_interface = '';
 
+    %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
+		       );
+
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
@@ -407,6 +411,8 @@ sub initialize( $$ ) {
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
+				    upnp        => SIMPLE_IF_OPTION,
+				    upnpclient  => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -695,6 +701,40 @@ sub haveipseczones() {
     0;
 }
 
+#
+# Returns 1 if the two interfaces passed are related
+#
+sub interface_match( $$ ) {
+    my ( $piface, $ciface ) = @_;
+
+    return 1 if $piface eq $ciface;
+
+    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
+
+    return 1 if $piface eq $cifaceref->{bridge};
+    return 1 if $ciface eq $pifaceref->{bridge};
+
+    if ( $minroot ) {
+	if ( $piface =~ /\+$/ ) {
+	    my $root    = $pifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $ciface ) >= $rlength ) {
+		return 1 if $ciface eq $root;
+		chop $ciface;
+	    }
+	} elsif ( $ciface =~ /\+$/ ) {
+	    my $root    = $cifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $piface ) >= $rlength ) {
+		return 1 if $piface eq $root;
+		chop $piface;
+	    }
+	}
+    }
+
+    0;
+}
+
 #
 # Report about zones.
 #
@@ -732,7 +772,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
 			    }
 			    $printed = 1;
 			}
@@ -741,6 +781,17 @@ sub zone_report()
 	    }
 	}
 
+      PARENT:
+	for my $p ( @{$zoneref->{parents}} ) {
+	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
+		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
+		    next PARENT if interface_match( $pi, $ci );
+		}
+	    }
+
+	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
+	}
+
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1313,7 +1364,7 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The '$option' option requires a value" unless supplied $value;
 
 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
@@ -1569,9 +1620,7 @@ sub known_interface($)
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface > $minroot ) {
-	    chop $iface;
-
+	while ( length $iface >= $minroot ) {
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1593,6 +1642,8 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
+
+	    chop $iface;
 	}
     }
 

Shorewall/Perl/compiler.pl

@@ -43,6 +43,8 @@
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
+#    If the <filename> is omitted, then a 'check' operation is performed.
+#
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -32,7 +32,7 @@
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
-#	    reenable			Disable then nable an optional
+#	    reenable			Disable then enable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
     $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route
+	qt $IP -$g_family route del $route table $1
     done
 } 
 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
 
     if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
+	if [ -n "$(mywhich conntrack)" ]; then
             conntrack -F
 	else
             error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface
+detect_gateway() # $1 = interface $2 = table number
 {
     local interface
     interface=$1
@@ -912,6 +912,8 @@ detect_gateway() # $1 = interface
     # Maybe there's a default route through this gateway already
     #
     [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+
+    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #

Shorewall/Perl/prog.footer

@@ -78,11 +78,13 @@ reload_command() {
     detect_configuration
     define_firewall
     status=$?
-    if [ -n "$SUBSYSLOCK" ]; then
- 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-    fi
 
-    [ $status -eq 0 ] && progress_message3 "done."
+    if [ $status -eq 0 ]; then
+	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	progress_message3 "done."
+    else
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    fi
 }
 
 ################################################################################
@@ -127,8 +129,10 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockeringress=
 g_dockernetwork=
 g_forcereload=
+g_fallback=
 
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 
@@ -418,9 +422,12 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
+	    COMMAND=disable
 	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    disable_provider $1 Yes
+	    COMMAND=enable
+	    detect_configuration $1
+	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0

Shorewall/Samples/Universal/shorewall.conf

@@ -33,7 +33,7 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
+LOG_LEVEL="info"
 
 BLACKLIST_LOG_LEVEL=
 
@@ -55,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -109,11 +109,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -205,8 +205,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -217,6 +215,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=Yes
@@ -247,6 +247,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/one-interface/shorewall.conf

@@ -120,11 +120,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -216,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -228,6 +226,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No
@@ -258,6 +258,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -41,7 +41,7 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
+LOG_LEVEL="info"
 
 BLACKLIST_LOG_LEVEL=
 
@@ -63,19 +63,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -117,11 +117,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -213,8 +213,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -225,6 +223,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No
@@ -255,6 +255,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -44,7 +44,7 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
+LOG_LEVEL="info"
 
 BLACKLIST_LOG_LEVEL=
 
@@ -66,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -120,11 +120,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -216,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -228,6 +226,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No
@@ -258,6 +258,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/two-interfaces/snat

@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			92.168.0.0/16		eth0
+			192.168.0.0/16		eth0

Shorewall/actions.std

@@ -8,10 +8,12 @@
 #
 ###############################################################################
 #ACTION
+A_AllowICMPs inline		# Audited version of AllowICMPs
 A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
+AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
@@ -23,6 +25,7 @@ Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
+dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
@@ -30,6 +33,7 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
+FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event

Shorewall/configfiles/disabled

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/disabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully disabled using the 'disable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall/configfiles/enabled

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/enabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully enabled using the 'enable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall/configfiles/shorewall.conf

@@ -33,7 +33,7 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL=info
+LOG_LEVEL="info"
 
 BLACKLIST_LOG_LEVEL=
 
@@ -55,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
 
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 
 UNTRACKED_LOG_LEVEL=
 
@@ -109,11 +109,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -205,8 +205,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX=ko
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -217,6 +215,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No
@@ -247,6 +247,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=No
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/install.sh

@@ -442,6 +442,14 @@ if [ -z "$first_install" ]; then
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_REJECT
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Drop
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Drop
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Reject
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_AllowICMPs
+    else
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.A_AllowICMPs
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.AllowICMPs
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.Broadcast
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.Multicast
     fi
 fi
 
@@ -484,8 +492,11 @@ fi
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 $PRODUCT.conf           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 $PRODUCT.conf            ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+
+if [ $PRODUCT = shorewall ]; then
+    run_install $OWNERSHIP -m 0644 shorewall.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+fi
 
 if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
     run_install $OWNERSHIP -m 0600 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
@@ -605,8 +616,14 @@ run_install $OWNERSHIP -m 0644 params.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/c
 if [ -f ${DESTDIR}${CONFDIR}/$PRODUCT/params ]; then
     chmod 0644 ${DESTDIR}${CONFDIR}/$PRODUCT/params
 else
-    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
-    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
+    case "$SPARSE" in
+	[Vv]ery)
+	;;
+	*)
+	    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
+	    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
+	    ;;
+    esac
 fi
 
 if [ $PRODUCT = shorewall ]; then
@@ -682,10 +699,16 @@ fi
 run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 
-if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
-    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
-    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
-fi
+case "$SPARSE" in
+    [Vv]ery)
+    ;;
+    *)
+	if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+	    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+	    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
+	fi
+	;;
+esac
 
 #
 # Install the Mangle file
@@ -1139,13 +1162,39 @@ if [ -n "$MANDIR" ]; then
 
 cd manpages
 
-[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+if [ $PRODUCT = shorewall ]; then
+    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
 
-for f in *.5; do
-    gzip -9c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
-done
+    for f in *.5; do
+	gzip -9c $f > $f.gz
+	run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+    done
+fi
+
+if [ $PRODUCT = shorewall6 ]; then
+    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+
+    rm -f ${DESTDIR}${MANDIR}/man5/shorewall6*
+
+    for f in \
+	shorewall-accounting.5  shorewall-ipsets.5   shorewall-providers.5     shorewall-tcclasses.5     \
+	shorewall-actions.5     shorewall-maclist.5                            shorewall-tcdevices.5     \
+	                        shorewall-mangle.5   shorewall-proxyndp.5      shorewall-tcfilters.5     \
+	shorewall-blacklist.5   shorewall-masq.5     shorewall-routes.5        shorewall-tcinterfaces.5  \
+	shorewall-blrules.5     shorewall-modules.5  shorewall-routestopped.5  shorewall-tcpri.5         \
+	shorewall-conntrack.5   shorewall-nat.5      shorewall-rtrules.5       shorewall-tcrules.5       \
+                                shorewall-nesting.5  shorewall-rules.5         shorewall-tos.5           \
+	shorewall-exclusion.5   shorewall-netmap.5   shorewall-secmarks.5      shorewall-tunnels.5       \
+	shorewall-hosts.5       shorewall-params.5   shorewall-snat.5          shorewall-vardir.5        \
+	shorewall-interfaces.5  shorewall-policy.5   shorewall-stoppedrules.5  shorewall-zones.5
+    do
+	f6=shorewall6-${f#*-}
+	echo ".so man5/$f" > ${DESTDIR}${MANDIR}/man5/$f6
+    done
+
+    echo ".so man5/shorewall.conf.5" > ${DESTDIR}${MANDIR}/man5/shorewall6.conf.5
+fi
 
 [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
 

Shorewall/lib.cli-std

@@ -341,6 +341,18 @@ get_config() {
 	setup_dbl
     fi
 
+    if [ -z "$PERL_HASH_SEED" ]; then
+	PERL_HASH_SEED=0
+    else
+	case $PERL_HASH_SEED in
+	    [0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]|random)
+	        ;;
+	    *)
+		fatal_error "Invalid setting ($PERL_HASH_SEED) for PERL_HASH_SEED"
+		;;
+	esac
+    fi
+
     lib=$(find_file lib.cli-user)
 
