Correct handling of dbl=src_dst in interface OPTIONS

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #

Shorewall-core/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -335,9 +335,8 @@ for f in lib.* ; do
 done
 
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
 fi
 
 #

Shorewall-core/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall/lib.base
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.cli

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50106
+SHOREWALL_CAPVERSION=50200
 
 if [ -z "$g_basedir" ]; then
     #
@@ -47,6 +47,10 @@ startup_error() {
     exit 1
 }
 
+only_root() {
+    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
+}
+
 #
 # Display a chain if it exists
 #
@@ -83,6 +87,8 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
+    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
+
     case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -411,9 +417,9 @@ resolve_arptables() {
 savesets() {
     local supported
 
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
 }
 
 #
@@ -422,9 +428,9 @@ savesets() {
 savesets1() {
     local supported
 
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 
 #
@@ -435,9 +441,9 @@ do_save() {
     local arptables
     status=0
 
-    if [ -f ${VARDIR}/firewall ]; then
+    if [ -f $g_firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
+	    cp -f $g_firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -449,7 +455,7 @@ do_save() {
 	    status=1
 	fi
     else
-	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	echo "   ERROR: $g_firewall does not exist" >&2
 	status=1
     fi
 
@@ -634,7 +640,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
+		ip -6 -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -647,7 +653,7 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | grep -vF cache | sort_routes
+	    ip -6 -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1185,6 +1191,32 @@ show_ipsec_command() {
     show_ipsec
 }
 
+show_saves_command() {
+    local f
+    local fn
+    local mtime
+
+    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
+    echo "Saved snapshots are:"
+    echo
+
+    for f in ${VARDIR}/*-iptables; do
+	case $f in
+	    *\**)
+	        ;;
+	    *)
+		fn=$(basename $f)
+		fn=${fn%-iptables}
+		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
+    done
+
+    echo
+}
+
 #
 # Show Command Executor
 #
@@ -1203,6 +1235,7 @@ show_command() {
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
+	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1297,37 +1330,47 @@ show_command() {
 
     [ -n "$g_debugging" ] && set -x
 
+    COMMAND="$COMMAND $1"
+
     case "$1" in
 	connections)
+	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 
+	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
+	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1351,6 +1394,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1387,33 +1431,50 @@ show_command() {
 	    fi
 	    ;;
 	chain)
+	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
+        rc)
+            shift
+	    [ $# -gt 1 ] && too_many_arguments $2
+            if [ -n "$1" -a -d "$1" ]; then
+                cat $1/shorewallrc
+            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
+                cat $g_basedir/shorewallrc
+            else
+                fatal_error "Can not determine the location of the shorewallrc file."
+            fi
+            ;;
 	policies)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
+	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1423,6 +1484,7 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1430,14 +1492,18 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
+	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1448,8 +1514,13 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
+	saves)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    show_saves_command
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1496,6 +1567,8 @@ show_command() {
 		    ;;
 	    esac
 
+	    only_root
+
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1813,7 +1886,7 @@ do_dump_command() {
 
     echo
 
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1927,41 +2000,6 @@ show_proc() # $1 = name of a file
     [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 
-read_yesno_with_timeout() {
-    local timeout
-    timeout=${1:-60}
-
-    case $timeout in
-	*s)
-	    ;;
-	*m)
-	    timeout=$((${timeout%m} * 60))
-	    ;;
-	*h)
-	    timeout=$((${timeout%h} * 3600))
-	    ;;
-    esac
-
-    read -t $timeout yn 2> /dev/null
-    if [ $? -eq 2 ]
-    then
-	# read doesn't support timeout
-	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
-	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
-	return $?
-    else
-	# read supports timeout
-	case "$yn" in
-	    y|Y)
-		return 0
-		;;
-	    *)
-		return 1
-		;;
-	esac
-    fi
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2545,109 +2583,114 @@ hits_command() {
     fi
 }
 
+#
+# Issue an error message and terminate if the firewall isn't started
+#
+require_started() {
+    if ! product_is_started; then
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
+}
+
 #
 # 'allow' command executor
 #
 allow_command() {
 
+    local allowed
+    local which
+    which='-s'
+    local range
+    range='--src-range'
+    local dynexists
+
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && missing_argument
 
-    if product_is_started ; then
-	local allowed
-	local which
-	which='-s'
-	local range
-	range='--src-range'
-	local dynexists
-
-	if [ -n "$g_blacklistipset" ]; then
-
-	    case ${IPSET:=ipset} in
-		*/*)
-		    if [ ! -x "$IPSET" ]; then
-			fatal_error "IPSET=$IPSET does not exist or is not executable"
-		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-		    ;;
-	    esac
-	fi
-
-	if chain_exists dynamic; then
-	    dynexists=Yes
-	elif [ -z "$g_blacklistipset" ]; then
-	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
-	fi
-
-	[ -n "$g_nolock" ] || mutex_on
-
-	while [ $# -gt 1 ]; do
-	    shift
-
-	    allowed=''
-
-	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
-		*-*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-		*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic $which $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-	    esac
-
-	    if [ -n "$allowed" ]; then
-		progress_message2 "$1 Allowed"
-	    else
-		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
-	    fi
-	done
-
-	[ -n "$g_nolock" ] || mutex_off
-    else
-	error_message "ERROR: $g_product is not started"
-	exit 2
+    if [ -n "$g_blacklistipset" ]; then
+	case ${IPSET:=ipset} in
+	    */*)
+		if [ ! -x "$IPSET" ]; then
+		    fatal_error "IPSET=$IPSET does not exist or is not executable"
+		fi
+		;;
+	    *)
+		IPSET="$(mywhich $IPSET)"
+		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		;;
+	esac
     fi
+
+    if chain_exists dynamic; then
+	dynexists=Yes
+    elif [ -z "$g_blacklistipset" ]; then
+	require_started
+	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+    fi
+
+    [ -n "$g_nolock" ] || mutex_on
+
+    while [ $# -gt 1 ]; do
+	shift
+
+	allowed=''
+
+	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		continue
+		;;
+	    *-*)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	    *)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			qt $g_tool -D dynamic $which $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	esac
+
+	if [ -n "$allowed" ]; then
+	    progress_message2 "$1 Allowed"
+	else
+	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	fi
+    done
+
+    [ -n "$g_nolock" ] || mutex_off
 }
 
 #
@@ -2767,7 +2810,6 @@ determine_capabilities() {
     LENGTH_MATCH=
     CLASSIFY_TARGET=
     ENHANCED_REJECT=
-    USEPKTTYPE=
     KLUDGEFREE=
     MARK=
     XMARK=
@@ -2863,6 +2905,7 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
+	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3113,7 +3156,6 @@ determine_capabilities() {
 	fi
     fi
 
-    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3227,7 +3269,6 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
     fi
-    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
     report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
     report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
     report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3237,8 +3278,8 @@ report_capabilities_unsorted() {
     [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
     report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
     report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
+    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
     if [ -n "$IPSET_MATCH" ]; then
-	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3331,6 +3372,7 @@ report_capabilities_unsorted() {
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
     report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
+    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3343,8 +3385,6 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
     fi
 
-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
 }
 
 report_capabilities_unsorted1() {
@@ -3361,7 +3401,6 @@ report_capabilities_unsorted1() {
     report_capability1 CONNTRACK_MATCH
     report_capability1 NEW_CONNTRACK_MATCH
     report_capability1 OLD_CONNTRACK_MATCH
-    report_capability1 USEPKTTYPE
     report_capability1 POLICY_MATCH
     report_capability1 PHYSDEV_MATCH
     report_capability1 PHYSDEV_BRIDGE
@@ -3439,6 +3478,7 @@ report_capabilities_unsorted1() {
     report_capability1 NETMAP_TARGET
     report_capability1 NFLOG_SIZE
     report_capability1 RESTORE_WAIT_OPTION
+    report_capability1 NAT_INPUT_CHAIN
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3781,7 +3821,7 @@ iprange_command() {
 }
 
 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
     else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3924,7 +3964,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4078,15 +4118,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
 
-	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	if [ -x $g_firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it ${VARDIR}/firewall $g_debugging start
+		run_it $g_firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "${VARDIR}/firewall is missing or is not executable"
+	    error_message "$g_firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4215,11 +4255,11 @@ restart_command() {
 
     [ -n "$g_nolock" ] || mutex_on
 
-    if [ -x ${VARDIR}/firewall ]; then
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+    if [ -x $g_firewall ]; then
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
     else
-	error_message "${VARDIR}/firewall is missing or is not executable"
+	error_message "$g_firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
@@ -4229,10 +4269,10 @@ restart_command() {
 }
 
 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
+    if [ -x $g_firewall ] ; then
+	run_it $g_firewall $g_debugging $@
     else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
     fi
 }
 
@@ -4290,7 +4330,6 @@ usage() # $1 = exit status
 
     echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   reenable <interface>"
-    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
 
     if [ -n "$g_lite" ]; then
@@ -4300,9 +4339,11 @@ usage() # $1 = exit status
     fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
     fi
 
     echo "   reset [ <chain> ... ]"
@@ -4345,7 +4386,9 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] rc"
     echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] saves"
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
@@ -4394,7 +4437,6 @@ shorewall_cli() {
     g_use_verbosity=
     g_debug=
     g_export=
-    g_refreshchains=:none:
     g_confess=
     g_update=
     g_annotate=
@@ -4413,6 +4455,7 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
+    g_havemutex=
 
     VERBOSE=
     VERBOSITY=1
@@ -4585,12 +4628,14 @@ shorewall_cli() {
 
     case "$COMMAND" in
 	start)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4598,6 +4643,7 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
+	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4606,19 +4652,22 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
+	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it ${VARDIR}/firewall $g_debugging $@
+		run_it $g_firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
+	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4627,6 +4676,7 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4636,18 +4686,20 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
-	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
+	    only_root
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
+	    only_root
 	    get_config Yes No Yes
     	    shift
     	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
+	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4658,53 +4710,63 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
+	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
+	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
+	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
+	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
+	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
+	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4721,11 +4783,13 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
+	    only_root
 	    get_config
 	    shift
 	    restore_command $@
             ;;
 	call)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4763,17 +4827,20 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
+	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
+	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1

Shorewall-core/lib.common

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
 #     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
@@ -754,7 +754,7 @@ mutex_on()
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
 
 	lockd=$(dirname $LOCKFILE)
 
@@ -762,7 +762,7 @@ mutex_on()
 
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -775,12 +775,14 @@ mutex_on()
 
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock ${lockf}
-            chmod u=r ${lockf}
+	    lock ${lockf}
+	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
+	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -790,10 +792,15 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
+		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
+
+	if [ -n "$g_havemutex" ]; then
+	    trap mutex_off EXIT
+	fi
     fi
 }
 
