IPv6 Samples use logical interface names

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/manpages/shorewall.xml

@@ -3187,14 +3187,15 @@
     shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
     shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
     shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
-    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
-    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
-    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
-    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
-    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
+    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
+    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/Actions/action.TCPFlags

@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
+$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0

Shorewall/Macros/macro.IPMI

@@ -15,6 +15,7 @@ PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	tcp	3520		# Remote Console (Redfish)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS

Shorewall/Perl/Shorewall/Config.pm

@@ -30,6 +30,84 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
+#   A significant portion of this module is dedicated to the preprocessor:
+#
+#	process_compiler_directive() - processes compiler directives
+#
+#	embedded_shell() - handles embedded shell scripting
+#
+#	embedded_perl() - handles embedded perl scripting
+#
+#	read_a_line() - Reads the next configuration file record to
+#			be passed to the function processing the file.
+#
+#	    - Detects compiler directives and passes then to
+#	      process_compiler_directive() for handling.
+#
+#	    - Handles line continuation
+#
+#	    - Invokes a callback when the first (concatinated) non-directive
+#	      record is read from a file.
+#
+#	    - Conditionally expands variables.
+#
+#	    - Conditionally detects embedded Shell and Perl and passes them
+#	      off to embedded_shell() and embedded_perl() respectively.
+#
+#	    - Conditionally detects and handles [?}INCLUDE directives.
+#
+#	    - Conditionally detects and handles ?SECTION directives.
+#	      File processing functions can supply a callback to be
+#	      called during this processing.
+#
+#   File processing routines may need to open a second (third, fourth, ...)
+#   file while processing the main file (macro and/or action files). Two
+#   functions are provided to make that possible:
+#
+#      push_open() - open a file while leaving the current file open.
+#
+#      pop_open() - close the current file, and make the previous
+#		    file (if any) the current one.
+#
+#   Because this module expands variables, it must be aware of action
+#   parameters.
+#
+#	push_action_params() - populates the %actparams hash and
+#			       returns a reference to the previous
+#			       contents of that hash. The caller is
+#			       expected to store those contents locally.
+#
+#	pop_action_params()  - Restores the %actparams hash from
+#			       the reference returned by
+#			       push_action_params().
+#
+#   The following routines are provided for INLINE PERL within
+#   action bodies:
+#
+#	default_action_params() - called to fill in omitted
+#				  arguments when a DEFAULTS
+#				  line is encountered.
+#
+#	get_action_params() - returns an array of arguments.
+#
+#	setup_audit_action() - helper for A_* actions.
+#
+#	get_action_logging() - returns log level and tag
+#			       from the action's invocation.
+#
+#	get_action_chain_name() - returns chain name.
+#
+#	set_action_name_to_caller() - replace chain name
+#				      with that of invoking
+#				      chain for logging purposes.
+#
+#	set_action_disposition() - set the current action
+#				   disposition for logging purposes.
+#
+#	get_action_disposition() - get the current action disposition.
+#
+#	set_action_param() - set the value of an argument.
+#
 package Shorewall::Config;
 
 use strict;

Shorewall/Perl/Shorewall/Misc.pm

@@ -2448,7 +2448,7 @@ sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
     my @match;
-    my $chainref = $filter_table->{FORWARD};
+    my $chainref = $mangle_table->{FORWARD};
 
     if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {

Shorewall/Perl/Shorewall/Providers.pm

@@ -125,7 +125,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $mask   = in_hex( $globals{PROVIDER_MASK} );
     my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -512,6 +512,9 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
     } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
+
+	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
+
 	validate_address $gateway, 0;
 
 	if ( defined $mac ) {
@@ -689,7 +692,6 @@ sub process_a_provider( $ ) {
 	    
 	    $pref = 10000 + $number - 1;
 	}
-
     }
 
     unless ( $loose || $pseudo ) {
@@ -1697,7 +1699,7 @@ sub process_providers( $ ) {
     }
 
     if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
 
 	my $fn = open_file( 'route_rules' );
 
@@ -1936,7 +1938,6 @@ sub setup_providers() {
 
 	emit "fi\n";
     }
-
 }
 
 #

Shorewall/Perl/Shorewall/Rules.pm

@@ -1641,7 +1641,7 @@ sub merge_inline_source_dest( $$ ) {
 		    return join( ':', $invocation, $body );
 		}
 	    } else {
-		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+|/;
+		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+/;
 
 		if ( $invocation =~ /:\[|:\+/ ) {
 		    $invocation =~ s/:.*//;
@@ -1751,6 +1751,14 @@ sub process_action(\$\$$) {
 	fatal_error "Action $action may not be used in the mangle file"  if $chainref->{table} eq 'mangle';
     }
 
+    if ( $type & NAT_TABLE ) {
+	fatal_error "Action $action may only be used in the snat file" unless $chainref->{table} eq 'nat';
+    } else {
+	fatal_error "Action $action may not be used in the snat file"  if $chainref->{table} eq 'nat';
+    }
+
+    $param = $1 if $param =~ /^.*\|(.*)$/; #Strip interface name off of the parameters
+
     my $actionfile = $actionref->{file};
 
     progress_message2 "$doing $actionfile for chain $chainref->{name}...";
@@ -1939,7 +1947,7 @@ sub process_action(\$\$$) {
 
 	    for my $proto (split_list( $protos, 'Protocol' ) ) {
 		process_snat1( $chainref,
-			       $action,
+			       $nolog ? $action : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $action ),
 			       $source,
 			       $dest,
 			       $proto,
@@ -2066,9 +2074,9 @@ sub process_actions() {
 		unless ( $type & INLINE ) {
 		    $type = INLINE if $opts & INLINE_OPT;
 		}
-	    }
 