     [ -f $lib ] && . $lib
@@ -484,8 +496,17 @@ compiler() {
     #
     [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
 
-    PERL_HASH_SEED=0
-    export PERL_HASH_SEED
+    case $PERL_HASH_SEED in
+	random)
+	    unset PERL_HASH_SEED
+	    unset PERL_PERTURB_KEYS
+	    ;;
+	*)
+	    export PERL_HASH_SEED
+	    PERL_PERTURB_KEYS=0
+	    export PERL_PERTURB_KEYS
+	    ;;
+    esac
 
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
@@ -513,28 +534,6 @@ start_command() {
     local rc
     rc=0
 
-    do_it() {
-	if [ -n "$AUTOMAKE" ]; then
-	    [ -n "$nolock" ] || mutex_on
-	    run_it ${VARDIR}/firewall $g_debugging start
-	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    g_file="${VARDIR}/.start"
-	    if compiler $g_debugging $nolock compile "$g_file"; then
-		[ -n "$nolock" ] || mutex_on
-		run_it ${VARDIR}/.start $g_debugging start
-		rc=$?
-		[ -n "$nolock" ] || mutex_off
-	    else
-		rc=$?
-		mylogger kern.err "ERROR:$g_product start failed"
-	    fi
-	fi
-
-	exit $rc
-    }
-
     if product_is_started; then
 	error_message "Shorewall is already running"
 	exit 0
@@ -626,7 +625,25 @@ start_command() {
 	fi
     fi
 
-    do_it
+    if [ -n "$AUTOMAKE" ]; then
+	[ -n "$nolock" ] || mutex_on
+	run_it ${VARDIR}/firewall $g_debugging start
+	rc=$?
+	[ -n "$nolock" ] || mutex_off
+    else
+	g_file="${VARDIR}/.start"
+	if compiler $g_debugging $nolock compile "$g_file"; then
+	    [ -n "$nolock" ] || mutex_on
+	    run_it ${VARDIR}/.start $g_debugging start
+	    rc=$?
+	    [ -n "$nolock" ] || mutex_off
+	else
+	    rc=$?
+	    mylogger kern.err "ERROR:$g_product start failed"
+	fi
+    fi
+
+    exit $rc
 }
 
 #
@@ -1539,10 +1556,10 @@ remote_reload_command() # $* = original arguments less the command.
 
 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
     fi

Shorewall/manpages/shorewall-accounting.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/accounting</command>
+      <command>/etc/shorewall[6]/accounting</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -783,6 +783,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/accounting</para>
+
+    <para>/etc/shorewall6/accounting</para>
   </refsect1>
 
   <refsect1>
@@ -798,14 +800,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-actions.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/actions</command>
+      <command>/etc/shorewall[6]/actions</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -148,9 +148,9 @@
               <listitem>
                 <para>Added in Shorewall 5.0.7. Specifies that this action is
                 to be used in <ulink
-                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
-                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
+                rather than <ulink
+                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -160,11 +160,11 @@
               <listitem>
                 <para>Added in Shorewall 5.0.13. Specifies that this action is
                 to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
-                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
-                <option>mangle</option> and <option>nat</option> options are
-                mutually exclusive.</para>
+                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
+                rather than <ulink
+                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
+                The <option>mangle</option> and <option>nat</option> options
+                are mutually exclusive.</para>
               </listitem>
             </varlistentry>
 
@@ -206,7 +206,7 @@
                 <para>Given that neither the <filename>snat</filename> nor the
                 <filename>mangle</filename> file is sectioned, this parameter
                 has no effect when <option>mangle</option> or
-                <option>nat</option> is specified. </para>
+                <option>nat</option> is specified.</para>
               </listitem>
             </varlistentry>
 
@@ -239,6 +239,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/actions</para>
+
+    <para>/etc/shorewall6/actions</para>
   </refsect1>
 
   <refsect1>
@@ -247,14 +249,6 @@
     <para><ulink
     url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-arprules.xml

@@ -25,6 +25,8 @@
   <refsect1>
     <title>Description</title>
 
+    <para>IPv4 only.</para>
+
     <para>This file was added in Shorewall 4.5.12 and is used to describe
     low-level rules managed by arptables (8). These rules only affect Address
     Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
@@ -377,4 +379,10 @@ SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlis
 
     <para>/etc/shorewall/arprules</para>
   </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8)</para>
+  </refsect1>
 </refentry>

Shorewall/manpages/shorewall-blrules.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/blrules</command>
+      <command>/etc/shorewall[6]/blrules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -27,12 +27,9 @@
 
     <para>This file is used to perform blacklisting and whitelisting.</para>
 
-    <para>Rules in this file are applied depending on the setting of
-    BLACKLISTNEWONLY in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
-    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
-    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
-    connections in the NEW and INVALID states.</para>
+    <para>Rules in this file are applied depending on the setting of BLACKLIST
+    in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
 
     <para>The format of rules in this file is the same as the format of rules
     in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
@@ -118,10 +115,10 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_DROP and A_DROP!</term>
+              <term>A_DROP</term>
 
               <listitem>
-                <para>Audited versions of DROP. Requires AUDIT_TARGET support
+                <para>Audited version of DROP. Requires AUDIT_TARGET support
                 in the kernel and ip6tables.</para>
               </listitem>
             </varlistentry>
@@ -170,7 +167,7 @@
               <listitem>
                 <para>queues matching packets to a back end logging daemon via
                 a netlink socket then continues to the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -276,11 +273,11 @@
   </refsect1>
 
   <refsect1>
-    <title>Example</title>
+    <title>Examples</title>
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>Drop Teredo packets from the net.</para>
@@ -290,7 +287,28 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
+
+        <listitem>
+          <para>Don't subject packets from 2001:DB8::/64 to the remaining
+          rules in the file.</para>
+
+          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>Drop Teredo packets from the net.</para>
+
+          <programlisting>DROP          net:[2001::/32]            all</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 2:</term>
 
         <listitem>
           <para>Don't subject packets from 2001:DB8::/64 to the remaining
@@ -306,6 +324,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/blrules</para>
+
+    <para>/etc/shorewall6/blrules</para>
   </refsect1>
 
   <refsect1>
@@ -317,12 +337,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
-    shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-conntrack.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/conntrack</command>
+      <command>/etc/shorewall[6]/conntrack</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -35,7 +35,7 @@
     <emphasis role="bold">conntrack</emphasis>.</para>
 
     <para>The file supports three different column layouts: FORMAT 1, FORMAT
-    2, and FORMAT 3, FORMAT 1 being the default. The three differ as
+    2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
     follows:</para>
 
     <itemizedlist>
@@ -311,9 +311,9 @@
             <listitem>
               <para><option>ULOG</option></para>
 
-              <para>Added in Shoreawll 4.6.0. Queues the packet to a backend
-              logging daemon using the ULOG netfilter target with the
-              specified <replaceable>ulog-parameters</replaceable>.</para>
+              <para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
+              a backend logging daemon using the ULOG netfilter target with
+              the specified <replaceable>ulog-parameters</replaceable>.</para>
             </listitem>
           </itemizedlist>
 
@@ -689,31 +689,57 @@
   <refsect1>
     <title>EXAMPLE</title>
 
-    <para>Example 1:</para>
+    <para>IPv4 Example 1:</para>
 
     <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
 
-    <para>Example 2 (Shorewall 4.5.10 or later):</para>
+    <para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
 
     <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
 
-    <programlisting>FORMAT 2
+    <programlisting>?FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>
 
-    <para>or<programlisting>FORMAT 3
+    <para>or<programlisting>?FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
+
+    <para>IPv6 Example 1:</para>
+
+    <para>Use the FTP helper for TCP port 21 connections from the firewall
+    itself.</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
+CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+
+    <para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
+
+    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
+DROP                          all-:2001:1.2.3::4 -
+DROP                          all                2001:1.2.3::4
+</programlisting>
+
+    <para>or<programlisting>FORMAT 3
+#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
+DROP:P                        2001:1.2.3::4      -
+DROP:PO                       -                  2001:1.2.3::4</programlisting></para>
   </refsect1>
 
   <refsect1>
     <title>FILES</title>
 
     <para>/etc/shorewall/conntrack</para>
+
+    <para>/etc/shorewall6/conntrack</para>
   </refsect1>
 
   <refsect1>
@@ -722,14 +748,6 @@ DROP:PO                       -                  1.2.3.4
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-ecn.xml

@@ -25,8 +25,12 @@
   <refsect1>
     <title>Description</title>
 
+    <para>IPv4 only.</para>
+
     <para>Use this file to list the destinations for which you want to disable
-    ECN (Explicit Congestion Notification).</para>
+    ECN (Explicit Congestion Notification). Use of this file is deprecated in
+    favor of ECN rules in <ulink
+    url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
 
     <para>The columns in the file are as follows.</para>
 
@@ -65,14 +69,6 @@
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-exclusion.xml

@@ -49,9 +49,10 @@
 
     <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
     allowed after <emphasis role="bold">all</emphasis> and <emphasis
-    role="bold">any</emphasis> in the SOURCE and DEST columns of
-    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
-    generated by those key words.</para>
+    role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
+    url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
+    you to omit arbitrary zones from the list generated by those key
+    words.</para>
 