@@ -802,7 +809,10 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
+    if [ -n "$g_havemutex" ]; then
+	eval $g_havemutex
+	g_havemutex=
+	trap '' exit
+    fi
 }
 

Shorewall-core/lib.core

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.core
+# Shorewall 5.2 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.installer

@@ -1,6 +1,5 @@
 #
-#
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,6 +1,5 @@
 #
-#
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/manpages/shorewall.xml

@@ -405,20 +405,6 @@
       <replaceable>provider</replaceable> }</arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>options</arg>
-
-      <arg
-      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
-      <replaceable>directory</replaceable> </arg><arg
-      rep="repeat"><replaceable>chain</replaceable></arg></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -459,6 +445,54 @@
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getcaps</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-R</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getrc</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -813,7 +847,7 @@
 
       <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg choice="plain"><option>tc</option></arg>
+      <arg choice="plain"><option>saves</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1316,7 +1350,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -1773,63 +1807,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
-        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
-        </option><replaceable>directory</replaceable> ] [
-        <replaceable>chain</replaceable>... ]</term>
-
-        <listitem>
-          <para>Not available with Shorewall[6]-lite.</para>
-
-          <para>All steps performed by <command>restart</command> are
-          performed by <command>refresh</command> with the exception that
-          <command>refresh</command> only recreates the chains specified in
-          the command while <command>restart</command> recreates the entire
-          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
-          the static blacklisting chain <emphasis
-          role="bold">blacklst</emphasis> is assumed.</para>
-
-          <para>The listed chains are assumed to be in the filter table. You
-          can refresh chains in other tables by prefixing the chain name with
-          the table name followed by ":" (e.g., nat:net_dnat). Chain names
-          which follow are assumed to be in that table until the end of the
-          list or until an entry in the list names another table. Built-in
-          chains such as FORWARD may not be refreshed.</para>
-
-          <para>The <option>-n</option> option was added in Shorewall 4.5.3
-          causes Shorewall to avoid updating the routing table(s).</para>
-
-          <para>The <option>-d</option> option was added in Shorewall 4.5.3
-          causes the compiler to run under the Perl debugger.</para>
-
-          <para>The <option>-T</option> option was added in Shorewall 4.5.3
-          and causes a Perl stack trace to be included with each
-          compiler-generated error and warning message.</para>
-
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <para>The <option>-D</option> option was added in Shorewall 4.5.3
-          and causes Shorewall to look in the given
-          <emphasis>directory</emphasis> first for configuration files.</para>
-
-          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
-
-          <para>The <emphasis role="bold">refresh</emphasis> command has
-          slightly different behavior. When no chain name is given to the
-          <emphasis role="bold">refresh</emphasis> command, the mangle table
-          is refreshed along with the blacklist chain (if any). This allows
-          you to modify <filename>/etc/shorewall/tcrules </filename>and
-          install the changes using <emphasis
-          role="bold">refresh</emphasis>.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">reject</emphasis><replaceable>
         address</replaceable></term>
@@ -1941,6 +1918,57 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">remote-getcaps</emphasis>
+        [-<option>R</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command executes <emphasis
+          role="bold">shorewall[6]-lite show capabilities -f &gt;
+          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
+          <replaceable>system</replaceable> via ssh then the generated file is
+          copied to <replaceable>directory</replaceable> on the local system.
+          If no <replaceable>directory</replaceable> is given, the current
+          working directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
+          shorewallrc file is also copied to
+          <replaceable>directory</replaceable>.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">remote-getrc</emphasis>
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
+          file from the remote <replaceable>system</replaceable> to
+          <replaceable>directory</replaceable> on the local system. If no
+          <replaceable>directory</replaceable> is given, the current working
+          directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
+          capabilities are also copied to
+          <replaceable>directory</replaceable>, as is done by the
+          <command>remote-getcaps</command> command.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -1992,9 +2020,9 @@
           role="bold">shorewall-lite save</emphasis> via ssh.</para>
 
           <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall-lite show capabilities -f
-          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
-          ssh then the generated file is copied to
+          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
+          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
+          via ssh then the generated file is copied to
           <replaceable>directory</replaceable> using scp. This step is
           performed before the configuration is compiled.</para>
 
@@ -2005,13 +2033,6 @@
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
-
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2430,11 +2451,11 @@
         <replaceable>filename</replaceable> ]</term>
 
         <listitem>
-          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
-          The state of the firewall is stored in
+          <para>Creates a snapshot of the currently running firewall. The
+          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
+          the firewall is stored in
           /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
-          role="bold">shorewall -f start</emphasis> commands. If
+          <emphasis role="bold">shorewall restore</emphasis> command. If
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2737,6 +2758,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">rc</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.0. Displays the contents of
+                $SHAREDIR/shorewall/shorewallrc.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>[-<option>c</option>]<emphasis role="bold">
               routing</emphasis></term>
@@ -2762,6 +2792,20 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>saves</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
+                <command>save</command> command. Each snapshot is listed with
+                the date and time when it was taken. If there is a snapshot
+                with the name specified in the RESTOREFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
+                snapshot is listed as the <emphasis>default</emphasis>
+                snapshot for the <command>restore</command> command.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">tc</emphasis></term>
 
@@ -2921,7 +2965,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+ANNOTATED=				#If non-empty, annotated configuration files are installed
+SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux

Shorewall-core/shorewallrc.openwrt

@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.sandbox

@@ -0,0 +1,28 @@
+#
+# Shorewall 5.2 rc file for installing into a Sandbox
+#
+BUILD=                                       # Default is to detect the build system
+HOST=linux
+INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
+PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
+PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
+CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
+SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
+MANDIR=		     			     # Leave empty
+INITDIR=				     # Leave empty				     				
+INITSOURCE=				     # Leave empty
+INITFILE=				     # Leave empty
+AUXINITSOURCE=				     # Leave empty
+AUXINITFILE=				     # Leave empty
+SERVICEDIR=				     # Leave empty
+SERVICEFILE=    			     # Leave empty
+SYSCONFFILE=				     # Leave empty
+SYSCONFDIR=				     # Leave empty			
+SPARSE=					     # Leave empty			
+ANNOTATED=				     # If non-empty, annotated configuration files are installed				
+VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
+VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
+DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
+SANDBOX=Yes				     # Indicates SANDBOX installation

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall-init/init.debian.sh

@@ -73,12 +73,16 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ -x ${STATEDIR}/firewall ]; then
+        return 0
     else
-	return 0
+        if [ $PRODUCT = shorewall ]; then
+            ${SBINDIR}/shorewall compile
+        elif [ $PRODUCT = shorewall6 ]; then
+            ${SBINDIR}/shorewall -6 compile
+        else
+            return 1
+        fi
     fi
 }
 
@@ -108,16 +112,14 @@ shorewall_start () {
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-              #
-	      # Run in a sub-shell to avoid name collisions
-	      #
-	      (
-		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		      ${STATEDIR}/firewall ${OPTIONS} stop
-		  fi
-	      )
-	  fi
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
+	  )
       fi
   done
 
@@ -145,9 +147,7 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -44,12 +44,14 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 0
+	return 1
     fi
 }
 
@@ -75,15 +77,11 @@ start () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
-		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-		retval=${PIPESTATUS[0]}
-		[ $retval -ne 0 ] && break
-	    else
-		retval=6 #Product not configured
-		break
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ $retval -ne 0 ] && break
 	else
+	    retval=6 #Product not configured
 	    break
 	fi
     done
@@ -110,15 +108,11 @@ stop () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-		retval=${PIPESTATUS[0]}
-		[ $retval -ne 0 ] && break
-	    else
-		retval=6 #Product not configured
-		break
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ $retval -ne 0 ] && break
 	else
+	    retval=6 #Product not configured
 	    break
 	fi
     done

Shorewall-init/init.openwrt.sh

@@ -75,12 +75,14 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 0
+	return 1
     fi
 }
 
@@ -92,10 +94,8 @@ start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
       fi
   done
@@ -103,6 +103,8 @@ start () {
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
       ipset -R < "$SAVE_IPSETS"
   fi
+
+  return 0
 }
 
 boot () {
@@ -117,9 +119,7 @@ stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
     done
 
@@ -131,5 +131,7 @@ stop () {
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
+
+    return 0
 }
 

Shorewall-init/init.sh

@@ -69,10 +69,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
     else
-	return 0
+	return 1
     fi
 }
 
@@ -84,10 +86,8 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
       fi
   done
@@ -107,9 +107,7 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
       fi
   done
 

Shorewall-init/init.suse.sh

@@ -79,12 +79,14 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 0
+	return 6
     fi
 }
 
@@ -96,10 +98,8 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if [ -x $STATEDIR/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	  fi
       fi
   done
@@ -117,9 +117,7 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
       fi
   done
 

Shorewall-init/shorewall-init

@@ -33,12 +33,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+        return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
-    else
-	return 0
     fi
 }
 
@@ -67,16 +67,14 @@ shorewall_start () {
     printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		#
-		# Run in a sub-shell to avoid name collisions
-		#
-		(
-		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-			${STATEDIR}/firewall ${OPTIONS} stop
-		    fi
-		)
-	    fi
+	    #
+	    # Run in a sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} stop
+		fi
+	    )
 	fi
     done
 
@@ -95,9 +93,7 @@ shorewall_stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
     done
 

Shorewall-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -1,9 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
-#
-# This action A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION		SOURCE		DEST	PROTO		DPORT
-
-AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -1,57 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Drop
-#
-# The audited default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-Auth(A_DROP)
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Don't log broadcasts and multicasts
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep

Shorewall/Actions/action.A_REJECT

@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+# Shorewall -- /usr/share/shorewall/action.A_REJECT
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_REJECT!

