Correct -p check for the conntrack utility's availability

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50105
+SHOREWALL_CAPVERSION=50106
 
 if [ -z "$g_basedir" ]; then
     #
@@ -2804,6 +2804,7 @@ determine_capabilities() {
     CPU_FANOUT=
     NETMAP_TARGET=
     NFLOG_SIZE=
+    RESTORE_WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2827,9 +2828,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
+    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
+
     if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
     fi
 
     chain=fooX$$
@@ -3299,9 +3302,11 @@ report_capabilities_unsorted() {
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3417,6 +3422,7 @@ report_capabilities_unsorted1() {
     report_capability1 CPU_FANOUT
     report_capability1 NETMAP_TARGET
     report_capability1 NFLOG_SIZE
+    report_capability1 RESTORE_WAIT_OPTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER

Shorewall/Macros/macro.RDP

@@ -6,4 +6,5 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
+PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389

Shorewall/Perl/Shorewall/Chains.pm

@@ -1345,8 +1345,6 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
-
-	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1929,7 +1927,7 @@ sub delete_reference( $$ ) {
 
     assert( $toref );
 
-    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
+    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
 }
 
 #
@@ -2067,7 +2065,7 @@ sub adjust_reference_counts( $$$ ) {
     my ($toref, $name1, $name2) = @_;
 
     if ( $toref ) {
-	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
+	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
 	$toref->{references}{$name2}++;
     }
 }
@@ -3900,6 +3898,15 @@ sub optimize_level8( $$$ ) {
 		    }
 
 		    $combined{ $chainref1->{name} } = $chainref->{name};
+		    #
+		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
+		    # the policy attributes in the combined chain
+		    #
+		    if ( $chainref->{policychain} ) {
+			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
+		    } elsif ( $chainref1->{policychain} ) {
+			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
+		    }
 		}
 	    }
 	}
@@ -4826,7 +4833,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -5033,7 +5040,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 
 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -6318,7 +6325,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? '' : "-d $net ";
 }
 
@@ -6399,7 +6406,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? () : ( d =>  $net );
 }
 
@@ -7522,6 +7529,11 @@ sub isolate_dest_interface( $$$$ ) {
 
 	    $rule .= "-d $variable ";
 	}
+    } elsif ( $dest =~ /^\$/ ) {
+	#
+	# Runtime address variable
+	#
+	$dnets  = $dest;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8902,9 +8914,15 @@ sub create_netfilter_load( $ ) {
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
 
     emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
-	  '    option="--counters"',
-	  '',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
+
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
+    } else {
+	emit( '    option="--counters"' );
+    }
+
+    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8912,7 +8930,11 @@ sub create_netfilter_load( $ ) {
 
     push_indent;
 
-    emit 'option=';
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
+    } else {
+	emit 'option=';
+    }
 
     save_progress_message "Preparing $utility input...";
 
@@ -9327,7 +9349,11 @@ sub create_stop_load( $ ) {
 
     enter_cmd_mode;
 
-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
+    } else {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    }
 
     emit( '',
 	  'progress_message2 "Running $command..."',

Shorewall/Perl/Shorewall/Compiler.pm

@@ -109,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -209,6 +209,8 @@ sub generate_script_2() {
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
     emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
     emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
+    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
+    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
 
     emit 'TEMPFILE=';
 

Shorewall/Perl/Shorewall/Config.pm

@@ -414,7 +414,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                  NETMAP_TARGET   => 'NETMAP Target',
                  NFLOG_SIZE      => '--nflog-size support',
-
+		 RESTORE_WAIT_OPTION
+				 => 'iptables-restore --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -752,7 +753,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.1.5-RC1",
-		    CAPVERSION              => 50105 ,
+		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -1046,6 +1047,7 @@ sub initialize( $;$$) {
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
+	       RESTORE_WAIT_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -4318,7 +4320,7 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+	$config{MODULE_SUFFIX} = 'ko ko.gz ko.xz o o.gz o.xz gz xz' unless $config{MODULE_SUFFIX};
 
