Correct convertion of tcrules->mangle when a writable mangle exists

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -22,20 +22,64 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
+
 PRODUCT=shorewall-core
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <configuration-file> ] "
+    echo "       $ME -v"
+    echo "       $ME -h"
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
     if cp -f $1 $2; then
@@ -54,16 +98,16 @@ install_file() # $1 = source $2 = target $3 = mode
     exit 1
 }
 
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -82,7 +126,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -104,14 +148,14 @@ done
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -125,7 +169,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
     usage 1
 fi
@@ -241,12 +285,13 @@ case "$HOST" in
     debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
     *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac
 
 if [ -z "$file" ]; then
-    if [ $HOST = linux ]; then
+    if $HOST = linux; then
 	file=shorewallrc.default
     else
 	file=shorewallrc.${HOST}
@@ -259,8 +304,7 @@ if [ -z "$file" ]; then
     echo "" >&2
     echo "Example:" >&2
     echo "" >&2
-    echo "   ./install.sh $file" >&2
-    exit 1
+    echo "   ./install.sh $file" &>2
 fi
 
 if [ -n "$DESTDIR" ]; then
@@ -271,31 +315,45 @@ if [ -n "$DESTDIR" ]; then
     fi
 fi
 
-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Core Version $VERSION"
 
 #
 # Create directories
 #
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
 
-make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
 
-make_parent_directory ${DESTDIR}${CONFDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}
+chmod 755 ${DESTDIR}${CONFDIR}
 
-[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+if [ -n "${SYSCONFDIR}" ]; then
+    mkdir -p ${DESTDIR}${SYSCONFDIR}
+    chmod 755 ${DESTDIR}${SYSCONFDIR}
+fi
 
 if [ -z "${SERVICEDIR}" ]; then
     SERVICEDIR="$SYSTEMD"
 fi
 
-[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
+fi
 
-make_parent_directory ${DESTDIR}${SBINDIR} 0755
+mkdir -p ${DESTDIR}${SBINDIR}
+chmod 755 ${DESTDIR}${SBINDIR}
 
-[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
+if [ -n "${MANDIR}" ]; then
+    mkdir -p ${DESTDIR}${MANDIR}
+    chmod 755 ${DESTDIR}${MANDIR}
+fi
 
 if [ -n "${INITFILE}" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 
     if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -324,14 +382,8 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    case $f in
-        *installer)
-            ;;
-        *)
-            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
-            ;;
-    esac
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 
 if [ $SHAREDIR != /usr/share ]; then
@@ -346,11 +398,11 @@ fi
 if [ -n "$MANDIR" ]; then
     cd manpages
 
-    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
 
     for f in *.8; do
 	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
     done
 
@@ -367,7 +419,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
 if [ -z "${DESTDIR}" ]; then
     if [ $update -ne 0 ]; then
@@ -392,20 +444,14 @@ fi
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do
-        case $f in
-            *installer)
-                ;;
-            *)
-                if [ $BUILD != apple ]; then
-                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                else
-                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                fi
-                ;;
-        esac
+	if [ $BUILD != apple ]; then
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	else
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	fi
     done
 fi
 #
-# Report Success
+#  Report Success
 #
-echo "$Product Version $VERSION Installed"
+echo "Shorewall Core Version $VERSION Installed"

Shorewall-core/lib.cli

@@ -4264,17 +4264,12 @@ usage() # $1 = exit status
     echo "   reenable <interface>"
     ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
-
-    if [ -n "$g_lite" ]; then
-	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    fi
+    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
     fi
 
     echo "   reset [ <chain> ... ]"

Shorewall-core/lib.installer

@@ -1,89 +0,0 @@
-#
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products installer.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-make_parent_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}

Shorewall-core/lib.uninstaller

@@ -1,106 +0,0 @@
-#
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products uninstaller.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
-            rm -f $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_directory() # $1 = directory to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -d $1 ] ; then
-            rm -rf $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_file_with_wildcard() # $1 = file with wildcard to remove
-{
-    if [ -n "$1" ] ; then
-        for f in $1; do
-            if [ -d $f ] ; then
-                rm -rf $f
-                echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
-                rm -f $f
-                echo "$f Removed"
-            fi
-        done
-    fi
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}

Shorewall-core/manpages/shorewall.xml

@@ -432,33 +432,6 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall[6][-lite]</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>reload</option></arg>
-
-      <arg><option>-n</option></arg>
-
-      <arg><option>-p</option><arg><option>-d</option></arg></arg>
-
-      <arg><option>-f</option></arg>
-
-      <arg><option>-c</option></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><option>-C</option></arg>
-
-      <arg><replaceable>directory</replaceable></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -1943,11 +1916,10 @@
 
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
-        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
-        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
+        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
+        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
+        [ <replaceable>system</replaceable> ]</term>
 
         <listitem>
           <para>This command was renamed from <command>load</command> in
@@ -1983,9 +1955,6 @@
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
 
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
-
           <para>If <emphasis role="bold">-s</emphasis> is specified and the
           <emphasis role="bold">start</emphasis> command succeeds, then the
           remote Shorewall-lite configuration is saved by executing <emphasis

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)

Shorewall-core/shorewallrc.default

@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
-BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
+BUILD=                                  #Default is to detect the build system
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.

Shorewall-core/shorewallrc.openwrt

@@ -1,8 +1,8 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+#
+# Input: host=openwrt
 #
-BUILD=                                 #Default is to detect the build system
-HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.

Shorewall-core/uninstall.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Core Modules
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,75 +26,63 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx # The Build script inserts the actual version
-PRODUCT=shorewall-core
+VERSION=xxx #The Build script inserts the actual version
+PRODUCT="shorewall-core"
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <shorewallrc file> ]"
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    finished=1
-	    ;;
-    esac
-done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -104,11 +92,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
     usage 1
 fi
@@ -116,26 +104,20 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
     INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
     VERSION=""
 fi
 
-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Core $VERSION"
 
-if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
-    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
-fi
+rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc
+
+echo "Shorewall Core Uninstalled"
 
-remove_directory ${SHAREDIR}/shorewall
-remove_file ~/.shorewallrc
 
-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"

Shorewall-init/default.debian.systemd

@@ -1,21 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF

Shorewall-init/default.debian.sysvinit

@@ -1,27 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Set this to the name of the file that is to hold
-# ipset contents. Shorewall-init will load those ipsets
-# during 'start' and will save them there during 'stop'.
-#
-SAVE_IPSETS=""
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF

Shorewall-init/install.sh

@@ -27,21 +27,58 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version.
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
     exit $1
 }
 
+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
     if cp -f $1 $2; then
@@ -60,16 +97,23 @@ install_file() # $1 = source $2 = target $3 = mode
     exit 1
 }
 
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 0755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+require() 
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -90,7 +134,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -115,17 +159,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
     if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+     else
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
     fi
 elif [ $# -eq 1 ]; then
     file=$1
@@ -133,11 +177,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
     usage 1
 fi
@@ -254,10 +298,12 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
     linux)
-	fatal_error "Shorewall-init is not supported on this system"
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	exit 1
 	;;
     *)
-	fatal_error "Unsupported HOST distribution: \"$HOST\""
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
 	;;
 esac
 
@@ -269,27 +315,30 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
     fi
     
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi
 
-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Init Version $VERSION"
 
 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi
 
 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
     install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
     [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
     
@@ -308,21 +357,25 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 
 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
     install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
-    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
+    fi
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 
 #
 # Create /usr/share/shorewall-init if needed
 #
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
 