-	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
+		fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
+	    }
 
 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -2077,6 +2085,9 @@ sub process_actions() {
 			next;
 		    }
 
+		    delete $actions{$action};
+		    delete $targets{$action};
+		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -4589,6 +4600,52 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	TCPMSS     => {
+	    defaultchain   => FORWARD,
+	    allowedchains  => FORWARD | POSTROUTING,
+	    minparams      => 0,
+	    maxparams      => 2,
+	    function       => sub () {
+		if ( $proto eq '-' ) {
+		    $proto = TCP;
+		} else {
+		    fatal_error 'TCPMSS only valid with TCP' unless $proto eq '6' || $proto eq 'tcp';
+		}
+
+		$target   = 'TCPMSS ';
+		$matches .= '--tcp-flags SYN,RST SYN ';
+
+		if ( supplied $params ) {
+		    my ( $mss, $ipsec ) = split /,/, $params;
+
+		    if ( supplied $mss ) {
+			if ( $mss eq 'pmtu' ) {
+			    $target .= '--clamp-mss-to-pmtu';
+			} else {
+			    my $num = numeric_value $mss;
+			    fatal_error "Invalid MSS ($mss)" unless defined $num && $num >= 500 && $num < 65534;
+			    $target .= "--set-mss $num";
+			}
+		    } else {
+			$target .= '--clamp-mss-to-pmtu';
+		    }
+		    if ( supplied $ipsec && $ipsec ne 'all' ) {
+			if ( $ipsec eq '-' || $ipsec eq 'none' ) {
+			    $matches .= '-m policy --pol none --dir out ';
+			} elsif ( $ipsec eq 'ipsec' ) {
+			    $matches .= '-m policy --pol ipsec --dir out ';
+			} else {
+			    fatal_error "Invalid ipsec parameter ($ipsec)";
+			}
+
+			require_capability 'POLICY_MATCH', "The $ipsec ipsec option", 's';
+		    }
+		} else {
+		    $target .= '--clamp-mss-to-pmtu';
+		}
+	    },
+	},
+
 	TOS        => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -4612,8 +4669,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $port, $ip, $bad );
 
 		if ( $params ) {
-		    ( $port, $ip, $bad ) = split_list $params, 'Parameter';
-		    fatal_error "Invalid TPROXY specification( TPROXY($params) )" if defined $bad;
+		    ( $port, $ip ) = split /,/, $params, 2;
 		}
 
 		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
@@ -5205,18 +5261,23 @@ sub process_mangle_rule( $ ) {
     }
 }
 
-sub process_snat_inline( $$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat_inline( $$$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
+    my ( $level,
+	 $tag )    = split( ':', $loglevel, 2 );
     my $oldparms   = push_action_params( $inline,
 					 $chainref,
 					 $params,
-					  'none',
-					 '' ,
+					 supplied $level ? $level : 'none',
+					 defined  $tag   ? $tag   : '' ,
 					 $chainref->{name} );
 
-    my $inlinefile = $actions{$inline}{file};
-    my $matches    = fetch_inline_matches;
+    my $actionref    = $actions{$inline};
+    my $inlinefile   = $actionref->{file};
+    my $options      = $actionref->{options};
+    my $nolog        = $options & NOLOG_OPT;
+    my $matches      = fetch_inline_matches;
 
     progress_message "..Expanding inline action $inlinefile...";
 
@@ -5250,6 +5311,8 @@ sub process_snat_inline( $$$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	$maction = merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $maction ) unless $nolog;
+
 	$msource = $source if $msource eq '-';
 
 	if ( $mdest eq '-' ) {
@@ -5294,7 +5357,7 @@ sub process_snat_inline( $$$$$$$$$$$$$ ) {
 # Process a record in the snat file
 #
 sub process_snat1( $$$$$$$$$$$$ ) {
-    my ( $chainref, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $inchain;
     my $inaction;
@@ -5311,6 +5374,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     my $actiontype;
     my $interfaces;
     my $normalized_action;
+    my ( $action, $loglevel ) = split_action( $origaction );
+    my $logaction;
+    my $param;
 
     if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5319,6 +5385,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
 	$add_snat_aliases = '';
+	$logaction  = 'MASQ';
     } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
 	$addresses  = $2;
@@ -5327,13 +5394,16 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$options   .= ':persistent' if $addresses =~ s/:persistent//;
 	$options   .= ':random'     if $addresses =~ s/:random//;
 	$options   =~ s/^://;
+	$logaction = 'SNAT';
     } elsif ( $action =~ /^CONTINUE(\+)?$/ ) {
 	$add_snat_aliases = 0;
 	$actiontype = $builtin_target{$target = 'RETURN'};
 	$pre_nat    = $1;
+	$logaction = 'RETURN';
     } elsif ( $action eq 'MASQUERADE' ) {
 	$actiontype = $builtin_target{$target = 'MASQUERADE'};
 	$add_snat_aliases = '';
+	$logaction  = 'MASQ';
     } else {
 	( $target , $params ) = get_target_param1( $action );
 
@@ -5341,11 +5411,24 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	$actiontype = ( $targets{$target} || 0 );
 