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 
@@ -4948,6 +4950,10 @@ sub Cpu_Fanout() {
     have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 
+sub Restore_Wait_Option() {
+    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AMANDA_HELPER => \&Amanda_Helper,
@@ -5028,6 +5034,7 @@ our %detect_capability =
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
+      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
       RPFILTER_MATCH => \&RPFilter_Match,
       SANE_HELPER => \&SANE_Helper,
       SANE0_HELPER => \&SANE0_Helper,
@@ -5195,6 +5202,8 @@ sub determine_capabilities() {
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
+	$capabilities{RESTORE_WAIT_OPTION}
+				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -6061,7 +6070,6 @@ sub get_configuration( $$$$ ) {
     #
     # get_capabilities requires that the true settings of these options be established
     #
-    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
     default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
 
     if ( ! $export && $> == 0 ) {
@@ -6833,6 +6841,12 @@ sub get_configuration( $$$$ ) {
 	}
     }
 
+    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
+	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
+    } else {
+	$config{MUTEX_TIMEOUT} = 60;
+    }
+
     add_variables %config;
 
     while ( my ($var, $val ) = each %renamed ) {

Shorewall/Perl/Shorewall/Nat.pm

@@ -941,7 +941,17 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
+	    my @servers;
+
+	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
+		$server = record_runtime_address( $1, $2 );
+		$server =~ s/ $//;
+		@servers = ( $server );
+	    } else {
+		@servers = validate_address $server, 1;
+	    }
+
 	    $server = join ',', @servers;
 	}
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -1088,7 +1088,10 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
+	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
+	    );
+
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1233,7 +1236,9 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
+	    );
 
 	if ( $pseudo ) {
 	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );

Shorewall/Perl/Shorewall/Zones.pm

@@ -92,7 +92,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
-                    get_interface_origin
+		    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -114,31 +114,31 @@ our $VERSION = 'MODULEVERSION';
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        complex =>    0|1
-#                        super   =>    0|1
-#                        options =>    { in_out  => < policy match string >
-#                                        in      => < policy match string >
-#                                        out     => < policy match string >
-#                                      }
-#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
-#                        children =>   [ <children> ]
-#                        interfaces => { <interfaces1> => 1, ... }
-#                        bridge =>     <bridge>
-#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#                                                                  options => { <option1> => <value1>
-#                                                                               ...
-#                                                                             }
-#                                                                  hosts   => [ <net1> , <net2> , ... ]
-#                                                                  exclusions => [ <net1>, <net2>, ... ]
-#                                                                  origin   => <where defined>
-#                                                                }
-#                                                <interface2> => ...
-#                                              }
-#                                            ]
-#                       }
-#             <zone2> => ...
-#           }
+#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
+#			 complex =>    0|1
+#			 super	 =>    0|1
+#			 options =>    { in_out	 => < policy match string >
+#					 in	 => < policy match string >
+#					 out	 => < policy match string >
+#				       }
+#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
+#			 children =>   [ <children> ]
+#			 interfaces => { <interfaces1> => 1, ... }
+#			 bridge =>     <bridge>
+#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#								   options => { <option1> => <value1>
+#										...
+#									      }
+#								   hosts   => [ <net1> , <net2> , ... ]
+#								   exclusions => [ <net1>, <net2>, ... ]
+#								   origin   => <where defined>
+#								 }
+#						 <interface2> => ...
+#					       }
+#					     ]
+#			}
+#	      <zone2> => ...
+#	    }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -160,27 +160,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name        => <name of interface>
-#                                     root        => <name without trailing '+'>
-#                                     options     => { port => undef|1
-#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
-#                                                      ...
-#                                                    }
-#                                     zone        => <zone name>
-#                                     multizone   => undef|1   #More than one zone interfaces through this interface
-#                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
-#                                     ports       => <number of port on this bridge>
-#                                     ipsec       => undef|1 # Has an ipsec host group
-#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#                                     number      => <ordinal position in the interfaces file>
-#                                     physical    => <physical interface name>
-#                                     base        => <shell variable base representing this interface>
-#                                     wildcard    => undef|1 # Wildcard Name
-#                                     zones       => { zone1 => 1, ... }
-#                                     origin      => <where defined>
-#                                   }
-#                 }
+#     %interfaces { <interface1> => { name	  => <name of interface>
+#				      root	  => <name without trailing '+'>
+#				      options	  => { port => undef|1
+#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
+#						       ...
+#						     }
+#				      zone	  => <zone name>
+#				      multizone	  => undef|1   #More than one zone interfaces through this interface
+#				      nets	  => <number of nets in interface/hosts records referring to this interface>
+#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
+#				      ports	  => <number of port on this bridge>
+#				      ipsec	  => undef|1 # Has an ipsec host group
+#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#				      number	  => <ordinal position in the interfaces file>
+#				      physical	  => <physical interface name>
+#				      base	  => <shell variable base representing this interface>
+#				      wildcard	  => undef|1 # Wildcard Name
+#				      zones	  => { zone1 => 1, ... }
+#				      origin	  => <where defined>
+#				    }
+#		  }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -701,6 +701,40 @@ sub haveipseczones() {
     0;
 }
 