 #
 # Install logrotate file
@@ -335,53 +388,55 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
+    rm -f ${SHAREDIR}/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
-	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
     elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
     fi
 
-    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
-	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+	if [ -n "${DESTDIR}" ]; then
+	    mkdir -p ${DESTDIR}${ETC}/default
+	fi
 
-	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
-	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
-	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
     fi
 
     IFUPDOWN=ifupdown.debian.sh
 else
     if [ -n "$DESTDIR" ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
 
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on OpenWRT
+		# Not implemented on openwrt
 		/bin/true
 	    else
-		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
     fi
@@ -403,13 +458,13 @@ if [ $HOST != openwrt ]; then
 
     [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 
-    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 
-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
     install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 
@@ -428,8 +483,8 @@ case $HOST in
     suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi
 
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -463,17 +518,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "$Product will start automatically at boot"
+                    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/$PRODUCT; then
-                    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-                    echo "$Product will start automatically at boot"
+		    echo "$PRODUCT will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -494,31 +549,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable ${PRODUCT}.service; then
-		    echo "$Product will start automatically at boot"
+		if systemctl enable shorewall-init.service; then
+		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init ; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically at boot"
-		    chkconfig --list $PRODUCT
+		if chkconfig --add shorewall-init ; then
+		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
+		if rc-update add shorewall-init default; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/$PRODUCT enabled; then
+		if /etc/init.d/shorewall-init enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -532,11 +587,11 @@ else
     if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
+		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
 
-	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
-	    echo "$Product will start automatically at boot"
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    echo "Shorewall Init will start automatically at boot"
 	fi
     fi
 fi
@@ -547,8 +602,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
     case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -559,19 +614,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
 	    done
 	    ;;
     esac
 fi
 #
-# Report Success
+#  Report Success
 #
 echo "shorewall Init Version $VERSION Installed"

Shorewall-init/uninstall.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Init
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,34 +26,62 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <shorewallrc file> ]"
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
 finished=0
 configure=1
 
@@ -90,17 +118,16 @@ while [ $finished -eq 0 ]; do
 	    ;;
     esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -110,72 +137,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file || exit 1
 else
     usage 1
 fi
 
-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Init Version $VERSION is not installed"
     VERSION=""
 fi
 
-echo "Uninstalling $Product $VERSION"
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+
+echo "Uninstalling Shorewall Init $VERSION"
 
 [ -n "$SANDBOX" ] && configure=0
 
-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 
-remove_file  ${SBINDIR}/$PRODUCT
-
-FIREWALL=${CONFDIR}/init.d/$PRODUCT
-
-if [ -f "$FIREWALL" ]; then
+if [ -f "$INITSCRIPT" ]; then
     if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ] ; then
-	    if /etc/init.d/$PRODUCT enabled; then
-		/etc/init.d/$PRODUCT disable
+	if [ $HOST = openwrt ]; then
+	    if /etc/init.d/shorewall-init enabled; then
+		/etc/init.d/shorewall-init disable
 	    fi
+	elif mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
+            insserv -r $INITSCRIPT
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $FIREWALL)
+	    chkconfig --del $(basename $INITSCRIPT)
 	fi
     fi
 
-    remove_file $FIREWALL
+    remove_file $INITSCRIPT
 fi
 
-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
 
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
 fi
 
 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 fi
 
-remove_file ${CONFDIR}/default/$PRODUCT
-remove_file ${CONFDIR}/sysconfig/$PRODUCT
+remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/sysconfig/shorewall-init
 
 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
 
@@ -200,11 +227,10 @@ if [ -d ${CONFDIR}/ppp ]; then
     done
 fi
 
-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f  ${SBINDIR}/shorewall-init
+rm -rf ${SHAREDIR}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
+
+echo "Shorewall Init Uninstalled"
+
 
-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"

Shorewall-lite/default.debian

@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall-lite to start
+# set the following varible to 1 in order to allow Shorewall-lite to start
 
 startup=0
 
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""
 
@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #

Shorewall-lite/default.debian.systemd

@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF

Shorewall-lite/install.sh

@@ -22,19 +22,62 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
     if cp -f $1 $2; then
@@ -53,6 +96,19 @@ install_file() # $1 = source $2 = target $3 = mode
     exit 1
 }
 
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
@@ -66,11 +122,6 @@ else
     Product="Shorewall6 Lite"
 fi
 
-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -117,14 +168,12 @@ done
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
     elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ~/.shorewallrc
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. /usr/share/shorewall/shorewallrc
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -134,11 +183,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
     usage 1
 fi
@@ -269,7 +318,8 @@ case "$HOST" in
     linux)
 	;;
     *)
-	fatal_error "ERROR: Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac
 
@@ -281,7 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
     fi
 
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 755
 
 else
     if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -321,20 +371,25 @@ fi
 
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
-[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SBINDIR} 0755
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SBINDIR}
+mkdir -p ${DESTDIR}${VARDIR}
+
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 
 if [ -n "$DESTDIR" ]; then
-    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi
 
 if [ -n "$INITFILE" ]; then
@@ -355,9 +410,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 
 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -386,14 +441,8 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-        case $f in
-            *installer)
-                ;;
-            *)
-                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-                ;;
-        esac
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
     fi
 done
 
@@ -421,12 +470,12 @@ if [ -f modules ]; then
 fi
 
 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
     echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done
 
@@ -437,19 +486,19 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
     cd manpages
 
-    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man5/
 
     for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
-    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man8/
 
     for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
     done
 
@@ -459,7 +508,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi
 
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
     echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 
@@ -467,7 +516,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -490,7 +539,10 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+    if [ ${DESTDIR} ]; then
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
+    fi
 
     install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
     echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
@@ -558,6 +610,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi
 
 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"

Shorewall-lite/uninstall.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Lite
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,7 +26,9 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite
+Product="Shorewall Lite"
 
 usage() # $1 = exit status
 {
@@ -39,27 +41,46 @@ usage() # $1 = exit status
     exit $1
 }
 
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
 
-if [ -f shorewall-lite.service ]; then
-    PRODUCT=shorewall-lite
-    Product="Shorewall Lite"
-else
-    PRODUCT=shorewall6-lite
-    Product="Shorewall6 Lite"
-fi
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
 
-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
 
-#
-# Parse the run line
-#
 finished=0
 configure=1
 
@@ -76,7 +97,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -96,17 +117,16 @@ while [ $finished -eq 0 ]; do
 	    ;;
     esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -116,50 +136,46 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
     usage 1
 fi
 
-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
     VERSION=""
 fi
 
-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Lite $VERSION"
 
 [ -n "$SANDBOX" ] && configure=0
 
 if [ $configure -eq 1 ]; then
     if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	${SBINDIR}/$PRODUCT clear
-    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
-	${SBINDIR}/$PRODUCT clear
+	shorewall-lite clear
     fi
 fi
 
-remove_file ${SBINDIR}/$PRODUCT
-
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
     if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
-	    /etc/init.d/$PRODUCT disable
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	    /etc/init.d/shorewall-lite disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
     else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
     fi
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
@@ -167,10 +183,10 @@ fi
 
 if [ -f "$FIREWALL" ]; then
     if [ $configure -eq 1 ]; then
-	if mywhich insserv ; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
             insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -179,29 +195,26 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
 
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi
 
-remove_directory ${CONFDIR}/$PRODUCT
-remove_directory ${VARDIR}
-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f ${SBINDIR}/shorewall-lite
 
-if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
-fi
+rm -rf ${CONFDIR}/shorewall-lite
+rm -rf ${VARDIR}
+rm -rf ${SHAREDIR}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
+rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+rm -f  ${SYSCONFDIR}/shorewall-lite
 
 if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
-    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
+    rm -f ${MANDIR}/man5/shorewall-lite*
+    rm -f ${MANDIR}/man8/shorewall-lite*
 fi
 
-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
+echo "Shorewall Lite Uninstalled"
+

Shorewall/Actions/action.A_Drop

@@ -31,10 +31,9 @@ Auth(A_DROP)
 #
 A_AllowICMPs	-	-	icmp
 #
-# Don't log broadcasts and multicasts
+# Don't log broadcasts
 #
 dropBcast(audit)
-dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.