     <warning>
       <para>If you omit a sub-zone and there is an explicit or explicit
@@ -117,7 +118,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
 
     <variablelist>
       <varlistentry>
-        <term>Example 1 - All IPv4 addresses except 192.168.3.4</term>
+        <term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
 
         <listitem>
           <para>!192.168.3.4</para>
@@ -125,8 +126,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
-        and the host 10.2.3.4</term>
+        <term>IPv4 Example 2 - All IPv4 addresses except the network
+        192.168.1.0/24 and the host 10.2.3.4</term>
 
         <listitem>
           <para>!192.168.1.0/24,10.1.3.4</para>
@@ -134,7 +135,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>Example 3 - All IPv4 addresses except the range
+        <term>IPv4 Example 3 - All IPv4 addresses except the range
         192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
 
         <listitem>
@@ -143,8 +144,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
-        and 192.168.1.9</term>
+        <term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
+        192.168.1.3 and 192.168.1.9</term>
 
         <listitem>
           <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
@@ -176,14 +177,6 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-hosts.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/hosts</command>
+      <command>/etc/shorewall[6]/hosts</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -270,6 +270,8 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
     <title>FILES</title>
 
     <para>/etc/shorewall/hosts</para>
+
+    <para>/etc/shorewall6/hosts</para>
   </refsect1>
 
   <refsect1>
@@ -278,14 +280,6 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-init.xml

@@ -165,14 +165,6 @@
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-interfaces.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/interfaces</command>
+      <command>/etc/shorewall[6]/interfaces</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -104,9 +104,7 @@ loc     eth2            -</programlisting>
           <para>You may use wildcards here by specifying a prefix followed by
           the plus sign ("+"). For example, if you want to make an entry that
           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, … Please note that the '+' means '<emphasis
-          role="bold">one</emphasis> or more additional characters' so 'ppp'
-          does not match 'ppp+'.</para>
+          ppp1, ppp2, …</para>
 
           <para>When using Shorewall versions before 4.1.4, care must be
           exercised when using wildcards where there is another zone that uses
@@ -199,11 +197,12 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
 
               <listitem>
-                <para>If specified, this interface will only respond to ARP
-                who-has requests for IP addresses configured on the interface.
-                If not specified, the interface can respond to ARP who-has
-                requests for IP addresses on any of the firewall's interface.
-                The interface must be up when Shorewall is started.</para>
+                <para>IPv4 only. If specified, this interface will only
+                respond to ARP who-has requests for IP addresses configured on
+                the interface. If not specified, the interface can respond to
+                ARP who-has requests for IP addresses on any of the firewall's
+                interface. The interface must be up when Shorewall is
+                started.</para>
 
                 <para>Only those interfaces with the
                 <option>arp_filter</option> option will have their setting
@@ -225,8 +224,8 @@ loc     eth2            -</programlisting>
               role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
 
               <listitem>
-                <para>If specified, this interface will respond to arp
-                requests based on the value of <emphasis>number</emphasis>
+                <para>IPv4 only. If specified, this interface will respond to
+                arp requests based on the value of <emphasis>number</emphasis>
                 (defaults to 1).</para>
 
                 <para>1 - reply only if the target IP address is local address
@@ -257,7 +256,7 @@ loc     eth2            -</programlisting>
                 <warning>
                   <para>Do not specify <emphasis
                   role="bold">arp_ignore</emphasis> for any interface involved
-                  in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
+                  in <ulink url="/ProxyARP.htm">Proxy ARP</ulink>.</para>
                 </warning>
               </listitem>
             </varlistentry>
@@ -323,7 +322,7 @@ loc     eth2            -</programlisting>
                 and/or destination address is to be compared against the
                 ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                 <ulink
-                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
+                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
                 The default is determine by the setting of
                 DYNAMIC_BLACKLIST:</para>
 
@@ -411,13 +410,13 @@ loc     eth2            -</programlisting>
 
                   <listitem>
                     <para>the interface is a <ulink
-                    url="../SimpleBridge.html">simple bridge</ulink> with a
-                    DHCP server on one port and DHCP clients on another
+                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
+                    server on one port and DHCP clients on another
                     port.</para>
 
                     <note>
                       <para>If you use <ulink
-                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
+                      url="/bridge-Shorewall-perl.html">Shorewall-perl for
                       firewall/bridging</ulink>, then you need to include
                       DHCP-specific rules in <ulink
                       url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
@@ -467,15 +466,15 @@ loc     eth2            -</programlisting>
               role="bold">logmartians[={0|1}]</emphasis></term>
 
               <listitem>
-                <para>Turn on kernel martian logging (logging of packets with
-                impossible source addresses. It is strongly suggested that if
-                you set <emphasis role="bold">routefilter</emphasis> on an
-                interface that you also set <emphasis
-                role="bold">logmartians</emphasis>. Even if you do not specify
-                the <option>routefilter</option> option, it is a good idea to
-                specify <option>logmartians</option> because your distribution
-                may have enabled route filtering without you knowing
-                it.</para>
+                <para>IPv4 only. Turn on kernel martian logging (logging of
+                packets with impossible source addresses. It is strongly
+                suggested that if you set <emphasis
+                role="bold">routefilter</emphasis> on an interface that you
+                also set <emphasis role="bold">logmartians</emphasis>. Even if
+                you do not specify the <option>routefilter</option> option, it
+                is a good idea to specify <option>logmartians</option> because
+                your distribution may have enabled route filtering without you
+                knowing it.</para>
 
                 <para>Only those interfaces with the
                 <option>logmartians</option> option will have their setting
@@ -576,8 +575,8 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">nosmurfs</emphasis></term>
 
               <listitem>
-                <para>Filter packets for smurfs (packets with a broadcast
-                address as the source).</para>
+                <para>IPv4 only. Filter packets for smurfs (packets with a
+                broadcast address as the source).</para>
 
                 <para>Smurfs will be optionally logged based on the setting of
                 SMURF_LOG_LEVEL in <ulink
@@ -596,9 +595,9 @@ loc     eth2            -</programlisting>
                 <itemizedlist>
                   <listitem>
                     <para>a <filename
-                    class="directory">/proc/sys/net/ipv4/conf/</filename>
+                    class="directory">/proc/sys/net/ipv[46]/conf/</filename>
                     entry for the interface cannot be modified (including for
-                    proxy ARP).</para>
+                    proxy ARP or proxy NDP).</para>
                   </listitem>
 
                   <listitem>
@@ -638,7 +637,7 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
 
               <listitem>
-                <para>Sets
+                <para>IPv4 only. Sets
                 /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                 Do NOT use this option if you are employing Proxy ARP through
                 entries in <ulink
@@ -659,6 +658,24 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>IPv6 only. Sets
+                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
+
+                <para><emphasis role="bold">Note</emphasis>: This option does
+                not work with a wild-card <replaceable>interface</replaceable>
+                name (e.g., eth0.+) in the INTERFACE column.</para>
+
+                <para>Only those interfaces with the <option>proxyndp</option>
+                option will have their setting changed; the value assigned to
+                the setting will be the value specified (if any) or 1 if no
+                value is given.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">required</emphasis></term>
 
@@ -700,8 +717,8 @@ loc     eth2            -</programlisting>
               role="bold">routefilter[={0|1|2}]</emphasis></term>
 
               <listitem>
-                <para>Turn on kernel route filtering for this interface
-                (anti-spoofing measure).</para>
+                <para>IPv4 only. Turn on kernel route filtering for this
+                interface (anti-spoofing measure).</para>
 
                 <para>Only those interfaces with the
                 <option>routefilter</option> option will have their setting
@@ -886,10 +903,13 @@ loc     eth2            -</programlisting>
                       role="bold">routefilter</emphasis></member>
 
                       <member><emphasis
-                      role="bold">sourceroute</emphasis></member>
+                      role="bold">proxyarp</emphasis></member>
 
                       <member><emphasis
-                      role="bold">proxyndp</emphasis></member>
+                      role="bold">proxyudp</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">sourceroute</emphasis></member>
                     </simplelist>
                   </listitem>
                 </itemizedlist>
@@ -902,7 +922,9 @@ loc     eth2            -</programlisting>
               <listitem>
                 <para>Incoming requests from this interface may be remapped
                 via UPNP (upnpd). See <ulink
-                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
+                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
+                Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
+                later.</para>
               </listitem>
             </varlistentry>
 
@@ -916,7 +938,8 @@ loc     eth2            -</programlisting>
                 causes Shorewall to detect the default gateway through the
                 interface and to accept UDP packets from that gateway. Note
                 that, like all aspects of UPnP, this is a security hole so use
-                this option at your own risk.</para>
+                this option at your own risk. Supported in IPv4 and in IPv6 in
+                Shorewall 5.1.4 and later.</para>
               </listitem>
             </varlistentry>
 
@@ -943,7 +966,7 @@ loc     eth2            -</programlisting>
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>Suppose you have eth0 connected to a DSL modem and eth1
@@ -956,7 +979,7 @@ loc     eth2            -</programlisting>
 
           <para>Your entries for this setup would look like:</para>
 
-          <programlisting>FORMAT 1
+          <programlisting>?FORMAT 1
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
@@ -971,7 +994,7 @@ dmz     eth2      192.168.2.255</programlisting>
           <para>The same configuration without specifying broadcast addresses
           is:</para>
 