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_Reject.deprecated

@@ -1,54 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Reject
-#
-# The audited default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Drop Broadcasts and multicasts so they don't clutter up the log
-# (these must *not* be rejected).
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep

Shorewall/Actions/action.AllowICMPs

@@ -13,7 +13,6 @@ DEFAULTS ACCEPT
     @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
-
     @1	-		-	ipv6-icmp	destination-unreachable
     @1	-		-	ipv6-icmp	packet-too-big
     @1	-		-	ipv6-icmp	time-exceeded
@@ -38,7 +37,7 @@ DEFAULTS ACCEPT
     @1	-		-	ipv6-icmp	148	# Certificate path solicitation
     @1	-		-	ipv6-icmp	149	# Certificate path advertisement
 
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
     @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
     @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall/Actions/action.Broadcast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.DNSAmp

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Drop.deprecated

@@ -1,84 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Drop
-#
-# The former default DROP common rules. Use of this action is now deprecated
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-#     with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Don't log broadcasts or multicasts
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,@1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)

Shorewall/Actions/action.Established

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.FIN

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -30,4 +30,4 @@
 
 DEFAULTS ACCEPT,-
 
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN

Shorewall/Actions/action.IfEvent

@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Shorewall/Actions/action.Invalid

@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Multicast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.New

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.NotSyn

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.RST

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Reject.deprecated

@@ -1,85 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Reject
-#
-# The former default REJECT action common rules. Use of this action is deprecated.
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing
-#     special with them.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,@1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)

Shorewall/Actions/action.Related

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Untracked

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.allowInvalid

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.dropInvalid

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Macros/macro.Apcupsd

@@ -1,9 +1,9 @@
 #
-# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+# Shorewall -- /usr/share/shorewall/macro.Apcupsd
 #
-# This macro deprecated by SNMPtrap.
+# This macro handles apcupsd traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
-SNMPtrap
+PARAM	-	-	tcp	3551

Shorewall/Macros/macro.FreeIPA

@@ -0,0 +1,16 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.FreeIPA
+#
+# This macro handles FreeIPA server traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DNS
+HTTP
+HTTPS
+Kerberos
+Kpasswd
+LDAP
+LDAPS
+NTP

Shorewall/Macros/macro.IPFS-API

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-API
+#
+# This macro handles IPFS API port (commands for the IPFS daemon).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     5001

Shorewall/Macros/macro.IPFS-gateway

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
+#
+# This macro handles the IPFS gateway to HTTP.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     8080

Shorewall/Macros/macro.IPFS-swarm

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001

Shorewall/Macros/macro.IPMI

@@ -11,13 +11,20 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
 PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	udp	623		# RMCP
+PARAM	-	-	tcp	8889		# WS-MAN
 HTTP
-HTTPS
-SNMP
-SSH						# Serial over Lan
 Telnet
+SNMP
+
+# TLS/secure ports
+PARAM	-	-	tcp	3520		# Remote Console (Redfish)
+PARAM	-	-	tcp	3669		# Virtual Media (Dell)
+PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
+PARAM	-	-	tcp	7582		# Remote Console (AMI)
+HTTPS
+SSH						# Serial over Lan

Shorewall/Macros/macro.Kpasswd

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Kpasswd
+#
+# This macro handles Kerberos "passwd" traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	464
+PARAM	-	-	udp	464

Shorewall/Macros/macro.RedisSecure

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisSecure
+#
+# This macro handles Redis Secure (SSL/TLS) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	6380

Shorewall/Macros/macro.Rwhois

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Rwhois
+#
+# This macro handles Remote Who Is (rwhois) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	4321

Shorewall/Macros/macro.SSDP

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.SSDP
+#
+# This macro handles SSDP (used by DLNA/UPnP) client traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	1900

Shorewall/Macros/macro.SSDPserver

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.SSDPserver
+#
+# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	1900
+PARAM	DEST	SOURCE	udp	-	1900

Shorewall/Perl/Shorewall/ARP.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,

Shorewall/Perl/Shorewall/Chains.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -172,6 +172,12 @@ our %EXPORT_TAGS = (
 				       related_chain
 				       invalid_chain
 				       untracked_chain
+				       rules_log
+				       blacklist_log
+				       established_log
+				       related_log
+				       invalid_log
+				       untracked_log
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -335,7 +341,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
 #                                               blacklistsection
-#                                                            => Chain was created by entries in the BLACKLIST section of the rules file
+#                                                            => Chain was created by entries in the blrules file
 #                                               action       => <action tuple that generated this chain>
 #                                               restricted   => Logical OR of restrictions of rules in this chain.
 #                                               restriction  => Restrictions on further rules in this chain.
@@ -361,13 +367,13 @@ our $VERSION = 'MODULEVERSION';
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
-#       'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
+#       'loglevel', 'synparams', 'synchain', 'audit', 'default' and 'origin' only apply to policy chains.
 ###########################################################################################################################################
 #
 # For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
 # joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
 # connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
-# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
+# explicit policy for the ordered pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
 # wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
 #
 # Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
@@ -397,7 +403,7 @@ our $VERSION = 'MODULEVERSION';
 #      MAC Recent      - <dev>_rec
 #      SNAT            - <dev>_snat
 #      ECN             - <dev>_ecn
-#      FORWARD Options - <dev>_fop
+#      INPUT Options   - <dev>_iop
 #      OUTPUT Options  - <dev>_oop
 #      FORWARD Options - <dev>_fop
 #
@@ -874,6 +880,9 @@ sub validate_port( $$ ) {
     fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 
+#
+# Port or port-pair separated by ':'. Either port may be omitted in the pair
+#
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
@@ -914,15 +923,15 @@ sub validate_portpair( $$ ) {
 
 }
 
+#
+# Port or port-pair separated by '-'. Neither port may be omitted in the pair
+#
 sub validate_portpair1( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
 
     fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
 
-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
     my @ports = split /-/, $portpair, 2;
 
     my $protonum = resolve_proto( $proto ) || 0;
@@ -1316,14 +1325,14 @@ sub pop_match( $$ ) {
 
 sub clone_irule( $ );
 
-sub format_rule( $$;$ ) {
-    my ( $chainref, $rulerefp, $suppresshdr ) = @_;
+sub format_rule( $$ ) {
+    my ( $chainref, $rulerefp ) = @_;
 
     return $rulerefp->{cmd} if exists $rulerefp->{cmd};
 
-    my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
+    my $rule = "-A $chainref->{name}";
     #
-    # The code the follows can be destructive of the rule so we clone it
+    # The code that follows can be destructive of the rule so we clone it
     #
     my $ruleref = $rulerefp->{complex} ? clone_irule( $rulerefp ) : $rulerefp;
     my $nfacct  = $rulerefp->{nfacct};
@@ -2263,6 +2272,56 @@ sub untracked_chain($$) {
     '&' . &rules_chain(@_);
 }
 
+#
+# Logname for chains between an ordered pair of zones
+#
+sub rules_log( $$ ) {
+    my $logchain = $config{LOG_ZONE};
+
+    if ( $logchain eq 'both' ) {
+	join "$config{ZONE2ZONE}", @_;
+    } elsif ( $logchain eq 'src' ) {
+	$_[0];
+    } else {
+	$_[1];
+    }
+}
+
+#
+# Log name of the blacklist chain between an ordered pair of zones
+#
+sub blacklist_log($$) {
+    &rules_log(@_) . '~';
+}
+
+#
+# Log name of the established chain between an ordered pair of zones
+#
+sub established_log($$) {
+    '^' . &rules_log(@_)
+}
+
+#
+# Log name of the related chain between an ordered pair of zones
+#
+sub related_log($$) {
+    '+' . &rules_log(@_);
+}
+
+#
+# Log name of the invalid chain between an ordered pair of zones
+#
+sub invalid_log($$) {
+    '_' . &rules_log(@_);
+}
+
+#
+# Name of the untracked chain between an ordered pair of zones
+#
+sub untracked_log($$) {
+    '&' . &rules_log(@_);
+}
+
 #
 # Create the base for a chain involving the passed interface -- we make this a function so it will be
 # easy to change the mapping should the need ever arrive.
@@ -2298,8 +2357,6 @@ sub use_forward_chain($$) {
 
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
-
-    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # Use it if we already have jumps to it
     #
@@ -2374,8 +2431,6 @@ sub use_input_chain($$) {
     my ( $interface, $chainref ) = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
-
-    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # We must use the interfaces's chain if the interface is associated with multiple Zones
     #
@@ -2455,8 +2510,6 @@ sub use_output_chain($$) {
     my ( $interface, $chainref)  = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
-
-    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # We must use the interfaces's chain if the interface is associated with multiple Zones
     #
@@ -2588,13 +2641,14 @@ sub reserved_name( $ ) {
 #
 # Create a new chain and return a reference to it.
 #
-sub new_chain($$)
+sub new_chain($$;$)
 {
-    my ($table, $chain) = @_;
+    my ($table, $chain, $logchain) = @_;
 
     assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );
 
     my $chainref = { name           => $chain,
+		     logname        => $logchain || $chain,
 		     rules          => [],
 		     table          => $table,
 		     loglevel       => '',
@@ -2615,7 +2669,7 @@ sub new_chain($$)
 #
 # Find a chain
 #
-sub find_chain($$) {
+sub find_chain($$;$) {
     my ($table, $chain) = @_;
 
     assert( $table && $chain && $chain_table{$table} );
@@ -2626,7 +2680,7 @@ sub find_chain($$) {
 #
 # Create a chain if it doesn't exist already
 #
-sub ensure_chain($$)
+sub ensure_chain($$;$)
 {
     &find_chain( @_ ) || &new_chain( @_ );
 }
@@ -3179,6 +3233,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
+	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
+
 	for my $chain ( qw(PREROUTING INPUT OUTPUT ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3241,6 +3297,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
+	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
+
 	for my $chain ( qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3266,7 +3324,7 @@ sub initialize_chain_table($) {
 	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
     }
 
-    if ( my $docker = $config{DOCKER} ) {
+    if ( $config{DOCKER} ) {
 	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
@@ -3376,15 +3434,43 @@ sub delete_references( $ ) {
 #
 # Calculate a digest for the passed chain and store it in the {digest} member.
 #
+# First, a lightweight version of format_rule()
+#
+sub irule_to_string( $ ) {
+    my ( $ruleref ) = @_;
+
+    return $ruleref->{cmd} if exists $ruleref->{cmd};
+
+    my $string = '';
+
+    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}} ) {
+	my $value = $ruleref->{$_};
+	if ( reftype $value ) {
+	    $string .= "$_=" . join( ',', @$value ) . ' ';
+	} else {
+	    $string .= "$_=$value ";
+	}
+    }
+
+    if ( $ruleref->{target} ) {
+	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
+	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
+    }
+
+    $string .= join( '', ' -m comment --comment "', $ruleref->{comment}, '"' ) if $ruleref->{comment};
+
+    $string;
+}
+
 sub calculate_digest( $ ) {
     my $chainref = shift;
     my $rules = '';
 
     for ( @{$chainref->{rules}} ) {
 	if ( $rules ) {
-	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
+	    $rules .= ' |' . irule_to_string( $_ );
 	} else {
-	    $rules = format_rule( $chainref, $_, 1 );
+	    $rules = irule_to_string( $_ );
 	}
     }
 
@@ -3746,7 +3832,7 @@ sub optimize_level4( $$ ) {
     #
     # In this loop, we look for chains that end in an unconditional jump. The jump is replaced by
     # the target's rules, provided that the target chain is short (< 4 rules) or has only one
-    # reference. This prevents multiple copies of long chains being created.
+    # reference. This prevents multiple copies of long chains from being created.
     #
     $progress = 1;
 