Shorewall/Actions/action.A_Reject.deprecated

@@ -25,11 +25,10 @@ COUNT
 #
 A_AllowICMPs	-	-	icmp
 #
-# Drop Broadcasts and multicasts so they don't clutter up the log
-# (these must *not* be rejected).
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
-dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be

Shorewall/Actions/action.Limit

@@ -22,49 +22,6 @@
 #
 # Limit(<recent-set>,<num-connections>,<timeout>)
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -,-,-
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref        = get_action_chain;
-my @param           = get_action_params(3);
-my ( $level, $tag ) = get_action_logging;
-
-@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
-
-fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
-
-my $set   = $param[0];
-
-for ( @param[1,2] ) {
-    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
-}
-
-my $count = $param[1] + 1;
-
-require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
-
-warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
-
-add_irule $chainref, recent => "--name $set --set";
-
-if ( $level ne '' ) {
-    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
-    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
-    add_ijump $xchainref, j => 'DROP';
-    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
-} else {
-    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
-}
-
-add_ijump $chainref, j => 'ACCEPT';
-
-1;
-
-?end perl

Shorewall/Actions/action.allowBcast

@@ -22,17 +22,6 @@
 #
 # allowBcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_ACCEPT)
-    ?else
-	?error "Invalid argument (@1) to allowBcast"
-    ?endif
-?else
-    Broadcast(ACCEPT)
-?endif

Shorewall/Actions/action.allowMcast

@@ -22,17 +22,6 @@
 #
 # allowMcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Multicast(A_ACCEPT)
-    ?else
-	?error "Invalid argument (@1) to allowMcast"
-    ?endif
-?else
-    Multicast(ACCEPT)
-?endif

Shorewall/Actions/action.allowinUPnP

@@ -22,19 +22,6 @@
 #
 # allowinUPnP[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_ACCEPT - - 17 1900
-	A_ACCEPT - -  6 49152
-    ?else
-	?error "Invalid argument (@1) to allowinUPnP"
-    ?endif
-?else
-    ACCEPT - - 17 1900
-    ACCEPT - -	6 49152
-?endif

Shorewall/Actions/action.dropBcast

@@ -22,18 +22,6 @@
 #
 # dropBcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcast"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-

Shorewall/Actions/action.dropMcast

@@ -22,17 +22,6 @@
 #
 # dropMcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Multicast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropMcast"
-    ?endif
-?else
-    Multicast(DROP)
-?endif

Shorewall/Actions/action.dropNotSyn

@@ -22,17 +22,6 @@
 #
 # dropNotSyn[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_DROP {proto=6:!syn}
-    ?else
-	?error "Invalid argument (@1) to dropNotSyn"
-    ?endif
-?else
-    DROP {proto=6:!syn}
-?endif

Shorewall/Actions/action.forwardUPnP

@@ -22,22 +22,6 @@
 #
 # forwardUPnP
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref = get_action_chain;
-
-set_optflags( $chainref, DONT_OPTIMIZE );
-
-add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
-
-1;
-
-?end perl

Shorewall/Actions/action.rejNotSyn

@@ -22,18 +22,6 @@
 #
 # rejNotSyn[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_REJECT {proto=6:!syn}
-    ?else
-	?error "Invalid argument (@1) to rejNotSyn"
-    ?endif
-?else
-    REJECT(tcp-reset) {proto=6:!syn}
-?endif
-

Shorewall/Perl/Shorewall/Accounting.pm

@@ -519,9 +519,9 @@ sub setup_accounting() {
 
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {

Shorewall/Perl/Shorewall/Chains.pm

@@ -1223,7 +1223,7 @@ sub merge_rules( $$$ ) {
 	}
     }
 
-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -1239,7 +1239,7 @@ sub merge_rules( $$$ ) {
 
     set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
 
-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -3691,7 +3691,7 @@ sub optimize_level8( $$$ ) {
 	}
 
 	if ( $progress ) {
-	    my @rename = keys %rename;
+	    my @rename = sort keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4556,8 +4556,7 @@ sub do_proto( $$$;$ )
 
     if ( $proto ne '' ) {
 
-	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
-	my $notsyn   = $1;
+	my $synonly  = ( $proto =~ s/:syn$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
@@ -4575,7 +4574,7 @@ sub do_proto( $$$;$ )
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
-		$output = $notsyn ? "-p $proto ! --syn " : "-p $proto --syn ";
+		$output = "-p $proto --syn ";
 	    }
 
 	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
@@ -6981,13 +6980,13 @@ sub set_global_variables( $$ ) {
     if ( $conditional ) {
 	my ( $interface, @interfaces );
 
-	@interfaces = keys %interfaceaddr;
+	@interfaces = sort keys %interfaceaddr;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	@interfaces = keys %interfacegateways;
+	@interfaces = sort keys %interfacegateways;
 
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -6997,36 +6996,36 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
 
-	@interfaces = keys %interfacemacs;
+	@interfaces = sort keys %interfacemacs;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $_     for sort values %interfaceaddr;
+	emit "$_\n" for sort values %interfacegateways;
+	emit $_     for sort values %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $_ for sort values %interfaceaddrs;
+	emit $_ for sort values %interfacenets;
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $_ for sort values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $_ for sort values %interfaceacasts;
 	    }
 	}
     }
 }
 
 sub verify_address_variables() {
-    for my $variable ( keys %address_variables ) {
+    for my $variable ( sort keys %address_variables ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";
 
@@ -7943,7 +7942,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( values %input_chains, values %forward_chains ) {
+	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 
 	    assert( $chainref );
@@ -7962,7 +7961,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -8048,7 +8047,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8454,7 +8453,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 
-	    my @sets = keys %ipsets;
+	    my @sets = sort keys %ipsets;
 
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8630,7 +8629,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sort keys %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8645,7 +8644,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( sort keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -9121,7 +9120,7 @@ sub initialize_switches() {
     if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( keys %switches ) {
+	for my $switch ( sort keys %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";

Shorewall/Perl/Shorewall/Compiler.pm

@@ -93,10 +93,11 @@ sub generate_script_1( $ ) {
 	    my $date = compiletime;
 
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
 
-	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
     }
 
     my $lib = find_file 'lib.private';
@@ -944,7 +945,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer';
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
 
 	disable_script;
 	#

Shorewall/Perl/Shorewall/Config.pm

@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.3",
+		    VERSION                 => "5.1.1-RC1",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -3056,7 +3056,7 @@ sub process_compiler_directive( $$$$ ) {
 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-		  fatal_error "Unknown capability ($expression)" unless $capdesc{$expression};
+		  fatal_error "Unknown capability ($expression)" unless exists $capabilities{$expression};
 		  require_capability( $expression, "The $actparams{action} action", 's' );
 	      }
 	  } ,
@@ -3689,7 +3689,6 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
-	    $val = $config{$var};
 	}
 
