Add BLACKLIST to IPv6 actions.std file

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -13,6 +13,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #

Shorewall/Actions/action.A_Reject.deprecated

@@ -11,6 +11,8 @@
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #

Shorewall/Actions/action.AllowICMPs

@@ -7,5 +7,39 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
 DEFAULTS ACCEPT
-@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+
-@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+?if __IPV4
+    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+?else
+?COMMENT Needed ICMP types (RFC4890)
+
+    @1	-		-	ipv6-icmp	destination-unreachable
+    @1	-		-	ipv6-icmp	packet-too-big
+    @1	-		-	ipv6-icmp	time-exceeded
+    @1	-		-	ipv6-icmp	parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	router-solicitation
+    @1	-		-	ipv6-icmp	router-advertisement
+    @1	-		-	ipv6-icmp	neighbour-solicitation
+    @1	-		-	ipv6-icmp	neighbour-advertisement
+    @1	-		-	ipv6-icmp	137	# Redirect
+    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
+    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
+    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+?endif

Shorewall/Actions/action.Broadcast

@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|-[,{audit|-}])]
+# Broadcast[([<action>|[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,27 +29,37 @@
 DEFAULTS DROP,-
 
 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
+    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
-?begin perl;
+    ?begin perl;
 
-use Shorewall::IPAddrs;
+    use strict;
-use Shorewall::Config;
+    use Shorewall::IPAddrs;
-use Shorewall::Chains;
+    use Shorewall::Config;
+    use Shorewall::Chains;
 
-my ( $action )         = get_action_params( 1 );
+    my ( $action, $audit ) = get_action_params( 2 );
-my $chainref           = get_action_chain;
+    my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $level, $tag )    = get_action_logging;
 
-add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
 
-1;
+    my $target             = require_audit ( $action , $audit );
 
-?end perl;
+    if ( $family == F_IPV4 ) {
+        add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } elsif ($family == F_IPV6 ) {
+        add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    1;
+
+    ?end perl;
 ?endif

Shorewall/Actions/action.GlusterFS

@@ -13,9 +13,9 @@
 DEFAULTS 2,0
 
 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
+    ?error Invalid value (@1) for the GlusterFS Bricks argument
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
+    ?error Invalid value (@2) for the GlusterFS IB argument
 ?endif
 
 #ACTION		SOURCE		DEST		PROTO	DPORT

Shorewall/Actions/action.Multicast

@@ -29,22 +29,28 @@
 DEFAULTS DROP,-
 
 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
-?begin perl;
+    ?begin perl;
 
-use Shorewall::IPAddrs;
+    use strict;
-use Shorewall::Config;
+    use Shorewall::IPAddrs;
-use Shorewall::Chains;
+    use Shorewall::Config;
+    use Shorewall::Chains;
 
-my ( $action )         = get_action_params( 1 );
+    my ( $action, $audit ) = get_action_params( 2 );
-my $chainref           = get_action_chain;
+    my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $level, $tag )    = get_action_logging;
 
-log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 
-1;
+    my $target = require_audit ( $action , $audit );
+    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );
 
-?end perl;
+    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
+    add_jump $chainref, $target, 0, $dest;
+
+    1;
+
+    ?end perl;
 ?endif

Shorewall/Perl/Shorewall/Chains.pm

@@ -405,14 +405,14 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z12z2>
+#   Zone-pair chains for rules chain <z1-z2>
 #
-#      Syn Flood       - @<z12z2>
+#      Syn Flood       - @<z1-z2>
-#      Blacklist       - <z12z2>~
+#      Blacklist       - <z1-z2>~
-#      Established     - ^<z12z2>
+#      Established     - ^<z1-z2>
-#      Related         - +<z12z2>
+#      Related         - +<z1-z2>
-#      Invalid         - _<z12z2>
+#      Invalid         - _<z1-z2>
-#      Untracked       - &<z12z2>
+#      Untracked       - &<z1-z2>
 #
 our %chain_table;
 our $raw_table;
@@ -434,7 +434,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -1081,11 +1081,11 @@ sub format_option( $$ ) {
 
     assert( ! reftype $value );
 
-    my $rule = '';
+    my $rule;
 
     $value =~ s/\s*$//;
 
-    $rule .= join( ' ' , ' -m', $option, $value );
+    $rule = join( ' ' , ' -m', $option, $value );
 
     $rule;
 }

Shorewall/Perl/Shorewall/Config.pm

@@ -86,6 +86,9 @@ our @EXPORT = qw(
 		 kernel_version
 
                  compiletime
+				       
+		 F_IPV4
+		 F_IPV6
                 );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -196,9 +199,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
                                        PARMSMODIFIED
                                        USEDCALLER
-				       
-		                       F_IPV4
-		                       F_IPV6
 
 				       TCP
 				       UDP
@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.3",
+		    VERSION                 => "5.1.4-Beta1",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -907,6 +907,7 @@ sub initialize( $;$$) {
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
+	  PERL_HASH_SEED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1092,7 +1093,7 @@ sub initialize( $;$$) {
 
     %compiler_params = ();
 
-    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '', callfile => '', callline => ''  );
     $parmsmodified = 0;
     $usedcaller    = 0;
     %ipsets = ();
@@ -1218,7 +1219,7 @@ sub compiletime() {
 sub currentlineinfo() {
     my $linenumber = $currentlinenumber || 1;
 