-          <programlisting>FORMAT 2
+          <programlisting>?FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     eth0      dhcp
 loc     eth1      
@@ -986,7 +1009,7 @@ dmz     eth2</programlisting>
           <para>You have a simple dial-in system with no Ethernet
           connections.</para>
 
-          <programlisting>FORMAT 2
+          <programlisting>?FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
         </listitem>
@@ -999,7 +1022,7 @@ net     ppp0      -</programlisting>
           <para>You have a bridge with no IP address and you want to allow
           traffic through the bridge.</para>
 
-          <programlisting>FORMAT 2
+          <programlisting>?FORMAT 2
 #ZONE   INTERFACE OPTIONS
 -       br0       bridge</programlisting>
         </listitem>
@@ -1011,6 +1034,8 @@ net     ppp0      -</programlisting>
     <title>FILES</title>
 
     <para>/etc/shorewall/interfaces</para>
+
+    <para>/etc/shorewall6/interfaces</para>
   </refsect1>
 
   <refsect1>
@@ -1019,13 +1044,6 @@ net     ppp0      -</programlisting>
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-ipsets.xml

@@ -103,7 +103,7 @@
 
     <important>
       <para>These additional match options are not available in <ulink
-      url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
+      url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
     </important>
 
     <para>Available options are:</para>
@@ -251,34 +251,44 @@
 
     <para>/etc/shorewall/accounting</para>
 
+    <para>/etc/shorewall6/accounting</para>
+
     <para>/etc/shorewall/blrules</para>
 
+    <para>/etc/shorewall6/blrules</para>
+
     <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
     Multiple matches enclosed in +[...] may not be used in this file.</para>
 
+    <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
+
     <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
     Multiple matches enclosed in +[...] may not be used in this file.</para>
 
-    <para>/etc/shorewall/masq</para>
+    <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
 
     <para>/etc/shorewall/rules</para>
 
+    <para>/etc/shorewall6/rules</para>
+
     <para>/etc/shorewall/secmarks</para>
 
+    <para>/etc/shorewall6/secmarks</para>
+
     <para>/etc/shorewall/mangle</para>
+
+    <para>/etc/shorewall6/mangle</para>
+
+    <para>/etc/shorewall/snat</para>
+
+    <para>/etc/shorewall6/snat</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-maclist.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/maclist</command>
+      <command>/etc/shorewall[6]/maclist</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -97,6 +97,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/maclist</para>
+
+    <para>/etc/shorewall6/maclist</para>
   </refsect1>
 
   <refsect1>
@@ -108,14 +110,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-mangle.xml

@@ -18,31 +18,17 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/mangle</command>
+      <command>/etc/shorewall[6]/mangle</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
   <refsect1>
     <title>Description</title>
 
-    <para>This file was introduced in Shorewall 4.6.0 and is intended to
-    replace <ulink
+    <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
     url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
     file is only processed by the compiler if:</para>
 
-    <orderedlist numeration="loweralpha">
-      <listitem>
-        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
-        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
-        or</para>
-      </listitem>
-
-      <listitem>
-        <para>The first file named 'tcrules' found on the CONFIG_PATH contains
-        no non-commentary entries.</para>
-      </listitem>
-    </orderedlist>
-
     <para>Entries in this file cause packets to be marked as a means of
     classifying them for traffic control or policy routing.</para>
 
@@ -117,9 +103,7 @@
           SOURCE is $FW, the generated rule is always placed in the OUTPUT
           chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
           Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body unless the action is declared as
-          <option>inline</option> in <ulink
-          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
+          be specified in an action body.</para>
 
           <para>Where a command takes parameters, those parameters are
           enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -299,7 +283,7 @@
                 configuration described at <ulink
                 url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
                 place this entry in <ulink
-                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
+                url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
 
                 <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
 TProxy   1        -       -          lo        -               tproxy</programlisting>
@@ -365,8 +349,9 @@ DIVERTHA        -               -               tcp</programlisting>
 
               <listitem>
                 <para>Added in Shorewall 5.0.6 as an alternative to entries in
-                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
-                PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                <ulink
+                url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
+                If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
                 supplied, TCP is assumed. This action causes all ECN bits in
                 the TCP header to be cleared.</para>
               </listitem>
@@ -788,7 +773,7 @@ Normal-Service       =&gt; 0x00</programlisting>
               <listitem>
                 <para>where <replaceable>interface</replaceable> is the
                 logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                 Matches packets entering the firewall from the named
                 interface. May not be used in CLASSIFY rules or in rules using
                 the :T chain qualifier.</para>
@@ -864,7 +849,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                 on the firewall and whose source IP address matches one of the
                 listed addresses and does not match any address listed in the
                 <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
+                chain qualifier (:P, :F, etc.) in the ACTION column.</para>
               </listitem>
             </varlistentry>
 
@@ -911,11 +896,12 @@ Normal-Service       =&gt; 0x00</programlisting>
               <listitem>
                 <para>where <replaceable>interface</replaceable> is the
                 logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                 Matches packets leaving the firewall through the named
                 interface. May not be used in the PREROUTING chain (:P in the
                 mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
+                in <ulink
+                url="/manpages/shorewall.conf">shorewall.conf</ulink>
                 (5)).</para>
               </listitem>
             </varlistentry>
@@ -952,7 +938,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                 when both the outgoing interface and destination IP address
                 match. May not be used in the PREROUTING chain (:P in the mark
                 column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
+                <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
                 (5)).</para>
               </listitem>
             </varlistentry>
@@ -967,7 +953,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                 <replaceable>exclusion</replaceable>. May not be used in the
                 PREROUTING chain (:P in the mark column or no chain qualifier
                 and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="manpages/shorewall.conf">shorewall.conf</ulink>
+                url="/manpages/shorewall.conf">shorewall.conf</ulink>
                 (5)).</para>
               </listitem>
             </varlistentry>
@@ -1028,15 +1014,16 @@ Normal-Service       =&gt; 0x00</programlisting>
       <varlistentry>
         <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">{tcp:syn</emphasis>|<emphasis
+        role="bold">{tcp:[!]syn</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>|<emphasis
         role="bold">ipp2p:udp</emphasis>|<emphasis
         role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
         role="bold">all}[,...]}</emphasis></term>
 
         <listitem>
-          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
-          ipp2p match support in your kernel and iptables.</para>
+          <para>See <ulink
+          url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
+          details.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>
@@ -1542,7 +1529,7 @@ Normal-Service       =&gt; 0x00</programlisting>
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@@ -1571,7 +1558,7 @@ Normal-Service       =&gt; 0x00</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
 
         <listitem>
           <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -1583,12 +1570,41 @@ Normal-Service       =&gt; 0x00</programlisting>
        #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
        CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
 
-/etc/shorewall/masq:
+/etc/shorewall/snat:
 
-       #INTERFACE SOURCE         ADDRESS     ...
-       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
-       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+       #ACTION          SOURCE              DEST     ...
+       SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
+       SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
+       SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
+          to peer traffic with packet mark 4.</para>
+
+          <para>This is a little more complex than otherwise expected. Since
+          the ipp2p module is unable to determine all packets in a connection
+          are P2P packets, we mark the entire connection as P2P if any of the
+          packets are determined to match.</para>
+
+          <para>We assume packet/connection mark 0 means unclassified.</para>
+
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
+       MARK(1):T  ::/0      ::/0         icmp    echo-request
+       MARK(1):T  ::/0      ::/0         icmp    echo-reply
+       RESTORE:T  ::/0      ::/0         all     -             -       -       0
+       CONTINUE:T ::/0      ::/0         all     -             -       -       !0
+       MARK(4):T  ::/0      ::/0         ipp2p:all
+       SAVE:T     ::/0      ::/0         all     -             -       -       !0</programlisting>
+
+          <para>If a packet hasn't been classified (packet mark is 0), copy
+          the connection mark to the packet mark. If the packet mark is set,
+          we're done. If the packet is P2P, set the packet mark to 4. If the
+          packet mark has been set, save it to the connection mark.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -1598,6 +1614,8 @@ Normal-Service       =&gt; 0x00</programlisting>
     <title>FILES</title>
 
     <para>/etc/shorewall/mangle</para>
+
+    <para>/etc/shorewall6/mangle</para>
   </refsect1>
 
   <refsect1>
@@ -1615,14 +1633,6 @@ Normal-Service       =&gt; 0x00</programlisting>
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-masq.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/masq</command>
+      <command>/etc/shorewall[6]/masq</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -579,7 +579,7 @@
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>You have a simple masquerading setup where eth0 connects to a
@@ -594,7 +594,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
 
         <listitem>
           <para>You add a router to your local network to connect subnet
@@ -607,7 +607,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 3:</term>
+        <term>IPv4 Example 3:</term>
 
         <listitem>
           <para>You have an IPSEC tunnel through ipsec0 and you want to
@@ -620,7 +620,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 4:</term>
+        <term>IPv4 Example 4:</term>
 
         <listitem>
           <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -634,7 +634,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 5:</term>
+        <term>IPv4 Example 5:</term>
 
         <listitem>
           <para>You want all outgoing SMTP traffic entering the firewall from
@@ -654,7 +654,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 6:</term>
+        <term>IPv4 Example 6:</term>
 