 	$val = '' unless defined $val;
@@ -5369,12 +5368,8 @@ sub update_config_file( $ ) {
 		    }
 
 		}
-		if ( supplied $val ) {
-		    #
-		    # Log LEVEL and DEFAULT settings often contain parens
-		    #
-		    $val = ($var =~ /(?:LEVEL|DEFAULT)$/) ? qq("$val") : conditional_quote $val;
-		}
+
+		$val = conditional_quote $val;
 
 		$_ = "$var=$val\n";
 	    }
@@ -5437,7 +5432,6 @@ EOF
 sub process_shorewall_conf( $$ ) {
     my ( $update, $annotate ) = @_;
     my $file   = find_file "$product.conf";
-    my @vars;
 
     if ( -f $file ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
@@ -5451,7 +5445,7 @@ sub process_shorewall_conf( $$ ) {
 	    # Don't expand shell variables or allow embedded scripting
 	    #
 	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*)$/ ) {
+		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 
 		    if ( exists $config{$var} ) {
@@ -5470,12 +5464,6 @@ sub process_shorewall_conf( $$ ) {
 			next;
 		    }
 
-		    if ( $update ) {
-			push @vars, $var;
-		    } else {
-			expand_variables( $val ) unless $val =~ /^'.*'$/;
-		    }
-
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
 
 		    warning_message "Option $var=$val is deprecated"
@@ -5496,19 +5484,14 @@ sub process_shorewall_conf( $$ ) {
     #
     # Now update the config file if asked
     #
-    if ( $update ) {
-	update_config_file( $annotate ); 
-	#
-	# Config file update requires that the option values not have
-	# Shell variables expanded. We do that now.
-	#
-	# To handle options like LOG_LEVEL, we process the options
-	# in the order in which they appear in the .conf file.
-	#
-	for ( @vars ) {
-	    if ( supplied( my $val = $config{$_} ) ) {
-		expand_variables( $config{$_} ) unless $val =~ /^'.*'$/;
-	    }
+    update_config_file( $annotate ) if $update;
+    #
+    # Config file update requires that the option values not have
+    # Shell variables expanded. We do that now.
+    #
+    for ( values  %config ) {
+	if ( supplied $_ ) {
+	    expand_variables( $_ ) unless /^'(.+)'$/;
 	}
     }
 }

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -389,8 +389,6 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
-    $proto =~ s/:.*//;
-
     if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;

Shorewall/Perl/Shorewall/Misc.pm

@@ -127,7 +127,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -1297,7 +1297,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sort keys %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1618,7 +1618,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 
@@ -1639,8 +1639,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
 
-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
 
 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1662,7 +1662,7 @@ sub add_interface_jumps {
     our %input_jump_added;
     our %output_jump_added;
     our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
     my $dummy;
     my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
     #
@@ -1776,7 +1776,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -2288,9 +2288,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2375,9 +2375,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {

Shorewall/Perl/Shorewall/Providers.pm

@@ -1799,7 +1799,7 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1963,7 +1963,7 @@ sub compile_updown() {
     }
 
     my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2158,7 +2158,7 @@ sub handle_optional_interfaces( $ ) {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
     }

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -154,7 +154,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Rules.pm

@@ -144,6 +144,8 @@ our %macros;
 
 our $family;
 
+our @builtins;
+
 #
 # Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
 #
@@ -350,7 +352,7 @@ sub initialize( $ ) {
     #
     $macro_nest_level  = 0;
     #
-    # All actions mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
+    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
     #
     %actions           = ();
     #
@@ -361,6 +363,7 @@ sub initialize( $ ) {
     @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
 
     if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -373,6 +376,7 @@ sub initialize( $ ) {
 	                  );
 			    
     } else {
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -747,21 +751,22 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
+
     } else {
 	print_policy $client, $server, $originalpolicy, $chain;
     }
@@ -1705,6 +1710,191 @@ sub map_old_actions( $ ) {
     }
 }
 
+#
+# The following small functions generate rules for the builtin actions of the same name
+#
+sub dropBcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit ( 'DROP', $audit );
+
+    if ( have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
+	    if ( $family == F_IPV4 ) {
+		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
+	    } else {
+		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
+	    }
+	}
+
+	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
+	add_ijump $chainref, j => $target, d => '$address';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+    }
+}
+
+sub dropMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit ( 'DROP', $audit );
+
+    if ( $family == F_IPV4 ) {
+	log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
+	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
+    } else {
+	log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
+	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
+    }
+}
+    
+sub allowBcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
+
+    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
+	}
+
+	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
+	add_ijump $chainref, j => $target, d => '$address';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+    }
+}
+
+sub allowMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
+
+    if ( $family == F_IPV4 ) {
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
+	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
+    } else {
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
+	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
+    }
+}
+
+sub dropNotSyn ( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'DROP', $audit );
+
+    log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
+    add_ijump $chainref , j => $target, p => '6 ! --syn';
+}
+
+sub rejNotSyn ( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)";
+
+    my $target = 'REJECT --reject-with tcp-reset';
+
+    if ( supplied $audit ) {
+	$target = require_audit( 'REJECT' , $audit );
+    }
+
+    log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
+    add_ijump $chainref , j => $target, p => '6 ! --syn';
+}
+
+sub forwardUPnP ( $$$$ ) {
+    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
+
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+}
+
+sub allowinUPnP ( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
+
+    if ( $level ne '' ) {
+	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
+	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
+    }
+
+    add_ijump $chainref, j => $target, p => '17 --dport 1900';
+    add_ijump $chainref, j => $target, p => '6 --dport 49152';
+}
+
+sub Limit( $$$$ ) {
+    my ($chainref, $level, $tag, $param ) = @_;
+
+    my @param;
+
+    if ( $param ) {
+	@param = split /,/, $param;
+    } else {
+	@param = split /,/, $tag;
+	$tag = '';
+    }
+
+    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
+
+    my $set   = $param[0];
+
+    for ( @param[1,2] ) {
+	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+    }
+
+    my $count = $param[1] + 1;
+
+    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+    warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
+
+    add_irule $chainref, recent => "--name $set --set";
+
+    if ( $level ne '' ) {
+	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+	log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
+	add_ijump $xchainref, j => 'DROP';
+	add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
+    } else {
+	add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
+    }
+
+    add_ijump $chainref, j => 'ACCEPT';
+}
+
+my %builtinops = ( 'dropBcast'      => \&dropBcast,
+		   'dropMcast'      => \&dropMcast,
+		   'allowBcast'     => \&allowBcast,
+		   'allowMcast'     => \&allowMcast,
+		   'dropNotSyn'     => \&dropNotSyn,
+		   'rejNotSyn'      => \&rejNotSyn,
+		   'allowinUPnP'    => \&allowinUPnP,
+		   'forwardUPnP'    => \&forwardUPnP,
+		   'Limit'          => \&Limit,
+		 );
+
+
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -1726,6 +1916,12 @@ sub process_action(\$\$$) {
     my $actionref = $actions{$action};
     my $matches   = fetch_inline_matches;
 