+#
+# Returns 1 if the two interfaces passed are related
+#
+sub interface_match( $$ ) {
+    my ( $piface, $ciface ) = @_;
+
+    return 1 if $piface eq $ciface;
+
+    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
+
+    return 1 if $piface eq $cifaceref->{bridge};
+    return 1 if $ciface eq $pifaceref->{bridge};
+
+    if ( $minroot ) {
+	if ( $piface =~ /\+$/ ) {
+	    my $root    = $pifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $ciface ) >= $rlength ) {
+		return 1 if $ciface eq $root;
+		chop $ciface;
+	    }
+	} elsif ( $ciface =~ /\+$/ ) {
+	    my $root    = $cifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $piface ) >= $rlength ) {
+		return 1 if $piface eq $root;
+		chop $piface;
+	    }
+	}
+    }
+
+    0;
+}
+
 #
 # Report about zones.
 #
@@ -738,7 +772,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
 			    }
 			    $printed = 1;
 			}
@@ -747,6 +781,17 @@ sub zone_report()
 	    }
 	}
 
+      PARENT:
+	for my $p ( @{$zoneref->{parents}} ) {
+	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
+		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
+		    next PARENT if interface_match( $pi, $ci );
+		}
+	    }
+
+	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
+	}
+
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1575,9 +1620,7 @@ sub known_interface($)
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface > $minroot ) {
-	    chop $iface;
-
+	while ( length $iface >= $minroot ) {
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1599,6 +1642,8 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
+
+	    chop $iface;
 	}
     }
 

Shorewall/Perl/lib.runtime

@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
 
     if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
+	if [ -n "$(mywhich conntrack)" ]; then
             conntrack -F
 	else
             error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"

Shorewall/configfiles/disabled

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/disabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully disabled using the 'disable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall/configfiles/enabled

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/enabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully enabled using the 'enable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall/configfiles/shorewall.conf

@@ -205,7 +205,7 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"
 
 MULTICAST=No
 

Shorewall/install.sh

@@ -616,8 +616,14 @@ run_install $OWNERSHIP -m 0644 params.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/c
 if [ -f ${DESTDIR}${CONFDIR}/$PRODUCT/params ]; then
     chmod 0644 ${DESTDIR}${CONFDIR}/$PRODUCT/params
 else
-    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
-    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
+    case "$SPARSE" in
+	[Vv]ery)
+	;;
+	*)
+	    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
+	    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
+	    ;;
+    esac
 fi
 
 if [ $PRODUCT = shorewall ]; then
@@ -693,10 +699,16 @@ fi
 run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 
-if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
-    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
-    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
-fi
+case "$SPARSE" in
+    [Vv]ery)
+    ;;
+    *)
+	if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+	    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+	    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
+	fi
+	;;
+esac
 
 #
 # Install the Mangle file

Shorewall/manpages/shorewall-interfaces.xml

@@ -104,9 +104,7 @@ loc     eth2            -</programlisting>
           <para>You may use wildcards here by specifying a prefix followed by
           the plus sign ("+"). For example, if you want to make an entry that
           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, … Please note that the '+' means '<emphasis
-          role="bold">one</emphasis> or more additional characters' so 'ppp'
-          does not match 'ppp+'.</para>
+          ppp1, ppp2, …</para>
 
           <para>When using Shorewall versions before 4.1.4, care must be
           exercised when using wildcards where there is another zone that uses

Shorewall/manpages/shorewall-providers.xml

@@ -214,7 +214,14 @@
                 BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
                 unless the <option>fallback</option>, <option>loose</option>,
                 <option>load</option> or <option>tproxy</option> option is
-                specified.</para>
+                specified.I</para>
+
+                <caution>
+                  <para>In IPV6, the <option>balance</option> option does not
+                  cause balanced default routes to be created; it rather
+                  causes a sequence of default routes with different metrics
+                  to be created. </para>
+                </caution>
               </listitem>
             </varlistentry>
 
