Add another restriction for SAVE_IPSETS=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.base

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #

Shorewall-core/lib.cli

@@ -1137,16 +1137,31 @@ show_a_macro() {
     cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
+spd_filter() {
-{
+    #
-    awk \
+    # af   = Address Family (4 or 6)
-    'BEGIN            { skip=0; }; \
+    # afok = Address Family of entry matches af
-    /^src/            { skip=0; }; \
+    # p    = print the contents of A (entry is not empty)
-    /^src 0.0.0.0\/0/ { skip=1; }; \
+    # i    = Number of lines stored in A
-    /^src ::\/0/      { skip=1; }; \
+    #
-                      { if ( skip == 0 ) print; };'
+    awk -v af=$g_family \
+	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
+\
+	 /^src / { if (p) prnt( A, i );\
+		   afok = 1;\
+		   p	= 0;\
+		   i	= 0;\
+		   if ( af == 4 )\
+		       { if ( /:/ )  afok = 0; }\
+		   else\
+		       { if ( /\./ ) afok = 0; }\
+		 };\
+		 { if ( afok ) A[i++] = $0; };\
+	 /tmpl/	 { p = afok; };\
+\
+	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1174,8 @@ heading() {
 
 show_ipsec() {
     heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
+
     heading "PFKEY SAD"
     $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -2770,7 +2786,7 @@ determine_capabilities() {
     GOTO_TARGET=
     LOGMARK_TARGET=
     IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
     ULOG_TARGET=
     NFLOG_TARGET=
     PERSISTENT_SNAT=
@@ -3138,7 +3154,7 @@ determine_capabilities() {
     qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
     qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
     qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
@@ -3727,7 +3743,7 @@ ipcalc_command() {
 
     valid_address $address || fatal_error "Invalid IP address: $address"
     [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,53 +269,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
     local modulename
     modulename=$1
+    shift
+    local moduleoptions
+    moduleoptions=$*
     local modulefile
     local suffix
 
     if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		shift
+		case $moduleloader in
-
+		    insmod)
-		for suffix in $MODULE_SUFFIX ; do
+			for directory in $moduledirectories; do
-		    for directory in $moduledirectories; do
+			    for modulefile in $directory/${modulename}.*; do
-			modulefile=$directory/${modulename}.${suffix}
+				if [ -f $modulefile ]; then
-
+				    insmod $modulefile $moduleoptions
-			if [ -f $modulefile ]; then
+				    return
-			    case $moduleloader in
+				fi
-				insmod)
+			    done
-				    insmod $modulefile $*
+			done
-				    ;;
+			;;
-				*)
+		    *)
-				    modprobe $modulename $*
+			modprobe -q $modulename $moduleoptions
-				    ;;
+			;;
-			    esac
+		esac
-			    break 2
-			fi
-		    done
-		done
 	    fi
 	fi
     elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
+	case $moduleloader in
-
+	    insmod)
-	for suffix in $MODULE_SUFFIX ; do
+		for directory in $moduledirectories; do
-	    for directory in $moduledirectories; do
+		    for modulefile in $directory/${modulename}.*; do
-		modulefile=$directory/${modulename}.${suffix}
+			if [ -f $modulefile ]; then
-
+			    insmod $modulefile $moduleoptions
-		if [ -f $modulefile ]; then
+			    return
-		    case $moduleloader in
+			fi
-			insmod)
+		    done
-			    insmod $modulefile $*
+		done
-			    ;;
+		;;
-			*)
+	    *)
-			    modprobe $modulename $*
+		modprobe -q $modulename $moduleoptions
-			    ;;
+		;;
-		    esac
+	esac
-		    break 2
-		fi
-	    done
-	done
     fi
 }
 
@@ -338,8 +333,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +387,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
     fi
 
-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
-
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)

Shorewall-core/lib.core

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
 
-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108
 
 #
 # Fatal Error

Shorewall-core/lib.installer

@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/shorewall

@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
+#
+# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
+# options
+#
 PRODUCT=shorewall
 
 #

Shorewall-init/init.debian.sh

@@ -159,8 +159,9 @@ shorewall_stop () {
 
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
       else
+	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
       fi
 

Shorewall-init/init.fedora.sh

@@ -66,6 +66,10 @@ start () {
 
     printf "Initializing \"Shorewall-based firewalls\": "
 
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
     for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
@@ -120,6 +124,15 @@ stop () {
     done
 
     if [ $retval -eq 0 ]; then
+	if [ -n "$SAVE_IPSETS" ]; then
+	    mkdir -p $(dirname "$SAVE_IPSETS")
+	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
+		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    else
+		rm -f "${SAVE_IPSETS}.tmp"
+	    fi
+	fi
+
 	rm -f $lockfile
 	success
     else

Shorewall-init/init.openwrt.sh

@@ -126,7 +126,9 @@ stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 }

Shorewall-init/init.sh

@@ -116,7 +116,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 

Shorewall-init/init.suse.sh

@@ -126,7 +126,9 @@ shorewall_stop () {
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
       fi
   fi
 }

Shorewall-init/shorewall-init

@@ -104,7 +104,9 @@ shorewall_stop () {
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
 

Shorewall-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall/Actions/action.IfEvent

@@ -107,6 +107,11 @@ if ( $command & $REAP_OPT ) {
 
 $duration .= '--rttl ' if $command & $TTL_OPT;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
+    $action = 'ACCEPT';
+}
+
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
 

Shorewall/Actions/action.ResetEvent

@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {

Shorewall/Actions/action.SetEvent

@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {

Shorewall/Makefile-lite

@@ -1,82 +0,0 @@
-#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-#	To make the 'firewall' script, type "make".
-#
-#	Once the script is compiling correctly, you can install it by
-#	typing "make install".
-#
-################################################################################
-#                             V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES =  firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-#                                T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
-	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
-	scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
-	shorewall compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
-	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
-	ssh root@$(HOST) "/sbin/shorewall-lite restart"
-#
-# Save running configuration
-#
-save:
-	ssh root@$(HOST) "/sbin/shorewall-lite save"
-#
-# Remove generated files
-#
-clean:
-	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/Chains.pm