+    if ( $type & BUILTIN ) {
+	$level = '' if $level =~ /none!?/;
+	$builtinops{$action}->( $chainref, $level, $tag, $param );
+	return 0;
+    }
+
     if ( $type & MANGLE_TABLE ) {
 	fatal_error "Action $action may only be used in the mangle file" unless $chainref->{table} eq 'mangle';
     } else {
@@ -1998,6 +2194,7 @@ sub process_action(\$\$$) {
 #
 # This function is called prior to processing of the policy file. It:
 #
+# - Adds the builtin actions to the target table
 # - Reads actions.std and actions (in that order) and for each entry:
 #   o Adds the action to the target table
 #   o Verifies that the corresponding action file exists
@@ -2006,6 +2203,10 @@ sub process_action(\$\$$) {
 sub process_actions() {
 
     progress_message2 "Locating Action Files...";
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file( $file, 2 );

Shorewall/Perl/Shorewall/Tc.pm

@@ -1924,7 +1924,7 @@ sub process_traffic_shaping() {
 
 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
 
-			for my $option ( keys %validredoptions ) {
+			for my $option ( sort keys %validredoptions ) {
 			    my $type = $validredoptions{$option};
 
 			    if ( my $value = $redopts->{$option} ) {
@@ -1943,7 +1943,7 @@ sub process_traffic_shaping() {
 
 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
 
-			for my $option ( keys %validcodeloptions ) {
+			for my $option ( sort keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};
 
 			    if ( my $value = $codelopts->{$option} ) {

Shorewall/Perl/Shorewall/Zones.pm

@@ -713,10 +713,10 @@ sub zone_report()
 	my $printed = 0;
 
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -766,10 +766,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -2219,9 +2219,9 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2249,9 +2249,9 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {

Shorewall/Samples/Universal/shorewall.conf

@@ -33,7 +33,7 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -55,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -109,11 +109,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -120,11 +120,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -41,7 +41,7 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -63,19 +63,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -117,11 +117,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -44,7 +44,7 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -66,19 +66,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -120,11 +120,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################

Shorewall/Samples/two-interfaces/snat

@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			92.168.0.0/16		eth0

Shorewall/actions.std

@@ -6,41 +6,45 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
+# Builtin Actions are:
+#
+?if 0
+allowBcast			# Silently Allow Broadcast
+allowMcast			# Silently Allow Multicast
+dropBcast			# Silently Drop Broadcast
+dropMcast			# Silently Drop Multicast
+dropNotSyn			# Silently Drop Non-syn TCP packets
+rejNotSyn			# Silently Reject Non-syn TCP packets
+allowinUPnP			# Allow UPnP inbound (to firewall) traffic
+forwardUPnP			# Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit				# Limit the rate of connections from each individual IP address
+?endif
 ###############################################################################
 #ACTION
 A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
-AllowICMPs   inline		# Allow Required ICMP packets
-allowBcast   inline		# Silently Allow Broadcast
-allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
+AllowICMPs   inline             # Allow Required ICMP packets
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
-dropBcast    inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
-Limit	     noinline		# Limit the rate of connections from each individual IP address
 Multicast    noinline,audit	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
 Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#

Shorewall/configfiles/shorewall.conf

@@ -33,7 +33,7 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -55,19 +55,19 @@ LOGTAGONLY=No
 
 LOGLIMIT="s:1/sec:10"
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -109,11 +109,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################

Shorewall/default.debian

@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall to start
+# set the following varible to 1 in order to allow Shorewall to start
 
 startup=0
 
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/reload/stop options
+# Global start/restart options
 #
 OPTIONS=""
 
@@ -28,17 +28,12 @@ STARTOPTIONS=""
 #
 # Restart options
 #
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
 RELOADOPTIONS=""
 
 #
-# Stop options
+# Restart options
 #
-STOPOPTIONS=""
+RESTARTOPTIONS=""
 
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf

Shorewall/default.debian.systemd

@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF

Shorewall/install.sh

@@ -22,22 +22,55 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION=xxx # The Build script inserts the actual version
+VERSION=4.5.5       #The Build script inserts the actual version
 
+#
+# Change to the directory containing this script
+#
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -s"
-    echo "  -a"
-    echo "  -p"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -s"
+    echo "       $ME -a"
+    echo "       $ME -n"
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 run_install()
 {
     if ! install $*; then
@@ -47,14 +80,27 @@ run_install()
     fi
 }
 
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $PRODUCT to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-#
-# Change to the directory containing this script
-#
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 cd "$(dirname $0)"
 
 if [ -f shorewall.service ]; then
@@ -65,11 +111,6 @@ else
     Product=Shorewall6
 fi
 
-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -131,14 +172,11 @@ done
 #
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ~/.shorewallrc || exit 1
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. /usr/share/shorewall/shorewallrc
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -148,11 +186,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
     usage 1
 fi
@@ -267,7 +305,8 @@ case "$HOST" in
     linux)
 	;;
     *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac
 
@@ -278,7 +317,8 @@ if [ $PRODUCT = shorewall ]; then
 	#
 	if [ "$DIGEST" != SHA ]; then
 	    if [ "$BUILD" = "$HOST" ] && ! eval perl -e \'use Digest::$DIGEST\;\' 2> /dev/null ; then
-		fatal_error "Perl compilation with Digest::$DIGEST failed"
+		echo "ERROR: Perl compilation with Digest::$DIGEST failed" >&2
+		exit 1;
 	    fi
 
 	    cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
@@ -301,7 +341,8 @@ if [ $PRODUCT = shorewall ]; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
-		fatal_error "Shorewall $VERSION requires either Digest::SHA or Digest::SHA1"
+		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
+		exit 1
 	    fi
 	fi
     fi
@@ -329,10 +370,11 @@ if [ $BUILD != cygwin ]; then
     fi
 fi
 
-run_install -d $OWNERSHIP -m 0755 ${DESTDIR}${SBINDIR}
-[ -n "${INITFILE}" ] && run_install -d $OWNERSHIP -m 0755 ${DESTDIR}${INITDIR}
+install -d $OWNERSHIP -m 755 ${DESTDIR}${SBINDIR}
+[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 if [ -z "$DESTDIR" -a $PRODUCT != shorewall ]; then
-    [ -x ${LIBEXECDIR}/shorewall/compiler.pl ] || fatal_error "Shorewall >= 4.5.0 is not installed"
+    [ -x ${LIBEXECDIR}/shorewall/compiler.pl ] || \
+	{ echo "   ERROR: Shorewall >= 4.5.0 is not installed" >&2; exit 1; }
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -346,7 +388,7 @@ else
     first_install="Yes"
 fi
 
-if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/shorewall/coreversion ]; then
+if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreversion ]; then
     echo "Shorewall $VERSION requires Shorewall Core which does not appear to be installed"
     exit 1
 fi
@@ -368,16 +410,22 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${PERLLIBDIR}/Shorewall 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated 0755
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
+mkdir -p ${DESTDIR}${VARDIR}
 
-chmod 0755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 
-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi
 
 #
 # Install the .service file
@@ -387,9 +435,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 
 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 0644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -442,8 +490,6 @@ if [ -z "$first_install" ]; then
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_REJECT
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Drop
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Drop
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Reject
     fi
 fi
 
@@ -1048,14 +1094,8 @@ cd ..
 #
 for f in lib.* Perl/lib.*; do
     if [ -f $f ]; then
-        case $f in
-            *installer)
-                ;;
-            *)
-                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
-                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-                ;;
-        esac
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
     fi
 done
 