-    if ( $currentfile ) {
+    if ( $currentfilename ) {
 	my $lineinfo = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
@@ -2177,7 +2178,7 @@ sub split_list3( $$ ) {
 	    $element = join ',', $element , $_;
 	}
     }
-    
+
     unless ( $opencount == 0 ) {
 	fatal_error "Invalid $type ($list)";
     }
@@ -2232,7 +2233,7 @@ sub split_list4( $ ) {
 sub split_columns( $ ) {
     my ($list) = @_;
 
-    return split ' ', $list unless $list =~ /\(/;
+    return split ' ', $list unless $list =~ /[()]/;
 
     my @list1 = split ' ', $list;
     my @list2;
@@ -2273,9 +2274,7 @@ sub split_columns( $ ) {
 	}
     }
 
-    unless ( $opencount == 0 ) {
+    fatal_error "Mismatched parentheses ($list)" unless $opencount == 0;
-	fatal_error "Mismatched parentheses ($list)";
-    }
 
     @list2;
 }
@@ -2288,7 +2287,7 @@ sub clear_comment();
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
-#    Handles segragating raw iptables input in INLINE rules
+#    Handles segragating raw iptables input in rules
 #
 sub split_line2( $$;$$$ ) {
     my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
@@ -2437,12 +2436,12 @@ sub split_line2( $$;$$$ ) {
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-		$column = $columnsref->{$column};
-		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
-		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $value =~ /[^\s[:print:]]/;
-		$line[$column] = $value;
+		my $colnum = $columnsref->{$column};
+		warning_message qq(Replacing "$line[$colnum]" with "$value" in the ) . uc( $column ) . ' column' if $line[$colnum] ne '-';
+		$line[$colnum] = $value;
 	    }
 	}
     }
@@ -2782,7 +2781,7 @@ sub evaluate_expression( $$$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
-	    $usedcaller = USEDCALLER if $var eq 'caller';
+	    $usedcaller = USEDCALLER if $var =~ /^(?:caller|callfile|callline)$/;
 	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2818,7 +2817,6 @@ sub evaluate_expression( $$$$ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-
 	declare_passed unless $evals++;
 
 	$val = eval qq(package Shorewall::User;
@@ -2835,6 +2833,7 @@ sub evaluate_expression( $$$$ ) {
     $val;
 }
 
+sub pop_open();
 #
 # Set callback
 #
@@ -2842,6 +2841,40 @@ sub directive_callback( $ ) {
     $directive_callback = shift;
 }
 
+sub directive_message( \&$$$$ ) {
+    my ( $functptr, $verbose, $expression, $filename, $linenumber ) = @_;
+
+    unless ( $omitting ) {
+	if ( $actparams{0} ) {
+	    #
+	    # When issuing a message from an action, report the action invocation
+	    # site rather than the action file and line number.
+	    #
+	    # Avoid double-reporting by temporarily removing the invocation site
+	    # from the open stack.
+	    #
+	    my $saveopens = pop @openstack;
+
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $actparams{callfile} ,
+			 $actparams{callline} );
+	    push @openstack, $saveopens;
+	} else {
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $filename ,
+			 $linenumber );
+	}
+    }
+}
+
 #
 # Each entry in @ifstack consists of a 4-tupple
 #
@@ -2855,7 +2888,8 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber )
+	unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -2957,15 +2991,16 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      if ( exists $actparams{$var} ) {
-			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
+			  if ( $var =~ /^(?:loglevel|logtag|chain|disposition|caller|callfile|callline)$/ ) {
 			      $actparams{$var} = '';
 			  } else {
 			      delete $actparams{$var}
 			  }
+
+			  $parmsmodified = PARMSMODIFIED if @ifstack > $ifstack;
 		      } else {
 			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
-
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
@@ -2996,68 +3031,85 @@ sub process_compiler_directive( $$$$ ) {
 
 	  ERROR => sub() {
 	      unless ( $omitting ) {
-		  directive_error( evaluate_expression( $expression ,
+		  if ( $actparams{0} ) {
-							$filename ,
+		      close $currentfile;
-							$linenumber ,
+		      #
-							1 ) ,
+		      # Avoid 'missing ?ENDIF' error in pop_open'
-				   $filename ,
+		      #
-				   $linenumber ) unless $omitting;
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action invocation site
+		      #
+		      pop_open;
+
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  } else {
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $filename ,
+				       $linenumber ) unless $omitting;
+		  }
 	      }
 	  } ,
 
 	  WARNING => sub() {
-	      unless ( $omitting ) {
+	      directive_message( &directive_warning ,
-		  directive_warning( $config{VERBOSE_MESSAGES} ,
+				 $config{VERBOSE_MESSAGES},
-				     evaluate_expression( $expression ,
+				 $expression ,
-							  $filename ,
+				 $filename ,
-							  $linenumber ,
+				 $linenumber );
-							  1 ),
-				     $filename ,
-				     $linenumber ) unless $omitting;
-	      }
 	  } ,
 
 	  INFO => sub() {
-	      unless ( $omitting ) {
+	      directive_message( &directive_info,
-		  directive_info( $config{VERBOSE_MESSAGES} ,
+				 $config{VERBOSE_MESSAGES} ,
-				  evaluate_expression( $expression ,
+				 $expression ,
-						       $filename ,
+				 $filename ,
-						       $linenumber ,
+				 $linenumber );
-						       1 ),
-				  $filename ,
-				  $linenumber ) unless $omitting;
-	      }
 	  } ,
 