@@ -337,6 +344,14 @@
                 <para>Prior to Shorewall 4.4.24, the option is ignored with a
                 warning message if USE_DEFAULT_RT=Yes in
                 <filename>shorewall.conf</filename>.</para>
+
+                <caution>
+                  <para>In IPV6, specifying the <option>fallback</option>
+                  option on multiple providers does not cause balanced
+                  fallback routes to be created; it rather causes a sequence
+                  of fallback routes with different metrics to be
+                  created.</para>
+                </caution>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -406,8 +406,9 @@
         <listitem>
           <para>Formerly named AUTO_COMMENT. If set, if there is not a current
           comment when a macro is invoked, the behavior is as if the first
-          line of the macro file was "COMMENT &lt;macro name&gt;". The
-          AUTO_COMMENT option has a default value of 'Yes'.</para>
+          line of the macro file was "COMMENT &lt;macro name&gt;". If not
+          specified, the AUTO_COMMENT option has a default value of
+          'Yes'.</para>
         </listitem>
       </varlistentry>
 
@@ -473,7 +474,7 @@
           command, then the compilation step is skipped and the compiled
           script that executed the last <command>start</command>, <emphasis
           role="bold">reload</emphasis> or <command>restart</command> command
-          is used. The default is AUTOMAKE=No.</para>
+          is used. If not specified, the default is AUTOMAKE=No.</para>
 
           <para>The setting of the AUTOMAKE option is ignored if the
           <command>start</command>, <emphasis role="bold">reload</emphasis> or
@@ -2212,8 +2213,9 @@ LOG:info:,bar                        net                    fw</programlisting>
             </listitem>
           </itemizedlist>
 
-          <para>The default value is zero which disables all
-          optimizations.</para>
+          <para>In versions prior to 5.1.0, the default value is zero which
+          disables all optimizations. Beginning with Shorewall 5.1.0, the
+          default value is All which enables all optimizations.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/shorewall6-lite.service

@@ -8,6 +8,7 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
+After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

Shorewall6-lite/shorewall6-lite.service.debian

@@ -7,6 +7,7 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
+After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

Shorewall6/configfiles/disabled

@@ -0,0 +1,12 @@
+#
+# Shorewall6 -- /etc/shorewall6/disabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully disabled using the 'disable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall6/configfiles/enabled

@@ -0,0 +1,12 @@
+#
+# Shorewall6 -- /etc/shorewall6/enabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully enabled using the 'enable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall6/configfiles/shorewall6.conf

@@ -190,7 +190,7 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"
 
 MUTEX_TIMEOUT=60
 

Shorewall6/shorewall6.service

@@ -7,6 +7,7 @@
 Description=Shorewall IPv6 firewall
 Wants=network-online.target
 After=network-online.target
+After=shorewall.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

Shorewall6/shorewall6.service.debian

@@ -8,6 +8,7 @@
 Description=Shorewall IPv6 firewall
 Wants=network-online.target
 After=network-online.target
+After=shorewall.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

docs/Events.xml

@@ -475,10 +475,8 @@ root@gateway:~# </programlisting>
     <section>
       <title>Automatic Blacklisting</title>
 
-      <para>This example is taken from <ulink
-      url="http://www.briandowney.net/blog/2009/08/20/firewalling-brute-force-attempts-with-iptables/">this
-      article</ulink> which explains the nice benefits of this approach. This
-      example is for ssh, but it can be adapted for any application.</para>
+      <para>This example is for ssh, but it can be adapted for any
+      application.</para>
 
       <para>The name SSH has been changed to SSHLIMIT so as not to override
       the Shorewall macro of the same name.</para>

docs/FAQ.xml

@@ -776,12 +776,7 @@ SNAT(<emphasis role="bold">130.151.100.69</emphasis>)    192.168.1.0/24  eth1:19
 
           <para>That rule (and the second one in the previous bullet) only
           works of course if you have a static external IP address. If you
-          have a dynamic IP address then include this in
-          <filename>/etc/shorewall/params</filename>.</para>
-
-          <programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command>        </programlisting>
-
-          <para>and make your DNAT rule:</para>
+          have a dynamic IP address then make your DNAT rule:</para>
 