         <listitem>
           <para>Connections leaving on eth0 and destined to any host defined
@@ -667,7 +667,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 7:</term>
+        <term>IPv4 Example 7:</term>
 
         <listitem>
           <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -689,7 +689,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 8:</term>
+        <term>IPv4 Example 8:</term>
 
         <listitem>
           <para>Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -716,6 +716,49 @@
 </programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>You have a simple 'masquerading' setup where eth0 connects to
+          a DSL or cable modem and eth1 connects to your local network with
+          subnet 2001:470:b:787::0/64</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
+        eth0         2001:470:b:787::0/64    -</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 2:</term>
+
+        <listitem>
+          <para>Your sit1 interface has two public IP addresses:
+          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+          iptables statistics match to masquerade outgoing connections evenly
+          between these two addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2 
+</programlisting>
+
+          <para>If INLINE_MATCHES=Yes in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+          then these rules may be specified as follows:</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -723,6 +766,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/masq</para>
+
+    <para>/etc/shorewall6/masq</para>
   </refsect1>
 
   <refsect1>
@@ -731,14 +776,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-modules.xml

@@ -18,11 +18,11 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/usr/share/shorewall/modules</command>
+      <command>/usr/share/shorewall[6]/modules</command>
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>/usr/share/shorewall/helpers</command>
+      <command>/usr/share/shorewall[6]/helpers</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -51,7 +51,7 @@
 
     <para>The <replaceable>modulename</replaceable> names a kernel module
     (without suffix). Shorewall will search for modules based on your
-    MODULESDIR and MODULE_SUFFIX settings in <ulink
+    MODULESDIR setting in <ulink
     url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
     <replaceable>moduleoption</replaceable>s are passed to modprobe (if
     installed) or to insmod.</para>
@@ -82,19 +82,19 @@
     <para>/etc/shorewall/modules</para>
 
     <para>/etc/shorewall/helpers</para>
+
+    <para>/usr/share/shorewall6/modules</para>
+
+    <para>/usr/share/shorewall6/helpers</para>
+
+    <para>/etc/shorewall6/modules</para>
+
+    <para>/etc/shorewall6/helpers</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-nat.xml

@@ -34,6 +34,8 @@
       url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
       in many cases, Proxy ARP (<ulink
       url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
+      or Proxy-NDP(<ulink
+      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
       is a better solution that one-to-one NAT.</para>
     </warning>
 
@@ -199,7 +201,7 @@ all		all		REJECT		info
 
       <listitem>
         <para>Set IMPLICIT_CONTINUE=Yes in <ulink
-        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
       </listitem>
     </orderedlist>
   </refsect1>
@@ -208,6 +210,8 @@ all		all		REJECT		info
     <title>FILES</title>
 
     <para>/etc/shorewall/nat</para>
+
+    <para>/etc/shorewall6/nat</para>
   </refsect1>
 
   <refsect1>
@@ -219,14 +223,6 @@ all		all		REJECT		info
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-nesting.xml

@@ -200,6 +200,16 @@
     <para>/etc/shorewall/policy</para>
 
     <para>/etc/shorewall/rules</para>
+
+    <para>/etc/shorewall6/zones</para>
+
+    <para>/etc/shorewall6/interfaces</para>
+
+    <para>/etc/shorewall6/hosts</para>
+
+    <para>/etc/shorewall6/policy</para>
+
+    <para>/etc/shorewall6/rules</para>
   </refsect1>
 
   <refsect1>

Shorewall/manpages/shorewall-netmap.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/netmap</command>
+      <command>/etc/shorewall[6]/netmap</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -44,8 +44,6 @@
         role="bold">SNAT}</emphasis></term>
 
         <listitem>
-          <para>Must be DNAT or SNAT</para>
-
           <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
           its destination address rewritten to the corresponding address in
           NET2.</para>
@@ -169,6 +167,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/netmap</para>
+
+    <para>/etc/shorewall6/netmap</para>
   </refsect1>
 
   <refsect1>
@@ -180,14 +180,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-params.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/params</command>
+      <command>/etc/shorewall[6]/params</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -107,7 +107,7 @@
 
     <programlisting>NET_IF=eth0
 NET_BCAST=130.252.100.255
-NET_OPTIONS=routefilter,norfc1918</programlisting>
+NET_OPTIONS=routefilter</programlisting>
 
     <para>Example <ulink
     url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
@@ -119,13 +119,15 @@ net     $NET_IF         $NET_BCAST      $NET_OPTIONS</programlisting>
     <para>This is the same as if the interfaces file had contained:</para>
 
     <programlisting>ZONE    INTERFACE       BROADCAST       OPTIONS
-net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
+net     eth0            130.252.100.255 routefilter</programlisting>
   </refsect1>
 
   <refsect1>
     <title>FILES</title>
 
     <para>/etc/shorewall/params</para>
+
+    <para>/etc/shorewall6/params</para>
   </refsect1>
 
   <refsect1>
@@ -134,14 +136,6 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
     <para><ulink
     url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-policy.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/policy</command>
+      <command>/etc/shorewall[6]/policy</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -33,25 +33,30 @@
       <para>The order of entries in this file is important</para>
 
       <para>This file determines what to do with a new connection request if
-      we don't get a match from the /etc/shorewall/rules file . For each
-      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any source or destination).</para>
+      we don't get a match from the <ulink
+      url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5) or
+      <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5)
+      files. For each source/destination pair, the file is processed in order
+      until a match is found ("all" will match any source or
+      destination).</para>
     </important>
 
     <important>
       <para>Intra-zone policies are pre-defined</para>
 
-      <para>For $FW and for all of the zones defined in /etc/shorewall/zones,
-      the POLICY for connections from the zone to itself is ACCEPT (with no
+      <para>For $FW and for all of the zones defined in <ulink
+      url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), the
+      POLICY for connections from the zone to itself is ACCEPT (with no
       logging or TCP connection rate limiting) but may be overridden by an
       entry in this file. The overriding entry must be explicit (specifying
       the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
       4.5.17 or later).</para>
 
-      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
-      then the implicit policy to/from any sub-zone is CONTINUE. These
-      implicit CONTINUE policies may also be overridden by an explicit entry
-      in this file.</para>
+      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in <ulink
+      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then the
+      implicit policy to/from any sub-zone is CONTINUE. These implicit
+      CONTINUE policies may also be overridden by an explicit entry in this
+      file.</para>
     </important>
 
     <para>The columns in the file are as follows (where the column name is
@@ -396,6 +401,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/policy</para>
+
+    <para>/etc/shorewall6/policy</para>
   </refsect1>
 
   <refsect1>
@@ -404,14 +411,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-providers.xml

@@ -82,14 +82,11 @@
           url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
           file to direct packets to this provider.</para>
 
-          <para>If HIGH_ROUTE_MARKS=Yes in <ulink
+          <para>If PROVIDER_OFFSET is non-zero in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 256 between 256 and 65280 or their
-          hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
-          of the value being zero). Otherwise, the value must be between 1 and
-          255. Each provider must be assigned a unique mark value. This column
-          may be omitted if you don't use packet marking to direct connections
-          to a particular provider.</para>
+          the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
+          number of significant bits may not exceed PROVIDER_OFFSET +
+          PROVIDER_BITS.</para>
         </listitem>
       </varlistentry>
 
@@ -116,9 +113,9 @@
           listed in <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
           In general, that interface should not have the
-          <option>proxyarp</option> option specified unless
-          <option>loose</option> is given in the OPTIONS column of this
-          entry.</para>
+          <option>proxyarp</option> or <option>proxyndp</option> option
+          specified unless <option>loose</option> is given in the OPTIONS
+          column of this entry.</para>
 
           <para>Where more than one provider is serviced through a single
           interface, the <emphasis>interface</emphasis> must be followed by a
@@ -217,7 +214,14 @@
                 BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
                 unless the <option>fallback</option>, <option>loose</option>,
                 <option>load</option> or <option>tproxy</option> option is
-                specified.</para>
+                specified.I</para>
+
+                <caution>
+                  <para>In IPV6, the <option>balance</option> option does not
+                  cause balanced default routes to be created; it rather
+                  causes a sequence of default routes with different metrics
+                  to be created.</para>
+                </caution>
               </listitem>
             </varlistentry>
 
@@ -340,6 +344,14 @@
                 <para>Prior to Shorewall 4.4.24, the option is ignored with a
                 warning message if USE_DEFAULT_RT=Yes in
                 <filename>shorewall.conf</filename>.</para>
+
+                <caution>
+                  <para>In IPV6, specifying the <option>fallback</option>
+                  option on multiple providers does not cause balanced
+                  fallback routes to be created; it rather causes a sequence
+                  of fallback routes with different metrics to be
+                  created.</para>
+                </caution>
               </listitem>
             </varlistentry>
 
@@ -426,6 +438,14 @@
                   <command>enable</command> and <command>reenable</command>
                   commands can reenable the provider.</para>
                 </note>
+
+                <important>
+                  <para>RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not
+                  recommended when the <option>persistent</option> option is
+                  used, as restoring default routes to the main routing table
+                  can prevent link status monitors such as foolsm from
+                  correctly detecting non-working providers.</para>
+                </important>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -461,7 +481,7 @@
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
@@ -473,7 +493,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
 