@@ -1403,13 +1403,15 @@ sub compatible( $$ ) {
     }
     #
     # Don't combine chains where each specifies
-    #    -m policy
+    #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
     # and the other specifies
     #    --dport or --sport or -m multiport
     #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
+    my ( $p1, $p2 );
+
+    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -3273,8 +3275,10 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
     }
 
@@ -3671,7 +3675,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -7065,6 +7069,8 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
     my ( $logical, $protect, $provider ) = @_;
 
+    $provider = '' unless defined $provider;
+
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
     my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -7078,9 +7084,9 @@ sub get_interface_gateway ( $;$$ ) {
     }
 
     if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
     } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
     }
 
@@ -8457,6 +8463,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
 
@@ -8472,6 +8479,7 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8983,6 +8991,10 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9087,6 +9099,11 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9324,6 +9341,10 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -268,7 +268,8 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
     }
 
@@ -691,6 +692,7 @@ sub compiler {
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
     #
+    #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
     get_configuration( $export , $update , $annotate , $inline );
@@ -795,13 +797,10 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
     }
 
-    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_script;
-    #
     # Validate the TC files so that the providers will know what interfaces have TC
     #
     my $tcinterfaces = process_tc;

Shorewall/Perl/Shorewall/Config.pm

@@ -36,11 +36,13 @@ use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
+use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
+use Errno qw(:POSIX);
 
 our @ISA = qw(Exporter);
 #
@@ -315,7 +317,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -648,6 +650,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
+                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -752,7 +755,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.5-RC1",
+		    VERSION                 => "5.1.8-Beta1",
 		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -848,7 +851,6 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
-	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -1008,7 +1010,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => 1,         # Assume that we have it.
+	       LOG_TARGET => undef,
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1992,6 +1994,7 @@ sub find_file($)
     for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
+	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
     }
 
     "$config_path[0]$filename";
@@ -2574,7 +2577,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;;
+	do_open_file $fname;
     } else {
 	$ifstack = @ifstack;
 	'';
@@ -4287,7 +4290,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
 
     my $modulesdir = $config{MODULESDIR};
 
@@ -4320,25 +4323,20 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'ko ko.gz ko.xz o o.gz o.xz gz xz' unless $config{MODULE_SUFFIX};
+      MODULE:
-
-	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
-
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		for my $directory ( @moduledirectories ) {
+		if ( $moduleloader =~ /modprobe$/ ) {
-		    for my $suffix ( @suffixes ) {
+		    system( "modprobe -q $module $arguments" );
-			my $modulefile = "$directory/$module.$suffix";
+		    $loadedmodules{ $module } = 1;
-			if ( -f $modulefile ) {
+		} else {
-			    if ( $moduleloader eq 'insmod' ) {
+		    for my $directory ( @moduledirectories ) {
-				system ("insmod $modulefile $arguments" );
+			for my $modulefile ( <$directory/$module.*> ) {
-			    } else {
+			    system ("insmod $modulefile $arguments" );
-				system( "modprobe $module $arguments" );
-			    }
-
 			    $loadedmodules{ $module } = 1;
+			    next MODULE;
 			}
 		    }
 		}
@@ -6255,7 +6253,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
     }
 
-    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
+    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
     default_yes_no 'ADD_SNAT_ALIASES'           , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
     default_yes_no 'DETECT_DNAT_IPADDRS'        , '';

Shorewall/Perl/Shorewall/Misc.pm

@@ -667,6 +667,7 @@ sub create_docker_rules() {
 
     my $chainref = $filter_table->{FORWARD};
 
+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
     add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
 
     if ( my $dockerref = known_interface('docker0') ) {

Shorewall/Perl/Shorewall/Providers.pm

@@ -502,7 +502,7 @@ sub process_a_provider( $ ) {
 
     if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway( $interface, undef, $number );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
     } elsif ( $gw eq 'none' ) {
@@ -602,6 +602,7 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
+		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -847,7 +848,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
 
@@ -863,7 +864,7 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
 
-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
@@ -873,24 +874,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( "find_interface_addresses $physical | while read address; do",
-		emit  ( "    qt \$IP -$family rule del from \$address" );
+			"    qt \$IP -$family rule del from \$address",
-		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
+	}
 
-	    if ( @{$providerref->{persistent_routes}} ) {
+	if ( @{$providerref->{persistent_routes}} ) {
-		emit '';
+	    emit '';
-		emit $_ for @{$providers{$table}->{persistent_routes}};
+	    emit $_ for @{$providers{$table}->{persistent_routes}};
-	    }
+	}
 
-	    if ( @{$providerref->{persistent_rules}} ) {
+	if ( @{$providerref->{persistent_rules}} ) {
-		emit '';
+	    emit '';
-		emit $_ for @{$providers{$table}->{persistent_rules}};
+	    emit $_ for @{$providers{$table}->{persistent_rules}};
-	    }
 	}
 
 	pop_indent;
@@ -898,7 +899,6 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
-
 	pop_indent;
 
 	emit( "}\n" );
@@ -924,7 +924,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
     }
@@ -956,7 +956,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
 
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
 
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -985,7 +985,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
 
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
     }
 
     if ( $balance ) {
@@ -997,14 +997,16 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(run_ip route replace default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 
+	emit( 'g_fallback=Yes' ) if $persistent;
+
 	$metrics = 1;
     }
 
@@ -1026,12 +1028,13 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1092,6 +1095,17 @@ CEOF
 	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );
 
+	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
+	    emit  ( '#',
+		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
+		    '#',
+		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
+		    '    true',
+		    'done',
+		    ''
+		);
+	}
+
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1241,9 +1255,9 @@ CEOF
 	    );
 
 	if ( $pseudo ) {
-	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
 	}
 
 	pop_indent;
@@ -1344,7 +1358,7 @@ sub add_an_rtrule1( $$$$$ ) {
 
     $priority = "pref $priority";
 
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
     push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 
     if ( $persistent ) {
@@ -1442,22 +1456,22 @@ sub add_a_route( ) {
 
     if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route add $null $dest table $id);
+	    push @$routes,            qq(run_ip route replace $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
     } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
+	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
+	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
     }
 