-	fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
+	if ( $actiontype & LOGRULE ) {
+	    $logaction = 'LOG';
+	    if ( $target eq 'LOG' ) {
+		fatal_error 'LOG requires a log level' unless supplied $loglevel;
+	    } else {
+		$target   = "$target($params)";
+		validate_level( $action );
+		$loglevel = supplied $loglevel ? join( ':', $target, $loglevel ) : $target;
+		$target   = 'LOG';
+	    }
+	} else {
+	    fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
+	    $logaction = '';
+	}
     }
 
     if ( $inchain = defined $chainref ) {
-	( $inaction, undef, $interfaces, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 5 if $chainref->{action};
+	( $inaction, undef,undef,undef,$param ) = split( /:/, $normalized_action = $chainref->{action}) if $chainref->{action};
 	fatal_error q('+' is not allowed within an action body) if $pre_nat;
     }
     #
@@ -5353,6 +5436,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     #
     if ( $inaction ) {
 	$destnets = $dest;
+	assert( $param =~ /^(.*)\|/ );
+	$interfaces=$1;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
 	    $add_snat_aliases = 0;
@@ -5594,6 +5679,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    process_snat_inline( $target,
 				 $chainref,
 				 $params,
+				 $loglevel,
 				 $source,
 				 supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
 				 $proto,
@@ -5611,7 +5697,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
 		#
-		my $normalized_target = normalize_action( $target, "none:$interface", $params );
+		my $normalized_target = normalize_action( $target, "$loglevel", "$interface|$params" );
 		fatal_error( "Action $target invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$target};
 
 		my $ref = use_action( 'nat', $normalized_target );
@@ -5621,9 +5707,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		    # First reference to this tuple - process_action may modify both $normalized_target and $ref!!!
 		    #
 		    process_action( $normalized_target, $ref, $chainref->{name} );
-		    #
-		    # Capture the name of the action chain
-		    #
 		} else {
 		    #
 		    # We've seen this tuple before
@@ -5632,6 +5715,12 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		}
 
 		$target = $ref->{name};
+
+		if ( $actions{$target}{options} & LOGJUMP_OPT ) {
+		    $logaction = $target;
+		} else {
+		    $loglevel = '';
+		}
 	    } else {
 		for my $option ( split_list2( $options , 'option' ) ) {
 		    if ( $option eq 'random' ) {
@@ -5660,8 +5749,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			 $destnets ,
 			 $origdest ,
 			 $target ,
-			 '' ,
-			 '' ,
+			 $loglevel ,
+			 $logaction ,
 			 $exceptionrule ,
 			 '' )
 		unless unreachable_warning( 0, $chainref );

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2

Shorewall/Samples/three-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
-ACCEPT		eth2		-
-ACCEPT		-		eth2
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
+ACCEPT		DMZ_IF		-
+ACCEPT		-		DMZ_IF
 

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1

Shorewall/Samples/two-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF

Shorewall/actions.std

@@ -21,7 +21,11 @@ allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+?if __ADDRTYPE
+Broadcast    inline,audit	# Handles Broadcast/Anycast
+?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
+?endif
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
@@ -40,7 +44,11 @@ IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Limit	     noinline		# Limit the rate of connections from each individual IP address
+?if __ADDRTYPE
+Multicast    inline,audit	# Handles Multicast
+?else
 Multicast    noinline,audit	# Handles Multicast
+?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
 rejNotSyn    noinline		# Silently Reject Non-syn TCP packets

Shorewall/install.sh

@@ -213,6 +213,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=suse
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ] ; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -264,6 +266,9 @@ case "$HOST" in
     archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
+    openwrt)
+	echo "Installing OpenWRT-specific configuration..."
+	;;
     linux)
 	;;
     *)

Shorewall/lib.cli-std

@@ -211,30 +211,35 @@ get_config() {
 	LOG_VERBOSITY=-1
     fi
 
-    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
+    if [ -z "${g_export}${g_test}" ]; then
+	if [ -n "$SHOREWALL_SHELL" ]; then
+	    if [ ! -x "$SHOREWALL_SHELL" ]; then
+		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+		SHOREWALL_SHELL=/bin/sh
+	    fi
 	fi
-    fi
 
-    if [ -n "$IP" ]; then
-	case "$IP" in
-	    */*)
-		if [ ! -x "$IP" ] ; then
-		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IP 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    fatal_error "Can't find $IP executable"
-		fi
-		IP=$prog
-		;;
-	esac
+	if [ -n "$IP" ]; then
+	    case "$IP" in
+		*/*)
+		    if [ ! -x "$IP" ] ; then
+			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    prog="$(mywhich $IP 2> /dev/null)"
+		    if [ -z "$prog" ] ; then
+			fatal_error "Can't find $IP executable"
+		    fi
+		    IP=$prog
+		    ;;
+	    esac
+	else
+	    IP='ip'
+	fi
     else
-	IP='ip'
+	[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
+	[ -n "$IP" ]              || IP='ip'
     fi
 
     case $VERBOSITY in
@@ -770,6 +775,10 @@ check_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -854,6 +863,10 @@ update_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -1527,6 +1540,8 @@ remote_reload_command() # $* = original arguments less the command.
 	litedir="${VARDIR}-lite"
     fi
 
+    g_export=Yes
+
     if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
@@ -1566,8 +1581,6 @@ remote_reload_command() # $* = original arguments less the command.
 
     file=$(resolve_file $g_shorewalldir/firewall)
 
-    g_export=Yes
-
     program=$sbindir/${PRODUCT}-lite
     #
     # Handle nonstandard remote VARDIR

Shorewall/manpages/shorewall-accounting.xml

@@ -791,11 +791,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    url="/Accounting.html">http://www.shorewall.net/Accounting.html
-    </ulink></para>
-
-    <para><ulink
-    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+    url="shorewall-logging.htm">shorewall-logging(5)</ulink></para>
 
