Correct typo in Chains.pm

&g_dockeringress -> $g_dockeringress

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50105
+SHOREWALL_CAPVERSION=50106
 
 if [ -z "$g_basedir" ]; then
     #
@@ -2804,6 +2804,7 @@ determine_capabilities() {
     CPU_FANOUT=
     NETMAP_TARGET=
     NFLOG_SIZE=
+    RESTORE_WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2827,9 +2828,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
+    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
+
     if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
     fi
 
     chain=fooX$$
@@ -3299,9 +3302,11 @@ report_capabilities_unsorted() {
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3417,6 +3422,7 @@ report_capabilities_unsorted1() {
     report_capability1 CPU_FANOUT
     report_capability1 NETMAP_TARGET
     report_capability1 NFLOG_SIZE
+    report_capability1 RESTORE_WAIT_OPTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3721,7 +3727,7 @@ ipcalc_command() {
 
     valid_address $address || fatal_error "Invalid IP address: $address"
     [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm

Shorewall-core/lib.common

@@ -269,53 +269,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
     local modulename
     modulename=$1
+    shift
+    local moduleoptions
+    moduleoptions=$*
     local modulefile
     local suffix
 
     if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		shift
-
-		for suffix in $MODULE_SUFFIX ; do
-		    for directory in $moduledirectories; do
-			modulefile=$directory/${modulename}.${suffix}
-
-			if [ -f $modulefile ]; then
 		case $moduleloader in
 		    insmod)
-				    insmod $modulefile $*
+			for directory in $moduledirectories; do
-				    ;;
+			    for modulefile in $directory/${modulename}.*; do
-				*)
+				if [ -f $modulefile ]; then
-				    modprobe $modulename $*
+				    insmod $modulefile $moduleoptions
-				    ;;
+				    return
-			    esac
-			    break 2
 				fi
 			    done
 			done
+			;;
+		    *)
+			modprobe -q $modulename $moduleoptions
+			;;
+		esac
 	    fi
 	fi
     elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
 	case $moduleloader in
 	    insmod)
-			    insmod $modulefile $*
+		for directory in $moduledirectories; do
-			    ;;
+		    for modulefile in $directory/${modulename}.*; do
-			*)
+			if [ -f $modulefile ]; then
-			    modprobe $modulename $*
+			    insmod $modulefile $moduleoptions
-			    ;;
+			    return
-		    esac
-		    break 2
 			fi
 		    done
 		done
+		;;
+	    *)
+		modprobe -q $modulename $moduleoptions
+		;;
+	esac
     fi
 }
 
@@ -338,8 +333,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +387,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)

Shorewall-init/init.debian.sh

@@ -159,8 +159,9 @@ shorewall_stop () {
 
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
       else
+	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
       fi
 

Shorewall-init/init.fedora.sh

@@ -66,6 +66,10 @@ start () {
 
     printf "Initializing \"Shorewall-based firewalls\": "
 
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
     for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
@@ -120,6 +124,15 @@ stop () {
     done
 
     if [ $retval -eq 0 ]; then
+	if [ -n "$SAVE_IPSETS" ]; then
+	    mkdir -p $(dirname "$SAVE_IPSETS")
+	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
+		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    else
+		rm -f "${SAVE_IPSETS}.tmp"
+	    fi
+	fi
+
 	rm -f $lockfile
 	success
     else

Shorewall-init/init.openwrt.sh

@@ -126,7 +126,9 @@ stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 }

Shorewall-init/init.sh

@@ -116,7 +116,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 

Shorewall-init/init.suse.sh

@@ -126,7 +126,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 }

Shorewall-init/shorewall-init

@@ -104,7 +104,9 @@ shorewall_stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 

Shorewall-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall/Actions/action.IfEvent

@@ -107,6 +107,11 @@ if ( $command & $REAP_OPT ) {
 
 $duration .= '--rttl ' if $command & $TTL_OPT;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
+    $action = 'ACCEPT';
+}
+
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
 

Shorewall/Actions/action.ResetEvent

@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {

Shorewall/Actions/action.SetEvent

@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {

Shorewall/Macros/macro.RDP

@@ -6,4 +6,5 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
+PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389

Shorewall/Perl/Shorewall/Chains.pm

@@ -1345,8 +1345,6 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
-
-	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1929,7 +1927,7 @@ sub delete_reference( $$ ) {
 
     assert( $toref );
 