@@ -1065,7 +1105,7 @@ if [ $PRODUCT = shorewall6 ]; then
     #
     ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
     #
-    # And create a symbolic link for the CLI
+    # And create a sybolic link for the CLI
     #
     ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
 fi
@@ -1074,7 +1114,8 @@ if [ -d Perl ]; then
     #
     # ${SHAREDIR}/$PRODUCT/$Product if needed
     #
-    make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product 0755
+    mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product
+    chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product
     #
     # Install the Compiler
     #
@@ -1123,7 +1164,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -1141,7 +1182,7 @@ if [ -n "$MANDIR" ]; then
 
 cd manpages
 
-[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
 
 for f in *.5; do
     gzip -9c $f > $f.gz
@@ -1149,7 +1190,7 @@ for f in *.5; do
     echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
 
-[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
 
 for f in *.8; do
     gzip -9c $f > $f.gz
@@ -1172,7 +1213,8 @@ fi
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
     if [ ${DESTDIR} ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
     fi
 
     run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
@@ -1230,6 +1272,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi
 
 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"

Shorewall/lib.cli-std

@@ -484,9 +484,6 @@ compiler() {
     #
     [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
 
-    PERL_HASH_SEED=0
-    export PERL_HASH_SEED
-
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
     else

Shorewall/manpages/shorewall-mangle.xml

@@ -864,7 +864,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                 on the firewall and whose source IP address matches one of the
                 listed addresses and does not match any address listed in the
                 <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
               </listitem>
             </varlistentry>
 
@@ -1028,16 +1028,15 @@ Normal-Service       =&gt; 0x00</programlisting>
       <varlistentry>
         <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">{tcp:[!]syn</emphasis>|<emphasis
+        role="bold">{tcp:syn</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>|<emphasis
         role="bold">ipp2p:udp</emphasis>|<emphasis
         role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
         role="bold">all}[,...]}</emphasis></term>
 
         <listitem>
-          <para>See <ulink
-          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
-          details.</para>
+          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
+          ipp2p match support in your kernel and iptables.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>

Shorewall/manpages/shorewall-rules.xml

@@ -66,7 +66,7 @@
           this section.</para>
 
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG and QUEUE</para>
 
           <para>There is an implicit ACCEPT rule inserted at the end of this
           section.</para>
@@ -81,7 +81,7 @@
           section.</para>
 
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG and QUEUE</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the RELATED_DISPOSITION (<ulink
@@ -97,7 +97,7 @@
           processed by rules in this section.</para>
 
           <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG and QUEUE.</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the INVALID_DISPOSITION (<ulink
@@ -113,7 +113,7 @@
           processed by rules in this section.</para>
 
           <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG and QUEUE.</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the UNTRACKED_DISPOSITION (<ulink
@@ -138,8 +138,9 @@
       comfortable with the differences between the various connection tracking
       states, then it is suggested that you omit the <emphasis
       role="bold">ESTABLISHED</emphasis> and <emphasis
-      role="bold">RELATED</emphasis> sections and place all of your rules in
-      the NEW section (That's after the line that reads ?SECTION NEW').</para>
+      role="bold">RELATED</emphasis> sections and place all of your
+      non-blacklisting rules in the NEW section (That's after the line that
+      reads ?SECTION NEW').</para>
     </note>
 
     <warning>
@@ -729,9 +730,7 @@
                   <member><option>icmp-admin-prohibited</option></member>
 
                   <member><option>icmp-tcp-reset</option> (the PROTO column
-                  must specify TCP). Beginning with Shorewall 5.1.3, this
-                  option may also be specified as
-                  <option>tcp-reset</option>.</member>
+                  must specify TCP)</member>
                 </simplelist>
               </listitem>
             </varlistentry>
@@ -1594,7 +1593,7 @@
       <varlistentry>
         <term><emphasis role="bold">PROTO</emphasis>- {<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">tcp:[!]syn</emphasis>|<emphasis
+        role="bold">tcp:syn</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>|<emphasis
         role="bold">ipp2p:udp</emphasis>|<emphasis
         role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
@@ -1605,10 +1604,7 @@
           requires ipp2p match support in your kernel and iptables. <emphasis
           role="bold">tcp:syn</emphasis> implies <emphasis
           role="bold">tcp</emphasis> plus the SYN flag must be set and the
-          RST, ACK and FIN flags must be reset. Beginning with Shorewall
-          5.1.3, you may also specify <emphasis
-          role="bold">tcp:!syn</emphasis>, which matches if SYN is not set or
-          if RST, ACK or FIN is set.</para>
+          RST,ACK and FIN flags must be reset.</para>
 
           <para>Beginning with Shorewall 4.4.19, this column can contain a
           comma-separated list of protocol-numbers and/or protocol

Shorewall/manpages/shorewall-secmarks.xml

@@ -229,9 +229,8 @@
         role="bold">all}[,...]</emphasis></term>
 
         <listitem>
-          <para> See <ulink
-          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
-          details.</para>
+          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
+          ipp2p match support in your kernel and iptables.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>

Shorewall/manpages/shorewall-snat.xml

@@ -256,9 +256,8 @@
 
         <listitem>
           <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number here. See
-          <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
-          details.</para>
+          then enter the protocol name (from protocols(5)) or number
+          here.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>

Shorewall/uninstall.sh

@@ -26,7 +26,9 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
+PRODUCT=shorewall
+Product=Shorewall
 
 usage() # $1 = exit status
 {
@@ -39,27 +41,51 @@ usage() # $1 = exit status
     exit $1
 }
 
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 
-if [ -f shorewall.service ]; then
-    PRODUCT=shorewall
-    Product=Shorewall
-else
-    PRODUCT=shorewall6
-    Product=Shorewall6
-fi
-
-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
 finished=0
 configure=1
 
@@ -76,7 +102,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -97,16 +123,13 @@ while [ $finished -eq 0 ]; do
     esac
 done
 
-#
-# Read the RC file
-#
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
     elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
     elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
     else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
     fi
@@ -116,53 +139,52 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
     esac
 
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
     usage 1
 fi
 
-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Version $VERSION is not installed"
     VERSION=""
 fi
 
-echo "Uninstalling $Product $VERSION"
+
+echo "Uninstalling shorewall $VERSION"
 
 [ -n "$SANDBOX" ] && configure=0
 
 if [ $configure -eq 1 ]; then
     if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
-	${SBINDIR}/$PRODUCT clear
-    elif qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
-	${SBINDIR}/$PRODUCT clear
+	shorewall clear
     fi
 fi
 
-remove_file ${SBINDIR}/$PRODUCT
+rm -f ${SBINDIR}/shorewall
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
+if [ -L ${SHAREDIR}/shorewall/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
 
 if [ -f "$FIREWALL" ]; then
     if [ $configure -eq 1 ]; then
-	if mywhich insserv ; then
+	if mywhich updaterc.d ; then
+	    updaterc.d ${PRODUCT} remove
+	elif mywhich insserv ; then
             insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -171,56 +193,51 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
-
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall.service
 fi
 
-remove_file ${SHAREDIR}/$PRODUCT/version
-remove_directory ${CONFDIR}/$PRODUCT
+rm -rf ${SHAREDIR}/shorewall/version
+rm -rf ${CONFDIR}/shorewall
 
 if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
+    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
 fi
 