@@ -1580,7 +1594,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1607,7 +1621,7 @@ sub finish_providers() {
 	}
 
 	emit ( '#',
-	       '# Delete any routes in the \'balance\' table',
+	       '# Delete any default routes with metric 0 in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1635,7 +1649,10 @@ sub finish_providers() {
 	      'fi',
 	      '' );
     } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( "delete_default_routes $default",
+	emit( '#',
+	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
+	      '#',
+	      "delete_default_routes $default",
 	      ''
 	    );
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -216,6 +216,10 @@ our %statetable;
 # Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
 #
 our $statematch;
+#
+# Remembers NAT-oriented columns from top-level action invocations
+#
+our %nat_columns;
 
 #
 # Action/Inline options
@@ -384,6 +388,8 @@ sub initialize( $ ) {
 	                  );
     }
 
+    %nat_columns = ( dest => '-', proto => '-', ports => '-' );
+
     ############################################################################
     # Initialize variables moved from the Tc module in Shorewall 5.0.7         #
     ############################################################################
@@ -391,7 +397,7 @@ sub initialize( $ ) {
     %tcdevices = ();
     %tcclasses = ();
     $sticky    = 0;
-    $divertref = 0;    
+    $divertref = 0;
 }
 
 #
@@ -1652,6 +1658,19 @@ sub merge_inline_source_dest( $$ ) {
     $body || '';
 }
 
+#
+# This one is used by perl_action_helper()
+#
+sub merge_action_column( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( supplied( $body ) && $body ne '-' ) {
+	$body;
+    } else {
+	$invocation;
+    }
+}
+
 sub merge_macro_column( $$ ) {
     my ( $body, $invocation ) = @_;
 
@@ -2510,6 +2529,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $exceptionrule = '';
     my $usergenerated;
     my $prerule = '';
+    my %save_nat_columns = %nat_columns;
+    my $generated = 0;
     #
     # Subroutine for handling MARK and CONNMARK.
     #
@@ -2591,32 +2612,30 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	$current_param = $param unless $param eq '' || $param eq 'PARAM';
 
-	my $generated = process_macro( $basictarget,
+	$generated = process_macro( $basictarget,
-				       $chainref,
+				    $chainref,
-				       $rule . $raw_matches,
+				    $rule . $raw_matches,
-				       $matches1,
+				    $matches1,
-				       $target,
+				    $target,
-				       $current_param,
+				    $current_param,
-				       $source,
+				    $source,
-				       $dest,
+				    $dest,
-				       $proto,
+				    $proto,
-				       $ports,
+				    $ports,
-				       $sports,
+				    $sports,
-				       $origdest,
+				    $origdest,
-				       $ratelimit,
+				    $ratelimit,
-				       $user,
+				    $user,
-				       $mark,
+				    $mark,
-				       $connlimit,
+				    $connlimit,
-				       $time,
+				    $time,
-				       $headers,
+				    $headers,
-				       $condition,
+				    $condition,
-				       $helper,
+				    $helper,
-				       $wildcard );
+				    $wildcard );
 
 	$macro_nest_level--;
-
+	goto EXIT;
-	return $generated;
-
     } elsif ( $actiontype & NFQ ) {
 	$action = handle_nfqueue( $param,
 				  1 # Allow 'bypass'
@@ -2688,6 +2707,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
+
 		  if ( $dest eq '-' ) {
 		      if ( $family == F_IPV4 ) {
 			  $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -2816,6 +2836,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
     }
+
     #
     # Isolate and validate source and destination zones
     #
@@ -2909,7 +2930,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} & BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		return 0 if $wildcard;
+		goto EXIT if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -2924,7 +2945,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $policy = $chainref->{policy};
 
 	if ( $policy eq 'NONE' ) {
-	    return 0 if $wildcard;
+	    goto EXIT if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -2933,9 +2954,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	if ( $optimize == 1 && $section == NEW_SECTION ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		return 0 if $target eq "${policy}:${loglevel}";
+		goto EXIT if $target eq "${policy}:${loglevel}";
 	    } else {
-		return 0 if $basictarget eq $policy;
+		goto EXIT if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -2980,6 +3001,21 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Save NAT-oriented column contents
+	#
+	@nat_columns{'dest', 'proto', 'ports' } = ( $dest,
+						    $proto eq '-' ? $nat_columns{proto} : $proto,
+						    $ports eq '-' ? $nat_columns{ports} : $ports );
+	#
+	# Push the current column array onto the column stack
+	#
+        my @savecolumns = @columns;
+	#
+	# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper. We
+	# only need the NAT-oriented columns
+	#
+	@columns = ( undef , undef, $dest, $proto, $ports);
 	#
 	# Handle 'section' option
 	#
@@ -3023,6 +3059,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$action = $basictarget; # Remove params, if any, from $action.
+
+	@columns = @savecolumns;
     } elsif ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule() recursively for each rule in the action body
@@ -3039,34 +3077,34 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	$actionresult = 0;
 
-	my $generated = process_inline( $basictarget,
+	$generated = process_inline( $basictarget,
-					$chainref,
+				     $chainref,
-					$prerule . $rule,
+				     $prerule . $rule,
-					$matches1 . $raw_matches,
+				     $matches1 . $raw_matches,
-					$loglevel,
+				     $loglevel,
-					$target,
+				     $target,
-					$param,
+				     $param,
-					$source,
+				     $source,
-					$dest,
+				     $dest,
-					$proto,
+				     $proto,
-					$ports,
+				     $ports,
-					$sports,
+				     $sports,
-					$origdest,
+				     $origdest,
-					$ratelimit,
+				     $ratelimit,
-					$user,
+				     $user,
-					$mark,
+				     $mark,
-					$connlimit,
+				     $connlimit,
-					$time,
+				     $time,
-					$headers,
+				     $headers,
-					$condition,
+				     $condition,
-					$helper,
+				     $helper,
-					$wildcard ) || $actionresult;
+				     $wildcard ) || $actionresult;
 
 	( $actionresult, @columns ) = @$savecolumns;;
 
 	$macro_nest_level--;
 
-	return $generated;
+	goto EXIT;
     }
     #
     # Generate Fixed part of the rule
@@ -3252,7 +3290,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
     }
 