@@ -3856,7 +3942,10 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} &&
+							   @{$_->{rules}}        &&
+							   ! $_->{builtin},
+							   values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -3876,12 +3965,11 @@ sub optimize_level8( $$$ ) {
 	    # Shift the current $chainref off of @chains1
 	    #
 	    shift @chains1;
-	    #
-	    # Skip empty chains
-	    #
-	    for my $chainref1 ( @chains1 ) {
-		next unless @{$chainref1->{rules}};
-		next if $chainref1->{optflags} & DONT_DELETE;
+
+	    for my $chainref1 (grep ! ( $_->{optflags} & DONT_DELETE ), @chains1 ) {
+		#
+		# Chains identical?
+		#
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
@@ -3892,7 +3980,7 @@ sub optimize_level8( $$$ ) {
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains
 
-		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
+		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
 			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
@@ -4311,7 +4399,7 @@ sub get_conntrack( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & origin are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
 #
 sub get_keys1( $ ) {
     my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
@@ -4475,16 +4563,22 @@ sub valid_tables() {
 
 sub optimize_ruleset() {
 
+    my $optimize = $config{OPTIMIZE};
+
     for my $table ( valid_tables ) {
 
 	my $tableref = $chain_table{$table};
 	my $passes   = 0;
-	my $optimize = $config{OPTIMIZE};
 
 	$passes = optimize_level4(  $table, $tableref )           if $optimize & 4;
-	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
 	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;
 
+	my $savepasses = $passes;
+
+	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
+
+	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16 && $passes > $savepasses + 1;
+
 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
     }
@@ -4597,7 +4691,7 @@ sub logchain( $$$$$$ ) {
 	log_irule_limit(
 		       $loglevel ,
 		       $logchainref ,
-		       $chainref->{name} ,
+		       $chainref->{logname} ,
 		       $disposition ,
 		       [] ,
 		       $logtag,
@@ -4782,6 +4876,7 @@ sub do_proto( $$$;$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
+	my $all      = ( $proto =~ s/:all$//i );
 	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -4797,6 +4892,7 @@ sub do_proto( $$$;$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
+		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -4936,6 +5032,8 @@ sub do_proto( $$$;$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
+	    $proto = $proto . ':all' if $all;
+
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -4992,6 +5090,7 @@ sub do_iproto( $$$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $all      = ( $proto =~ s/:all$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
@@ -5006,6 +5105,7 @@ sub do_iproto( $$$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
+		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		@output = ( p => "${invert}${proto}" );
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -5140,6 +5240,8 @@ sub do_iproto( $$$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
+	    $proto = $proto . ':all' if $all;
+
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -6768,13 +6870,13 @@ sub log_irule_limit( $$$$$$$$@ ) {
 sub log_rule( $$$$ ) {
     my ( $level, $chainref, $disposition, $matches ) = @_;
 
-    log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
+    log_rule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
 }
 
 sub log_irule( $$$;@ ) {
     my ( $level, $chainref, $disposition, @matches ) = @_;
 
-    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
+    log_irule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }
 
 #
@@ -6995,14 +7097,17 @@ sub interface_address( $ ) {
 #
 sub get_interface_address ( $;$ ) {
     my ( $logical, $provider ) = @_;
-
     my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
 
     $global_variables |= ALL_COMMANDS;
 
-    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    if ( $interface eq loopback_interface ) {
+	$interfaceaddr{$interface} = "$variable=" . loopback_address;
+    } else {
+	my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+	$interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    }
 
     set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
 
@@ -8190,19 +8295,8 @@ sub add_interface_options( $ ) {
 	# Generate a digest for each chain
 	#
 	for my $chainref ( values %input_chains, values %forward_chains ) {
-	    my $digest = '';
-
 	    assert( $chainref );
-
-	    for ( @{$chainref->{rules}} ) {
-		if ( $digest ) {
-		    $digest .= ' |' . format_rule( $chainref, $_, 1 );
-		} else {
-		    $digest = format_rule( $chainref, $_, 1 );
-		}
-	    }
-
-	    $chainref->{digest} = sha1_hex $digest;
+	    calculate_digest( $chainref );
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -8491,7 +8585,7 @@ sub save_dynamic_chains() {
     my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
 
-    emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
+    emit ( 'if [ "$COMMAND" = reload ]; then' );
     push_indent;
 
     emit( 'if [ -n "$g_counters" ]; then' ,
@@ -8500,7 +8594,7 @@ sub save_dynamic_chains() {
 	);
 
     if ( have_capability 'IPTABLES_S' ) {
-	emit <<"EOF";
+	emithd <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
 else
@@ -8521,6 +8615,7 @@ fi
 EOF
 	if ( $config{MINIUPNPD} ) {
 	    emit << "EOF";
+
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
     $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8529,7 +8624,7 @@ fi
 EOF
 	}
     } else {
-	emit <<"EOF";
+	emithd <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -8549,7 +8644,8 @@ else
 fi
 EOF
 	if ( $config{MINIUPNPD} ) {
-	    emit << "EOF";
+	    emithd << "EOF";
+
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
     $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8563,7 +8659,7 @@ EOF
     emit ( 'else' );
     push_indent;
 
-emit <<"EOF";
+emithd <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
 EOF
@@ -8600,7 +8696,7 @@ sub ensure_ipsets( @ ) {
 
 	pop_indent;
 
-	emit( qq(    fi\n) );
+	emit( q(    fi) );
 
     }
 
@@ -8776,7 +8872,6 @@ sub create_load_ipsets() {
 		  '        $IPSET flush $set' ,
 		  '        $IPSET destroy $set' ,
 		  "    done" ,
-		  '',
 		);
 	} else {
 	    #
@@ -8788,7 +8883,7 @@ sub create_load_ipsets() {
 		   '    fi' );
 	};
 
-	emit( '}' );
+	emit( "}\n" );
     }
     #
     # Now generate load_ipsets()
@@ -8855,22 +8950,16 @@ sub create_load_ipsets() {
 
 	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
 	    ensure_ipsets( @ipsets );
-
-	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
-	    emit ( '' );
-	    ensure_ipsets( @ipsets );
-	    emit ( '' );
 	};
 
-	emit ( 'fi' ,
-	       '' );
+	emit ( 'fi' );
     } else {
 	emit 'true';
     }
 
     pop_indent;
 
-    emit '}';	    
+    emit "}\n";	    
 }
 
 #
@@ -9043,7 +9132,7 @@ sub create_netfilter_load( $ ) {
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
 	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	  "fi\n"
+	  'fi'
 	);
 
     pop_indent;
@@ -9135,156 +9224,6 @@ sub preview_netfilter_load() {
     print "\n";
 }
 
-#
-# Generate the netfilter input for refreshing a list of chains
-#
-sub create_chainlist_reload($) {
-
-    my $chains = $_[0];
-
-    my @chains;
-
-    unless ( $chains eq ':none:' ) {
-	if ( $chains eq ':refresh:' ) {
-	    $chains = '';
-	} else {
-	    @chains =  split_list $chains, 'chain';
-	}
-
-	unless ( @chains ) {
-	    @chains = qw( blacklst ) if $filter_table->{blacklst};
-	    push @chains, 'blackout' if $filter_table->{blackout};
-
-	    for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
-		push @chains, $_->{name} if $_->{blacklistsection};
-	    }
-
-	    push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-	    $chains = join( ',', @chains ) if @chains;
-	}
-    }
-
-    $mode = NULL_MODE;
-
-    emit(  'chainlist_reload()',
-	   '{'
-	   );
-
-    push_indent;
-
-    if ( @chains ) {
-	my $word = @chains == 1 ? 'chain' : 'chains';
-
-	progress_message2 "Compiling iptables-restore input for $word @chains...";
-	save_progress_message "Preparing iptables-restore input for $word @chains...";
-
-	emit '';
-
-	my $table = 'filter';
-
-	my %chains;
-
-	my %tables;
-
-	for my $chain ( @chains ) {
-	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
-
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
-
-	    $chains{$table} = {} unless $chains{$table};
-
-	    if ( $chain ) {
-		my $chainref;
-		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
-		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
-
-		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
-		    $tables{$table} = 1;
-		} else {
-		    $chains{$table}{$chain} = $chainref;
-		}
-	    } else {
-		$tables{$table} = 1;
-	    }
-	}
-
-	for $table ( keys %tables ) {
-	    while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
-		$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
-	    }
-	}
-
-	emit 'exec 3>${VARDIR}/.iptables-restore-input';
-
-	enter_cat_mode;
-
-	for $table ( qw(raw nat mangle filter) ) {
-	    my $tableref=$chains{$table};
-
-	    next unless $tableref;
-
-	    @chains = sort keys %$tableref;
-
-	    emit_unindented "*$table";
-
-	    for my $chain ( @chains ) {
-		my $chainref = $tableref->{$chain};
-		emit_unindented ":$chainref->{name} - [0:0]";
-	    }
-
-	    for my $chain ( @chains ) {
-		my $chainref = $tableref->{$chain};
-		my @rules = @{$chainref->{rules}};
-		my $name = $chainref->{name};
-
-		@rules = () unless @rules;
-		#
-		# Emit the chain rules
-		#
-		emitr($chainref, $_) for @rules;
-	    }
-	    #
-	    # Commit the changes to the table
-	    #
-	    enter_cat_mode unless $mode == CAT_MODE;
-
-	    emit_unindented 'COMMIT';
-	}
-
-	enter_cmd_mode;
-
-	#
-	# Now generate the actual ip[6]tables-restore command
-	#
-	emit(  'exec 3>&-',
-	       '' );
-
-	if ( $family == F_IPV4 ) {
-	    emit ( 'progress_message2 "Running iptables-restore..."',
-		   '',
-		   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
-		   'if [ $? != 0 ]; then',
-		   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
-		   "fi\n"
-		 );
-	} else {
-	    emit ( 'progress_message2 "Running ip6tables-restore..."',
-		   '',
-		   'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
-		   'if [ $? != 0 ]; then',
-		   '    fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
-		   "fi\n"
-		 );
-	}
-    } else {
-	emit('true');
-    }
-
-    pop_indent;
-
-    emit "}\n";
-}
-
 #
 # Generate the netfilter input to stop the firewall
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
 
     copy2( $lib, $debug ) if -f $lib;
 
-    emit <<'EOF';
+    emithd<<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
     }
 
-    emit <<'EOF';
+    emithd <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -270,12 +270,11 @@ sub generate_script_2() {
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
-	emit( '' );
     }
 
     pop_indent;
 