-remove_directory ${VARDIR}
-[ ${LIBEXECDIR} = ${SHAREDIR} ] || remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_directory ${SHAREDIR}/$PRODUCT/configfiles
-remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/module\*
-remove_file  ${SHAREDIR}/$PRODUCT/helpers
-remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/action\*
-remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/macro.\*
+rm -rf ${VARDIR}/shorewall
+rm -rf ${PERLLIBDIR}/Shorewall/*
+[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall
+rm -rf ${SHAREDIR}/shorewall/configfiles/
+rm -rf ${SHAREDIR}/shorewall/Samples/
+rm -rf ${SHAREDIR}/shorewall/Shorewall/
+rm -f  ${SHAREDIR}/shorewall/lib.cli-std
+rm -f  ${SHAREDIR}/shorewall/lib.runtime
+rm -f  ${SHAREDIR}/shorewall/compiler.pl
+rm -f  ${SHAREDIR}/shorewall/prog.*
+rm -f  ${SHAREDIR}/shorewall/module*
+rm -f  ${SHAREDIR}/shorewall/helpers
+rm -f  ${SHAREDIR}/shorewall/action*
+rm -f  ${SHAREDIR}/shorewall/macro.*
+rm -f  ${SHAREDIR}/shorewall/init
 
-if [ $PRODUCT = shorewall ]; then
-    remove_file_with_wildcard ${PERLLIBDIR}/$Product/\*
-    remove_directory ${SHAREDIR}/$PRODUCT/Samples
-    remove_directory ${SHAREDIR}/$PRODUCT/$Product
-    remove_file  ${SHAREDIR}/$PRODUCT/lib.cli-std
-    remove_file  ${SHAREDIR}/$PRODUCT/lib.runtime
-    remove_file  ${SHAREDIR}/$PRODUCT/compiler.pl
-    remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/prog.\*
-    remove_file  ${SHAREDIR}/$PRODUCT/init
-else
-    remove_directory ${SHAREDIR}/$PRODUCT
-fi
-
-for f in ${MANDIR}/man5/${PRODUCT}* ${MANDIR}/man8/${PRODUCT}*; do
+for f in ${MANDIR}/man5/shorewall* ${MANDIR}/man8/shorewall*; do
     case $f in
-	shorewall[6]-lite*)
+	shorewall6*|shorewall-lite*)
 	    ;;
 	*)
-	    remove_file $f
+	    rm -f $f
 	    ;;
     esac
 done
 
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f  ${CONFDIR}/logrotate.d/shorewall
+
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall.service
+
+echo "Shorewall Uninstalled"
 
-[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/${PRODUCT}.service
 
-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"

Shorewall6-lite/default.debian

@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall6-lite to start
+# set the following varible to 1 in order to allow Shorewall6-lite to start
 
 startup=0
 
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""
 
@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #

Shorewall6-lite/default.debian.systemd

@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF

Shorewall6-lite/uninstall.sh

@@ -0,0 +1,221 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall 6 Lite
+#
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall6-lite
+Product="Shorewall6 Lite"
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME [ <shorewallrc file> ]"
+    exit $1
+}
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+if [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6-lite/version)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall6 Lite Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall6 Lite Version $VERSION is not installed"
+    VERSION=""
+fi
+
+echo "Uninstalling Shorewall6 Lite $VERSION"
+
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/shorewall6-lite clear
+    fi
+fi
+
+if [ -f ${SHAREDIR}/shorewall6-lite/init ]; then
+    if [ $HOST = openwrt ]; then
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall6-lite enabled; then
+	    /etc/init.d/shorewall6-lite disable
+	fi
+	
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall6-lite/init)
+    else
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
+    fi
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
+fi
+
+if [ -f "$FIREWALL" ]; then
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall6-lite remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	elif mywhich systemctl ; then
+	    systemctl disable shorewall6-lite
+	fi
+    fi
+
+    remove_file $FIREWALL
+fi
+
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+
+if [ -n "$SERVICEDIR" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall6-lite.service
+fi
+
+rm -f ${SBINDIR}/shorewall6-lite
+rm -rf ${CONFDIR}/shorewall6-lite
+rm -rf ${VARDIR}
+rm -rf ${SHAREDIR}/shorewall6-lite
+rm -rf ${LIBEXECDIR}/shorewall6-lite
+rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
+rm -f  ${SYSCONFDIR}/shorewall6-lite
+
+if [ -n "${MANDIR}" ]; then
+    rm -f ${MANDIR}/man5/shorewall6-lite*
+    rm -f ${MANDIR}/man8/shorewall6-lite*
+fi
+
+echo "Shorewall6 Lite Uninstalled"

Shorewall6/Actions/action.Multicast

@@ -50,7 +50,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
 
     add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
 } else {
-    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
+    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
     add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -34,7 +34,7 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -54,19 +54,19 @@ LOGLIMIT="s:1/sec:10"
 
 LOGTAGONLY=No
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -106,11 +106,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -206,7 +206,7 @@ RESTORE_ROUTEMARKS=Yes
 
 SAVE_IPSETS=No
 
-TC_ENABLED=Shared
+TC_ENABLED=No
 
 TC_EXPERT=No
 

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -35,7 +35,7 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -55,19 +55,19 @@ LOGLIMIT="s:1/sec:10"
 
 LOGTAGONLY=No
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -107,11 +107,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -207,7 +207,7 @@ RESTORE_ROUTEMARKS=Yes
 
 SAVE_IPSETS=No
 
-TC_ENABLED=Shared
+TC_ENABLED=No
 
 TC_EXPERT=No
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -34,7 +34,7 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -54,19 +54,19 @@ LOGLIMIT="s:1/sec:10"
 
 LOGTAGONLY=No
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -106,11 +106,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -206,7 +206,7 @@ RESTORE_ROUTEMARKS=Yes
 
 SAVE_IPSETS=No
 
-TC_ENABLED=Shared
+TC_ENABLED=No
 
 TC_EXPERT=No
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -34,7 +34,7 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -54,19 +54,19 @@ LOGLIMIT="s:1/sec:10"
 
 LOGTAGONLY=No
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=info
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=info
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=info
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=info
 
 UNTRACKED_LOG_LEVEL=
 
@@ -106,11 +106,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -206,7 +206,7 @@ RESTORE_ROUTEMARKS=Yes
 
 SAVE_IPSETS=No
 
-TC_ENABLED=Shared
+TC_ENABLED=No
 
 TC_EXPERT=No
 

Shorewall6/actions.std

@@ -6,23 +6,28 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
+# Builtin Actions are:
+#
+?if 0
+allowBcasts                     # Accept anycast packets
+allowMcasts                     # Accept multicast packets
+dropBcasts                      # Silently Drop anycast packets
+dropMcasts                      # Silently Drop multicast packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
 A_Reject	                # Audited Default Action for REJECT policy
 A_AllowICMPs	                # Audited Accept needed ICMP6 types
 AllowICMPs   	                # Accept needed ICMP6 types
-allowBcast   inline		# Silently Allow Broadcast
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-allowMcast   inline		# Silently Allow Multicast
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline      	# Handles Broadcast/Anycast
 Drop		        	# Default Action for DROP policy (deprecated)
-dropBcast    inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
@@ -34,7 +39,6 @@ Multicast    noinline      	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy (deprecated)
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
 Related      inline,\		# Handles packets in the RELATED conntrack state
              state=RELATED
 ResetEvent   inline		# Reset an Event

Shorewall6/configfiles/shorewall6.conf

@@ -34,7 +34,7 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 
-LOG_LEVEL="info"
+LOG_LEVEL=info
 
 BLACKLIST_LOG_LEVEL=
 
@@ -54,19 +54,19 @@ LOGLIMIT="s:1/sec:10"
 
 LOGTAGONLY=No
 
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=$LOG_LEVEL
 
 RELATED_LOG_LEVEL=
 
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=$LOG_LEVEL
 
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=$LOG_LEVEL
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
 