-    return 1;
+    $generated = 1;
+
+  EXIT:
+    {
+      %nat_columns = %save_nat_columns;
+    }
+
+    return $generated;
 }
 
 
@@ -3406,27 +3451,60 @@ sub perl_action_helper($$;$$) {
 				 '',                              # CurrentParam
 				 @columns );
     } else {
-	$result = process_rule( $chainref,
+	if ( ( $targets{$target} || 0 ) & NATRULE ) {
-				$matches,
+	    $result = process_rule( $chainref,
-				$matches1,
+				    $matches,
-				merge_target( $actions{$action}, $target ),
+				    $matches1,
-				'',                               # Current Param
+				    merge_target( $actions{$action}, $target ),
-				'-',                              # Source
+				    '',                               # Current Param
-				'-',                              # Dest
+				    '-',                              # Source
-				'-',                              # Proto
+				    merge_action_column(              # Dest
-				'-',                              # Port(s)
+					$columns[2],			      
-				'-',                              # Source Port(s)
+					$nat_columns{dest}
-				'-',                              # Original Dest
+				    ),
-				'-',                              # Rate Limit
+				    merge_action_column(              #Proto
-				'-',                              # User
+					$columns[3],
-				'-',                              # Mark
+					$nat_columns{proto}
-				'-',                              # Connlimit
+				    ),
-				'-',                              # Time
+				    merge_action_column(              #Ports
-				'-',                              # Headers,
+					$columns[4],
-				'-',                              # condition,
+					$nat_columns{ports}),
-				'-',                              # helper,
+				    '-',                              # Source Port(s)
-				0,                                # Wildcard
+				    '-',                              # Original Dest
-			      );
+				    '-',                              # Rate Limit
+				    '-',                              # User
+				    '-',                              # Mark
+				    '-',                              # Connlimit
+				    '-',                              # Time
+				    '-',                              # Headers,
+				    '-',                              # condition,
+				    '-',                              # helper,
+				    0,                                # Wildcard
+		);
+	} else {
+	    $result = process_rule( $chainref,
+				    $matches,
+				    $matches1,
+				    merge_target( $actions{$action}, $target ),
+				    '',                               # Current Param
+				    '-',                              # Source
+				    '-',                              # Dest
+				    '-',                              # Proto
+				    '-',                              # Port(s)
+				    '-',                              # Source Port(s)
+				    '-',                              # Original Dest
+				    '-',                              # Rate Limit
+				    '-',                              # User
+				    '-',                              # Mark
+				    '-',                              # Connlimit
+				    '-',                              # Time
+				    '-',                              # Headers,
+				    '-',                              # condition,
+				    '-',                              # helper,
+				    0,                                # Wildcard
+		);
+	}
+
 	allow_optimize( $chainref );
     }
     #
@@ -3492,7 +3570,8 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # condition,
 				    '-',                              # helper,
 				    0,                                # Wildcard
-				  );
+		                  );
+
 	    allow_optimize( $chainref );
 	}
 	#
@@ -4063,10 +4142,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		expand_rule( $chainref,
 			     $restriction,
 			     $prerule ,
+			     do_proto( $proto, $ports, $sports ) .
 			     $match .
 			     do_user( $user ) .
-			     do_test( $testval, $globals{TC_MASK} ) .
+			     do_test( $testval, $mask ) .
-			     do_test( $testval, $globals{TC_MASK} ) .
 			     do_length( $length ) .
 			     do_tos( $tos ) .
 			     do_connbytes( $connbytes ) .
@@ -4074,6 +4153,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
+			     do_time( $time ) .
 			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
@@ -5286,7 +5366,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $interfaces = $1;
 	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+	    if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) {
 		$interfaces = $one;
 		$destnets = $two;
 	    } else {

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
     $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route
+	qt $IP -$g_family route del $route table $1
     done
 } 
 
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface
+detect_gateway() # $1 = interface $2 = table number
 {
     local interface
     interface=$1
@@ -912,6 +912,8 @@ detect_gateway() # $1 = interface
     # Maybe there's a default route through this gateway already
     #
     [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+
+    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #

Shorewall/Perl/prog.footer

@@ -78,11 +78,13 @@ reload_command() {
     detect_configuration
     define_firewall
     status=$?
-    if [ -n "$SUBSYSLOCK" ]; then
- 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-    fi
 
-    [ $status -eq 0 ] && progress_message3 "done."
+    if [ $status -eq 0 ]; then
+	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	progress_message3 "done."
+    else
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    fi
 }
 
 ################################################################################
@@ -127,8 +129,10 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockeringress=
 g_dockernetwork=
 g_forcereload=
+g_fallback=
 
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 
@@ -418,9 +422,12 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
+	    COMMAND=disable
 	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
+	    disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    COMMAND=enable
+	    detect_configuration $1
+	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0

Shorewall/Samples/Universal/shorewall.conf

@@ -205,8 +205,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/Samples/one-interface/shorewall.conf

@@ -216,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -213,8 +213,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -216,8 +216,6 @@ MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/actions.std

@@ -25,7 +25,7 @@ Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
-dropBcasts    inline		# Silently Drop Broadcast
+dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets

Shorewall/configfiles/shorewall.conf

@@ -205,8 +205,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No
 
 MUTEX_TIMEOUT=60

Shorewall/lib.cli-std

@@ -1556,10 +1556,10 @@ remote_reload_command() # $* = original arguments less the command.
 