-    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
+    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
 }
 
 #
@@ -2067,7 +2065,7 @@ sub adjust_reference_counts( $$$ ) {
     my ($toref, $name1, $name2) = @_;
 
     if ( $toref ) {
-	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
+	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
 	$toref->{references}{$name2}++;
     }
 }
@@ -3275,8 +3273,10 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
     }
 
@@ -3900,6 +3900,15 @@ sub optimize_level8( $$$ ) {
 		    }
 
 		    $combined{ $chainref1->{name} } = $chainref->{name};
+		    #
+		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
+		    # the policy attributes in the combined chain
+		    #
+		    if ( $chainref->{policychain} ) {
+			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
+		    } elsif ( $chainref1->{policychain} ) {
+			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
+		    }
 		}
 	    }
 	}
@@ -4826,7 +4835,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -5033,7 +5042,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 
 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -6318,7 +6327,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? '' : "-d $net ";
 }
 
@@ -6399,7 +6408,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
     $net eq ALLIP ? () : ( d =>  $net );
 }
 
@@ -7058,6 +7067,8 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
     my ( $logical, $protect, $provider ) = @_;
 
+    $provider = '' unless defined $provider;
+
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
     my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -7071,9 +7082,9 @@ sub get_interface_gateway ( $;$$ ) {
     }
 
     if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
     } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
     }
 
@@ -7522,6 +7533,11 @@ sub isolate_dest_interface( $$$$ ) {
 
 	    $rule .= "-d $variable ";
 	}
+    } elsif ( $dest =~ /^\$/ ) {
+	#
+	# Runtime address variable
+	#
+	$dnets  = $dest;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8445,6 +8461,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
 
@@ -8460,6 +8477,7 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8902,9 +8920,15 @@ sub create_netfilter_load( $ ) {
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
 
     emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
-	  '    option="--counters"',
+
-	  '',
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
+    } else {
+	emit( '    option="--counters"' );
+    }
+
+    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8912,7 +8936,11 @@ sub create_netfilter_load( $ ) {
 
     push_indent;
 
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
+    } else {
 	emit 'option=';
+    }
 
     save_progress_message "Preparing $utility input...";
 
@@ -8961,6 +8989,10 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9065,6 +9097,11 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9302,6 +9339,10 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9327,7 +9368,11 @@ sub create_stop_load( $ ) {
 
     enter_cmd_mode;
 
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
+    } else {
 	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    }
 
     emit( '',
 	  'progress_message2 "Running $command..."',

Shorewall/Perl/Shorewall/Compiler.pm

@@ -209,6 +209,8 @@ sub generate_script_2() {
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
     emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
     emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
+    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
+    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -266,7 +268,8 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
     }
 

Shorewall/Perl/Shorewall/Config.pm

@@ -36,6 +36,7 @@ use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
+use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
@@ -315,7 +316,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -414,7 +415,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                  NETMAP_TARGET   => 'NETMAP Target',
                  NFLOG_SIZE      => '--nflog-size support',
-
+		 RESTORE_WAIT_OPTION
+				 => 'iptables-restore --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -647,6 +649,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
+                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -752,7 +755,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.1.5-RC1",
-		    CAPVERSION              => 50105 ,
+		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -847,7 +850,6 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
-	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -1046,6 +1048,7 @@ sub initialize( $;$$) {
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
+	       RESTORE_WAIT_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -4285,7 +4288,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
 
     my $modulesdir = $config{MODULESDIR};
 
@@ -4318,25 +4321,20 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+      MODULE:
-
-	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
-
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		for my $directory ( @moduledirectories ) {
+		if ( $moduleloader =~ /modprobe$/ ) {
-		    for my $suffix ( @suffixes ) {
+		    system( "modprobe -q $module $arguments" );
-			my $modulefile = "$directory/$module.$suffix";
-			if ( -f $modulefile ) {
-			    if ( $moduleloader eq 'insmod' ) {
-				system ("insmod $modulefile $arguments" );
-			    } else {
-				system( "modprobe $module $arguments" );
-			    }
-
 		    $loadedmodules{ $module } = 1;
+		} else {
+		    for my $directory ( @moduledirectories ) {
+			for my $modulefile ( <$directory/$module.*> ) {
+			    system ("insmod $modulefile $arguments" );
+			    $loadedmodules{ $module } = 1;
+			    next MODULE;
 			}
 		    }
 		}
@@ -4948,6 +4946,10 @@ sub Cpu_Fanout() {
     have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 
+sub Restore_Wait_Option() {
+    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AMANDA_HELPER => \&Amanda_Helper,
@@ -5028,6 +5030,7 @@ our %detect_capability =
       REALM_MATCH => \&Realm_Match,
       REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
+      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
       RPFILTER_MATCH => \&RPFilter_Match,
       SANE_HELPER => \&SANE_Helper,
       SANE0_HELPER => \&SANE0_Helper,
@@ -5195,6 +5198,8 @@ sub determine_capabilities() {
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
+	$capabilities{RESTORE_WAIT_OPTION}
+				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -6061,7 +6066,6 @@ sub get_configuration( $$$$ ) {
     #
     # get_capabilities requires that the true settings of these options be established
     #
-    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
     default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
 