 UNTRACKED_LOG_LEVEL=
 
@@ -106,11 +106,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
@@ -206,7 +206,7 @@ RESTORE_ROUTEMARKS=Yes
 
 SAVE_IPSETS=No
 
-TC_ENABLED=Shared
+TC_ENABLED=No
 
 TC_EXPERT=No
 

Shorewall6/default.debian

@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall6 to start
+# set the following varible to 1 in order to allow Shorewall6 to start
 
 startup=0
 
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""
 
@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #

Shorewall6/default.debian.systemd

@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF

Shorewall6/manpages/shorewall6-mangle.xml

@@ -1026,9 +1026,8 @@ Normal-Service       =&gt; 0x00</programlisting>
         role="bold">all}[,...]}</emphasis></term>
 
         <listitem>
-          <para>See <ulink
-          url="shorewall-rules.html">shorewall6-rules(5)</ulink> for
-          details.</para>
+          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
+          ipp2p match support in your kernel and iptables.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>

Shorewall6/manpages/shorewall6-rules.xml

@@ -59,7 +59,7 @@
           this section.</para>
 
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG and QUEUE</para>
 
           <para>There is an implicit ACCEPT rule inserted at the end of this
           section.</para>
@@ -74,7 +74,7 @@
           section.</para>
 
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG and QUEUE</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the RELATED_DISPOSITION (<ulink
@@ -90,7 +90,7 @@
           processed by rules in this section.</para>
 
           <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG and QUEUE.</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the INVALID_DISPOSITION (<ulink
@@ -106,7 +106,7 @@
           processed by rules in this section.</para>
 
           <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG and QUEUE.</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the UNTRACKED_DISPOSITION (<ulink
@@ -1392,7 +1392,7 @@
       <varlistentry>
         <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">tcp:[!]syn</emphasis>|<emphasis
+        role="bold">tcp:syn</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>|<emphasis
         role="bold">ipp2p:udp</emphasis>|<emphasis
         role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
@@ -1403,9 +1403,7 @@
           requires ipp2p match support in your kernel and ip6tables. <emphasis
           role="bold">tcp:syn</emphasis> implies <emphasis
           role="bold">tcp</emphasis> plus the SYN flag must be set and the
-          RST,ACK and FIN flags must be reset. Beginning with Shorewall 5.1.3,
-          you may also specify <emphasis role="bold">tcp:!syn</emphasis>,
-          which matches if SYN is not set or if RST, ACK or FIN is set.</para>
+          RST,ACK and FIN flags must be reset.</para>
 
           <para>Beginning with Shorewall6 4.4.19, this column can contain a
           comma-separated list of protocol-numbers and/or protocol names

Shorewall6/manpages/shorewall6-secmarks.xml

@@ -222,9 +222,8 @@
         role="bold">all}</emphasis></term>
 
         <listitem>
-          <para>See <ulink
-          url="shorewall-rules.html">shorewall6-rules(5)</ulink> for
-          details.</para>
+          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
+          ipp2p match support in your kernel and iptables.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>

Shorewall6/manpages/shorewall6-snat.xml

@@ -234,9 +234,8 @@
 
         <listitem>
           <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number here. See
-          <ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink> for
-          details.</para>
+          then enter the protocol name (from protocols(5)) or number
+          here.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.</para>

Shorewall6/uninstall.sh

@@ -0,0 +1,226 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall 6
+#
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=xxx #The Build script inserts the actual version
+PRODUCT=shorewall6
+Product=Shorewall6
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME [ <shorewallrc file> ]"
+    exit $1
+}
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+if [ -f ${SHAREDIR}/shorewall6/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6/version)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall6 Version $VERSION is not installed"
+    VERSION=""
+fi
+
+echo "Uninstalling shorewall6 $VERSION"
+
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
+	${SBINDIR}/shorewall6 clear
+    fi
+fi
+
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
+fi
+
+if [ -f "$FIREWALL" ]; then
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall6 remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
+    fi
+
+    remove_file $FIREWALL
+fi
+
+[ -n "$SERVICEDIR" ] || SERVICEDIR=${SYSTEMD}
+
+if [ -n "$SERVICEDIR" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall6.service
+fi
+
+rm -rf ${SHAREDIR}/shorewall6/version
+rm -rf ${CONFDIR}/shorewall6
+
+if [ -n "$SYSCONFDIR" ]; then
+    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
+fi
+
+rm -f ${SBINDIR}/shorewall6
+rm -rf ${CONFDIR}/shorewall6
+rm -rf ${VARDIR}
+rm -rf ${LIBEXECDIR}/shorewall6
+rm -rf ${SHAREDIR}/shorewall6
+
+for f in ${MANDIR}/man5/shorewall6* ${SHAREDIR}/man/man8/shorewall6*; do
+    case $f in
+	shorewall6-lite*)
+	    ;;
+	*)
+	    rm -f $f
+    esac
+done
+
+rm -f  ${CONFDIR}/logrotate.d/shorewall6
+[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6.service
+
+echo "Shorewall6 Uninstalled"
+
+

docs/Actions.xml

@@ -351,8 +351,8 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
       </varlistentry>
     </variablelist>
 
-    <para>The recommended settings for the 6 policy actions for IPv4
-    are:</para>
+    <para>The recommended settings for the 6 policy actions for IPv4 are:
+    </para>
 
     <programlisting>        ACCEPT_DEFAULT=none
         BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
@@ -365,7 +365,7 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
     <para>The recommended settings for IPv6 are:</para>
 
     <programlisting>        ACCEPT_DEFAULT=none
-        BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+        BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
         DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
         NFQUEUE_DEFAULT=none
         QUEUE_DEFAULT=none

docs/KVM.xml

@@ -50,7 +50,7 @@
     Linux Distributions. The following diagram shows the entire
     network.</para>
 
-    <graphic align="center" fileref="images/Network2008a.png"/>
+    <graphic align="center" fileref="images/Network2008a.png" />
 
     <para>My personal laptop (Ursa) hosts the virtual machines. As shown in
     the diagram, Ursa has routes to the Internet through both the
@@ -66,12 +66,12 @@
   <section>
     <title>Networking Configuration</title>
 
-    <para>I use a network configuration where each VM has its own VNET and tap
-    device and the tap devices are all configured as ports on a Linux Bridge.
-    For clarity, I've only shown four of the virtual machines available on the
-    system.</para>
+    <para>I use a network configuration where each VM has its own VNET and
+    tap device and the tap devices are all configured as ports on a Linux
+    Bridge. For clarity, I've only shown four of the virtual machines
+    available on the system.</para>
 
-    <graphic align="center" fileref="images/KVM1.png"/>
+    <graphic align="center" fileref="images/KVM1.png" />
 
     <para>I run <ulink url="???">dmsmasq</ulink> to act as a DHCP server and
     name server for the VMs.</para>
@@ -82,10 +82,11 @@
 
     <para>With this configuration, and with only a single network interface on
     the laptop, this is just a simple <ulink
-    url="two-interface.htm">two-interface masquerading setup</ulink> where the
-    local network interface is <filename class="devicefile">br0</filename>. As
-    with all bridges, <filename class="devicefile">br0</filename> must be
-    configured with the <option>routeback</option> option in <ulink
+    url="two-interface.html">two-interface masquerading setup</ulink> where
+    the local network interface is <filename
+    class="devicefile">br0</filename>. As with all bridges, <filename
+    class="devicefile">br0</filename> must be configured with the
+    <option>routeback</option> option in <ulink
     url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
 
     <para>For additional information about this setup, including the Shorewall