 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
     fi

Shorewall/manpages/shorewall-modules.xml

@@ -51,7 +51,7 @@
 
     <para>The <replaceable>modulename</replaceable> names a kernel module
     (without suffix). Shorewall will search for modules based on your
-    MODULESDIR and MODULE_SUFFIX settings in <ulink
+    MODULESDIR setting in <ulink
     url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
     <replaceable>moduleoption</replaceable>s are passed to modprobe (if
     installed) or to insmod.</para>

Shorewall/manpages/shorewall-providers.xml

@@ -220,7 +220,7 @@
                   <para>In IPV6, the <option>balance</option> option does not
                   cause balanced default routes to be created; it rather
                   causes a sequence of default routes with different metrics
-                  to be created. </para>
+                  to be created.</para>
                 </caution>
               </listitem>
             </varlistentry>
@@ -438,6 +438,14 @@
                   <command>enable</command> and <command>reenable</command>
                   commands can reenable the provider.</para>
                 </note>
+
+                <important>
+                  <para>RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not
+                  recommended when the <option>persistent</option> option is
+                  used, as restoring default routes to the main routing table
+                  can prevent link status monitors such as foolsm from
+                  correctly detecting non-working providers.</para>
+                </important>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-snat.xml

@@ -78,7 +78,7 @@
               role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>|</term>
+              role="bold">detect</emphasis>)</term>
 
               <listitem>
                 <para>If you specify an address here, matching packets will
@@ -673,7 +673,7 @@
           address changed to 206.124.146.177.</para>
 
           <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
+        SNAT(206.124.146.177)   -               eth0:+myset[dst]</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-zones.xml

@@ -107,7 +107,7 @@
                 <simplelist>
                   <member>2 + 6 + 2*M + 1 = 29</member>
 
-                  <member>2M = 29 - 2 + 6 + 1 = 20</member>
+                  <member>2M = 29 - 2 - 6 - 1 = 20</member>
 
                   <member>M = 10</member>
                 </simplelist>

Shorewall/manpages/shorewall.conf.xml

@@ -1892,18 +1892,6 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
-        role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
-        role="bold">"</emphasis>]</term>
-
-        <listitem>
-          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
-          o.gz o.xz gz xz".</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis
         role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis

Shorewall6-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall6/Makefile-lite

@@ -1,82 +0,0 @@
-#     Shorewall6 Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-#	To make the 'firewall' script, type "make".
-#
-#	Once the script is compiling correctly, you can install it by
-#	typing "make install".
-#
-################################################################################
-#                             V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES =  firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall6-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-#                                T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
-	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall6-lite/shorecap > $(LITEDIR)/capabilities"
-	scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
-	shorewall6 compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
-	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
-	ssh root@$(HOST) "/sbin/shorewall6-lite restart"
-#
-# Save running configuration
-#
-save:
-	ssh root@$(HOST) "/sbin/shorewall6-lite save"
-#
-# Remove generated files
-#
-clean:
-	rm -f capabilities firewall firewall.conf reload

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -191,8 +191,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

Shorewall6/configfiles/shorewall6.conf

@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX="ko ko.xz"
-
 MUTEX_TIMEOUT=60
 
 OPTIMIZE=All

docs/SharedConfig.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
-  <!--$Id$-->
+  <!--mangle$Id$-->
 
   <articleinfo>
     <title>Shared Shorewall and Shorewall6 Configuration</title>
@@ -72,44 +72,76 @@
 
     <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
 
-    <programlisting>root@gateway:/etc# ls -l shorewall shorewall6
+    <programlisting>oot@gateway:~# ls -l /etc/shorewall/
-shorewall:
+total 92
-total 88
+-rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
--rw-r--r-- 1 root root  201 Mar 19 08:43 action.Mirrors
 -rw-r--r-- 1 root root  109 Jun 29 15:13 actions
--rw-r--r-- 1 root root  655 Jun 29 15:13 conntrack
+-rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
--rw-r--r-- 1 root root  107 Jul  1 10:40 hosts
+-rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
 -rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
 -rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
+-rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
 -rw-r--r-- 1 root root  497 Jul  1 10:42 mangle
--rw-r--r-- 1 root root    7 Jul  6 09:24 masq
 -rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
--rw-r--r-- 1 root root 2650 Jul  2 08:05 params
+-rw-r--r-- 1 root root 2687 Oct 15 14:20 params
--rw-r--r-- 1 root root  645 Jun 28 10:04 policy
+-rw-r--r-- 1 root root 2688 Oct 15 15:10 #params#
--rw-r--r-- 1 root root 1828 Jul  1 15:43 providers
+-rw-r--r-- 1 root root  738 Oct 15 12:16 policy
--rw-r--r-- 1 root root  398 Mar 18 20:18 proxyarp
+-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
--rw-r--r-- 1 root root  702 Jul  1 10:42 rtrules
+-rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
--rw-r--r-- 1 root root 6214 Jul  2 08:45 rules
+-rw-r--r-- 1 root root  730 Oct 10 12:59 rtrules
-lrwxrwxrwx 1 root root   29 Jul  6 12:42 shorewall6.conf -&gt; ../shorewall6/shorewall6.conf
+-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
--rw-r--r-- 1 root root 5571 Jun 25 18:09 shorewall.conf
+-rw-r--r-- 1 root root 5521 Oct 13 13:16 shorewall.conf
--rw-r--r-- 1 root root 1084 Jul  1 10:42 snat
+-rw-r--r-- 1 root root 1084 Oct 14 11:48 snat
 -rw-r--r-- 1 root root  181 Jun 29 15:12 started
--rw-r--r-- 1 root root  437 Jun 28 10:45 tunnels
+-rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
--rw-r--r-- 1 root root  928 Jun 29 08:25 zones
+-rw-r--r-- 1 root root  941 Oct 15 11:27 zones
-
+root@gateway:~# ls -l /etc/shorewall6/
-shorewall6:
+total 8
-total 12
--rw------- 1 root root  954 Jul  6 12:48 conntrack
 lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -&gt; ../shorewall/mirrors
 lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -&gt; ../shorewall/params
--rw-r--r-- 1 root root 5328 Jul  6 12:45 shorewall6.conf
+-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
-root@gateway:/etc# </programlisting>
+root@gateway:~# 
+</programlisting>
 
     <para>The various configuration files are described in the sections that
     follow. Note that in all cases, these files use the <ulink
     url="/configuration_file_basics.htm#Pairs">alternate format for column
     specification</ulink>.</para>
 