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

Shorewall/manpages/shorewall-blrules.xml

@@ -167,7 +167,7 @@
               <listitem>
                 <para>queues matching packets to a back end logging daemon via
                 a netlink socket then continues to the next rule. See <ulink
-                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -258,7 +258,7 @@
           <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
           (must be in upper case) as a log level.This will log to the NFLOG
           target for routing to a separate log through use of ulogd (<ulink
-          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+          url="shorewall-logging.html">shorewall-logging.htm</ulink>).</para>
 
           <para>Actions specifying logging may be followed by a log tag (a
           string of alphanumeric characters) which is appended to the string

Shorewall/manpages/shorewall-logging.xml

@@ -0,0 +1,385 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-logging</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>logging</refname>
+
+    <refpurpose>Shorewall logging</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command><replaceable>action</replaceable>:<replaceable>level</replaceable></command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>NFLOG(<replaceable>nflog-parameters</replaceable>)</command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>ULOG(<replaceable>ulog-parameters</replaceable>)</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The disposition of packets entering a Shorewall firewall is
+    determined by one of a number of Shorewall facilities. Only some of these
+    facilities permit logging.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The packet is part of an established connection. While the
+        packet can be logged using LOG rules in the ESTABLISHED section of
+        <ulink
+        url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
+        is not recommended because of the large amount of information that may
+        be logged.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet represents a connection request that is related to an
+        established connection (such as a <ulink url="FTP.html">data
+        connection associated with an FTP control connection</ulink>). These
+        packets may be logged using LOG rules in the RELATED section of <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet is rejected because of an option in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) or <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
+        These packets can be logged by setting the appropriate logging-related
+        option in <ulink
+        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet matches a rule in <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5). By
+        including a syslog level (see below) in the ACTION column of a rule
+        (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net $FW tcp
+        22</quote>), the connection attempt will be logged at that
+        level.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet doesn't match a rule so it is handled by a policy
+        defined in <ulink
+        url="manpages/shorewall-policy.html">shorewall-policy(5)</ulink>.
+        These may be logged by specifying a syslog level in the LOG LEVEL
+        column of the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
+        role="bold">info</emphasis></quote>).</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
+  <refsect1>
+    <title>Default Logging</title>
+
+    <para>By default, Shorewall directs Netfilter to log using syslog (8).
+    Syslog classifies log messages by a <emphasis>facility</emphasis> and a
+    <emphasis>priority</emphasis> (using the notation
+    <emphasis>facility.priority</emphasis>).</para>
+
+    <para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
+    daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
+    <emphasis>local0</emphasis> through <emphasis>local7.</emphasis></para>
+
+    <para>Throughout the Shorewall documentation, the term
+    <emphasis>level</emphasis> rather than <emphasis>priority is used,
+    </emphasis>since <emphasis>level</emphasis> is the term used by Netfilter.
+    The syslog documentation uses the term
+    <emphasis>priority</emphasis>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Syslog Levels</title>
+
+    <para>Syslog levels are a method of describing to syslog (8) the
+    importance of a message. A number of Shorewall parameters have a syslog
+    level as their value.</para>
+
+    <para>Valid levels are:</para>
+
+    <simplelist>
+      <member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
+      messages)</member>
+
+      <member>6 - <emphasis role="bold">info</emphasis>
+      (Informational)</member>
+
+      <member>5 - <emphasis role="bold">notice</emphasis> (Normal but
+      significant Condition)</member>
+
+      <member>4 - <emphasis role="bold">warning</emphasis> (Warning
+      Condition)</member>
+
+      <member>3 - <emphasis role="bold">err</emphasis> (Error
+      Condition)</member>
+
+      <member>2 - <emphasis role="bold">crit</emphasis> (Critical
+      Conditions)</member>
+
+      <member>1 - <emphasis role="bold">alert</emphasis> (must be handled
+      immediately)</member>
+
+      <member>0 - <emphasis role="bold">emerg</emphasis> (System is
+      unusable)</member>
+    </simplelist>
+
+    <para>For most Shorewall logging, a level of 6 (info) is appropriate.
+    Shorewall log messages are generated by Netfilter and are logged using the
+    <emphasis>kern</emphasis> facility and the level that you specify. If you
+    are unsure of the level to choose, 6 (info) is a safe bet. You may specify
+    levels by name or by number.</para>
+
+    <para>Beginning with Shorewall 4.5.5, the <replaceable>level</replaceable>
+    name or number may be optionally followed by a comma-separated list of one
+    or more<replaceable> log options</replaceable>. The list is enclosed in
+    parentheses. Log options cause additional information to be included in
+    each log message.</para>
+
+    <para>Valid log options are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ip_options</emphasis></term>
+
+        <listitem>
+          <para>Log messages will include the option settings from the IP
+          header.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">macdecode</emphasis></term>
+
+        <listitem>
+          <para>Decode the MAC address and protocol.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">tcp_sequence</emphasis></term>
+
+        <listitem>
+          <para>Include TCP sequence numbers.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">tcp_options</emphasis></term>
+
+        <listitem>
+          <para>Include options from the TCP header.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">uid</emphasis></term>
+
+        <listitem>
+          <para>Include the UID of the sending program; only valid for packets
+          originating on the firewall itself.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Example: <emphasis
+    role="bold">info(tcp_options,tcp_sequence)</emphasis></para>
+
+    <para>Syslogd writes log messages to files (typically in <filename
+    class="directory">/var/log/</filename>*) based on their facility and
+    level. The mapping of these facility/level pairs to log files is done in
+    /etc/syslog.conf (5). If you make changes to this file, you must restart
+    syslogd before the changes can take effect.</para>
+
+    <para>Syslog may also write to your system console. See <ulink
+    url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
+    Shorewall messages written to the console.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
+
+    <para>There are a couple of limitations to syslogd-based logging:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>If you give, for example, kern.info its own log destination then
+        that destination will also receive all kernel messages of levels 5
+        (notice) through 0 (emerg).</para>
+      </listitem>
+
+      <listitem>
+        <para>All kernel.info messages will go to that destination and not
+        just those from Netfilter.</para>
+      </listitem>
+
+      <listitem>
+        <para>Netfilter (Shorewall) messages show up in
+        <command>dmesg</command>.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>If your kernel has NFLOG target support (and most vendor-supplied
+    kernels do), you may also specify a log level of NFLOG (must be all caps).
+    When NFLOG is used, Shorewall will direct Netfilter to log the related
+    messages via the NFLOG target which will send them to a process called
+    <quote>ulogd</quote>. The ulogd program is included in most
+    distributions.</para>
+
+    <note>
+      <para>The NFLOG logging mechanism is <emphasis
+      role="underline">completely separate</emphasis> from syslog. Once you
+      switch to NFLOG, the settings in <filename>/etc/syslog.conf</filename>
+      have absolutely no effect on your Shorewall logging (except for
+      Shorewall status messages which still go to syslog).</para>
+    </note>
+
+    <para>You will need to change all instances of log levels (usually
+    <quote>info</quote>) in your Shorewall configuration files to
+    <quote>NFLOG</quote> - this includes entries in the policy, rules and
+    shorewall.conf files. If you initially installed using Shorewall 5.1.2 or
+    later, you can simply change the setting of LOG_LEVEL in
+    shorewall.conf.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Understanding the Contents of Shorewall Log Messages</title>
+
+    <para>For general information on the contents of Netfilter log messages,
+    see <ulink
+    url="http://logi.cc/en/2010/07/netfilter-log-format/">http://logi.cc/en/2010/07/netfilter-log-format/</ulink>.</para>
+
+    <para>For Shorewall-specific information, see <ulink
+    url="/FAQ.htm#faq17">FAQ #17</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Customizing the Content of Shorewall Log Messages</title>
+
+    <para>In a Shorewall logging rule, the log level can be followed by a
+    <firstterm>log tag</firstterm> as in "DROP:NFLOG:junk". The generated log
+    message will include "<emphasis>chain-name</emphasis> junk DROP".</para>
+
+    <para>By setting the LOGTAGONLY option to Yes in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+    disposition ('DROP' in the above example) will be omitted. Consider the
+    following rule:</para>
+
+    <programlisting>#ACTION                                    SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+    <para>This rule generates the following warning at compile time:</para>
+
+    <simplelist>
+      <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
+      /etc/shorewall/rules (line 212)</member>
+    </simplelist>
+
+    <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
+    ".</para>
+
+    <para>Now consider this similar rule:</para>
+
+    <programlisting>#ACTION                                              SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+    <para>With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
+    "Shorewall:IPv6:tunneling:"</para>
+
+    <para>See the <ulink url="shorewall.conf.html">shorewall[6].conf man
+    page</ulink> for further information about how LOGTAGONLY=Yes can be
+    used.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Log Backends</title>
+
+    <para>Netfilter logging allows configuration of multiple backends. Logging
+    backends provide the The low-level forward of log messages. There are
+    currently three backends:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>LOG (ipt_LOG and ip6t_LOG).</term>
+
+        <listitem>
+          <para>Normal kernel-based logging to a syslog daemon.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ULOG (ipt_ULOG)</term>
+
+        <listitem>
+          <para>ULOG logging as described ablve. Only available for
+          IPv4.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>netlink (nfnetlink_log)</term>
+
+        <listitem>
+          <para>The logging backend behind NFLOG, defined above.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The currently-available and currently-selected IPv4 and IPv6
+    backends are shown in /proc/sys/net/netfilter/nf_log:</para>
+
+    <programlisting>cat /proc/net/netfilter/nf_log
+ 0 NONE (nfnetlink_log)
+ 1 NONE (nfnetlink_log)
+ 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
+ 3 NONE (nfnetlink_log)
+ 4 NONE (nfnetlink_log)
+ 5 NONE (nfnetlink_log)
+ 6 NONE (nfnetlink_log)
+ 7 NONE (nfnetlink_log)
+ 8 NONE (nfnetlink_log)
+ 9 NONE (nfnetlink_log)
+10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
+11 NONE (nfnetlink_log)
+12 NONE (nfnetlink_log)</programlisting>
+
+    <para>The magic numbers (0-12) are Linux address family numbers (AF_INET
+    is 2 and AF_INET6 is 10).</para>
+
+    <para>The name immediately following the number is the currently-selected
+    backend, and the ones in parantheses are the ones that are available. You
+    can change the currently selected backend by echoing it's name into
+    /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
+
+    <para>Example - change the IPv4 backend to LOG:</para>
+
+    <programlisting>sysctl net.netfilter.nf_log.2=ipt_LOG</programlisting>
+
+    <para>Beginning with Shorewall 4.6.4, you can configure the backend using
+    the LOG_BACKEND option in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
+    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+
+    <para><ulink
+    url="/shorewall_logging.htm">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-mangle.xml