 	  'WARNING!' => sub() {
-	      unless ( $omitting ) {
+	      directive_message( &directive_warning ,
-		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
+				 ! $config{VERBOSE_MESSAGES} ,
-				     evaluate_expression( $expression ,
+				 $expression ,
-							  $filename ,
+				 $filename ,
-							  $linenumber ,
+				 $linenumber );
-							  1 ),
-				     $filename ,
-				     $linenumber ) unless $omitting;
-	      }
 	  } ,
 
 	  'INFO!' => sub() {
-	      unless ( $omitting ) {
+	      directive_message( &directive_info ,
-		  directive_info( ! $config{VERBOSE_MESSAGES} ,
+				 ! $config{VERBOSE_MESSAGES} ,
-				  evaluate_expression( $expression ,
+				 $expression ,
-						       $filename ,
+				 $filename ,
-						       $linenumber ,
+				 $linenumber );
-						       1 ),
-				  $filename ,
-				  $linenumber ) unless $omitting;
-	      }
 	  } ,
 
 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-		  fatal_error "Unknown capability ($expression)" unless $capdesc{$expression};
+		  fatal_error "Unknown capability ($expression)" unless ( my $capdesc = $capdesc{$expression} );
-		  require_capability( $expression, "The $actparams{action} action", 's' );
+		  unless ( have_capability( $expression ) ) {
+		      close $currentfile;
+		      #
+		      # Avoid 'missing ?ENDIF' error in pop_open'
+		      #
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action call site
+		      #
+		      pop_open;
+
+		      directive_error( "The $actparams{action} action requires the $capdesc capability",
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  }
 	      }
 	  } ,
 
@@ -3559,6 +3611,8 @@ sub push_action_params( $$$$$$ ) {
     $actparams{loglevel}    = $loglevel;
     $actparams{logtag}      = $logtag;
     $actparams{caller}      = $caller;
+    $actparams{callfile}    = $currentfilename;
+    $actparams{callline}    = $currentlinenumber;
     $actparams{disposition} = '' if $chainref->{action};
     #
     # The Shorewall variable '@chain' has non-word characters other than hyphen removed

Shorewall/Perl/Shorewall/Misc.pm

@@ -1213,55 +1213,53 @@ sub add_common_rules ( $ ) {
 	}
     }
 
-    if ( $family == F_IPV4 ) {
+    my $announced = 0;
-	my $announced = 0;
 
-	$list = find_interfaces_by_option 'upnp';
+    $list = find_interfaces_by_option 'upnp';
 
-	if ( @$list ) {
+    if ( @$list ) {
-	    progress_message2 "$doing UPnP";
+	progress_message2 "$doing UPnP";
 
-	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
 
-	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
-	    my $chainref1;
+	my $chainref1;
 
-	    if ( $config{MINIUPNPD} ) {
+	if ( $config{MINIUPNPD} ) {
-		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+	    $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
-	    }
-
-	    $announced = 1;
-
-	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
-	    }
 	}
 
-	$list = find_interfaces_by_option 'upnpclient';
+	$announced = 1;
 
-	if ( @$list ) {
+	for $interface ( @$list ) {
-	    progress_message2 "$doing UPnP" unless $announced;
+	    add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+	}
+    }
 
-	    for $interface ( @$list ) {
+    $list = find_interfaces_by_option 'upnpclient';
-		my $chainref = $filter_table->{input_option_chain $interface};
-		my $base     = uc var_base get_physical $interface;
-		my $optional = interface_is_optional( $interface );
-		my $variable = get_interface_gateway( $interface, ! $optional );
-		my $origin   = get_interface_origin( $interface );
 
-		if ( $optional ) {
+    if ( @$list ) {
-		    add_commands( $chainref,
+	progress_message2 "$doing UPnP" unless $announced;
-				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+
-		    incr_cmd_level( $chainref );
+	for $interface ( @$list ) {
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+	    my $chainref = $filter_table->{input_option_chain $interface};
-		    decr_cmd_level( $chainref );
+	    my $base     = uc var_base get_physical $interface;
-		    add_commands( $chainref, 'fi' );
+	    my $optional = interface_is_optional( $interface );
-		} else {
+	    my $variable = get_interface_gateway( $interface, ! $optional );
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+	    my $origin   = get_interface_origin( $interface );
-		}
+
+	    if ( $optional ) {
+		add_commands( $chainref,
+			      qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+		incr_cmd_level( $chainref );
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		decr_cmd_level( $chainref );
+		add_commands( $chainref, 'fi' );
+	    } else {
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Zones.pm

@@ -108,24 +108,6 @@ our @EXPORT = ( qw( NOTHING
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
-
-#
-# IPSEC Option types
-#
-use constant { NOTHING    => 'NOTHING',
-	       NUMERIC    => '0x[\da-fA-F]+|\d+',
-	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
-	       IPSECPROTO => 'ah|esp|ipcomp',
-	       IPSECMODE  => 'tunnel|transport'
-	       };
-
-#
-# Option columns
-#
-use constant { IN_OUT     => 1,
-	       IN         => 2,
-	       OUT        => 3 };
-
 #
 # Zone Table.
 #
@@ -221,6 +203,26 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 
+#
+# IPSEC Option types
+#
+use constant { NOTHING    => 'NOTHING',
+	       NUMERIC    => '0x[\da-fA-F]+|\d+',
+	       IPSECPROTO => 'ah|esp|ipcomp',
+	       IPSECMODE  => 'tunnel|transport'
+	     };
+
+sub NETWORK() {
+    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
+}
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -276,19 +278,7 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =
 
 our %validhostoptions;
 