           <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST
 
@@ -793,34 +788,17 @@ SNAT(<emphasis role="bold">130.151.100.69</emphasis>)    192.168.1.0/24  eth1:19
 ?SECTION NEW
 
 DNAT            loc             loc:192.168.1.5 tcp     www     -       <emphasis
-              role="bold">$ETH0_IP</emphasis></programlisting>
+              role="bold">&amp;eth0</emphasis></programlisting>
 
           <para>Using this technique, you will want to configure your
-          DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
-          time that you get a new IP address.</para>
+          DHCP/PPPoE/PPTP/… client to automatically reload Shorewall each time
+          that you get a new IP address.</para>
 
           <note>
             <para>If your local interface is a bridge, see <link
             linkend="faq2e">FAQ 2e</link> for additional configuration
             steps.</para>
           </note>
-
-          <note>
-            <para>For optional interfaces, use the function <emphasis
-            role="bold">find_first_interface_address_if_any()</emphasis>
-            rather than <emphasis
-            role="bold">find_first_interface_address()</emphasis>. The former
-            will return 0.0.0.0 if the interface has no configured IP address;
-            the latter terminates the calling program.</para>
-          </note>
-
-          <note id="Call">
-            <para>If you run Shorewall-lite on your firewall, you must use the
-            following in the firewall's configuration directory
-            <filename>params</filename> file:</para>
-
-            <programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
-          </note>
         </listitem>
       </itemizedlist>
 
@@ -928,14 +906,8 @@ MASQUERADE     192.168.1.0/24  eth2:192.168.1.2    tcp     www</programlisting>
 
 <emphasis role="bold">DNAT            loc             dmz:192.168.2.4 tcp     80      -       206.124.146.176</emphasis></programlisting>
 
-        <para>If your external IP address is dynamic, then you must do the
-        following:</para>
-
-        <para>In <filename>/etc/shorewall/params</filename>:</para>
-
-        <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command> </programlisting>
-
-        <para>and make your DNAT rule:</para>
+        <para>If your external IP address is dynamic, then you must make your
+        DNAT rule:</para>
 
         <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST
 
@@ -947,7 +919,7 @@ MASQUERADE     192.168.1.0/24  eth2:192.168.1.2    tcp     www</programlisting>
 ?SECTION NEW
 
 DNAT            loc             dmz:192.168.2.4 tcp     80      -       <emphasis
-            role="bold">$ETH0_IP</emphasis></programlisting>
+            role="bold">&amp;eth0</emphasis></programlisting>
 
         <warning>
           <para>With dynamic IP addresses, you probably don't want to use
@@ -956,21 +928,6 @@ DNAT            loc             dmz:192.168.2.4 tcp     80      -       <emphasi
           save</command> and <command>shorewall[-lite]
           restore</command></ulink>.</para>
         </warning>
-
-        <note>
-          <para>For optional interfaces, use the function <emphasis
-          role="bold">find_first_interface_address_if_any()</emphasis> rather
-          than <emphasis
-          role="bold">find_first_interface_address()</emphasis>. The former
-          will return 0.0.0.0 if the interface has no configured IP address;
-          the latter terminates the calling program.</para>
-        </note>
-
-        <note>
-          <para>If you use Shorewall-lite, then you need to configure the
-          params file in the firewall's configuration directory as described
-          <link linkend="Call">above</link>.</para>
-        </note>
       </section>
 
       <section id="faq2c">

docs/Install.xml

@@ -387,7 +387,7 @@
 
             <listitem>
               <para>Directory where the Shorewall Perl modules are installed.
-              Then will be installed in this directory under the sub-directory
+              They will be installed in this directory under the sub-directory
               Shorewall. Default is distribution-specific.</para>
             </listitem>
           </varlistentry>
@@ -597,7 +597,7 @@
           ...</member>
         </simplelist>
 
-        <para>The possible values for option are the same as those shone above
+        <para>The possible values for option are the same as those shown above
         in the shorewallrc file. They may be specified in either upper or
         lower case and may optionally be prefixed by '--'. To facilitate use
         with the rpm %configure script, the following options are
@@ -634,7 +634,7 @@
           </varlistentry>
         </variablelist>
 