     if ( ! $export && $> == 0 ) {
@@ -6247,7 +6251,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
     }
 
-    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
+    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
     default_yes_no 'ADD_SNAT_ALIASES'           , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6833,6 +6837,12 @@ sub get_configuration( $$$$ ) {
 	}
     }
 
+    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
+	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
+    } else {
+	$config{MUTEX_TIMEOUT} = 60;
+    }
+
     add_variables %config;
 
     while ( my ($var, $val ) = each %renamed ) {

Shorewall/Perl/Shorewall/Misc.pm

@@ -667,6 +667,7 @@ sub create_docker_rules() {
 
     my $chainref = $filter_table->{FORWARD};
 
+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
     add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
 
     if ( my $dockerref = known_interface('docker0') ) {

Shorewall/Perl/Shorewall/Nat.pm

@@ -941,7 +941,17 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
+	    my @servers;
+
+	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
+		$server = record_runtime_address( $1, $2 );
+		$server =~ s/ $//;
+		@servers = ( $server );
+	    } else {
+		@servers = validate_address $server, 1;
+	    }
+
 	    $server = join ',', @servers;
 	}
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -502,7 +502,7 @@ sub process_a_provider( $ ) {
 
     if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway( $interface, undef, $number );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
     } elsif ( $gw eq 'none' ) {
@@ -1089,7 +1089,7 @@ CEOF
 	}
 
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
-	      'run_enabled_exit'
+	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );
 
 	emit_started_message( '', 2, $pseudo, $table, $number );
@@ -1237,7 +1237,7 @@ CEOF
 	}
 
 	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      'run_disabled_exit'
+	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
 	    );
 
 	if ( $pseudo ) {

Shorewall/Perl/Shorewall/Rules.pm

@@ -216,6 +216,10 @@ our %statetable;
 # Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
 #
 our $statematch;
+#
+# Remembers NAT-oriented columns from top-level action invocations
+#
+our %nat_columns;
 
 #
 # Action/Inline options
@@ -384,6 +388,8 @@ sub initialize( $ ) {
 	                  );
     }
 
+    %nat_columns = ( dest => '-', proto => '-', ports => '-' );
+
     ############################################################################
     # Initialize variables moved from the Tc module in Shorewall 5.0.7         #
     ############################################################################
@@ -1652,6 +1658,19 @@ sub merge_inline_source_dest( $$ ) {
     $body || '';
 }
 
+#
+# This one is used by perl_action_helper()
+#
+sub merge_action_column( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( supplied( $body ) && $body ne '-' ) {
+	$body;
+    } else {
+	$invocation;
+    }
+}
+
 sub merge_macro_column( $$ ) {
     my ( $body, $invocation ) = @_;
 
@@ -2510,6 +2529,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $exceptionrule = '';
     my $usergenerated;
     my $prerule = '';
+    my %save_nat_columns = %nat_columns;
+    my $generated = 0;
     #
     # Subroutine for handling MARK and CONNMARK.
     #
@@ -2591,7 +2612,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	$current_param = $param unless $param eq '' || $param eq 'PARAM';
 
-	my $generated = process_macro( $basictarget,
+	$generated = process_macro( $basictarget,
 				    $chainref,
 				    $rule . $raw_matches,
 				    $matches1,
@@ -2614,9 +2635,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 				    $wildcard );
 