         <listitem>
           <para>eth0 connects to ISP 1. The IP address of eth0 is
@@ -491,6 +511,36 @@
         ISP2  2       2    main      eth1      130.252.99.254  track,balance      eth2</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
+          Your DMZ interface is eth2</para>
+
+          <programlisting>        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY              OPTIONS
+        Squid   1       1    -          eth2      2002:ce7c:92b4:1::2  -</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 2:</term>
+
+        <listitem>
+          <para>eth0 connects to ISP 1. The ISP's gateway router has IP
+          address 2001:ce7c:92b4:1::2.</para>
+
+          <para>eth1 connects to ISP 2. The ISP's gateway router has IP
+          address 2001:d64c:83c9:12::8b.</para>
+
+          <para>eth2 connects to a local network.</para>
+
+          <programlisting>        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY               OPTIONS    COPY
+        ISP1  1       1    main      eth0     2001:ce7c:92b4:1::2   track      eth2
+        ISP2  2       2    main      eth1     2001:d64c:83c9:12::8b track      eth2</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -498,6 +548,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/providers</para>
+
+    <para>/etc/shorewall6/providers</para>
   </refsect1>
 
   <refsect1>
@@ -509,14 +561,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-proxyarp.xml

@@ -25,6 +25,8 @@
   <refsect1>
     <title>Description</title>
 
+    <para>IPv4 only.</para>
+
     <para>This file is used to define Proxy ARP. There is one entry in this
     file for each IP address to be proxied.</para>
 
@@ -139,14 +141,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-routes.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/routes</command>
+      <command>/etc/shorewall[6]/routes</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -109,6 +109,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/routes</para>
+
+    <para>/etc/shorewall6/routes</para>
   </refsect1>
 
   <refsect1>
@@ -117,14 +119,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-rtrules.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/rtrules</command>
+      <command>/etc/shorewall[6]/rtrules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -177,7 +177,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
 
         <listitem>
           <para>You use OpenVPN (routed setup /tunX) in combination with
@@ -199,6 +199,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/rtrules</para>
+
+    <para>/etc/shorewall6/rtrules</para>
   </refsect1>
 
   <refsect1>
@@ -210,14 +212,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-rules.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/rules</command>
+      <command>/etc/shorewall[6]/rules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -54,7 +54,8 @@
         <listitem>
           <para>This section was added in Shorewall 4.4.23. Rules in this
           section are applied, regardless of the connection tracking state of
-          the packet.</para>
+          the packet and are applied before rules in the other
+          sections.</para>
         </listitem>
       </varlistentry>
 
@@ -136,10 +137,8 @@
     <note>
       <para>If you are not familiar with Netfilter to the point where you are
       comfortable with the differences between the various connection tracking
-      states, then it is suggested that you omit the <emphasis
-      role="bold">ESTABLISHED</emphasis> and <emphasis
-      role="bold">RELATED</emphasis> sections and place all of your rules in
-      the NEW section (That's after the line that reads ?SECTION NEW').</para>
+      states, then it is suggested that you place all of your rules in the NEW
+      section (That's after the line that reads ?SECTION NEW').</para>
     </note>
 
     <warning>
@@ -148,8 +147,8 @@
       <emphasis role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
       role="bold">RELATED</emphasis> sections must be empty.</para>
 
-      <para>An except is made if you are running Shorewall 4.4.27 or later and
-      you have specified a non-default value for RELATED_DISPOSITION or
+      <para>An exception is made if you are running Shorewall 4.4.27 or later
+      and you have specified a non-default value for RELATED_DISPOSITION or
       RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED
       section of this file.</para>
     </warning>
@@ -213,7 +212,8 @@
                 role="bold">DNAT</emphasis>[<emphasis
                 role="bold">-</emphasis>] or <emphasis
                 role="bold">REDIRECT</emphasis>[<emphasis
-                role="bold">-</emphasis>] rules.</para>
+                role="bold">-</emphasis>] rules. Use with IPv6 requires
+                Shorewall 4.5.14 or later.</para>
               </listitem>
             </varlistentry>
 
@@ -234,7 +234,7 @@
                 <para>The name of an <emphasis>action</emphasis> declared in
                 <ulink
                 url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-                or in /usr/share/shorewall/actions.std.</para>
+                or in /usr/share/shorewall[6]/actions.std.</para>
               </listitem>
             </varlistentry>
 
@@ -288,7 +288,8 @@
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
                 ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
-                in the kernel and iptables.</para>
+                in the kernel and iptables. A_ACCEPT+ with IPv6 requires
+                Shorewall 4.5.14 or later.</para>
               </listitem>
             </varlistentry>
 
@@ -403,7 +404,8 @@
 
               <listitem>
                 <para>Forward the request to another system (and optionally
-                another port).</para>
+                another port). Use with IPv6 requires Shorewall 4.5.14 or
+                later.</para>
               </listitem>
             </varlistentry>
 
@@ -416,7 +418,8 @@
                 <para>Like <emphasis role="bold">DNAT</emphasis> but only
                 generates the <emphasis role="bold">DNAT</emphasis> iptables
                 rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
+                Shorewall 4.5.14 or later.</para>
               </listitem>
             </varlistentry>
 
@@ -498,11 +501,11 @@
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
-                <para>This action allows you to specify an iptables target
-                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the <replaceable>iptables-target</replaceable> is not one
-                recognized by Shorewall, the following error message will be
-                issued:</para>
+                <para>IPv4 only. This action allows you to specify an iptables
+                target with options (e.g., 'IPTABLES(MARK --set-xmark
+                0x01/0xff)'. If the <replaceable>iptables-target</replaceable>
+                is not one recognized by Shorewall, the following error
+                message will be issued:</para>
 
                 <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
 
@@ -523,6 +526,39 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
+              [<replaceable>option</replaceable> ...])</term>
+
+              <listitem>
+                <para>IPv6 only. This action allows you to specify an
+                ip6tables target with options (e.g., 'IPTABLES(MARK
+                --set-xmark 0x01/0xff)'. If the
+                <replaceable>ip6tables-target</replaceable> is not one
+                recognized by Shorewall, the following error message will be
+                issued:</para>
+
+                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
+
+                <para>This error message may be eliminated by adding
+                the<replaceable>
+                ip6tables-</replaceable><replaceable>target</replaceable> as a
+                builtin action in <ulink
+                url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>ip6tables-target</replaceable>, the target of
+                  the rule will be the i6ptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
@@ -594,7 +630,7 @@
                 <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>The <replaceable>nflog-parameters</replaceable> are a
                 comma-separated list of up to 3 numbers:</para>
@@ -675,7 +711,8 @@
                 <para>Excludes the connection from any subsequent <emphasis
                 role="bold">DNAT</emphasis>[-] or <emphasis
                 role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
-                a rule to accept the traffic.</para>
+                a rule to accept the traffic. Use with IPv6 requires Shorewall
+                4.5.14 or later.</para>
               </listitem>
             </varlistentry>
 
@@ -710,7 +747,7 @@
 
                 <para>Beginning with Shorewall 5.0.8, the type of reject may
                 be specified in the <replaceable>option</replaceable>
-                paramater. Valid <replaceable>option</replaceable> values
+                paramater. Valid IPv4 <replaceable>option</replaceable> values
                 are:</para>
 
                 <simplelist>
@@ -729,7 +766,31 @@
                   <member><option>icmp-admin-prohibited</option></member>
 
                   <member><option>icmp-tcp-reset</option> (the PROTO column
-                  must specify TCP)</member>
+                  must specify TCP). Beginning with Shorewall 5.1.3, this
+                  option may also be specified as
+                  <option>tcp-reset</option>.</member>
+                </simplelist>
+
+                <para>Valid IPv6 <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp6-no-route</option></member>
+
+                  <member><option>no-route</option></member>
+
+                  <member><option>i</option><option>cmp6-adm-prohibited</option></member>
+
+                  <member><option>adm-prohibited</option></member>
+
+                  <member><option>icmp6-addr-unreachable</option></member>
+
+                  <member><option>addr-unreach</option></member>
+
+                  <member><option>icmp6-port-unreachable</option></member>
+
+                  <member><option>tcp-reset</option> (the PROTO column must
+                  specify TCP)</member>
                 </simplelist>
               </listitem>
             </varlistentry>
@@ -749,7 +810,8 @@
 
               <listitem>
                 <para>Redirect the request to a server running on the
-                firewall.</para>
+                firewall. Use with IPv6 requires Shorewall 4.5.14 or
+                later.</para>
               </listitem>
             </varlistentry>
 
@@ -762,7 +824,8 @@
                 <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                 generates the <emphasis role="bold">REDIRECT</emphasis>
                 iptables rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
+                Shorewall 4.5.14 or later.</para>
               </listitem>
             </varlistentry>
 
@@ -842,10 +905,10 @@
               role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
 
               <listitem>
-                <para>Added in Shorewall 4.5.10. Queues matching packets to a
-                back end logging daemon via a netlink socket then continues to
-                the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                <para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
+                packets to a back end logging daemon via a netlink socket then
+                continues to the next rule. See <ulink
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>Similar to<emphasis role="bold">
                 LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
@@ -889,10 +952,10 @@
             </listitem>
           </itemizedlist>
 