-        <para>Note that %configure may dsgenerate option/value pairs that are
+        <para>Note that %configure may generate option/value pairs that are
         incompatible with the <command>configure</command> script. The current
         %configure macro is:</para>
 

docs/SharedConfig.xml

@@ -43,6 +43,12 @@
     While Shorewall also separates the address families in this way, it is
     possible for Shorewall and Shorewall6 to share almost all of the
     configuration files. This article gives an example.</para>
+
+    <caution>
+      <para>What is shown here currently works best with Debian and
+      derivatives, or when the tarball installer is used and the SPARSE option
+      is enabled when running configure[.pl].</para>
+    </caution>
   </section>
 
   <section>
@@ -66,14 +72,38 @@
 
     <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
 
-    <programlisting>root@gateway:/etc# ls shorewall shorewall6
+    <programlisting>root@gateway:/etc# ls -l shorewall shorewall6
 shorewall:
-action.Mirrors	conntrack  interfaces  mangle	params	providers  rtrules  shorewall.conf  started  zones
-actions		hosts	   isusable    mirrors	policy	proxyarp   rules    snat	    tunnels
+total 88
+-rw-r--r-- 1 root root  201 Mar 19 08:43 action.Mirrors
+-rw-r--r-- 1 root root  109 Jun 29 15:13 actions
+-rw-r--r-- 1 root root  655 Jun 29 15:13 conntrack
+-rw-r--r-- 1 root root  107 Jul  1 10:40 hosts
+-rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
+-rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
+-rw-r--r-- 1 root root  497 Jul  1 10:42 mangle
+-rw-r--r-- 1 root root    7 Jul  6 09:24 masq
+-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
+-rw-r--r-- 1 root root 2650 Jul  2 08:05 params
+-rw-r--r-- 1 root root  645 Jun 28 10:04 policy
+-rw-r--r-- 1 root root 1828 Jul  1 15:43 providers
+-rw-r--r-- 1 root root  398 Mar 18 20:18 proxyarp
+-rw-r--r-- 1 root root  702 Jul  1 10:42 rtrules
+-rw-r--r-- 1 root root 6214 Jul  2 08:45 rules
+lrwxrwxrwx 1 root root   29 Jul  6 12:42 shorewall6.conf -&gt; ../shorewall6/shorewall6.conf
+-rw-r--r-- 1 root root 5571 Jun 25 18:09 shorewall.conf
+-rw-r--r-- 1 root root 1084 Jul  1 10:42 snat
+-rw-r--r-- 1 root root  181 Jun 29 15:12 started
+-rw-r--r-- 1 root root  437 Jun 28 10:45 tunnels
+-rw-r--r-- 1 root root  928 Jun 29 08:25 zones
 
 shorewall6:
-shorewall6.conf
-root@gateway:/etc#</programlisting>
+total 12
+-rw------- 1 root root  954 Jul  6 12:48 conntrack
+lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -&gt; ../shorewall/mirrors
+lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -&gt; ../shorewall/params
+-rw-r--r-- 1 root root 5328 Jul  6 12:45 shorewall6.conf
+root@gateway:/etc# </programlisting>
 
     <para>The various configuration files are described in the sections that
     follow. Note that in all cases, these files use the <ulink
@@ -87,11 +117,15 @@ root@gateway:/etc#</programlisting>
       address families. The key setting is CONFIG_PATH in
       shorewall6.conf:</para>
 
-      <programlisting>CONFIG_PATH="${CONFDIR}/shorewall6:<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"A</programlisting>
+      <programlisting>CONFIG_PATH="<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"</programlisting>
 
-      <para>Any Shorewall6 configuration file not found in
-      /etc/shorewall/shorewall6/ will be searched for in
-      /etc/shorewall/.</para>
+      <para><filename>/etc/shorewall6/</filename> is only used for processing
+      the <filename>params</filename> and <filename>shorewall6.conf</filename>
+      files. <filename>/etc/shorewall6/conntrack</filename> is installed when
+      SPARSE=Yes, but is not used.</para>
+
+      <para>The /etc/shorewall/shorewall6.conf symbolic link is required once
+      the above CONFIG_PATH setting is in effect.</para>
 
       <section>
         <title>shorewall.conf</title>
@@ -309,7 +343,7 @@ UNTRACKED_LOG_LEVEL=
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
 IP6TABLES=
 IP=
@@ -427,12 +461,12 @@ ZONE_BITS=0
 