-    emit "\n}\n"; # End of initialize()
+    emit "}\n"; # End of initialize()
 
     emit( '' ,
 	  '#' ,
@@ -312,10 +311,9 @@ sub generate_script_2() {
 	    push_indent;
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-
+		verify_required_interfaces(0);
 		set_global_variables(0, 0);
-
-		handle_optional_interfaces(0);
+		handle_optional_interfaces;
 	    }
 
 	    emit ';;';
@@ -327,19 +325,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 
+	verify_required_interfaces(1);
 	set_global_variables(1,1);
+	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
-	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
-	} else {
-	    handle_optional_interfaces(1);
 	}
     } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	verify_required_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
@@ -358,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3($) {
+sub generate_script_3() {
 
     if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -368,7 +366,6 @@ sub generate_script_3($) {
 
     create_netfilter_load( $test );
     create_arptables_load( $test ) if $have_arptables;
-    create_chainlist_reload( $_[0] );
     create_save_ipsets;
     create_load_ipsets;
 
@@ -400,16 +397,10 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
     }
 
-    emit '';
-
-    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	   '   run_refresh_exit' ,
-	   'else' ,
-	   '    run_init_exit',
-	   'fi',
-	   '' );
-
-    emit( 'load_ipsets' ,
+    emit( '' ,
+	  'run_init_exit',
+	  '' ,
+	  'load_ipsets' ,
 	  '' );
 
     create_nfobjects;
@@ -467,11 +458,6 @@ sub generate_script_3($) {
     dump_proxy_arp;
     emit_unindented '__EOF__';
 
-    emit( '',
-	  'if [ "$COMMAND" != refresh ]; then' );
-
-    push_indent;
-
     emit 'cat > ${VARDIR}/zones << __EOF__';
     dump_zone_contents;
     emit_unindented '__EOF__';
@@ -484,10 +470,6 @@ sub generate_script_3($) {
     dump_mark_layout;
     emit_unindented '__EOF__';
 
-    pop_indent;
-
-    emit "fi\n";
-
     emit '> ${VARDIR}/nat';
 
     add_addresses;
@@ -526,29 +508,12 @@ sub generate_script_3($) {
 
     my $config_dir = $globals{CONFIGDIR};
 
-    emit<<"EOF";
+    emithd <<"EOF";
     set_state Started $config_dir
     run_restored_exit
-elif [ \$COMMAND = refresh ]; then
-    chainlist_reload
+else
+    setup_netfilter
 EOF
-    push_indent;
-    setup_load_distribution;
-    setup_forwarding( $family , 0 );
-    pop_indent;
-    #
-    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-    #
-    emit( '    run_refreshed_exit',
-	  '    do_iptables -N shorewall' );
-
-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
-
-    emit( "    set_state Started $config_dir",
-	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-	  'else',
-	  '    setup_netfilter'	);
-
     push_indent;
     emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
@@ -573,7 +538,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
 
-    emit<<'EOF';
+    emithd<<'EOF';
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -583,9 +548,6 @@ case $COMMAND in
     reload)
         mylogger kern.info "$g_product reloaded"
         ;;
-    refresh)
-        mylogger kern.info "$g_product refreshed"
-        ;;
     restore)
         mylogger kern.info "$g_product restored"
         ;;
@@ -620,8 +582,8 @@ sub compile_info_command() {
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
+       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
     $test           = 0;
@@ -650,7 +612,6 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
-		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -658,7 +619,6 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
-		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -695,7 +655,7 @@ sub compiler {
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate , $inline );
+    get_configuration( $export , $update , $annotate );
     #
     # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
     # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -818,7 +778,7 @@ sub compiler {
     #
     # Setup Masquerade/SNAT
     #
-    setup_snat( $update );
+    setup_snat;
     #
     # Setup Nat
     #
@@ -899,7 +859,7 @@ sub compiler {
 
 	optimize_level0;
 
-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -921,7 +881,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3( $chains );
+	generate_script_3();
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall

Shorewall/Perl/Shorewall/Config.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -30,6 +30,84 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
+#   A significant portion of this module is dedicated to the preprocessor:
+#
+#	process_compiler_directive() - processes compiler directives
+#
+#	embedded_shell() - handles embedded shell scripting
+#
+#	embedded_perl() - handles embedded perl scripting
+#
+#	read_a_line() - Reads the next configuration file record to
+#			be passed to the function processing the file.
+#
+#	    - Detects compiler directives and passes then to
+#	      process_compiler_directive() for handling.
+#
+#	    - Handles line continuation
+#
+#	    - Invokes a callback when the first (concatinated) non-directive
+#	      record is read from a file.
+#
+#	    - Conditionally expands variables.
+#
+#	    - Conditionally detects embedded Shell and Perl and passes them
+#	      off to embedded_shell() and embedded_perl() respectively.
+#
+#	    - Conditionally detects and handles [?}INCLUDE directives.
+#
+#	    - Conditionally detects and handles ?SECTION directives.
+#	      File processing functions can supply a callback to be
+#	      called during this processing.
+#
+#   File processing routines may need to open a second (third, fourth, ...)
+#   file while processing the main file (macro and/or action files). Two
+#   functions are provided to make that possible:
+#
+#      push_open() - open a file while leaving the current file open.
+#
+#      pop_open() - close the current file, and make the previous
+#		    file (if any) the current one.
+#
+#   Because this module expands variables, it must be aware of action
+#   parameters.
+#
+#	push_action_params() - populates the %actparams hash and
+#			       returns a reference to the previous
+#			       contents of that hash. The caller is
+#			       expected to store those contents locally.
+#
+#	pop_action_params()  - Restores the %actparams hash from
+#			       the reference returned by
+#			       push_action_params().
+#
+#   The following routines are provided for INLINE PERL within
+#   action bodies:
+#
+#	default_action_params() - called to fill in omitted
+#				  arguments when a DEFAULTS
+#				  line is encountered.
+#
+#	get_action_params() - returns an array of arguments.
+#
+#	setup_audit_action() - helper for A_* actions.
+#
+#	get_action_logging() - returns log level and tag
+#			       from the action's invocation.
+#
+#	get_action_chain_name() - returns chain name.
+#
+#	set_action_name_to_caller() - replace chain name
+#				      with that of invoking
+#				      chain for logging purposes.
+#
+#	set_action_disposition() - set the current action
+#				   disposition for logging purposes.
+#
+#	get_action_disposition() - get the current action disposition.
+#
+#	set_action_param() - set the value of an argument.
+#
 package Shorewall::Config;
 
 use strict;
@@ -111,6 +189,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
+				       emithd
 				       emitstd
 				       emit_unindented
 				       save_progress_message
@@ -224,10 +303,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                        DO_SECTION
 				       NORMAL_READ
 
+				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
-				       OPTIMIZE_USE_FIRST
 				       OPTIMIZE_ALL
 				     ) , ] ,
 		   protocols => [ qw (
@@ -335,7 +414,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		                    'Old conntrack match syntax',
 		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
-		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
@@ -418,6 +496,10 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  NFLOG_SIZE      => '--nflog-size support',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
+                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+		 #
+		 # Helpers
+		 #
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -465,9 +547,8 @@ use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
+               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
-
-	       OPTIMIZE_USE_FIRST      => 0x1000 # Always use interface 'first' chains -- undocumented
 	     };
 
 our %helpers = ( amanda          => UDP,
@@ -481,7 +562,9 @@ our %helpers = ( amanda          => UDP,
 		 sip             => UDP,
 		 snmp            => UDP,
 		 tftp            => UDP,
-	       );
+    );
+
+use constant { INCLUDE_LIMIT     => 20 };
 
 our %helpers_map;
 
@@ -512,8 +595,6 @@ our %config_files = ( #accounting      => 1,
 		      policy	       => 1,
 		      providers	       => 1,
 		      proxyarp	       => 1,
-		      refresh	       => 1,
-		      refreshed	       => 1,
 		      restored	       => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
@@ -588,7 +669,6 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
-our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -597,6 +677,7 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
 
 our $family;                 # Protocol family (4 or 6)
+our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -630,13 +711,13 @@ our %validlevels;            # Valid log levels.
 # Deprecated options with their default values
 #
 our %deprecated = (
-		   LEGACY_RESTART => 'no'
+		   LEGACY_RESTART => 'no' ,
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = (
-		  LEGACY_RESTART => 1
+		    LEGACY_RESTART => 1 ,
 		 );
 #
 # Eliminated options
@@ -651,6 +732,8 @@ our %eliminated = ( LOGRATE          => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                     MODULE_SUFFIX    => 1,
+                    MAPOLDACTIONS    => 1,
+		    INLINE_MATCHES   => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -710,8 +793,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$) {
-    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+sub initialize( $;$$$) {
+    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -755,8 +838,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.8-Beta1",
-		    CAPVERSION              => 50106 ,
+		    VERSION                 => '5.2.0-Beta1',
+		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -800,6 +883,7 @@ sub initialize( $;$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
+	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@@ -858,7 +942,6 @@ sub initialize( $;$$) {
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
 	  SAVE_ARPTABLES => undef,
-	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
@@ -901,7 +984,6 @@ sub initialize( $;$$) {
 	  USE_RT_NAMES => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
-	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
@@ -915,6 +997,7 @@ sub initialize( $;$$) {
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
+	  RENAME_COMBINED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -972,7 +1055,6 @@ sub initialize( $;$$) {
 	       CONNTRACK_MATCH => undef,
 	       NEW_CONNTRACK_MATCH => undef,
 	       OLD_CONNTRACK_MATCH => undef,
-	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
 	       PHYSDEV_BRIDGE => undef,
@@ -1050,6 +1132,7 @@ sub initialize( $;$$) {
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
+	       NAT_INPUT_CHAIN => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1609,6 +1692,7 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
+		$line =~ s/[ \t]+\n/\n/gm;
 		print $script "$line\n" if $script;
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 
@@ -1629,6 +1713,15 @@ sub emit {
     }
 }
 
+#
+# Used to emit a 'here documents' string without introducing an unwanted blank line at the end
+#
+sub emithd( $ ) {
+    my ( $line ) = @_; #make writable
+    chomp $line;
+    emit $line;
+}
+
 #
 # Version of emit() that writes to standard out unconditionally
 #
@@ -1639,6 +1732,7 @@ sub emitstd {
 	    $line =~ s/^\n// if $lastlineblank;
 	    $line =~ s/^/$indent/gm if $indent;
 	    $line =~ s/        /\t/gm;
+	    $line =~ s/[ \t]+\n/\n/gm;
 	    print "$line\n";
 	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	} else {
@@ -2301,8 +2395,6 @@ sub clear_comment();
 sub split_line2( $$;$$$ ) {
     my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
 
-    my $inlinematches = $config{INLINE_MATCHES};
-
     my ( $columns, $pairs, $rest );
 
     my $currline = $currentline;
@@ -2325,16 +2417,20 @@ sub split_line2( $$;$$$ ) {
 	    fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
 
 	    $currline = $columns;
+	    #
+	    # Remove trailing white space
+	    #
+	    $currline =~ s/\s*$//;
 