-our %validzoneoptions = ( mss            => NUMERIC,
+our %validzoneoptions;
-			  nomark         => NOTHING,
-			  blacklist      => NOTHING,
-			  dynamic_shared => NOTHING,
-			  strict         => NOTHING,
-			  next           => NOTHING,
-			  reqid          => NUMERIC,
-			  spi            => NUMERIC,
-			  proto          => IPSECPROTO,
-			  mode           => IPSECMODE,
-			 "tunnel-src"   => NETWORK,
-			 "tunnel-dst"   => NETWORK,
-		       );
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -330,6 +320,20 @@ sub initialize( $$ ) {
     $minroot = 0;
     $loopback_interface = '';
 
+    %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
+		       );
+
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
@@ -407,6 +411,8 @@ sub initialize( $$ ) {
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
+				    upnp        => SIMPLE_IF_OPTION,
+				    upnpclient  => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -1313,7 +1319,7 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The '$option' option requires a value" unless supplied $value;
 
 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;

Shorewall/Perl/compiler.pl

@@ -43,6 +43,8 @@
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
+#    If the <filename> is omitted, then a 'check' operation is performed.
+#
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";

Shorewall/Perl/lib.runtime

@@ -32,7 +32,7 @@
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
-#	    reenable			Disable then nable an optional
+#	    reenable			Disable then enable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall

Shorewall/Samples/Universal/shorewall.conf

@@ -217,6 +217,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=Yes

Shorewall/Samples/one-interface/shorewall.conf

@@ -228,6 +228,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -225,6 +225,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -228,6 +228,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/actions.std

@@ -8,6 +8,7 @@
 #
 ###############################################################################
 #ACTION
+A_AllowICMPs inline		# Audited version of AllowICMPs
 A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request

Shorewall/configfiles/shorewall.conf

@@ -217,6 +217,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/install.sh

@@ -444,6 +444,12 @@ if [ -z "$first_install" ]; then
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Drop
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Reject
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_AllowICMPs
+    else
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.A_AllowICMPs
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.AllowICMPs
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.Broadcast
+	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.Multicast
     fi
 fi
 

Shorewall/lib.cli-std

@@ -341,6 +341,18 @@ get_config() {
 	setup_dbl
     fi
 
+    if [ -z "$PERL_HASH_SEED" ]; then
+	PERL_HASH_SEED=0
+    else
+	case $PERL_HASH_SEED in
+	    [0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]|random)
+	        ;;
+	    *)
+		fatal_error "Invalid setting ($PERL_HASH_SEED) for PERL_HASH_SEED"
+		;;
+	esac
+    fi
+
     lib=$(find_file lib.cli-user)
 
     [ -f $lib ] && . $lib
@@ -484,8 +496,17 @@ compiler() {
     #
     [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
 
-    PERL_HASH_SEED=0
+    case $PERL_HASH_SEED in
-    export PERL_HASH_SEED
+	random)
+	    unset PERL_HASH_SEED
+	    unset PERL_PERTURB_KEYS
+	    ;;
+	*)
+	    export PERL_HASH_SEED
+	    PERL_PERTURB_KEYS=0
+	    export PERL_PERTURB_KEYS
+	    ;;
+    esac
 
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
@@ -513,28 +534,6 @@ start_command() {
     local rc
     rc=0
 
-    do_it() {
-	if [ -n "$AUTOMAKE" ]; then
-	    [ -n "$nolock" ] || mutex_on
-	    run_it ${VARDIR}/firewall $g_debugging start
-	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    g_file="${VARDIR}/.start"
-	    if compiler $g_debugging $nolock compile "$g_file"; then
-		[ -n "$nolock" ] || mutex_on
-		run_it ${VARDIR}/.start $g_debugging start
-		rc=$?
-		[ -n "$nolock" ] || mutex_off
-	    else
-		rc=$?
-		mylogger kern.err "ERROR:$g_product start failed"
-	    fi
-	fi
-
-	exit $rc
-    }
-
     if product_is_started; then
 	error_message "Shorewall is already running"
 	exit 0
@@ -626,7 +625,25 @@ start_command() {
 	fi
     fi
 
-    do_it
+    if [ -n "$AUTOMAKE" ]; then
+	[ -n "$nolock" ] || mutex_on
+	run_it ${VARDIR}/firewall $g_debugging start
+	rc=$?
+	[ -n "$nolock" ] || mutex_off
+    else
+	g_file="${VARDIR}/.start"
+	if compiler $g_debugging $nolock compile "$g_file"; then
+	    [ -n "$nolock" ] || mutex_on
+	    run_it ${VARDIR}/.start $g_debugging start
+	    rc=$?
+	    [ -n "$nolock" ] || mutex_off
+	else
+	    rc=$?
+	    mylogger kern.err "ERROR:$g_product start failed"
+	fi
+    fi
+
+    exit $rc
 }
 
 #

Shorewall/manpages/shorewall-rules.xml

@@ -136,10 +136,8 @@
     <note>
       <para>If you are not familiar with Netfilter to the point where you are
       comfortable with the differences between the various connection tracking
-      states, then it is suggested that you omit the <emphasis
+      states, then it is suggested that you place all of your rules in the NEW
-      role="bold">ESTABLISHED</emphasis> and <emphasis
+      section (That's after the line that reads ?SECTION NEW').</para>
-      role="bold">RELATED</emphasis> sections and place all of your rules in
-      the NEW section (That's after the line that reads ?SECTION NEW').</para>
     </note>
 