-          <para>You may also specify <emphasis role="bold">ULOG</emphasis> or
-          <emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
-          log level.This will log to the ULOG or NFLOG target for routing to a
-          separate log through use of ulogd (<ulink
+          <para>You may also specify <emphasis role="bold">ULOG</emphasis>
+          (IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
+          upper case) as a log level.This will log to the ULOG or NFLOG target
+          for routing to a separate log through use of ulogd (<ulink
           url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
 
           <para>Actions specifying logging may be followed by a log tag (a
@@ -922,9 +985,9 @@
 
               <listitem>
                 <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet source may be any
-                host in that zone.</para>
+                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
+                When only the zone name is specified, the packet source may be
+                any host in that zone.</para>
 
                 <para>zone may also be one of the following:</para>
 
@@ -989,11 +1052,12 @@
                 <replaceable>interface</replaceable> must be the name of an
                 interface associated with the named
                 <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                 or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets from hosts in the <replaceable>zone</replaceable> that
-                arrive through the named interface will match the rule.</para>
+                url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5).
+                Only packets from hosts in the <replaceable>zone</replaceable>
+                that arrive through the named interface will match the
+                rule.</para>
               </listitem>
             </varlistentry>
 
@@ -1007,7 +1071,7 @@
                   <listitem>
                     <para>A host or network IP address. A network address may
                     be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                    url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
                   </listitem>
 
                   <listitem>
@@ -1067,7 +1131,7 @@
               <listitem>
                 <para>This form matches if the host IP address does not match
                 any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -1208,6 +1272,49 @@
                 of the net zone.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>dmz:[2002:ce7c:2b4:1::2]</term>
+
+              <listitem>
+                <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>net:2001:4d48:ad51:24::/64</term>
+
+              <listitem>
+                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
+
+              <listitem>
+                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
+                local zone.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc:~00-A0-C9-15-39-78</term>
+
+              <listitem>
+                <para>Host in the local zone with MAC address
+                00:A0:C9:15:39:78.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
+
+              <listitem>
+                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
+                2001:4d48:ad51:24:6::/80.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
@@ -1229,9 +1336,9 @@
 
               <listitem>
                 <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet destination may be
-                any host in that zone.</para>
+                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
+                When only the zone name is specified, the packet destination
+                may be any host in that zone.</para>
 
                 <para>zone may also be one of the following:</para>
 
@@ -1296,11 +1403,11 @@
                 <replaceable>interface</replaceable> must be the name of an
                 interface associated with the named
                 <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                 or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets to hosts in the <replaceable>zone</replaceable> that
-                are sent through the named interface will match the
+                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
+                Only packets to hosts in the <replaceable>zone</replaceable>
+                that are sent through the named interface will match the
                 rule.</para>
               </listitem>
             </varlistentry>
@@ -1315,7 +1422,7 @@
                   <listitem>
                     <para>A host or network IP address. A network address may
                     be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                    url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
                   </listitem>
 
                   <listitem>
@@ -1370,7 +1477,7 @@
               <listitem>
                 <para>This form matches if the host IP address does not match
                 any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -1592,7 +1699,7 @@
       <varlistentry>
         <term><emphasis role="bold">PROTO</emphasis>- {<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">tcp:syn</emphasis>|<emphasis
+        role="bold">tcp:[!]syn</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>|<emphasis
         role="bold">ipp2p:udp</emphasis>|<emphasis
         role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
@@ -1603,7 +1710,10 @@
           requires ipp2p match support in your kernel and iptables. <emphasis
           role="bold">tcp:syn</emphasis> implies <emphasis
           role="bold">tcp</emphasis> plus the SYN flag must be set and the
-          RST,ACK and FIN flags must be reset.</para>
+          RST, ACK and FIN flags must be reset. Beginning with Shorewall
+          5.1.3, you may also specify <emphasis
+          role="bold">tcp:!syn</emphasis>, which matches if SYN is not set or
+          if RST, ACK or FIN is set.</para>
 
           <para>Beginning with Shorewall 4.4.19, this column can contain a
           comma-separated list of protocol-numbers and/or protocol
@@ -2079,12 +2189,100 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HEADERS</emphasis></term>
+        <term><emphasis role="bold">HEADERS -
+        [!][any:|exactly:]</emphasis><replaceable>header-list
+        </replaceable>(Optional - Added in Shorewall 4.4.15)</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
-          you with to supply a value for one of the later columns, enter '-'
-          in this column.</para>
+          <para>This column is only used in IPv6. In IPv4, supply "-" in this
+          column if you with to place a value in one of the following
+          columns.</para>
+
+          <para>The <replaceable>header-list</replaceable> consists of a
+          comma-separated list of headers from the following list.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">auth</emphasis>, <emphasis
+              role="bold">ah</emphasis>, or <emphasis
+              role="bold">51</emphasis></term>
+
+              <listitem>
+                <para><firstterm>Authentication Headers</firstterm> extension
+                header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">esp</emphasis>, or <emphasis
+              role="bold">50</emphasis></term>
+
+              <listitem>
+                <para><firstterm>Encrypted Security Payload</firstterm>
+                extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">hop</emphasis>, <emphasis
+              role="bold">hop-by-hop</emphasis> or <emphasis
+              role="bold">0</emphasis></term>
+
+              <listitem>
+                <para>Hop-by-hop options extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">route</emphasis>, <emphasis
+              role="bold">ipv6-route</emphasis> or <emphasis
+              role="bold">43</emphasis></term>
+
+              <listitem>
+                <para>IPv6 Route extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">frag</emphasis>, <emphasis
+              role="bold">ipv6-frag</emphasis> or <emphasis
+              role="bold">44</emphasis></term>
+
+              <listitem>
+                <para>IPv6 fragmentation extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">none</emphasis>, <emphasis
+              role="bold">ipv6-nonxt</emphasis> or <emphasis
+              role="bold">59</emphasis></term>
+
+              <listitem>
+                <para>No next header</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto</emphasis>, <emphasis
+              role="bold">protocol</emphasis> or <emphasis
+              role="bold">255</emphasis></term>
+
+              <listitem>
+                <para>Any protocol header.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>If <emphasis role="bold">any:</emphasis> is specified, the
+          rule will match if any of the listed headers are present. If
+          <emphasis role="bold">exactly:</emphasis> is specified, the will
+          match packets that exactly include all specified headers. If neither
+          is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
+
+          <para>If <emphasis role="bold">!</emphasis> is entered, the rule
+          will match those packets which would not be matched when <emphasis
+          role="bold">!</emphasis> is omitted.</para>
         </listitem>
       </varlistentry>
 
@@ -2410,6 +2608,20 @@
         SECCTX             builtin</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 15:</term>
+
+        <listitem>
+          <para>You want to accept SSH connections to your firewall only from
+          internet IP addresses 2002:ce7c::92b4:1::2 and
+          2002:ce7c::92b4:1::22</para>
+
+          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
+        ACCEPT   net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
+                        $FW              tcp     22</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -2417,6 +2629,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/rules</para>
+
+    <para>/etc/shorewall6/rules</para>
   </refsect1>
 
   <refsect1>
@@ -2431,14 +2645,6 @@
     <para><ulink
     url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-secmarks.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/secmarks</command>
+      <command>/etc/shorewall[6]/secmarks</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -229,8 +229,9 @@
         role="bold">all}[,...]</emphasis></term>
 
         <listitem>
-          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
-          ipp2p match support in your kernel and iptables.</para>
+          <para>See <ulink
+          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
+          details.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>
@@ -403,6 +404,8 @@ RESTORE                               I:ER</programlisting>
     <title>FILES</title>
 
     <para>/etc/shorewall/secmarks</para>
+
+    <para>/etc/shorewall6/secmarks</para>
   </refsect1>
 
   <refsect1>
@@ -414,14 +417,6 @@ RESTORE                               I:ER</programlisting>
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-snat.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/snat</command>
+      <command>/etc/shorewall[6]/snat</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -27,7 +27,7 @@
 
     <para>This file is used to define dynamic NAT (Masquerading) and to define
     Source NAT (SNAT). It superseded <ulink
-    url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
+    url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
     5.0.14.</para>
 
     <warning>
@@ -78,7 +78,7 @@
               role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>|</term>
+              role="bold">detect</emphasis>)</term>
 
               <listitem>
                 <para>If you specify an address here, matching packets will
@@ -86,7 +86,7 @@
                 ADD_SNAT_ALIASES is set to Yes or yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 then Shorewall will automatically add this address to the
-                INTERFACE named in the first column.</para>
+                INTERFACE named in the first column (IPv4 only).</para>
 
                 <para>You may also specify a range of up to 256 IP addresses
                 if you want the SNAT address to be assigned from that range in
@@ -105,9 +105,7 @@
                 role="bold">:random</emphasis>) with <emphasis
                 role="bold">:persistent</emphasis>. This is only useful when
                 an address range is specified and causes a client to be given
-                the same source/destination IP pair. This feature replaces the
-                SAME modifier which was removed from Shorewall in version
-                4.4.0.</para>
+                the same source/destination IP pair.</para>
 