 	$macro_nest_level--;
-
+	goto EXIT;
-	return $generated;
-
     } elsif ( $actiontype & NFQ ) {
 	$action = handle_nfqueue( $param,
 				  1 # Allow 'bypass'
@@ -2688,6 +2707,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
+
 		  if ( $dest eq '-' ) {
 		      if ( $family == F_IPV4 ) {
 			  $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -2816,6 +2836,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
     }
+
     #
     # Isolate and validate source and destination zones
     #
@@ -2909,7 +2930,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} & BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		return 0 if $wildcard;
+		goto EXIT if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -2924,7 +2945,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $policy = $chainref->{policy};
 
 	if ( $policy eq 'NONE' ) {
-	    return 0 if $wildcard;
+	    goto EXIT if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -2933,9 +2954,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	if ( $optimize == 1 && $section == NEW_SECTION ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		return 0 if $target eq "${policy}:${loglevel}";
+		goto EXIT if $target eq "${policy}:${loglevel}";
 	    } else {
-		return 0 if $basictarget eq $policy;
+		goto EXIT if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -2980,6 +3001,21 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Save NAT-oriented column contents
+	#
+	@nat_columns{'dest', 'proto', 'ports' } = ( $dest,
+						    $proto eq '-' ? $nat_columns{proto} : $proto,
+						    $ports eq '-' ? $nat_columns{ports} : $ports );
+	#
+	# Push the current column array onto the column stack
+	#
+        my @savecolumns = @columns;
+	#
+	# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper. We
+	# only need the NAT-oriented columns
+	#
+	@columns = ( undef , undef, $dest, $proto, $ports);
 	#
 	# Handle 'section' option
 	#
@@ -3023,6 +3059,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$action = $basictarget; # Remove params, if any, from $action.
+
+	@columns = @savecolumns;
     } elsif ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule() recursively for each rule in the action body
@@ -3039,7 +3077,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	$actionresult = 0;
 
-	my $generated = process_inline( $basictarget,
+	$generated = process_inline( $basictarget,
 				     $chainref,
 				     $prerule . $rule,
 				     $matches1 . $raw_matches,
@@ -3066,7 +3104,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	$macro_nest_level--;
 
-	return $generated;
+	goto EXIT;
     }
     #
     # Generate Fixed part of the rule
@@ -3252,7 +3290,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
     }
 
-    return 1;
+    $generated = 1;
+
+  EXIT:
+    {
+      %nat_columns = %save_nat_columns;
+    }
+
+    return $generated;
 }
 
 
@@ -3405,6 +3450,37 @@ sub perl_action_helper($$;$$) {
 				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
+    } else {
+	if ( ( $targets{$target} || 0 ) & NATRULE ) {
+	    $result = process_rule( $chainref,
+				    $matches,
+				    $matches1,
+				    merge_target( $actions{$action}, $target ),
+				    '',                               # Current Param
+				    '-',                              # Source
+				    merge_action_column(              # Dest
+					$columns[2],			      
+					$nat_columns{dest}
+				    ),
+				    merge_action_column(              #Proto
+					$columns[3],
+					$nat_columns{proto}
+				    ),
+				    merge_action_column(              #Ports
+					$columns[4],
+					$nat_columns{ports}),
+				    '-',                              # Source Port(s)
+				    '-',                              # Original Dest
+				    '-',                              # Rate Limit
+				    '-',                              # User
+				    '-',                              # Mark
+				    '-',                              # Connlimit
+				    '-',                              # Time
+				    '-',                              # Headers,
+				    '-',                              # condition,
+				    '-',                              # helper,
+				    0,                                # Wildcard
+		);
 	} else {
 	    $result = process_rule( $chainref,
 				    $matches,
@@ -3427,6 +3503,8 @@ sub perl_action_helper($$;$$) {
 				    '-',                              # helper,
 				    0,                                # Wildcard
 		);
+	}
+
 	allow_optimize( $chainref );
     }
     #
@@ -3493,6 +3571,7 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # helper,
 				    0,                                # Wildcard
 		                  );
+
 	    allow_optimize( $chainref );
 	}
 	#
@@ -5286,7 +5365,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $interfaces = $1;
 	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+	    if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) {
 		$interfaces = $one;
 		$destnets = $two;
 	    } else {