 	    $inline_matches = $pairs;
 	    #
 	    # Don't look for matches below
 	    #
-	    $inline = $inlinematches = '';
+	    $inline = '';
 	}
     }
     #
-    # Next, see if there is a semicolon on the line; what follows will be column/value pairs or raw iptables input
+    # Next, see if there is a single semicolon on the line; what follows will be column/value pairs
     #
     ( $columns, $pairs, $rest ) = split( ';', $currline );
 
@@ -2343,42 +2439,6 @@ sub split_line2( $$;$$$ ) {
 	# Found it -- be sure there wasn't more than one.
 	#
 	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
-
-	if ( $inlinematches ) {
-	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
-
-	    $inline_matches = $pairs;
-
-	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
-		#
-		# Pairs are enclosed in curly brackets.
-		#
-		$columns = $1;
-		$pairs   = $2;
-	    } else {
-		$pairs = '';
-	    }
-	} elsif ( $inline ) {
-	    #
-	    # This file supports INLINE or IPTABLES
-	    #
-	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
-		$inline_matches = $pairs;
-
-		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
-		    #
-		    # Pairs are enclosed in curly brackets.
-		    #
-		    $columns = $1;
-		    $pairs   = $2;
-		} else {
-		    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
-		    $pairs = '';
-		}
-	    } 
-	} elsif ( $checkinline ) {
-	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
-	}
     } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
@@ -2469,6 +2529,10 @@ sub split_rawline2( $$;$$$ ) {
     # Delete trailing comment
     #
     $currentline =~ s/\s*#.*//;
+    #
+    # Convert ${...} to $...
+    #
+    $currentline =~ s/\$\{(.*?)\}/\$$1/g;
 
     my @result = &split_line2( @_ );
 
@@ -2966,9 +3030,9 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      my $val = $actparams{$var} = evaluate_expression ( $expression,
-									$filename,
-									$linenumber,
-									0  );
+									 $filename,
+									 $linenumber,
+									 0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
@@ -3262,7 +3326,7 @@ sub copy1( $ ) {
 			my @line = split / /;
 
 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 			my $filename = find_file $line[1];
 
@@ -3472,7 +3536,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
     my $multiline = shift;
 
-    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
     my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
 
     $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3559,7 +3623,7 @@ sub embedded_perl( $ ) {
     $embedded--;
 
     if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 	assert( close $perlscript );
 
@@ -3913,7 +3977,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;
 
 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 		my $filename = find_file $line[1];
 
@@ -4367,6 +4431,12 @@ sub Nat_Enabled() {
     qt1( "$iptables $iptablesw -t nat -L -n" );
 }
 
+sub Nat_Input_Chain {
+    have_capability( 'NAT_ENABLED' ) || return '';
+
+    qt1( "$iptables $iptablesw -t nat -L INPUT -n" );
+}
+
 sub Persistent_Snat() {
     have_capability( 'NAT_ENABLED' ) || return '';
 
@@ -4690,10 +4760,6 @@ sub IPSET_V5() {
     $result;
 }
 
-sub Usepkttype() {
-    qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
-}
-
 sub Addrtype() {
     qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
@@ -5012,6 +5078,7 @@ our %detect_capability =
       MASQUERADE_TGT => \&Masquerade_Tgt,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
+      NAT_INPUT_CHAIN => \&Nat_Input_Chain,
       NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
       NETMAP_TARGET => \&Netmap_Target,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -5048,7 +5115,6 @@ our %detect_capability =
       TIME_MATCH => \&Time_Match,
       TPROXY_TARGET => \&Tproxy_Target,
       UDPLITEREDIRECT => \&Udpliteredirect,
-      USEPKTTYPE => \&Usepkttype,
       XCONNMARK_MATCH => \&Xconnmark_Match,
       XCONNMARK => \&Xconnmark,
       XMARK => \&Xmark,
@@ -5111,6 +5177,7 @@ sub determine_capabilities() {
 	#
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
+	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
 
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
@@ -5158,7 +5225,6 @@ sub determine_capabilities() {
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
@@ -5250,7 +5316,13 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
     }
 
-    @config_path = split /:/, $config{CONFIG_PATH};
+    my $path = $config{CONFIG_PATH};
+
+    my $chop = ( $path =~ s/^:// );
+
+    @config_path = split /:/, $path;
+
+    shift @config_path if $chop && ( $export || $> != 0 );
 
     #
     # To accomodate Cygwin-based compilation, we have separate directories for files whose names
@@ -5389,7 +5461,33 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
     } else {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
-    }	
+    }
+
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
+	my $policy = $config{ $_ };
+
+	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
+	    } else {
+		$policy =~ s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+	    }
+	} elsif ( $policy =~ /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
+	    } else {
+		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+	    }
+	} elsif ( $policy =~ /\b(?:Drop|Reject)\b/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
+	    } else {
+		$policy =~ s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
+	    }
+	}
+
+	$config{$_} = $policy;
+    }
 
     my $fn;
 
@@ -5430,7 +5528,13 @@ sub update_config_file( $ ) {
 			#
 			# OPTION='' - use default if 'Yes' or 'No'
 			#
-			$config{$var} = $val = $default if $default eq 'Yes' || $default eq 'No';
+			if ( $default eq 'Yes' || $default eq 'No' ) {
+			    $config{$var} = $val = $default;
+			} elsif ( $var eq 'CONFIG_PATH' ) {
+			    $val =~ s|^/etc/|\${CONFDIR}|;
+			    $val =~ s|:/etc/|:\${CONFDIR}/g|;
+			    $val =~ s|:/usr/share/|:\${SHAREDIR}|g;
+			}
 		    } else {
 			#
 			# Wasn't mentioned in old file - use default value
@@ -5438,7 +5542,6 @@ sub update_config_file( $ ) {
 			$config{$var} = $val = $default;
 
 		    }
-
 		}
 		if ( supplied $val ) {
 		    #
@@ -5919,9 +6022,12 @@ sub export_params() {
 }
 
 #
-# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
+# Walk the CONFIG_PATH converting
+# - FORMAT and COMMENT lines to compiler directives
+# - single semicolons to double semicolons in lines beginning with 'INLINE', IPTABLES or IP6TABLES
+# - Rename macros/actions to their 5.2 counterparts
 #
-sub convert_to_directives() {
+sub convert_to_version_5_2() {
     my $sharedir = $shorewallrc{SHAREDIR};
     #
     # Make a copy of @config_path so that the for-loop below doesn't clobber that list
@@ -5932,7 +6038,7 @@ sub convert_to_directives() {
 
     my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
 
-    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Performing Shorewall 5.2 conversions...";
 
     for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5943,40 +6049,129 @@ sub convert_to_directives() {
 
 		opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";
 
-		while ( my $file = readdir( $dirhandle ) ) {
-		    unless ( $file eq 'capabilities'       ||
-			     $file eq 'params'             ||
-			     $file =~ /^shorewall6?.conf$/ ||
-			     $file =~ /\.bak$/ ) {
-			$file = "$dir/$file";
-		
-			if ( -f $file && -w _ ) {
+		while ( my $fname = readdir( $dirhandle ) ) {
+		    unless ( $fname eq 'capabilities'       ||
+			     $fname eq 'params'             ||
+			     $fname =~ /^shorewall6?.conf$/ ||
+			     $fname =~ /\.bak$/ ) {
+			#
+			# File we are interested in
+			#
+			my $fullname = "$dir/$fname";
+
+			if ( -f $fullname && -w _ ) {
 			    #
 			    # writeable regular file
 			    #
-			    my $result = system << "EOF";
-			    perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
-                                             /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
-                                             if ( /^\\s*COMMENT\\s+/ ) {
-                                                 s/COMMENT/?COMMENT/;
-                                             } elsif ( /^\\s*COMMENT\\s*\$/ ) {
-                                                 s/COMMENT/?COMMENT/;
-                                             }' $file
-EOF
-			    if ( $result == 0 ) {
-				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
-				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
-				} elsif ( rename "${file}.bak" , $file ) {
-				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
-				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
+			    my $v5_2_update = ( $fname eq 'rules'          ||
+						$fname =~ /^action\./      ||
+						$fname =~ /^macro\./       ||
+						$fname eq 'snat'           ||
+						$fname eq 'mangle'         ||
+						$fname eq 'conntrack'      ||
+						$fname eq 'accounting'     ||
+						$fname eq 'masq'           ||
+						$fname eq 'policy' );
+			    my $is_policy   = ( $fname eq 'policy' );
+			    my @file;
+			    my ( $ifile, $ofile );
+			    my $omitting = 0;
+			    my $changed;
+
+			    open $ifile, '<', "$fullname" or fatal_error "Unable to open $fullname: $!";
+
+			    while ( <$ifile> ) {
+				if ( $omitting ) {
+				    $omitting = 0, next if /\s*\??end\s+(?:perl|shell)/i;
 				} else {
-				    warning message "Unable to rename ${file}.bak to $file:$!";
+				    $omitting = 1, next if /\s*\??begin\s+(?:perl|shell)/i;
 				}
+
+				unless ( $omitting || /^\s*[#?]/ ) {
+				    if ( /^\s*FORMAT\s+/ ) {
+					s/FORMAT/?FORMAT/;
+					$changed = 1;
+				    }
+
+				    if ( /^\s*SECTION\s+/ ) {
+					s/SECTION/?SECTION/;
+					$changed = 1;
+				    }
+
+				    if ( /^\s*COMMENT\s+/ ) {
+					s/COMMENT/?COMMENT/;
+					$changed = 1;
+				    } elsif ( /^\\s*COMMENT\\s*\$/ ) {
+					s/COMMENT/?COMMENT/;
+				    }
+
+				    if ( $v5_2_update ) {
+					if ( /\bA_AllowICMPs\b/ ) {
+					    s/A_AllowICMPs/AllowICMPs(A_ACCEPT)/;
+					    $changed = 1;
+					}
+
+					if ( $is_policy ) {
+					    if ( /\bA_(?:Drop|Reject)\b/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
+						} else {
+						    s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+						}
+
+						$changed = 1;
+					    } elsif ( /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
+						} else {
+						    s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+						}
+
+						$changed = 1;
+					    } elsif ( /\b(?:Drop|Reject)\b/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
+						} else {
+						    s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
+						}
+
+						$changed = 1;
+					    }
+					} else {
+					    unless ( /;;/ ) {
+						if ( /^\s*(?:INLINE|IP6?TABLES)/ ) {
+						    s/;/;;/;
+						    $changed = 1;
+						} elsif ( /^[^#]*;\s*-[mgj]/ ) {
+						    s/;/;;/;
+						    $changed = 1;
+						}
+					    }
+
+					    if ( /\bSMTPTrap\b/ ) {
+						s/SMTPTrap/SMTPtrap/;
+						$changed = 1;
+					    }
+					}
+				    }
+				}
+
+				push @file, $_;
+			    }
+
+			    close $ifile;
+
+			    if ( $changed ) {
+				fatal_error "Can't rename $fullname to $fullname.bak" unless rename $fullname, "$fullname.bak";
+				open $ofile, '>', "$fullname" or fatal_error "Unable to open $fullname: $!";
+				print $ofile $_ for @file;
+				close $ofile;
+				progress_message3 "   File $fullname updated - old file renamed ${fullname}.bak";
 			    } else {
-				warning_message ("Unable to update file $file" );
+				progress_message "   File $file not updated -- no update required";
 			    }
 			} else {
-			    warning_message( "$file skipped (not writeable)" ) unless -d _;
+			    warning_message( "$fullname skipped (not writeable)" ) unless -d _;
 			}
 		    }
 		}
@@ -5993,9 +6188,9 @@ EOF
 # - Read the capabilities file, if any
 # - establish global hashes %params, %config , %globals and %capabilities
 #
-sub get_configuration( $$$$ ) {
+sub get_configuration( $$$ ) {
 