                 <para>You may also use the special value
                 <option>detect</option> which causes Shorewall to determine
@@ -150,8 +148,8 @@
               <listitem>
                 <para>where <replaceable>action</replaceable> is an action
                 declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
-                the <option>nat</option> option. See <ulink
+                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
+                with the <option>nat</option> option. See <ulink
                 url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
                 further information.</para>
               </listitem>
@@ -256,8 +254,10 @@
 
         <listitem>
           <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number
-          here.</para>
+          then enter the protocol name (from protocols(5)) or number here. See
+          <ulink
+          url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
+          details.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>
@@ -598,7 +598,7 @@
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>You have a simple masquerading setup where eth0 connects to a
@@ -613,7 +613,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
 
         <listitem>
           <para>You add a router to your local network to connect subnet
@@ -627,7 +627,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 3:</term>
+        <term>IPv4 Example 3:</term>
 
         <listitem>
           <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -641,7 +641,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 4:</term>
+        <term>IPv4 Example 4:</term>
 
         <listitem>
           <para>You want all outgoing SMTP traffic entering the firewall from
@@ -665,7 +665,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 5:</term>
+        <term>IPv4 Example 5:</term>
 
         <listitem>
           <para>Connections leaving on eth0 and destined to any host defined
@@ -673,12 +673,12 @@
           address changed to 206.124.146.177.</para>
 
           <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
+        SNAT(206.124.146.177)   -               eth0:+myset[dst]</programlisting>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>Example 6:</term>
+        <term>IPv4 Example 6:</term>
 
         <listitem>
           <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -700,19 +700,34 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 7:</term>
+        <term>IPv6 Example 1:</term>
 
         <listitem>
-          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
-          70.90.191.123. You want to use the iptables statistics match to
-          masquerade outgoing connections evenly between these two
-          addresses.</para>
+          <para>You have a simple 'masquerading' setup where eth0 connects to
+          a DSL or cable modem and eth1 connects to your local network with
+          subnet 2001:470:b:787::0/64</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #ACTION      SOURCE                  DEST
+        MASQUERADE   2001:470:b:787::0/64    eth0</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 2:</term>
+
+        <listitem>
+          <para>Your sit1 interface has two public IP addresses:
+          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+          iptables statistics match to masquerade outgoing connections evenly
+          between these two addresses.</para>
 
           <programlisting>/etc/shorewall/snat:
 
-       #ACTION                 SOURCE           DEST
-       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
-       SNAT(70.90.191.123)     -                eth1</programlisting>
+       #ACTION                      SOURCE     DEST
+       SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
+       SNAT(2001:470:a:227::2)      ::/0       sit</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -722,6 +737,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/snat</para>
+
+    <para>/etc/shorewall6/snat</para>
   </refsect1>
 
   <refsect1>
@@ -730,14 +747,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-stoppedrules.xml

@@ -19,7 +19,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/stoppedrules</command>
+      <command>/etc/shorewall[6]/stoppedrules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -153,6 +153,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/stoppedrules</para>
+
+    <para>/etc/shorewall6/stoppedrules</para>
   </refsect1>
 
   <refsect1>
@@ -164,14 +166,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-tcclasses.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/tcclasses</command>
+      <command>/etc/shorewall[6]/tcclasses</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -763,6 +763,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/tcclasses</para>
+
+    <para>/etc/shorewall6/tcclasses</para>
   </refsect1>
 
   <refsect1>
@@ -778,14 +780,6 @@
 
     <para>tc-red(8)</para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcdevices(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-tcdevices.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/tcdevices</command>
+      <command>/etc/shorewall[6]/tcdevices</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -276,6 +276,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/tcdevices</para>
+
+    <para>/etc/shorewall6/tcdevices</para>
   </refsect1>
 
   <refsect1>
@@ -292,14 +294,6 @@
     <para><ulink
     url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-tcfilters.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/tcfilters</command>
+      <command>/etc/shorewall[6]/tcfilters</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -89,12 +89,12 @@
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
           Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
-          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
-          details.</para>
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The ipset name may optionally be followed by a number
+          or a comma separated list of src and/or dst enclosed in square
+          brackets ([...]). See <ulink
+          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
+          for details.</para>
         </listitem>
       </varlistentry>
 
@@ -108,12 +108,12 @@
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
           Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
-          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
-          details.</para>
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The ipset name may optionally be followed by a number
+          or a comma separated list of src and/or dst enclosed in square
+          brackets ([...]). See <ulink
+          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
+          for details.</para>
 
           <para>You may exclude certain hosts from the set already defined
           through use of an <emphasis>exclusion</emphasis> (see <ulink
@@ -288,7 +288,7 @@
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>Place all 'ping' traffic on interface 1 in class 10. Note that
@@ -310,7 +310,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
 
         <listitem>
           <para>Add two filters with priority 10 (Shorewall 4.5.8 or
@@ -324,6 +324,22 @@
        1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply      10</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
+          later).</para>
+
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
+
+       IPV6
+
+       1:10      ::/0      ::/0         icmp    echo-request    10
+       1:10      ::/0      ::/0         icmp    echo-reply      10</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -331,6 +347,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/tcfilters</para>
+
+    <para>/etc/shorewall6/tcfilters</para>
   </refsect1>
 
   <refsect1>
@@ -348,14 +366,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-tcinterfaces.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/tcinterfaces</command>
+      <command>/etc/shorewall[6]/tcinterfaces</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -201,7 +201,9 @@
   <refsect1>
     <title>FILES</title>
 
-    <para>/etc/shorewall/tcinterfaces.</para>
+    <para>/etc/shorewall/tcinterfaces</para>
+
+    <para>/etc/shorewall6/tcinterfaces</para>
   </refsect1>
 
   <refsect1>
@@ -213,14 +215,6 @@
     <para><ulink
     url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-tcpri.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/tcpri</command>
+      <command>/etc/shorewall[6]/tcpri</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -148,6 +148,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/tcpri</para>
+
+    <para>/etc/shorewall6/tcpri</para>
   </refsect1>
 
   <refsect1>
@@ -156,14 +158,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>prio(8), shorewall(8), shorewall-accounting(5),
-    shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    <para>prio(8), shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-tunnels.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/tunnels</command>
+      <command>/etc/shorewall[6]/tunnels</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -173,7 +173,7 @@
 
     <variablelist>
       <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
 
         <listitem>
           <para>IPSec tunnel.</para>
@@ -187,7 +187,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
 
         <listitem>
           <para>Road Warrior (LapTop that may connect from anywhere) where the
@@ -199,7 +199,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 3:</term>
+        <term>IPv4 Example 3:</term>
 
         <listitem>
           <para>Host 4.33.99.124 is a standalone system connected via an ipsec
@@ -211,7 +211,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 4:</term>
+        <term>IPv4 Example 4:</term>
 
         <listitem>
           <para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
@@ -225,7 +225,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 5:</term>
+        <term>IPv4 Example 5:</term>
 
         <listitem>
           <para>You run the Linux PPTP client on your firewall and connect to
@@ -237,7 +237,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 6:</term>
+        <term>IPv4 Example 6:</term>
 
         <listitem>
           <para>You run a PPTP server on your firewall.</para>
@@ -260,7 +260,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 8:</term>
+        <term>IPv4 Example 8:</term>
 
         <listitem>
           <para>You have a tunnel that is not one of the supported types. Your
@@ -273,7 +273,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 9:</term>
+        <term>IPv4 Example 9:</term>
 
         <listitem>
           <para>TINC tunnel where the remote gateways are not specified. If
@@ -284,6 +284,83 @@
         tinc             net     0.0.0.0/0</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>IPSec tunnel.</para>
+
+          <para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
+          use the AH protocol</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY
+        ipsec:noah      net     2002:cec792b4:1::44</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 2:</term>
+
+        <listitem>
+          <para>Road Warrior (LapTop that may connect from anywhere) where the
+          "gw" zone is used to represent the remote LapTop</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
+        ipsec           net     ::/0                    gw</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 3:</term>
+
+        <listitem>
+          <para>Host 2001:cec792b4:1::44 is a standalone system connected via
+          an ipsec tunnel to the firewall system. The host is in zone
+          gw.</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
+        ipsec           net     2001:cec792b4:1::44     gw</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 4:</term>
+
+        <listitem>
+          <para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
+          openvpn uses port 7777.</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
+        openvpn:7777    net     2001:cec792b4:1::44</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 8:</term>
+
+        <listitem>
+          <para>You have a tunnel that is not one of the supported types. Your
+          tunnel uses UDP port 4444. The other end of the tunnel is
+          2001:cec792b4:1::44.</para>
+
+          <programlisting>        #TYPE            ZONE    GATEWAY                GATEWAY ZONES
+        generic:udp:4444 net     2001:cec792b4:1::44</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 9:</term>
+
+        <listitem>
+          <para>TINC tunnel where the remote gateways are not specified. If
+          you wish to specify a list of gateways, you can do so in the GATEWAY
+          column.</para>
+
+          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
+        tinc             net     ::/0</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -291,6 +368,8 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/tunnels</para>
+
+    <para>/etc/shorewall6/tunnels</para>
   </refsect1>
 
   <refsect1>
@@ -299,14 +378,6 @@
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-zones(5)</para>
+    <para>shorewall(8)</para>
   </refsect1>
 </refentry>