       <para>Because addresses and interfaces are different between the two
       address families, they cannot be hard-coded in the configuration files.
-      /etc/shorewall/params is used to set shell variables whose contents will
-      vary between Shorewall and Shorewall6. In the params file and in
-      run-time extension files, the shell variable <emphasis
-      role="bold">g_family</emphasis> can be used to determine which address
-      family to use; if IPv4, then $g_family will expand to 4 and if IPv6,
-      $g_family will expand to 6.</para>
+      <filename>/etc/shorewall/params</filename> is used to set shell
+      variables whose contents will vary between Shorewall and Shorewall6. In
+      the <filename>params</filename> file and in run-time extension files,
+      the shell variable <emphasis role="bold">g_family</emphasis> can be used
+      to determine which address family to use; if IPv4, then $g_family will
+      expand to 4 and if IPv6, $g_family will expand to 6.</para>
 
       <para>The contents of /etc/shorewall/params is as follows:</para>
 
@@ -474,7 +508,7 @@ else
     LISTS=[2001:470:b:227::42]		      # IP address of lists.shorewall.net (MX and HTTPS)
     MAIL=[2001:470:b:227::45]		      # IP address of mail.shorewall.net  (IMAPS and HTTPS)
     SERVER=[2001:470:b:227::43]		      # IP address of www.shorewall.org   (HTTP, FTP and RSYNC)
-    PROXY=Yes				      # Use TPROXY for local web access
+    PROXY=
     ALL=[::]/0				      # Entire address space
     LOC_ADDR=[2601:601:8b00:bf0::1]	      # IP address of the local LAN interface
     FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf    # Default gateway through the IF_FAST interface
@@ -646,7 +680,7 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
 ?else
     { SOURCE=2001:470:A:227::/64,         PROVIDER=HE,	     PRIORITY=1000! }
     { SOURCE=2001:470:B:227::/64,         PROVIDER=HE,	     PRIORITY=11000 }
-    { SOURCE=2601:601:8b00:bf0::/56	  PROVIDER=IPv6Fast, PRIORITY=11000 }
+    { SOURCE=2601:601:8b00:bf0::/60	  PROVIDER=IPv6Fast, PRIORITY=11000 }
 ?endif
 </programlisting>
     </section>
@@ -885,7 +919,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
     SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
     SNAT(172.20.1.253)  { SOURCE=172.20.3.0/24,	 	      DEST=LOC_IF:172.20.1.100 }
 ?else
-    SNAT(&amp;PROD_IF)	{ SOURCE=2601:601:8b00:bf0::56,                 DEST=PROD_IF }
+    SNAT(&amp;PROD_IF)	{ SOURCE=2601:601:8b00:bf0::/60,                DEST=PROD_IF }
     SNAT(&amp;FAST_IF)	{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
 ?endif
 </programlisting>

docs/Shorewall-init.xml

@@ -147,7 +147,7 @@
 
     <para>To integrate with NetworkManager and ifup/ifdown, additional steps
     are required. You probably don't want to enable this feature if you run a
-    link status monitor like swping or LSM.</para>
+    link status monitor like FOOLSM.</para>
 
     <orderedlist numeration="loweralpha">
       <listitem>

docs/Shorewall_Squid_Usage.xml

@@ -426,7 +426,8 @@ Tproxy    1        -        -           lo        -            tproxy</programli
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
 
-    <para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
+    <para>Corresponding <filename>/etc/shorewall/tcrules</filename>
+    are:</para>
 
     <programlisting>#MARK           SOURCE      DEST        PROTO      DPORT       SPORT
 DIVERT          eth0        0.0.0.0/0   tcp        -           80

docs/Shorewall_and_Aliased_Interfaces.xml

@@ -253,7 +253,7 @@ eth0:0                   192.168.1.0/24 206.124.146.178-206.124.146.180</program
       <filename>/etc/shorewall/snat</filename> is:</para>
 
       <programlisting>#ACTION                              SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.178-206.24.146.80)  192.168.1.0/24  eth0</programlisting>
+SNAT(206.124.146.178-206.24.146.180)  192.168.1.0/24  eth0</programlisting>
 
       <para>The above would create three IP addresses:</para>
 

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2016</year>
+      <year>2001-2017</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -583,9 +583,9 @@ ACCEPT      net:\
           </row>
 