Shorewall/Perl/Shorewall/Zones.pm

@@ -701,6 +701,40 @@ sub haveipseczones() {
     0;
 }
 
+#
+# Returns 1 if the two interfaces passed are related
+#
+sub interface_match( $$ ) {
+    my ( $piface, $ciface ) = @_;
+
+    return 1 if $piface eq $ciface;
+
+    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
+
+    return 1 if $piface eq $cifaceref->{bridge};
+    return 1 if $ciface eq $pifaceref->{bridge};
+
+    if ( $minroot ) {
+	if ( $piface =~ /\+$/ ) {
+	    my $root    = $pifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $ciface ) >= $rlength ) {
+		return 1 if $ciface eq $root;
+		chop $ciface;
+	    }
+	} elsif ( $ciface =~ /\+$/ ) {
+	    my $root    = $cifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $piface ) >= $rlength ) {
+		return 1 if $piface eq $root;
+		chop $piface;
+	    }
+	}
+    }
+
+    0;
+}
+
 #
 # Report about zones.
 #
@@ -738,7 +772,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
 			    }
 			    $printed = 1;
 			}
@@ -747,6 +781,17 @@ sub zone_report()
 	    }
 	}
 
+      PARENT:
+	for my $p ( @{$zoneref->{parents}} ) {
+	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
+		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
+		    next PARENT if interface_match( $pi, $ci );
+		}
+	    }
+
+	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
+	}
+
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1575,9 +1620,7 @@ sub known_interface($)
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface > $minroot ) {
+	while ( length $iface >= $minroot ) {
-	    chop $iface;
-
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1599,6 +1642,8 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
+
+	    chop $iface;
 	}
     }
 

Shorewall/Perl/lib.runtime

@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
 
     if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
+	if [ -n "$(mywhich conntrack)" ]; then
             conntrack -F
 	else
             error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface
+detect_gateway() # $1 = interface $2 = table number
 {
     local interface
     interface=$1
@@ -912,6 +912,8 @@ detect_gateway() # $1 = interface
     # Maybe there's a default route through this gateway already
     #
     [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+
+    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #

Shorewall/Samples/Universal/shorewall.conf

@@ -205,8 +205,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/Samples/one-interface/shorewall.conf

@@ -216,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -213,8 +213,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -216,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/configfiles/disabled

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/disabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully disabled using the 'disable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall/configfiles/enabled

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/enabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully enabled using the 'enable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall/configfiles/shorewall.conf

@@ -205,8 +205,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX=ko
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/lib.cli-std

@@ -1556,10 +1556,10 @@ remote_reload_command() # $* = original arguments less the command.
 
 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
     fi

Shorewall/manpages/shorewall-interfaces.xml

@@ -104,9 +104,7 @@ loc     eth2            -</programlisting>
           <para>You may use wildcards here by specifying a prefix followed by
           the plus sign ("+"). For example, if you want to make an entry that
           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, … Please note that the '+' means '<emphasis
+          ppp1, ppp2, …</para>
-          role="bold">one</emphasis> or more additional characters' so 'ppp'
-          does not match 'ppp+'.</para>
 
           <para>When using Shorewall versions before 4.1.4, care must be
           exercised when using wildcards where there is another zone that uses

Shorewall/manpages/shorewall-modules.xml

@@ -51,7 +51,7 @@
 
     <para>The <replaceable>modulename</replaceable> names a kernel module
     (without suffix). Shorewall will search for modules based on your
-    MODULESDIR and MODULE_SUFFIX settings in <ulink
+    MODULESDIR setting in <ulink
     url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
     <replaceable>moduleoption</replaceable>s are passed to modprobe (if
     installed) or to insmod.</para>

Shorewall/manpages/shorewall-providers.xml

@@ -214,7 +214,14 @@
                 BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
                 unless the <option>fallback</option>, <option>loose</option>,
                 <option>load</option> or <option>tproxy</option> option is
-                specified.</para>
+                specified.I</para>
+
+                <caution>
+                  <para>In IPV6, the <option>balance</option> option does not
+                  cause balanced default routes to be created; it rather
+                  causes a sequence of default routes with different metrics
+                  to be created. </para>
+                </caution>
               </listitem>
             </varlistentry>
 
@@ -337,6 +344,14 @@
                 <para>Prior to Shorewall 4.4.24, the option is ignored with a
                 warning message if USE_DEFAULT_RT=Yes in
                 <filename>shorewall.conf</filename>.</para>
+
+                <caution>
+                  <para>In IPV6, specifying the <option>fallback</option>
+                  option on multiple providers does not cause balanced
+                  fallback routes to be created; it rather causes a sequence
+                  of fallback routes with different metrics to be
+                  created.</para>
+                </caution>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-snat.xml