@@ -674,6 +674,43 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">TCPMSS</emphasis>([<replaceable>mss</replaceable>[,<replaceable>ipsec</replaceable>]])</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.9. This target only applies to
+                TCP traffic and alters the MSS value in SYN packets. It may be
+                used in the FOWARD and POSTROUTING chains; the default is
+                FORWARD.</para>
+
+                <para>The <replaceable>mss</replaceable> parameter may be
+                either <option>pmtu</option> or an integer in the range
+                500:65533. The value <option>pmtu</option> automatically
+                clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
+                IPv6). This may not function as desired where asymmetric
+                routes with differing path MTU exist — the kernel uses the
+                path MTU which it would use to send packets from itself to the
+                source and destination IP addresses. Prior to Linux 2.6.25,
+                only the path MTU to the destination IP address was considered
+                by this option; subsequent kernels also consider the path MTU
+                to the source IP address. If an integer is given, the MSS
+                option is set to the specified value. If the MSS of the packet
+                is already lower than <replaceable>mss</replaceable>, it will
+                not be increased (from Linux 2.6.25 onwards) to avoid more
+                problems with hosts relying on a proper MSS. If
+                <replaceable>mss</replaceable> is omitted,
+                <option>pmtu</option> is assumed.</para>
+
+                <para>The <replaceable>ipsec</replaceable> parameter
+                determines whether the rule applies to IPSEC traffic
+                (<option>ipsec</option> is passed), non-IPSEC traffic
+                (<option>none</option> is passed) or both
+                (<option>all</option> is passed). If omitted,
+                <option>all</option> is assumed.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</term>
@@ -710,7 +747,7 @@ Normal-Service       =&gt; 0x00</programlisting>
 