           <row>
-            <entry>conntrack (formerly notrack)</entry>
+            <entry>conntrack</entry>
 
-            <entry>source,dest,proto,dport,sport,user,switch</entry>
+            <entry>action,source,dest,proto,dport,sport,user,switch</entry>
           </row>
 
           <row>

docs/shorewall_extension_scripts.xml

@@ -234,6 +234,18 @@ cat -</programlisting>
         can be used to augment or replace functions in the standard CLI
         libraries.</para>
       </listitem>
+
+      <listitem>
+        <para><filename>enabled</filename> -- Added in Shorewall 5.1.6.
+        Invoked when an optional interface or provider is successfully enabled
+        using the <command>enable</command> command.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>disabled</filename> -- Added in Shorewall 5.1.6.
+        Invoked when an optional interface or provider is successfully
+        disabled using the <command>disable</command> command.</para>
+      </listitem>
     </itemizedlist>
 
     <para><emphasis role="bold">If your version of Shorewall doesn't have the
@@ -274,6 +286,18 @@ cat -</programlisting>
             <entry/>
           </row>
 
+          <row>
+            <entry>disable</entry>
+
+            <entry>disable</entry>
+          </row>
+
+          <row>
+            <entry>enable</entry>
+
+            <entry>enable</entry>
+          </row>
+
           <row>
             <entry>init</entry>
 
@@ -446,20 +470,14 @@ cat -</programlisting>
         <itemizedlist>
           <listitem>
             <para>CONFDIR - The configuration directory. Will be <filename
-            class="directory">/etc/shorewall</filename>, <filename
-            class="directory">/etc/shorewall6/</filename>, <filename
-            class="directory">/etc/shorewall-lite</filename>, or <filename
-            class="directory">/etc/shorewall6-lite</filename> depending on
-            which product is running.</para>
+            class="directory">/etc/</filename>.
+	    The running product is defined in the g_product variable.</para>
           </listitem>
 
-          <listitem>
-            <para>SHAREDIR - The product shared directory. Will be <filename
-            class="directory">/usr/share/shorewall</filename>, <filename
-            class="directory">/usr/share/shorewall6/</filename>, <filename
-            class="directory">/usr/share/shorewall-lite</filename>, or
-            <filename class="directory">/usr/share/shorewall6-lite</filename>
-            depending on which product is running.</para>
+	  <listitem>
+	    <para>SHAREDIR - The product shared directory. Will be <filename
+	    class="directory">/usr/share</filename>.
+	    The running product is defined in the g_product variable.</para>
           </listitem>
 
           <listitem>
@@ -508,25 +526,37 @@ cat -</programlisting>
               <row>
                 <entry>initdone</entry>
 
-                <entry>init</entry>
+                <entry>disable</entry>
               </row>
 
               <row>
                 <entry>maclog</entry>
 
-                <entry>isusable</entry>
+                <entry>enable</entry>
               </row>
 
               <row>
                 <entry>Per-chain (including those associated with
                 actions)</entry>
 
-                <entry>start</entry>
+                <entry>init</entry>
               </row>
 
               <row>
                 <entry>postcompile</entry>
 
+                <entry>isusable</entry>
+              </row>
+
+              <row>
+                <entry/>
+
+                <entry>start</entry>
+              </row>
+
+              <row>
+                <entry/>
+
                 <entry>started</entry>
               </row>
 
@@ -575,6 +605,44 @@ cat -</programlisting>
           </tgroup>
         </informaltable></para>
 
+      <para>The contents of each run-time script is placed in a shell
+      function, so you can declare local variables and can use the
+      <command>return</command> command. The functions generated from the
+      <filename>enable</filename> and <filename>disable</filename> scripts are
+      passed three arguments:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>$1</term>
+
+          <listitem>
+            <para>Physical name of the interface that was enabled or
+            disabled.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>$2</term>
+
+          <listitem>
+            <para>Logical name of the interface.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>$3</term>
+
+          <listitem>
+            <para>Name of the Provider, if any, associated with the
+            interface.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+
+      <para>As described above, the function generated from the
+      <filename>isusable</filename> script is passed a single argument that
+      names a network interface.</para>
+
       <para>With the exception of postcompile, compile-time extension scripts
       are executed using the Perl 'eval `cat
       &lt;<emphasis>file</emphasis>&gt;`' mechanism. Be sure that each script