-    ( my ( $export, $update, $annotate ) , $checkinline ) = @_;
+    my ( $export, $update, $annotate ) = @_;
 
     $globals{EXPORT} = $export;
 
@@ -6297,7 +6492,6 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'SAVE_ARPTABLES'             , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
-    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
 
     warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
 
@@ -6353,6 +6547,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'AUTOCOMMENT'                , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
+    default_yes_no 'RENAME_COMBINED'            , 'Yes';
 
     if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6372,7 +6567,6 @@ sub get_configuration( $$$$ ) {
 	$origin{$_} ||= '';
     }
 	    
-    default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
     default_yes_no 'WORKAROUNDS'                , 'Yes';
     default_yes_no 'DOCKER'                     , '';
@@ -6405,11 +6599,14 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
-    default_yes_no 'AUTOMAKE'                   , '';
-    default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
     default_yes_no 'USE_NFLOG_SIZE'             , '';
 
+    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
+	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
+    }
+
     if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
@@ -6606,6 +6803,13 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_BACKEND} = $val;
     }
 
+    if ( supplied( $val = $config{LOG_ZONE} ) ) {
+	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
+	$config{LOG_ZONE} = lc( $val );
+    } else {
+	$config{LOG_ZONE} = 'both';
+    }
+
     warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
 
     default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6782,7 +6986,7 @@ sub get_configuration( $$$$ ) {
     } else {
 	$val = numeric_value $config{OPTIMIZE};
 
-	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
+	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && $val <= OPTIMIZE_ALL;
     }
 
     require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
@@ -6851,7 +7055,7 @@ sub get_configuration( $$$$ ) {
 	$variables{$var} = $config{$val};
     }
 
-    convert_to_directives if $update;
+    convert_to_version_5_2 if $update;
 
     cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,6 +60,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
+		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -98,12 +99,14 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
+our $loopback_address;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
+	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -370,6 +373,10 @@ sub rfc1918_networks() {
     @rfc1918_networks
 }
 
+sub loopback_address() {
+    $loopback_address;
+}
+
 #
 # Protocol/port validation
 #
@@ -755,6 +762,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
+	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -767,6 +775,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
+	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -718,7 +718,7 @@ sub add_common_rules ( $ ) {
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
     } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -810,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2554,9 +2554,6 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
-	        refresh)
-	            mylogger kern.err "ERROR:$g_product refresh failed"
-	            ;;
                 enable)
                     mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
@@ -2646,7 +2643,6 @@ EOF
 
         rm -f ${VARDIR}/proxyarp
     fi
-
 EOF
     } else {
 	emit <<'EOF';
@@ -2660,7 +2656,6 @@ EOF
 
         rm -f ${VARDIR}/proxyndp
     fi
-
 EOF
     }
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
+    my $have_masq_rules;
+
     if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 
-	my $have_masq_rules;
-
 	directive_callback(
 	    sub ()
 	    {
@@ -647,6 +647,8 @@ sub convert_masq() {
 
 	close $snat, directive_callback( 0 );
     }
+
+    $have_masq_rules;
 }
 
 #

Shorewall/Perl/Shorewall/Proc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -161,6 +161,15 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
+
+		if ( have_ipsec ) {
+		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
+			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
+			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    }
+		}
+
 		$marked_interfaces{$interface} = 1;
 	    }
 
@@ -329,22 +338,22 @@ sub balance_default_route( $$$$ ) {
     if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
 	}
 
 	$first_default_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
 	}
     }
 }
@@ -359,22 +368,22 @@ sub balance_fallback_route( $$$$ ) {
     if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
 	}
 
 	$first_fallback_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
 	}
     }
 }
@@ -867,7 +876,7 @@ sub add_a_provider( $$ ) {
 	    }
 
 	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
 	if ( ! $noautosrc ) {
@@ -876,7 +885,8 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do",
+		emit  ( '',
+			"find_interface_addresses $physical | while read address; do",
 			"    qt \$IP -$family rule del from \$address",
 			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
@@ -1241,7 +1251,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled",
 		   "fi\n",
 		 );
 	}
@@ -1575,7 +1585,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        while qt \$IP -6 route delete default table $table; do true; done",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1584,7 +1594,8 @@ sub finish_providers() {
 	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( '',
+		    "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1638,7 +1649,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 
@@ -1730,7 +1741,7 @@ sub process_providers( $ ) {
 
     add_a_provider( $providers{$_}, $tcdevices ) for @providers;
 
-    emit << 'EOF';;
+    emithd << 'EOF';;
 
 #
 # Enable an optional provider
@@ -1776,12 +1787,11 @@ EOF
     pop_indent;
     pop_indent;
 
-    emit << 'EOF';;
+    emithd << 'EOF';;
         *)
             startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
-
 }
 
 #
@@ -1885,20 +1895,19 @@ sub setup_providers() {
 
 	start_providers;
 
-	setup_null_routing if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
 
-	emit '';
-
-	emit "start_$providers{$_}->{what}_$_" for @providers;
-
-	emit '';
+	if ( @providers ) {
+	    emit "start_$providers{$_}->{what}_$_" for @providers;
+	    emit '';
+	}
 
 	finish_providers;
 
 	emit "\nrun_ip route flush cache";
 
 	pop_indent;
-	emit "fi\n";
+	emit 'fi';
 
 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
     } else {
@@ -1909,9 +1918,10 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
+	    emit '';
 	}
 
-	emit "\nundo_routing";
+	emit "undo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1936,7 +1946,7 @@ sub setup_providers() {
 
 	pop_indent;
 
-	emit "fi\n";
+	emit 'fi';
     }
 }
 
@@ -2186,17 +2196,13 @@ sub provider_realm( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
+
 #
-# Returns true if there were required or optional interfaces
-#
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {
 
     my @interfaces;
     my $wildcards;
-
     #
     # First do the provider interfacess. Those that are real providers will never have wildcard physical
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2220,10 +2226,6 @@ sub handle_optional_interfaces( $ ) {
 
     if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
-	my $gencase     = shift;
-
-	verify_required_interfaces( $gencase );
-	emit '' if $gencase;
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2366,7 +2368,7 @@ sub handle_optional_interfaces( $ ) {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore|refresh)'
+		  '        start|reload|restore)'
 		);
 
 	    if ( $family == F_IPV4 ) {
@@ -2387,8 +2389,6 @@ sub handle_optional_interfaces( $ ) {
 
 	return 1;
     }
-
-    verify_required_interfaces( shift );
 }
 
 #

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,6 +96,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
     }
 
     emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
+	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
 
     push @proxyarp, "$address $interface $external $haveroute";

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $disposition = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+
     my $level = '';
 
     if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,6 +138,14 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
+	if ( $proto ne '-' ) {
+	    if ( $proto =~ s/:all$// ) {
+		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
+	    } else {
+		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
+	    }
+	}
+
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -199,7 +207,9 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 $rule,
+		 do_proto( $proto, $ports, $sports ) . 
+		 do_user ( $user ) . 
+		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,

Shorewall/Perl/Shorewall/Rules.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,7 @@ use constant { NULL_SECTION          => 0x00,
 	       INVALID_SECTION       => 0x10,
 	       UNTRACKED_SECTION     => 0x20,
 	       NEW_SECTION           => 0x40,
-	       DEFAULTACTION_SECTION => 0x80 };
+	       POLICYACTION_SECTION  => 0x80 };
 #
 # Number of elements in the action tuple
 #
@@ -112,6 +112,13 @@ our %section_functions = ( ALL_SECTION ,        \&rules_chain,
 			   UNTRACKED_SECTION,   \&untracked_chain,
 			   NEW_SECTION,         \&rules_chain );
 
+our %log_functions = ( ALL_SECTION ,         \&rules_log ,
+		       BLACKLIST_SECTION ,   \&blacklist_log ,
+		       ESTABLISHED_SECTION , \&established_log ,
+		       RELATED_SECTION ,     \&related_log ,
+		       INVALID_SECTION ,     \&invalid_log ,
+		       UNTRACKED_SECTION ,   \&untracked_log ,
+		       NEW_SECTION ,         \&rules_log );
 #
 # Section => STATE map - initialized in process_rules().
 #
@@ -403,8 +410,8 @@ sub initialize( $ ) {
 #
 # Create a rules chain
 #
-sub new_rules_chain( $ ) {
-    my $chainref = new_chain( 'filter', $_[0] );
+sub new_rules_chain( $$ ) {
+    my $chainref = new_chain( 'filter', &rules_chain( @_ ), &rules_log( @_ ) );
 
     if ( $config{FASTACCEPT} ) {
 	if ( $globals{RELATED_TARGET} eq 'ACCEPT' && ! $config{RELATED_LOG_LEVEL} ) {
@@ -445,7 +452,7 @@ sub new_policy_chain($$$$$)
 {
     my ($source, $dest, $policy, $provisional, $audit) = @_;
 
-    my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_rules_chain( ${source}, ${dest} );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
 
@@ -455,9 +462,11 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$$)
+sub set_policy_chain($$$$$)
 {
-    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ( $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+
+    my $chain = rules_chain( $source, $dest );
 
     my $chainref = $filter_table->{$chain};
 
@@ -467,7 +476,7 @@ sub set_policy_chain($$$$$$)
 	    $chainref->{provisional} = '';
 	}
     } else {
-	$chainref = new_rules_chain $chain;
+	$chainref = new_rules_chain( $source, $dest );
     }
 
     unless ( $chainref->{policychain} ) {
@@ -483,6 +492,7 @@ sub set_policy_chain($$$$$$)
 	    if ( defined $polchainref->{synparams} ) {
 		$chainref->{synparams}   = $polchainref->{synparams};
 		$chainref->{synchain}    = $polchainref->{synchain};
+		$chainref->{synlog}      = $polchainref->{synlog};
 	    }
 