     <warning>
@@ -148,8 +146,8 @@
       <emphasis role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
       role="bold">RELATED</emphasis> sections must be empty.</para>
 
-      <para>An except is made if you are running Shorewall 4.4.27 or later and
+      <para>An exception is made if you are running Shorewall 4.4.27 or later
-      you have specified a non-default value for RELATED_DISPOSITION or
+      and you have specified a non-default value for RELATED_DISPOSITION or
       RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED
       section of this file.</para>
     </warning>
@@ -594,7 +592,7 @@
                 <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>The <replaceable>nflog-parameters</replaceable> are a
                 comma-separated list of up to 3 numbers:</para>
@@ -847,7 +845,7 @@
                 <para>Added in Shorewall 4.5.10. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>Similar to<emphasis role="bold">
                 LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],

Shorewall/manpages/shorewall-zones.xml

@@ -55,14 +55,14 @@
             <para>The maximum length of an iptables log prefix is 29 bytes. As
             explained in <ulink
             url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
-            the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
+            the legacy default LOGPREFIX formatting string is
-            where the first %s is replaced by the chain name and the second is
+            “Shorewall:%s:%s:” where the first %s is replaced by the chain
-            replaced by the disposition.</para>
+            name and the second is replaced by the disposition.</para>
 
             <itemizedlist>
               <listitem>
-                <para>The default formatting string has 12 fixed characters
+                <para>The "Shorewall:%s:%s:" formatting string has 12 fixed
-                ("Shorewall" and three colons).</para>
+                characters ("Shorewall" and three colons).</para>
               </listitem>
 
               <listitem>
@@ -90,6 +90,29 @@
                 </simplelist>
               </listitem>
             </itemizedlist>
+
+            <para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
+            shorewall.conf files was changed to "%s:%s ".</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>That formatting string has 2 fixed characters (":" and a
+                space).</para>
+              </listitem>
+
+              <listitem>
+                <para>So the maximum zone name length M is calculated
+                as:</para>
+
+                <simplelist>
+                  <member>2 + 6 + 2*M + 1 = 29</member>
+
+                  <member>2M = 29 - 2 + 6 + 1 = 20</member>
+
+                  <member>M = 10</member>
+                </simplelist>
+              </listitem>
+            </itemizedlist>
           </blockquote>
 
           <para>The order in which Shorewall matches addresses from packets to

Shorewall/manpages/shorewall.conf.xml

@@ -1443,15 +1443,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             </listitem>
           </itemizedlist>
 
-          <para/>
-
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
-            logging from the nat table's PREROUTING chain is:</para>
+            logging from the nat table's PREROUTING chain is as follows in
+            versions prior to 5.1.0:</para>
 
             <programlisting>    Shorewall:nat:PREROUTING
  </programlisting>
 
+            <para>In Shorewall 5.1.0 and later releases, the log prefix
+            is:</para>
+
+            <programlisting>    nat:PREROUTING
+ </programlisting>
+
             <important>
               <para>To help insure that all packets in the NEW state are
               logged, rate limiting (LOGLIMIT) should be disabled when using
@@ -1515,6 +1520,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             url="/manpages/shorewall-zones.html">shorewall-zones</ulink>
             (5).</para>
           </note>
+
+          <caution>
+            <para>Beginning with Shorewall 5.1.0, the default and sample
+            shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
+            messages that use this LOGFORMAT can be uniquely identified using
+            the following regular expression:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
+            </simplelist>
+
+            <para>To match all Netfilter log messages (Both IPv4 and IPv6),
+            use:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.* DST='</member>
+            </simplelist>
+          </caution>
         </listitem>
       </varlistentry>
 
@@ -1551,8 +1574,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Using the default LOGFORMAT, chain names may not exceed 11
+          <para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
-          characters or truncation of the log prefix may occur. Longer chain
+          5 characters or truncation of the log prefix may occur. Longer chain
           names may be used with log tags if you set LOGTAGONLY=Yes. With
           LOGTAGONLY=Yes, if a log tag is specified then the tag is included
           in the log prefix in place of the chain name.</para>
@@ -1564,10 +1587,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           separated by a comma. So this rule:</para>
 
           <programlisting>#ACTION                                SOURCE         DEST
-LOG:info:foo,bar                 net                   fw</programlisting>
+LOG:info:foo,bar                       net            fw</programlisting>
 
-          <para>would generate the following log prefix when using the default
+          <para>would generate the following log prefix when using
-          LOGFORMAT setting:</para>
+          LOGFORMAT=“Shorewall:%s:%s:”:</para>
 
           <simplelist>
             <member>Shorewall:foo:bar:</member>
@@ -2153,6 +2176,21 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">PERL_HASH_SEED=</emphasis><emphasis
+        role="bold"><replaceable>seed</replaceable><emphasis
+        role="bold">|random</emphasis></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. Sets the Perl hash
+          <replaceable>seed</replaceable> (an integer in the range 0-99999)
+          when running the Shorewall rules compiler. If not specified, the
+          value 0 is assumed. If <option>random</option> is specified, a
+          random seed will be chosed by Perl. See perlsec(1) for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">PROVIDER_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall6/Actions/action.A_AllowICMPs