             <varlistentry>
               <term><emphasis
-              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</term>
+              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>[,<replaceable>address</replaceable>]])</term>
 
               <listitem>
                 <para>Transparently redirects a packet without altering the IP

Shorewall/manpages/shorewall-policy.xml

@@ -279,8 +279,8 @@
           separate log through use of ulogd (<ulink
           url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
 
-          <para>For a description of log levels, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+          <para>For a description of logging, see <ulink
+          url="/shorewall_logging.html">shorewall-logging(5)</ulink>.</para>
 
           <para>If you don't want to log but need to specify the following
           column, place "-" here.</para>

Shorewall/manpages/shorewall-rules.xml

@@ -67,7 +67,7 @@
           this section.</para>
 
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE</para>
 
           <para>There is an implicit ACCEPT rule inserted at the end of this
           section.</para>
@@ -82,7 +82,7 @@
           section.</para>
 
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the RELATED_DISPOSITION (<ulink
@@ -98,7 +98,7 @@
           processed by rules in this section.</para>
 
           <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the INVALID_DISPOSITION (<ulink
@@ -114,7 +114,7 @@
           processed by rules in this section.</para>
 
           <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para>
 
           <para>There is an implicit rule added at the end of this section
           that invokes the UNTRACKED_DISPOSITION (<ulink
@@ -908,7 +908,7 @@
                 <para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
                 packets to a back end logging daemon via a netlink socket then
                 continues to the next rule. See <ulink
-                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
 
                 <para>Similar to<emphasis role="bold">
                 LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
@@ -956,7 +956,7 @@
           (IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
           upper case) as a log level.This will log to the ULOG or NFLOG target
           for routing to a separate log through use of ulogd (<ulink
-          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+          url="shorewall-logging.html">shorewall-logging(5)</ulink>).</para>
 
           <para>Actions specifying logging may be followed by a log tag (a
           string of alphanumeric characters) which is appended to the string
@@ -2636,15 +2636,15 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="shorewall-logging.html">shorewall-logging(5)</ulink></para>
+
     <para><ulink
     url="/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
 
     <para><ulink
     url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
 
-    <para><ulink
-    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
-
     <para>shorewall(8)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-snat.xml

@@ -52,12 +52,52 @@
         <term><emphasis role="bold">ACTION</emphasis></term>
 
         <listitem>
-          <para>Defines the type of rule to generate. Choices are:</para>
+          <para>Defines the type of rule to generate. Beginning with Shorewall
+          5.1.9, with the exception of NFLOG and ULOG, the action may be
+          followed by a colon (":") and a <replaceable>log level</replaceable>
+          (see <ulink
+          url="shorewall-logging.html">shorewall-logging(5)</ulink>).</para>
+
+          <para>Choices for ACTION are:</para>
 
           <variablelist>
             <varlistentry>
               <term><emphasis
-              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
+              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)][:<replaceable>level</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>action</replaceable> is an action
+                declared in <ulink
+                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
+                with the <option>nat</option> option. See <ulink
+                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
+                further information.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">CONTINUE</emphasis>[+]:<replaceable>level</replaceable></term>
+
+              <listitem>
+                <para>Causes matching packets to be exempted from any
+                following rules in the file.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.9. Simply log the packet and
+                continue with the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])][:<replaceable>level</replaceable>]</term>
 
               <listitem>
                 <para>Causes matching outgoing packages to have their source
@@ -73,12 +113,52 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.9. Queues matching packets to a
+                back end logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
+
+                <para>The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>NFLOG is similar to<emphasis role="bold">
+                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
               role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>)</term>
+              role="bold">detect</emphasis>)[:<replaceable>level</replaceable>]</term>
 
               <listitem>
                 <para>If you specify an address here, matching packets will
@@ -132,26 +212,21 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">CONTINUE</emphasis>[+]</term>
-
-              <listitem>
-                <para>Causes matching packets to be exempted from any
-                following rules in the file.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
-              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
+              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
 
               <listitem>
-                <para>where <replaceable>action</replaceable> is an action
-                declared in <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
-                with the <option>nat</option> option. See <ulink
-                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
-                further information.</para>
+                <para>IPv4 only. Added in Shorewall 5.1.9. Queues matching
+                packets to a back end logging daemon via a netlink socket then
+                continues to the next rule. See <ulink
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
+
+                <para>Similar to<emphasis role="bold">
+                LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall.conf.xml