@@ -673,7 +673,7 @@
           address changed to 206.124.146.177.</para>
 
           <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
+        SNAT(206.124.146.177)   -               eth0:+myset[dst]</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -406,8 +406,9 @@
         <listitem>
           <para>Formerly named AUTO_COMMENT. If set, if there is not a current
           comment when a macro is invoked, the behavior is as if the first
-          line of the macro file was "COMMENT &lt;macro name&gt;". The
+          line of the macro file was "COMMENT &lt;macro name&gt;". If not
-          AUTO_COMMENT option has a default value of 'Yes'.</para>
+          specified, the AUTO_COMMENT option has a default value of
+          'Yes'.</para>
         </listitem>
       </varlistentry>
 
@@ -473,7 +474,7 @@
           command, then the compilation step is skipped and the compiled
           script that executed the last <command>start</command>, <emphasis
           role="bold">reload</emphasis> or <command>restart</command> command
-          is used. The default is AUTOMAKE=No.</para>
+          is used. If not specified, the default is AUTOMAKE=No.</para>
 
           <para>The setting of the AUTOMAKE option is ignored if the
           <command>start</command>, <emphasis role="bold">reload</emphasis> or
@@ -1891,18 +1892,6 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
-        role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
-        role="bold">"</emphasis>]</term>
-
-        <listitem>
-          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
-          o.gz o.xz gz xz".</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis
         role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
@@ -2212,8 +2201,9 @@ LOG:info:,bar                        net                    fw</programlisting>
             </listitem>
           </itemizedlist>
 
-          <para>The default value is zero which disables all
+          <para>In versions prior to 5.1.0, the default value is zero which
-          optimizations.</para>
+          disables all optimizations. Beginning with Shorewall 5.1.0, the
+          default value is All which enables all optimizations.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall6-lite/shorewall6-lite.service

@@ -8,6 +8,7 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
+After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

Shorewall6-lite/shorewall6-lite.service.debian

@@ -7,6 +7,7 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
+After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -191,8 +191,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/configfiles/disabled

@@ -0,0 +1,12 @@
+#
+# Shorewall6 -- /etc/shorewall6/disabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully disabled using the 'disable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall6/configfiles/enabled

@@ -0,0 +1,12 @@
+#
+# Shorewall6 -- /etc/shorewall6/enabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully enabled using the 'enable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any

Shorewall6/configfiles/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX=ko
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/shorewall6.service

@@ -7,6 +7,7 @@
 Description=Shorewall IPv6 firewall
 Wants=network-online.target
 After=network-online.target
+After=shorewall.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

Shorewall6/shorewall6.service.debian

@@ -8,6 +8,7 @@
 Description=Shorewall IPv6 firewall
 Wants=network-online.target
 After=network-online.target
+After=shorewall.service
 Conflicts=ip6tables.service firewalld.service
 
 [Service]

docs/Shorewall-init.xml

@@ -147,7 +147,7 @@
 
     <para>To integrate with NetworkManager and ifup/ifdown, additional steps
     are required. You probably don't want to enable this feature if you run a
-    link status monitor like swping or LSM.</para>
+    link status monitor like FOOLSM.</para>
 
     <orderedlist numeration="loweralpha">
       <listitem>

docs/Shorewall_Squid_Usage.xml

@@ -426,7 +426,8 @@ Tproxy    1        -        -           lo        -            tproxy</programli
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
 
-    <para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
+    <para>Corresponding <filename>/etc/shorewall/tcrules</filename>
+    are:</para>
 
     <programlisting>#MARK           SOURCE      DEST        PROTO      DPORT       SPORT
 DIVERT          eth0        0.0.0.0/0   tcp        -           80

docs/Shorewall_and_Aliased_Interfaces.xml

@@ -253,7 +253,7 @@ eth0:0                   192.168.1.0/24 206.124.146.178-206.124.146.180</program
       <filename>/etc/shorewall/snat</filename> is:</para>
 
       <programlisting>#ACTION                              SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.178-206.24.146.80)  192.168.1.0/24  eth0</programlisting>
+SNAT(206.124.146.178-206.24.146.180)  192.168.1.0/24  eth0</programlisting>
 