@@ -1,38 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/action.A_AllowICMPs
-#
-# This action A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION		SOURCE		DEST	PROTO		DPORT
-
-?comment Needed ICMP types (RFC4890)
-
-A_ACCEPT	-		-	ipv6-icmp	destination-unreachable
-A_ACCEPT	-		-	ipv6-icmp	packet-too-big
-A_ACCEPT	-		-	ipv6-icmp	time-exceeded
-A_ACCEPT	-		-	ipv6-icmp	parameter-problem
-
-# The following should have a ttl of 255 and must be allowed to transit a bridge
-A_ACCEPT	-		-	ipv6-icmp	router-solicitation
-A_ACCEPT	-		-	ipv6-icmp	router-advertisement
-A_ACCEPT	-		-	ipv6-icmp	neighbour-solicitation
-A_ACCEPT	-		-	ipv6-icmp	neighbour-advertisement
-A_ACCEPT	-		-	ipv6-icmp	137	# Redirect
-A_ACCEPT	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
-A_ACCEPT	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
-
-# The following should have a link local source address and must be allowed to transit a bridge
-A_ACCEPT	fe80::/10	-	ipv6-icmp	130	# Listener query
-A_ACCEPT	fe80::/10	-	ipv6-icmp	131	# Listener report
-A_ACCEPT	fe80::/10	-	ipv6-icmp	132	# Listener done
-A_ACCEPT	fe80::/10	-	ipv6-icmp	143	# Listener report v2
-
-# The following should be received with a ttl of 255 and must be allowed to transit a bridge
-A_ACCEPT	-		-	ipv6-icmp	148	# Certificate path solicitation
-A_ACCEPT	-		-	ipv6-icmp	149	# Certificate path advertisement
-
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
-A_ACCEPT	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
-A_ACCEPT	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
-A_ACCEPT	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall6/Actions/action.AllowICMPs

@@ -1,40 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/action.AllowICMPs
-#
-# This action ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION	SOURCE		DEST	PROTO		DPORT
-
-DEFAULTS ACCEPT
-
-?COMMENT Needed ICMP types (RFC4890)
-
-$1	-		-	ipv6-icmp	destination-unreachable
-$1	-		-	ipv6-icmp	packet-too-big
-$1	-		-	ipv6-icmp	time-exceeded
-$1	-		-	ipv6-icmp	parameter-problem
-
-# The following should have a ttl of 255 and must be allowed to transit a bridge
-$1	-		-	ipv6-icmp	router-solicitation
-$1	-		-	ipv6-icmp	router-advertisement
-$1	-		-	ipv6-icmp	neighbour-solicitation
-$1	-		-	ipv6-icmp	neighbour-advertisement
-$1	-		-	ipv6-icmp	137	# Redirect
-$1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
-$1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
-
-# The following should have a link local source address and must be allowed to transit a bridge
-$1	fe80::/10	-	ipv6-icmp	130	# Listener query
-$1	fe80::/10	-	ipv6-icmp	131	# Listener report
-$1	fe80::/10	-	ipv6-icmp	132	# Listener done
-$1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
-
-# The following should be received with a ttl of 255 and must be allowed to transit a bridge
-$1	-		-	ipv6-icmp	148	# Certificate path solicitation
-$1	-		-	ipv6-icmp	149	# Certificate path advertisement
-
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
-$1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
-$1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
-$1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall6/Actions/action.Broadcast

@@ -1,65 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/action.Broadcast
-#
-# Multicast/Anycast IPv6 Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Broadcast[([<action>|-[,{audit|-}])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref           = get_action_chain;
-my ( $action, $audit ) = get_action_params( 2 );
-my ( $level, $tag )    = get_action_logging;
-my $target             = require_audit ( $action , $audit );
-
-fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
-
-if ( have_capability( 'ADDRTYPE' ) ) {
-    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }
-
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
-} else {
-    add_commands $chainref, 'for address in $ALL_ACASTS; do';
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-}
-
-1;
-
-?end perl;

Shorewall6/Actions/action.Multicast

@@ -1,59 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/action.Multicast
-#
-# Multicast/Anycast IPv6 Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Multicast[([<action>|-[,{audit|-}])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref           = get_action_chain;
-my ( $action, $audit ) = get_action_params( 2 );
-my ( $level, $tag )    = get_action_logging;
-my $target             = require_audit ( $action , $audit );
-
-fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
-
-if ( have_capability( 'ADDRTYPE' ) ) {
-    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-    }
-
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
-} else {
-    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
-    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
-}
-
-1;
-
-?end perl;

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"
 
 MUTEX_TIMEOUT=60
@@ -196,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=Yes

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -189,6 +189,8 @@ MANGLE_ENABLED=Yes
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"
 
 MUTEX_TIMEOUT=60
@@ -197,6 +199,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"
 
 MUTEX_TIMEOUT=60
@@ -196,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"
 
 MUTEX_TIMEOUT=60
@@ -196,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/actions.std

@@ -17,6 +17,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 allowMcast   inline		# Silently Allow Multicast
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
+BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline      	# Handles Broadcast/Anycast
 Drop		        	# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
@@ -27,6 +28,7 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
+forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
              state=INVALID

Shorewall6/configfiles/shorewall6.conf

@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX=ko
 
 MUTEX_TIMEOUT=60
@@ -196,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/manpages/shorewall6-zones.xml

@@ -42,26 +42,27 @@
         role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>
 