@@ -1566,10 +1566,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
           If not assigned or if assigned an empty value, /var/log/messages is
           assumed. For further information, see <ulink
-          url="/manpages/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
-          Beginning with Shorewall 5.0.10.1, you may specify
-          <option>systemd</option> to use <command>journelctl -r</command> to
-          read the log.</para>
+          url="shorewall-logging.html">shorewall-logging(8)</ulink>. Beginning
+          with Shorewall 5.0.10.1, you may specify <option>systemd</option> to
+          use <command>journelctl -r</command> to read the log.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 5 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Shorewall6 - Sample Interfaces File for one-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags
+net     NET_IF          tcpflags,physical=eth0

Shorewall6/Samples6/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014by the Shorewall Team
+# Shorewall6 - Sample Interfaces File for three-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1,sourceroute=0
-loc     eth1            tcpflags,forward=1
-dmz     eth2            tcpflags,forward=1
+net     NET_IF          tcpflags,forward=1,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,forward=1,physical=eth1
+dmz     DMZ_IF          tcpflags,forward=1,physical=eth2

Shorewall6/Samples6/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Shorewall6 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,7 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
-ACCEPT		eth2		-
-ACCEPT		-		eth2
-
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
+ACCEPT		DMZ_IF		-
+ACCEPT		-		DMZ_IF

Shorewall6/Samples6/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Shorewall6 - Sample Interfaces File for two-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1,sourceroute=0
-loc     eth1            tcpflags,forward=1
+net     NET_IF          tcpflags,forward=1,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,forward=1,physical=eth1

Shorewall6/Samples6/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Shorewall6 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF

docs/Documentation_Index.xml

@@ -162,8 +162,7 @@
             <entry><ulink url="traffic_shaping.htm">Bandwidth
             Control</ulink></entry>
 
-            <entry>Manpages (<ulink url="Manpages.html">IPv4</ulink>) (<ulink
-            url="Manpages6.html">IPv6</ulink>)</entry>
+            <entry><ulink url="Manpages.html">Manpages</ulink></entry>
 
             <entry><ulink
             url="starting_and_stopping_shorewall.htm">Starting/stopping the

docs/Manpages.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2007-2015</year>
+      <year>2007-2017</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -83,6 +83,9 @@
         Describes how to specify set names in Shorewall configuration
         files.</member>
 
+        <member><ulink url="manpages/shorewall-logging.html">logging</ulink> -
+        Provides an overview of Shorewall packet logging facilities</member>
+
         <member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> -
         Define MAC verification.</member>
 
@@ -115,7 +118,11 @@
         routing tables, usually for multiple Internet links.</member>
 
         <member><ulink url="manpages/shorewall-proxyarp.html">proxyarp</ulink>
-        - Define Proxy ARP.</member>
+        - Define Proxy ARP (IPv4)</member>
+
+        <member><ulink
+        url="manpages6/shorewall-proxyndp.html">proxyndp</ulink> - Define
+        Proxy NDP (IPv6)</member>
 
         <member><ulink url="manpages/shorewall-rtrules.html">rtrules</ulink> -
         Define routing rules.</member>
@@ -157,10 +164,18 @@
         url="manpages/shorewall.conf.html">shorewall.conf</ulink> - Specify
         values for global Shorewall options.</member>
 
+        <member><ulink
+        url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
+        values for global Shorewall6 options.</member>
+
         <member><ulink
         url="manpages/shorewall-lite.conf.html">shorewall-lite.conf</ulink> -
         Specify values for global Shorewall Lite options.</member>
 
+        <member><ulink
+        url="manpages6/shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>
+        - Specify values for global Shorewall6 Lite options.</member>
+
         <member><ulink url="manpages/shorewall-vardir.html">vardir</ulink> -
         Redefine the directory where Shorewall keeps its state
         information.</member>
@@ -182,16 +197,8 @@
     <blockquote>
       <simplelist>
         <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
-        /sbin/shorewall command syntax and semantics.</member>
-
-        <member><ulink
-        url="manpages/shorewall-init.html">shorewall-init</ulink> - Companion
-        package that allows for automatic start/stop of other Shorewall
-        products based on network events.</member>
-
-        <member><ulink
-        url="manpages/shorewall-lite.html">shorewall-lite</ulink> -
-        /sbin/shorewall-lite command syntax and semantics.</member>
+        /sbin/shorewall, /sbin/shorewall6/, /sbin/shorewall-lite and
+        /sbin/shorewall6-line command syntax and semantics.</member>
       </simplelist>
     </blockquote>
   </section>

docs/SharedConfig.xml

@@ -65,6 +65,10 @@
     mail exchanger, and an IMAPS mail access server. The second bridge (br1)
     provides access to a container running irssi under screen, allowing
     constant access to and monitoring of IRC channels.</para>
+
+    <para>Here is a diagram of this installation:</para>
+
+    <graphic fileref="images/Network2017.png"/>
   </section>
 