       <para>The above would create three IP addresses:</para>
 

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2016</year>
+      <year>2001-2017</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -583,9 +583,9 @@ ACCEPT      net:\
           </row>
 
           <row>
-            <entry>conntrack (formerly notrack)</entry>
+            <entry>conntrack</entry>
 
-            <entry>source,dest,proto,dport,sport,user,switch</entry>
+            <entry>action,source,dest,proto,dport,sport,user,switch</entry>
           </row>
 
           <row>

docs/shorewall_extension_scripts.xml

@@ -234,6 +234,18 @@ cat -</programlisting>
         can be used to augment or replace functions in the standard CLI
         libraries.</para>
       </listitem>
+
+      <listitem>
+        <para><filename>enabled</filename> -- Added in Shorewall 5.1.6.
+        Invoked when an optional interface or provider is successfully enabled
+        using the <command>enable</command> command.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>disabled</filename> -- Added in Shorewall 5.1.6.
+        Invoked when an optional interface or provider is successfully
+        disabled using the <command>disable</command> command.</para>
+      </listitem>
     </itemizedlist>
 
     <para><emphasis role="bold">If your version of Shorewall doesn't have the
@@ -274,6 +286,18 @@ cat -</programlisting>
             <entry/>
           </row>
 
+          <row>
+            <entry>disable</entry>
+
+            <entry>disable</entry>
+          </row>
+
+          <row>
+            <entry>enable</entry>
+
+            <entry>enable</entry>
+          </row>
+
           <row>
             <entry>init</entry>
 
@@ -446,20 +470,14 @@ cat -</programlisting>
         <itemizedlist>
           <listitem>
             <para>CONFDIR - The configuration directory. Will be <filename
-            class="directory">/etc/shorewall</filename>, <filename
+            class="directory">/etc/</filename>.
-            class="directory">/etc/shorewall6/</filename>, <filename
+	    The running product is defined in the g_product variable.</para>
-            class="directory">/etc/shorewall-lite</filename>, or <filename
-            class="directory">/etc/shorewall6-lite</filename> depending on
-            which product is running.</para>
           </listitem>
 
 	  <listitem>
 	    <para>SHAREDIR - The product shared directory. Will be <filename
-            class="directory">/usr/share/shorewall</filename>, <filename
+	    class="directory">/usr/share</filename>.
-            class="directory">/usr/share/shorewall6/</filename>, <filename
+	    The running product is defined in the g_product variable.</para>
-            class="directory">/usr/share/shorewall-lite</filename>, or
-            <filename class="directory">/usr/share/shorewall6-lite</filename>
-            depending on which product is running.</para>
           </listitem>
 
           <listitem>
@@ -508,25 +526,37 @@ cat -</programlisting>
               <row>
                 <entry>initdone</entry>
 
-                <entry>init</entry>
+                <entry>disable</entry>
               </row>
 
               <row>
                 <entry>maclog</entry>
 
-                <entry>isusable</entry>
+                <entry>enable</entry>
               </row>
 
               <row>
                 <entry>Per-chain (including those associated with
                 actions)</entry>
 
-                <entry>start</entry>
+                <entry>init</entry>
               </row>
 
               <row>
                 <entry>postcompile</entry>
 
+                <entry>isusable</entry>
+              </row>
+
+              <row>
+                <entry/>
+
+                <entry>start</entry>
+              </row>
+
+              <row>
+                <entry/>
+
                 <entry>started</entry>
               </row>
 
@@ -575,6 +605,44 @@ cat -</programlisting>
           </tgroup>
         </informaltable></para>
 
+      <para>The contents of each run-time script is placed in a shell
+      function, so you can declare local variables and can use the
+      <command>return</command> command. The functions generated from the
+      <filename>enable</filename> and <filename>disable</filename> scripts are
+      passed three arguments:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>$1</term>
+
+          <listitem>
+            <para>Physical name of the interface that was enabled or
+            disabled.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>$2</term>
+
+          <listitem>
+            <para>Logical name of the interface.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>$3</term>
+
+          <listitem>
+            <para>Name of the Provider, if any, associated with the
+            interface.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+
+      <para>As described above, the function generated from the
+      <filename>isusable</filename> script is passed a single argument that
+      names a network interface.</para>
+
       <para>With the exception of postcompile, compile-time extension scripts
       are executed using the Perl 'eval `cat
       &lt;<emphasis>file</emphasis>&gt;`' mechanism. Be sure that each script