         <listitem>
-          <para>Name of the <emphasis>zone</emphasis>. The names "all",
+          <para>Name of the <emphasis>zone</emphasis>. Must start with a
-          "none", "SOURCE" and "DEST" are reserved and may not be used as zone
+          letter and consist of letters, digits or '_'. The names "all",
-          names. The maximum length of a zone name is determined by the
+          "none", "any", "SOURCE" and "DEST" are reserved and may not be used
-          setting of the LOGFORMAT option in <ulink
+          as zone names. The maximum length of a zone name is determined by
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          the setting of the LOGFORMAT option in <ulink
-          With the default LOGFORMAT, zone names can be at most 5 characters
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). With
+          the default LOGFORMAT, zone names can be at most 5 characters
           long.</para>
 
           <blockquote>
             <para>The maximum length of an iptables log prefix is 29 bytes. As
             explained in <ulink
-            url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5),
+            url="shorewall6.conf.html">shorewall6.conf</ulink> (5), the legacy
-            the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
+            default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
-            where the first %s is replaced by the chain name and the second is
+            the first %s is replaced by the chain name and the second is
             replaced by the disposition.</para>
 
             <itemizedlist>
               <listitem>
-                <para>The default formatting string has 12 fixed characters
+                <para>The "Shorewall:%s:%s:" formatting string has 12 fixed
-                ("Shorewall" and three colons).</para>
+                characters ("Shorewall" and three colons).</para>
               </listitem>
 
               <listitem>
@@ -72,7 +73,8 @@
               <listitem>
                 <para>The canonical name for the chain containing the rules
                 for traffic going from zone 1 to zone 2 is "&lt;zone
-                1&gt;2&lt;zone 2&gt;".</para>
+                1&gt;2&lt;zone 2&gt;" or "&lt;zone 1&gt;-&lt;zone
+                2&gt;".</para>
               </listitem>
 
               <listitem>
@@ -88,6 +90,29 @@
                 </simplelist>
               </listitem>
             </itemizedlist>
+
+            <para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
+            shorewall.conf files was changed to "%s:%s ".</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>That formatting string has 2 fixed characters (":" and a
+                space).</para>
+              </listitem>
+
+              <listitem>
+                <para>So the maximum zone name length M is calculated
+                as:</para>
+
+                <simplelist>
+                  <member>2 + 6 + 2*M + 1 = 29</member>
+
+                  <member>2M = 29 - 2 + 6 + 1 = 20</member>
+
+                  <member>M = 10</member>
+                </simplelist>
+              </listitem>
+            </itemizedlist>
           </blockquote>
 
           <para>The order in which Shorewall6 matches addresses from packets

Shorewall6/manpages/shorewall6.conf.xml

@@ -1229,7 +1229,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
         <listitem>
           <para>This option is intended for use as a debugging aid. When set
-          to a log level, this option causes Shorewall6 to generate a logging
+          to a log level, this option causes Shorewall to generate a logging
           rule as the first rule in each builtin chain.</para>
 
           <itemizedlist>
@@ -1244,14 +1244,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             </listitem>
           </itemizedlist>
 
-          <para/>
-
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
-            logging from the nat table's PREROUTING chain is:</para>
+            logging from the nat table's PREROUTING chain is as follows in
+            versions prior to 5.1.0:</para>
 
             <programlisting>    Shorewall:nat:PREROUTING
-</programlisting>
+ </programlisting>
+
+            <para>In Shorewall 5.1.0 and later releases, the log prefix
+            is:</para>
+
+            <programlisting>    nat:PREROUTING
+ </programlisting>
 
             <important>
               <para>To help insure that all packets in the NEW state are
@@ -1295,7 +1300,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
         <listitem>
           <para>The value of this variable generate the --log-prefix setting
-          for Shorewall6 logging rules. It contains a “printf” formatting
+          for Shorewall logging rules. It contains a “printf” formatting
           template which accepts three arguments (the chain name, logging rule
           number (optional) and the disposition). To use LOGFORMAT with
           fireparse, set it as:</para>
@@ -1306,14 +1311,31 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           logging rule number is calculated and formatted in that position; if
           that substring is not included then the rule number is not included.
           If not supplied or supplied as empty (LOGFORMAT="") then
-          “Shorewall6:%s:%s:” is assumed.</para>
+          “Shorewall:%s:%s:” is assumed.</para>
 
           <note>
             <para>The setting of LOGFORMAT has an effect of the permitted
             length of zone names. See <ulink
-            url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
+            url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>
             (5).</para>
           </note>
+
+          <caution>
+            <para>Beginning with Shorewall 5.1.0, the default and sample
+            shorewall.conf files set LOGFORMAT="%s %s ". Shorewall6 log
+            messages that use this LOGFORMAT can be uniquely identified using
+            the following regular expression:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
+            </simplelist>
+
+            <para>To match all Netfilter log messages, use:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.* DST='</member>
+            </simplelist>
+          </caution>
         </listitem>
       </varlistentry>
 
@@ -1350,8 +1372,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Using the default LOGFORMAT, chain names may not exceed 11
+          <para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
-          characters or truncation of the log prefix may occur. Longer chain
+          5 characters or truncation of the log prefix may occur. Longer chain
           names may be used with log tags if you set LOGTAGONLY=Yes. With
           LOGTAGONLY=Yes, if a log tag is specified then the tag is included
           in the log prefix in place of the chain name.</para>
@@ -1363,10 +1385,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           separated by a comma. So this rule:</para>
 