+    <section>
+      <title>/usr/share/shorewall/shorewallrc</title>
+
+      <para>The key setting here is SPARSE=Very</para>
+
+      <programlisting>#
+# Created by Shorewall Core version 5.0.12-RC1 configure.pl - Sep 25 2016 09:30:55
+# rc file: shorewallrc.debian.systemd
+#
+HOST=debian
+PREFIX=/usr
+SHAREDIR=${PREFIX}/share
+LIBEXECDIR=${PREFIX}/share
+PERLLIBDIR=${PREFIX}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${PREFIX}/share/man
+INITDIR=
+INITSOURCE=init.debian.sh
+INITFILE=
+AUXINITSOURCE=
+AUXINITFILE=
+SERVICEDIR=/lib/systemd/system
+SERVICEFILE=$PRODUCT.service.debian
+SYSCONFFILE=default.debian
+SYSCONFDIR=/etc/default
+SPARSE=Very
+ANNOTATED=
+VARLIB=/var/lib
+VARDIR=${VARLIB}/$PRODUCT
+DEFAULT_PAGER=/usr/bin/less
+</programlisting>
+    </section>
+
     <section>
       <title>shorewall.conf and shorewall6.conf</title>
 
@@ -117,15 +149,11 @@ root@gateway:/etc# </programlisting>
       address families. The key setting is CONFIG_PATH in
       shorewall6.conf:</para>
 
-      <programlisting>CONFIG_PATH="<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"</programlisting>
+      <programlisting>CONFIG_PATH="<emphasis role="bold">${CONFDIR}/shorewall6:${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"</programlisting>
 
       <para><filename>/etc/shorewall6/</filename> is only used for processing
       the <filename>params</filename> and <filename>shorewall6.conf</filename>
-      files. <filename>/etc/shorewall6/conntrack</filename> is installed when
+      files.</para>
-      SPARSE=Yes, but is not used.</para>
-
-      <para>The /etc/shorewall/shorewall6.conf symbolic link is required once
-      the above CONFIG_PATH setting is in effect.</para>
 
       <section>
         <title>shorewall.conf</title>
@@ -134,6 +162,13 @@ root@gateway:/etc# </programlisting>
         follows:</para>
 
         <programlisting>###############################################################################
+#
+#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#
+#  For information about the settings in this file, type "man shorewall.conf"
+#
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
@@ -230,7 +265,7 @@ DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=No
 HELPERS="ftp,irc"
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
@@ -244,8 +279,7 @@ MACLIST_TTL=60
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MINIUPNPD=Yes
+MINIUPNPD=No
-MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=unreachable
@@ -267,13 +301,13 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
-USE_NFLOG_SIZE=No
+USE_NFLOG_SIZE=Yes
 USE_PHYSICAL_NAMES=Yes
 USE_RT_NAMES=Yes
 VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
-ZERO_MARKS=Yes
+ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
@@ -304,6 +338,14 @@ ZONE_BITS=0
         <para>The contents of /etc/shorewall6/shorewall6.conf are:</para>
 
         <programlisting>###############################################################################
+#
+#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#
+#  For information about the settings in this file, type "man shorewall6.conf"
+#
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
@@ -343,7 +385,7 @@ UNTRACKED_LOG_LEVEL=
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
 IP6TABLES=
 IP=
@@ -378,7 +420,7 @@ ACCOUNTING=Yes
 ACCOUNTING_TABLE=mangle
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
+AUTOHELPERS=No
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
@@ -393,8 +435,8 @@ DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=No
-HELPERS=
+HELPERS=ftp
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
@@ -406,8 +448,7 @@ MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
-MINIUPNPD=Yes
+MINIUPNPD=No
-MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
@@ -415,7 +456,7 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 REQUIRE_INTERFACE=No
 RESTART=restart
-RESTORE_DEFAULT_ROUTE=Yes
+RESTORE_DEFAULT_ROUTE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
 TC_ENABLED=Shared
@@ -424,10 +465,10 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
-USE_NFLOG_SIZE=No
+USE_NFLOG_SIZE=Yes
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
-VERBOSE_MESSAGES=Yes
+VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
@@ -485,11 +526,12 @@ if [ $g_family = 4 ]; then
     LISTS=70.90.191.124	   # IP address of lists.shorewall.net (MX)
     MAIL=70.90.191.122	   # IP address of mail.shorewall.net  (IMAPS)
     SERVER=70.90.191.125   # IP address of www.shorewall.org
-    PROXY=Yes		   # Use TPROXY for local web access
+    PROXY=		   # Use TPROXY for local web access
     ALL=0.0.0.0/0	   # Entire address space
     LOC_ADDR=172.20.1.253  # IP address of the local LAN interface
     FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
     FAST_MARK=0x20000	   # Multi-ISP mark setting for IF_FAST
+    IPSECMSS=1460
     #
     # Interface Options
     #
@@ -508,11 +550,12 @@ else
     LISTS=[2001:470:b:227::42]		      # IP address of lists.shorewall.net (MX and HTTPS)
     MAIL=[2001:470:b:227::45]		      # IP address of mail.shorewall.net  (IMAPS and HTTPS)
     SERVER=[2001:470:b:227::43]		      # IP address of www.shorewall.org   (HTTP, FTP and RSYNC)
-    PROXY=
+    PROXY=3				      # Use TPROXY for local web access
     ALL=[::]/0				      # Entire address space
-    LOC_ADDR=[2601:601:8b00:bf0::1]	      # IP address of the local LAN interface
+    LOC_ADDR=[2601:601:a000:16f0::1]	      # IP address of the local LAN interface
     FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf    # Default gateway through the IF_FAST interface
     FAST_MARK=0x100			      # Multi-ISP mark setting for IF_FAST
+    IPSECMSS=1440
     #
     # Interface Options
     #
@@ -521,8 +564,7 @@ else
     LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
     DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
     IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
-fi
+fi</programlisting>
-</programlisting>
     </section>
 
     <section>
@@ -530,17 +572,20 @@ fi
 
       <para>Here is the /etc/shorewall/zones file:</para>
 
-      <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
+      <programlisting>###############################################################################
+#ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
+
 #
 # By using the 'ip' type, both Shorewall and Shorewall6 can share this file
 #
+
 fw	{ TYPE=firewall }
 net	{ TYPE=ip }
 loc	{ TYPE=ip }
 dmz	{ TYPE=ip }
 apps	{ TYPE=ip }
-vpn1	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp }
+vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
 </programlisting>
     </section>
 
@@ -551,6 +596,8 @@ vpn1	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp }
       /etc/shorewall/params:</para>
 