   <section>
@@ -72,26 +76,26 @@
 
     <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
 
-    <programlisting>oot@gateway:~# ls -l /etc/shorewall/
+    <programlisting>root@gateway:~# ls -l /etc/shorewall/
 total 92
 -rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
--rw-r--r-- 1 root root  109 Jun 29 15:13 actions
+-rw-r--r-- 1 root root  109 Oct 20 09:18 actions
 -rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
 -rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
 -rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
 -rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
 -rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
--rw-r--r-- 1 root root  497 Jul  1 10:42 mangle
+-rw-r--r-- 1 root root  559 Oct 19 12:56 mangle
 -rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
 -rw-r--r-- 1 root root 2687 Oct 15 14:20 params
--rw-r--r-- 1 root root 2688 Oct 15 15:10 #params#
 -rw-r--r-- 1 root root  738 Oct 15 12:16 policy
 -rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
 -rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
--rw-r--r-- 1 root root  730 Oct 10 12:59 rtrules
+-rw-r--r-- 1 root root  738 Nov  8 09:34 routes
+-rw-r--r-- 1 root root  729 Nov  7 12:52 rtrules
 -rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
--rw-r--r-- 1 root root 5521 Oct 13 13:16 shorewall.conf
--rw-r--r-- 1 root root 1084 Oct 14 11:48 snat
+-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
+-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
 -rw-r--r-- 1 root root  181 Jun 29 15:12 started
 -rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
 -rw-r--r-- 1 root root  941 Oct 15 11:27 zones
@@ -731,12 +735,29 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
     { SOURCE=&amp;FAST_IF,	              	  	   PROVIDER=IPv6Beta, PRIORITY=1000! }
     { SOURCE=br0,	     		  	   PROVIDER=ComcastB, PRIORITY=11000 }
 ?else
-    { SOURCE=2601:601:a000:1600::/124		   PROVIDER=IPv6Beta, PRIORITY=1000! }
-    { SOURCE=2001:470:B:227::/64,         	   PROVIDER=HE,	      PRIORITY=11000 }
+    { SOURCE=2601:601:a000:1600::/64		   PROVIDER=IPv6Beta, PRIORITY=1000! }
+    { SOURCE=2001:470:B:227::/64,         	   PROVIDER=HE,	      PRIORITY=1000! }
     { SOURCE=2601:601:a000:16f0::/60	  	   PROVIDER=IPv6Beta, PRIORITY=11000 }
 ?endif</programlisting>
     </section>
 
+    <section>
+      <title>routes</title>
+
+      <para>This file is used only for IPv6:</para>
+
+      <programlisting>#PROVIDER		DEST			GATEWAY		DEVICE	OPTIONS
+?if __IPV6
+    #
+    # In my version of FOOLSM (1.0.10), the 'sourceip' option doesn't work.
+    # As a result, routing rules that specify the source IPv6 address are
+    # not effective in routing the 'ping' request packets out of FAST_IF.
+    # The following route solves that problem.
+    #
+    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
+?endif</programlisting>
+    </section>
+
     <section>
       <title>actions</title>
 

docs/shorewall_logging.xml

@@ -248,7 +248,7 @@
       <para>If your kernel has NFLOG target support (and most vendor-supplied
       kernels do), you may also specify a log level of NFLOG (must be all
       caps). When NFLOG is used, Shorewall will direct Netfilter to log the
-      related messages via the ULOG target which will send them to a process
+      related messages via the NFLOG target which will send them to a process
       called <quote>ulogd</quote>. The ulogd program is included in most
       distributions and is also available from <ulink
       url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>.
@@ -258,7 +258,7 @@
       <note>
         <para>The NFLOG logging mechanism is <emphasis
         role="underline">completely separate</emphasis> from syslog. Once you
-        switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
+        switch to NFLOG, the settings in <filename>/etc/syslog.conf</filename>
         have absolutely no effect on your Shorewall logging (except for
         Shorewall status messages which still go to syslog).</para>
       </note>

docs/standalone.xml

@@ -360,14 +360,6 @@ root@lists:~# </programlisting>
     are there, you may wish to review the list of options that are specified
     for the interface. Some hints:</para>
 
-    <tip>
-      <para>If your external interface is <filename
-      class="devicefile">ppp0</filename> or <filename
-      class="devicefile">ippp0</filename>, you can replace the
-      <quote>detect</quote> in the second column with <quote>-</quote> (minus
-      the quotes).</para>
-    </tip>
-
     <tip>
       <para>If your external interface is <filename
       class="devicefile">ppp0</filename> or <filename

docs/three-interface.xml

@@ -485,20 +485,17 @@ root@lists:~# </programlisting>
     are there, you may wish to review the list of options that are specified
     for the interfaces. Some hints:</para>
 
-    <tip>
-      <para>If your external interface is <filename
-      class="devicefile">ppp0</filename> or <filename
-      class="devicefile">ippp0</filename>, you can replace the
-      <quote>detect</quote> in the second column with <quote>-</quote>
-      (without the quotes).</para>
-    </tip>
-
     <tip>
       <para>If your external interface is <filename
       class="devicefile">ppp0</filename> or <filename
       class="devicefile">ippp0</filename> or if you have a static IP address,
       you can remove <quote>dhcp</quote> from the option list.</para>
     </tip>
+
+    <para>Prior to Shorewall 5.1.9, it is also required to change the snat and
+    stoppedrules file, to replace <filename>eth0</filename> with the name of
+    your external interface and <filename>eth1</filename> with the name of
+    your local interface.</para>
   </section>
 
   <section id="Addresses">

docs/two-interface.xml

@@ -442,12 +442,6 @@ root@lists:~# </programlisting>
     class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
     file accordingly. While you are there, you may wish to review the list of
     options that are specified for the interfaces. Some hints:<tip>
-        <para>If your external interface is <filename
-        class="devicefile">ppp0</filename> or <filename
-        class="devicefile">ippp0</filename>, you can replace the
-        <varname>detect</varname> in the second column with a <quote>-</quote>
-        (minus the quotes).</para>
-      </tip><tip>
         <para>If your external interface is <filename
         class="devicefile">ppp0</filename> or <filename
         class="devicefile">ippp0</filename> or if you have a static
@@ -459,6 +453,10 @@ root@lists:~# </programlisting>
         add the <varname>routeback</varname> option to the option
         list.</emphasis></para>
       </tip></para>
+
+    <para>Prior to Shorewall 5.1.9, you will also need to modify the snat and
+    stopped rules file, replacing eth1 with the name of your internal
+    interface.</para>
   </section>
 
   <section id="Addresses">