           <programlisting>#ACTION                                SOURCE         DEST
-LOG:info:foo,bar                 net                   fw</programlisting>
+LOG:info:foo,bar                       net            fw</programlisting>
 
-          <para>would generate the following log prefix when using the default
+          <para>would generate the following log prefix when using
-          LOGFORMAT setting:</para>
+          LOGFORMAT=“Shorewall:%s:%s:”:</para>
 
           <simplelist>
             <member>Shorewall:foo:bar:</member>
@@ -1375,7 +1397,7 @@ LOG:info:foo,bar                 net                   fw</programlisting>
           <para>Similarly,</para>
 
           <programlisting>#ACTION                               SOURCE            DEST
-LOG:info:,bar                        net                    fw</programlisting>
+LOG:info:,bar                         net               fw</programlisting>
 
           <para>would generate</para>
 
@@ -1555,6 +1577,28 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
         role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
@@ -1868,6 +1912,21 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">PERL_HASH_SEED=</emphasis><emphasis
+        role="bold"><replaceable>seed</replaceable><emphasis
+        role="bold">|random</emphasis></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. Sets the Perl hash
+          <replaceable>seed</replaceable> (an integer in the range 0-99999)
+          when running the Shorewall rules compiler. If not specified, the
+          value 0 is assumed. If <option>random</option> is specified, a
+          random seed will be chosed by Perl. See perlsec(1) for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">PROVIDER_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

docs/Documentation_Index.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2016</year>
+      <year>2001-2017</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>

docs/configuration_file_basics.xml

@@ -446,40 +446,42 @@ br0                -                    routeback</programlisting></para>
     backslash (<quote>\</quote>) followed immediately by a new line character
     (Enter key).</para>
 
-    <example id="continuation">
+    <programlisting>ACCEPT  net     $FW      tcp \↵
-      <title>Line Continuation</title>
-
-      <programlisting>ACCEPT  net     $FW      tcp \↵
 smtp,www,pop3,imap  #Services running on the firewall</programlisting>
 
-      <para>In certain cases, leading white space is ignored in continuation
+    <para>In certain cases, leading white space is ignored in continuation
-      lines:</para>
+    lines:</para>
 
-      <itemizedlist>
+    <orderedlist>
-        <listitem>
+      <listitem>
-          <para>The continued line ends with a colon (":")</para>
+        <para>The continued line ends with a colon (":")</para>
-        </listitem>
+      </listitem>
 
-        <listitem>
+      <listitem>
-          <para>The continued line ends with a comma (",")</para>
+        <para>The continued line ends with a comma (",")</para>
-        </listitem>
+      </listitem>
-      </itemizedlist>
+    </orderedlist>
 
-      <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
+    <important>
+      <para>What follows does NOT apply to <ulink
+      url="manpages/shorewall-params.html">shorewall-params(5)</ulink> and
+      <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+    </important>
 
-      <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
+    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
+
+    <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
 ACCEPT      net:\
             206.124.146.177,\
             206.124.146.178,\
             206.124.146.180\
                             dmz             tcp             873</programlisting>
 
-      <para>The leading white space on the first through third continuation
+    <para>The leading white space on the first through third continuation
-      lines is ignored so the SOURCE column effectively contains
+    lines is ignored so the SOURCE column effectively contains
-      "net:206.124.146.177,206.124.147.178,206.124.146.180". Because the third
+    "net:206.124.146.177,206.124.147.178,206.124.146.180". Because the third
-      continuation line does not end with a comma or colon, the leading white
+    continuation line does not end with a comma or colon, the leading white
-      space in the last line is not ignored.</para>
+    space in the last line is not ignored.</para>
-    </example>
 
     <important>
       <para>A trailing backslash is not ignored in a comment. So the continued
@@ -2273,6 +2275,18 @@ SSH(ACCEPT)    net:$MYIP      $FW
     <command>restart</command>, <command>reload</command>,
     <command>refresh</command>, or one of the <command>safe</command>-*
     commands.</para>
+
+    <para>See the VERBOSE_MESSAGES option in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> for
+    additional information.</para>
+
+    <para>In Shorewall 5.1.4, the behavior of ?ERROR, ?WARNING and ?INFO was
+    changed when they appear in an action file. Rather than reporting the
+    action filename and line number, the generated message reports where the
+    action was invoked. For example, the GlusterFS message above was changed
+    to:</para>
+
+    <programlisting>   ERROR: Invalid value (2000) for the GlusterFS Bricks argument /etc/shorewall/rules (line 45)</programlisting>
   </section>
 
   <section id="Embedded">

docs/ipsets.xml

@@ -26,6 +26,8 @@
 
       <year>2015</year>
 
+      <year>2017</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -54,7 +56,12 @@
     <ulink url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
     if they are not available in your current distribution. Instructions for
     installing xtables-addons may be found in the <ulink
-    url="Dynamic.html">Dynamic Zones article</ulink>.</para>
+    url="Dynamic.html">Dynamic Zones article</ulink>.
+    Note that xtables-addons might not be required
+    with the 'ipset' package provided by your distribution.
+    See also the section <ulink url="configuration_file_basics.htm#capabilities">capabilities</ulink>
+    in the <ulink url="configuration_file_basics.htm">configuration file basics article</ulink>
+    and the <ulink url="Shorewall-Lite.html#Shorecap">Shorecap program</ulink>.</para>
 
     <para>Ipset allows you to create one or more named sets of addresses then
     use those sets to define Netfilter/iptables rules. Possible uses of ipsets