       <programlisting>#
+# The two address families use different production interfaces and different 
+#
 # LOC_IF is the local LAN for both families
 # FAST_IF is a Comcast IPv6 beta uplink which is used for internet access from the local lan for both families
 # PROD_IF is the interface used by shorewall.org servers
@@ -563,7 +610,8 @@ loc  { INTERFACE=LOC_IF,  OPTIONS=$LOC_OPTIONS }
 net  { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
 net  { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
 dmz  { INTERFACE=DMZ_IF,  OPTIONS=$DMZ_OPTIONS }
-apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }</programlisting>
+apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
+</programlisting>
     </section>
 
     <section>
@@ -572,9 +620,9 @@ apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }</programlisting>
       <para>/etc/shorewall/hosts is used to define the vpn zone:</para>
 
       <programlisting>#ZONE		HOSTS				OPTIONS
-vpn1 { HOSTS=PROD_IF:$ALL }
+vpn { HOSTS=PROD_IF:$ALL }
-vpn1 { HOSTS=FAST_IF:$ALL }
+vpn { HOSTS=FAST_IF:$ALL }
-vpn1 { HOSTS=LOC_IF:$ALL }
+vpn { HOSTS=LOC_IF:$ALL }
 </programlisting>
     </section>
 
@@ -583,17 +631,22 @@ vpn1 { HOSTS=LOC_IF:$ALL }
 
       <para>The same set of policies apply to both address families:</para>
 
-      <programlisting>#SOURCE         DEST            POLICY					LOGLEVEL		RATE
+      <programlisting>#SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE
-$FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
+
-$FW { DEST=all, POLICY=ACCEPT }
+$FW	     { DEST=dmz,net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-loc { DEST=net, POLICY=ACCEPT }
+$FW	     { DEST=all,	 POLICY=ACCEPT }
-loc,vpn1,apps { DEST=loc,vpn1,apps POLICY=ACCEPT }
+
-loc { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
+loc	     { DEST=net,	 POLICY=ACCEPT }
-net { DEST=net, POLICY=NONE }
+loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
-net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+loc	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+
-dmz { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
+net	     { DEST=net,	 POLICY=NONE }
-all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
+net	     { DEST=fw,		 POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+net	     { DEST=all,	 POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,				  LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+
+dmz	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+
+all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 </programlisting>
     </section>
 
@@ -631,7 +684,7 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
     # FAST_IF is primary, PROD_IF is fallback
     #
     ?info Compiling with FALLBACK
-    IPv6Fast	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent }
+    IPv6Beta	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
     ?if __IPV4
 	ComcastB    { NUMBER=4, MARK=0x10000,	 INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
     ?else    
@@ -641,19 +694,19 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
     # Statistically balance traffic between FAST_IF and PROD_IF
     ?info Compiling with STATISTICAL
     ?if __IPV4
-    	IPv6Fast    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
+    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
     ?else
 	HE	    { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,                        OPTIONS=track,load=0.33333333,persistent }
     ?endif
 ?else
     ?INFO Compiling with BALANCE
-    IPv6Fast	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
+    IPv6Beta	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
     ?if __IPV4
 	ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
     ?else
-        ?warning No BALANCE IPv6 configuration - using FALLBACK  
+        ?warning No BALANCE IPv6 configuration
 	HE	 { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,			     OPTIONS=fallback,persistent }
-    ?endif
+    ?endif    
 ?endif
 
 Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
@@ -670,19 +723,18 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
 
 #
 # This file ensures that the DMZ is routed out of the IF_PROD interface
-# and that the IPv6 subnets delegated by the Fast router are routed out
+# and that the IPv6 subnets delegated by the Beta router are routed out
 # of the IF_FAST interface.
 #
 ?if __IPV4
-    { SOURCE=70.90.191.121,70.90.191.123, PROVIDER=ComcastB, PRIORITY=1000! }
+    { SOURCE=70.90.191.121,70.90.191.123,10.1.10.1 PROVIDER=ComcastB, PRIORITY=1000! }
-    { SOURCE=&amp;FAST_IF,	              	  PROVIDER=IPv6Fast, PRIORITY=1000! }
+    { SOURCE=&amp;FAST_IF,	              	  	   PROVIDER=IPv6Beta, PRIORITY=1000! }
-    { SOURCE=br0,	     		  PROVIDER=ComcastB, PRIORITY=11000 }
+    { SOURCE=br0,	     		  	   PROVIDER=ComcastB, PRIORITY=11000 }
 ?else
-    { SOURCE=2001:470:A:227::/64,         PROVIDER=HE,	     PRIORITY=1000! }
+    { SOURCE=2601:601:a000:1600::/124		   PROVIDER=IPv6Beta, PRIORITY=1000! }
-    { SOURCE=2001:470:B:227::/64,         PROVIDER=HE,	     PRIORITY=11000 }
+    { SOURCE=2001:470:B:227::/64,         	   PROVIDER=HE,	      PRIORITY=11000 }
-    { SOURCE=2601:601:8b00:bf0::/60	  PROVIDER=IPv6Fast, PRIORITY=11000 }
+    { SOURCE=2601:601:a000:16f0::/60	  	   PROVIDER=IPv6Beta, PRIORITY=11000 }
-?endif
+?endif</programlisting>
-</programlisting>
     </section>
 
     <section>
@@ -705,6 +757,20 @@ $1	$MIRRORS
 </programlisting>
     </section>
 
+    <section>
+      <title>Macros</title>
+
+      <para>/etc/shorewall/macro.FTP:</para>
+
+      <programlisting>###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+PARAM	-	-	tcp	21
+</programlisting>
+
+      <para>This is just the normal Shorewall FTP macro without the helper
+      logic -- we take care of that in the conntrack file below.</para>
+    </section>
+
     <section>
       <title>conntrack</title>
 
@@ -749,6 +815,8 @@ Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
 ACCEPT		{ SOURCE=all, DEST=dmz:$SERVER, PROTO=tcp,  DPORT=61001:62000,  helper=ftp }
 ACCEPT		{ SOURCE=dmz, DEST=all,		PROTO=tcp,  helper=ftp }
 ACCEPT		{ SOURCE=all, DEST=net,		PROTO=tcp,  helper=ftp }
+ACCEPT		{ SOURCE=$FW, DEST=loc,		PROTO=tcp,  helper=ftp }
+ACCEPT		{ SOURCE=loc, DEST=$FW,		PROTO=tcp,  helper=ftp }
 ACCEPT		{ SOURCE=all, DEST=all,		PROTO=icmp }
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 ACCEPT		{ SOURCE=dmz, DEST=dmz }
@@ -773,8 +841,8 @@ CONTINUE	  { SOURCE=$FW, DEST=all }
 ######################################################################################################
 # Stop certain outgoing traffic to the net
 #
-REJECT:$LOG_LEVEL { SOURCE=loc,vpn1,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
+REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
-REJECT:$LOG_LEVEL { SOURCE=loc,vpn1,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
+REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
 
 REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
 REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
@@ -795,7 +863,7 @@ REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 ######################################################################################################
 # Ping
 #
-Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn1, DEST=$FW,loc,dmz,vpn1 }
+Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
 Ping(ACCEPT)	  { SOURCE=all,              DEST=net }
 ######################################################################################################
 # SSH
@@ -809,7 +877,7 @@ SSH(DNAT-)	  { SOURCE=net,              DEST=172.20.2.44, PROTO=tcp, DPORT=ssh,
 ######################################################################################################
 # DNS
 #
-DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn1,apps, DEST=$FW }
+DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
 DNS(ACCEPT)	  { SOURCE=$FW, DEST=net }
 ######################################################################################################
 # Traceroute
@@ -825,27 +893,31 @@ SMTP(REJECT)	   { SOURCE=dmz:$LISTS, DEST=net }
 IMAPS(ACCEPT)  	   { SOURCE=all, DEST=dmz:$MAIL }
 Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
 SMTPS(ACCEPT) 	   { SOURCE=all, DEST=dmz:$LISTS }
-IMAP(ACCEPT)	   { SOURCE=loc,vpn1, DEST=net }
+IMAP(ACCEPT)	   { SOURCE=loc,vpn, DEST=net }
 ######################################################################################################
 # NTP
 #
 NTP(ACCEPT)	   { SOURCE=all, DEST=net }
-NTP(ACCEPT)	   { SOURCE=loc,vpn1,dmz,apps DEST=$FW }
+NTP(ACCEPT)	   { SOURCE=loc,vpn,dmz,apps DEST=$FW }
+######################################################################################################
+# Squid
+ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } 
 ######################################################################################################
 # HTTP/HTTPS
 #
-Web(ACCEPT)	   { SOURCE=loc,vpn1 DEST=$FW }
+Web(ACCEPT)	   { SOURCE=loc,vpn DEST=$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=proxy }
 Web(DROP)	   { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
-HTTP(ACCEPT)	   { SOURCE=net,loc,vpn1,apps,$FW DEST=dmz:$SERVER,$LISTS }
+HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
-HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn1,apps,$FW DEST=dmz:$LISTS,$MAIL }
+HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
 Web(ACCEPT)	   { SOURCE=dmz,apps DEST=net,$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=root }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=teastep }
+Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=_apt }
 ######################################################################################################
 # FTP
 #
-FTP(ACCEPT)	   { SOURCE=loc,vpn1,apps DEST=net }
+FTP(ACCEPT)	   { SOURCE=loc,vpn,apps DEST=net }
 FTP(ACCEPT)	   { SOURCE=dmz,          DEST=net }
 FTP(ACCEPT)	   { SOURCE=$FW,          DEST=net, USER=root }
 FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
@@ -866,11 +938,11 @@ Whois(ACCEPT)	   { SOURCE=all, DEST=net }
 # SMB
 #
 SMBBI(ACCEPT)	    { SOURCE=loc, DEST=$FW }
-SMBBI(ACCEPT)	    { SOURCE=vpn1, DEST=$FW }
+SMBBI(ACCEPT)	    { SOURCE=vpn, DEST=$FW }
 ######################################################################################################
 # IRC
 #
-IRC(ACCEPT)	    { SOURCE=loc,vpn1,apps:IRC_IF, DEST=net }
+IRC(ACCEPT)	    { SOURCE=loc,vpn,apps:IRC_IF, DEST=net }
 ######################################################################################################
 # Rsync
 #
@@ -913,7 +985,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
       <programlisting>#ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 
 ?if __IPV4
-    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/24, DEST=FAST_IF }
+    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
     MASQUERADE 		{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
     SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
     SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
@@ -931,8 +1003,8 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
       <para>Both address families define IPSEC tunnels:</para>
 
       <programlisting>#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
-ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn1 }
+ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
-ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn1 }
+ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
 </programlisting>
     </section>
 

docs/ipsets.xml

@@ -56,12 +56,13 @@
     <ulink url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
     if they are not available in your current distribution. Instructions for
     installing xtables-addons may be found in the <ulink
-    url="Dynamic.html">Dynamic Zones article</ulink>.
+    url="Dynamic.html">Dynamic Zones article</ulink>. Note that xtables-addons
-    Note that xtables-addons might not be required
+    might not be required with the 'ipset' package provided by your
-    with the 'ipset' package provided by your distribution.
+    distribution. See also the section <ulink
-    See also the section <ulink url="configuration_file_basics.htm#capabilities">capabilities</ulink>
+    url="configuration_file_basics.htm#capabilities">capabilities</ulink> in
-    in the <ulink url="configuration_file_basics.htm">configuration file basics article</ulink>
+    the <ulink url="configuration_file_basics.htm">configuration file basics
-    and the <ulink url="Shorewall-Lite.html#Shorecap">Shorecap program</ulink>.</para>
+    article</ulink> and the <ulink url="Shorewall-Lite.html#Shorecap">Shorecap
+    program</ulink>.</para>
 
     <para>Ipset allows you to create one or more named sets of addresses then
     use those sets to define Netfilter/iptables rules. Possible uses of ipsets
@@ -151,6 +152,11 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
         url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
       </listitem>
 
+      <listitem>
+        <para>You must have at least one entry in the other configuration
+        files that uses an ipset.</para>
+      </listitem>
+
       <listitem>
         <para>You cannot use an ipset in <ulink
         url="manpages/shorewall-stoppedulres.html">shorewall-stoppedrules</ulink>