 	    $chainref->{pactions}    = $polchainref->{pactions} || [];
@@ -580,7 +590,7 @@ sub process_policy_actions( $$$ ) {
 	    for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
 		my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
 
-		fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
+		fatal_error "Invalid policy action ($paction)" if defined $remainder;
 
 		push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
 	    }
@@ -743,7 +753,8 @@ sub process_a_policy1($$$$$$$) {
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
-	$chainref->{synchain}  = $chain
+	$chainref->{synchain}  = $chain;
+	$chainref->{synlog}    = '@' . $chainref->{logname};
     }
 
     $chainref->{pactions} = $pactionref;
@@ -753,19 +764,19 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
     } else {
@@ -832,6 +843,8 @@ sub save_policies() {
     }
 }
 
+sub ensure_rules_chain( $$ );
+
 #
 # Process the policy file
 #
@@ -881,19 +894,15 @@ sub process_policies()
 	if ( $type == LOCAL ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
-		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
-		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -927,27 +936,49 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 
+#
+# Determine the protocol to be used in the jump to the passed action
+#
+sub determine_action_protocol( $$ ) {
+    my ( $action, $proto ) = @_;
+
+    if ( my $actionproto = $actions{$action}{proto} ) {
+	if ( $proto eq '-' ) {
+	    $proto = $actionproto;
+	} else {
+	    if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
+		fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
+		$proto = $protonum;
+	    } else {
+		fatal_error( "Unknown protocol ($proto)" );
+	    }
+	}
+    }
+
+    $proto;
+}
+
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	my @pactions;
-
-	@pactions = @$pactions;
-
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 
-	for my $paction ( @pactions ) {
+	for my $paction ( @$pactions ) {
 	    my ( $action ) = split ':', $paction;
 
 	    if ( ( $targets{$action} || 0 ) & ACTION ) {
 		#
-		# Default action is a regular action -- jump to the action chain
+		# Policy action is a regular action -- jump to the action chain
 		#
-		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
+		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		} else {
+		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+		}
 	    } else {
 		#
-		# Default action is an inline 
+		# Policy action is an inline 
 		#
 		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
@@ -979,7 +1010,7 @@ sub add_policy_rules( $$$$$ ) {
 	}
  
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
-	fatal_error "Null target in policy_rules()" unless $target;
+	assert( $target );
 
 	if ( $target eq 'BLACKLIST' ) {
 	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
@@ -1040,7 +1071,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
     progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
 
-sub ensure_rules_chain( $ );
+sub finish_chain_sections( $ );
 
 #
 # Finish all policy Chains
@@ -1054,7 +1085,7 @@ sub complete_policy_chains() {
 	    my $provisional = $chainref->{provisional};
 	    my $defaults    = $chainref->{pactions};
 	    my $name        = $chainref->{name};
-	    my $synparms    = $chainref->{synparms};
+	    my $synparams   = $chainref->{synparams};
 
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
@@ -1064,13 +1095,13 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( @$defaults         ||
-						  $loglevel          ||
-						  $synparms          ||
-						  $config{MULTICAST} ||
-						  ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
+		    finish_chain_sections( $chainref ) if ( @$defaults         ||
+							    $loglevel          ||
+							    $synparams         ||
+							    $config{MULTICAST} ||
+							    ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
-		    ensure_rules_chain $name;
+		    finish_chain_sections( $chainref );
 		}
 	    }
 
@@ -1127,13 +1158,14 @@ sub setup_syn_flood_chains() {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref = @zones > 1 ?
-		    new_chain 'filter' , syn_flood_chain $chainref :
-		    new_chain( 'filter' , '@' . $chainref->{name} );
+	    my $synchainref =
+		@zones > 1 ?
+		new_chain( 'filter' , syn_flood_chain $chainref , $chainref->{synlog} ) :
+		new_chain( 'filter' , '@' . $chainref->{name}   , '@' . $chainref->{logname} );
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $chainref->{name} ,
+			     $synchainref->{logname} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@@ -1200,12 +1232,12 @@ sub finish_chain_section ($$$) {
 		    if ( $twochains ) {
 			$chain2ref = $chainref;
 		    } else {
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" );
+			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
 		    }
 
 		    log_rule_limit( $level,
 				    $chain2ref,
-				    $chain2ref->{name},
+				    $chain2ref->{logname},
 				    uc $target,
 				    $globals{LOGLIMIT},
 				    $tag ,
@@ -1262,7 +1294,7 @@ sub finish_chain_section ($$$) {
 	if ( $chain1ref->{is_policy} ) {
 	    if ( $chain1ref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chain1ref;
-		if ( $section == DEFAULTACTION_SECTION ) {
+		if ( $section == POLICYACTION_SECTION ) {
 		    if ( $chain1ref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chain1ref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -1284,21 +1316,10 @@ sub finish_chain_section ($$$) {
     pop_comment( $save_comment );
 }
 
-#
-# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
-#
-# Return a reference to the chain's table entry.
-#
-sub ensure_rules_chain( $ )
-{
-    my ($chain) = @_;
+sub finish_chain_sections( $ ) {
+    my ( $chainref ) = @_;
 
-    my $chainref = $filter_table->{$chain};
-
-    $chainref = new_rules_chain( $chain ) unless $chainref;
-
-    unless ( $chainref->{referenced} ) {
-	if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
+	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
@@ -1309,7 +1330,24 @@ sub ensure_rules_chain( $ )
 	}
 
 	$chainref->{referenced} = 1;
-    }
+}
+ 
+#
+# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
+#
+# Return a reference to the chain's table entry.
+#
+sub ensure_rules_chain( $$ )
+{
+    my ($source, $dest) = @_;
+
+    my $chain = rules_chain( $source, $dest );
+
+    my $chainref = $filter_table->{$chain};
+
+    $chainref = new_rules_chain( $source, $dest ) unless $chainref;
+
+    finish_chain_sections( $chainref ) unless $chainref->{referenced};
 
     $chainref;
 }
@@ -1417,13 +1455,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$ ) {
+sub new_action( $$$$$$ ) {
 
-    my ( $action , $type, $options , $actionfile , $state ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
 
-    fatal_error "Invalid action name($action)" if reserved_name( $action );
+    fatal_error "Reserved action name ($action)" if reserved_name( $action );
 
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
 
     $targets{$action} = $type;
 }
@@ -1431,11 +1469,7 @@ sub new_action( $$$$$ ) {
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
-# a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variables serve as arguments to the user's
-# exit. We call the exit corresponding to the name of the action but we
-# set $chain to the name of the iptables chain where rules are to be added.
-# Similarly, $level and $tag contain the log level and log tag respectively.
+# a 1- or 2-digit sequence number.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -1641,7 +1675,7 @@ sub merge_inline_source_dest( $$ ) {
 		    return join( ':', $invocation, $body );
 		}
 	    } else {
-		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+|/;
+		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+/;
 
 		if ( $invocation =~ /:\[|:\+/ ) {
 		    $invocation =~ s/:.*//;
@@ -1696,34 +1730,6 @@ sub isolate_basic_target( $ ) {
     $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
 
-#
-# Map pre-3.0 actions to the corresponding Macro invocation
-#
-
-sub find_old_action ( $$$ ) {
-    my ( $target, $macro, $param ) = @_;
-
-    if ( my $actiontype = find_macro( $macro ) ) {
-	( $macro, $actiontype , $param );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
-sub map_old_actions( $ ) {
-    my $target = shift;
-
-    if ( $target =~ /^Allow(.*)$/ ) {
-	find_old_action( $target, $1, 'ACCEPT' );
-    } elsif ( $target =~ /^Drop(.*)$/ ) {
-	find_old_action( $target, $1, 'DROP' );
-    } elsif ( $target = /^Reject(.*)$/ ) {
-	find_old_action( $target, $1, 'REJECT' );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -2049,9 +2055,10 @@ sub process_actions() {
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 
 	    my $state = '';
+	    my $proto = 0;
 
 	    if ( $action =~ /:/ ) {
-		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
+		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }
 
@@ -2065,6 +2072,9 @@ sub process_actions() {
 			} else {
 			    fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
 			}
+		    } elsif ( /^proto=(.+)$/ ) {
+			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
+			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2085,9 +2095,11 @@ sub process_actions() {
 			next;
 		    }
 
+		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
+		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2097,6 +2109,8 @@ sub process_actions() {
 	    }
 
 	    if ( $opts & BUILTIN_OPT ) {
+		warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
+
 		my $actiontype = USERBUILTIN | OPTIONS;
 		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
 		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
@@ -2129,7 +2143,7 @@ sub process_actions() {
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		new_action ( $action, $type, $opts, $actionfile , $state );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
 	    }
 	}
     }
@@ -2167,7 +2181,7 @@ sub process_reject_action() {
     #
     # This gets called very early in the compilation process so we fake the section
     #
-    $section = DEFAULTACTION_SECTION;
+    $section = POLICYACTION_SECTION;
 
     if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
@@ -2501,7 +2515,7 @@ sub verify_audit($;$$) {
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
-# reference is also passed when rules are being generated during processing of a macro used as a default action.
+# reference is also passed when rules are being generated during processing of a macro used as a policy action.
 #
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -2604,10 +2618,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
-    if ( $config{ MAPOLDACTIONS } ) {
-	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
-    }
-
     fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
     $usergenerated = $actiontype & IPTABLES;
@@ -2973,7 +2983,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
-	$chainref = ensure_rules_chain $chain;
+	$chainref = ensure_rules_chain ${sourcezone}, ${destzone};
 	#
 	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
 	#
@@ -2983,7 +2993,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	    unless ( $auxref ) {
 		my $save_comment = push_comment;
-		$auxref = new_chain 'filter', $auxchain;
+		$auxref = new_chain 'filter', $auxchain, $log_functions{$section}->( $sourcezone, $destzone );
 		$auxref->{blacklistsection} = 1 if $blacklist;
 
 		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
@@ -3012,6 +3022,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Verify action 'proto', if any
+	#
+	$proto = determine_action_protocol( $basictarget, $proto );
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3162,7 +3176,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     );
     }
 
-    unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
+    unless ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ||
 	     $inaction ||
 	     $blacklist ||
 	     $basictarget eq 'dropInvalid' ) {
@@ -3298,7 +3312,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     $exceptionrule ,
 		     $usergenerated && ! $loglevel )
-	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
+	    unless unreachable_warning( $wildcard || $section == POLICYACTION_SECTION, $chainref );
     }
 
     $generated = 1;
@@ -3376,7 +3390,7 @@ sub check_state( $ ) {
 	}
     }
 
-    if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
+    if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	if ( $state eq 'NEW' ) {
 	    #
 	    # If an INVALID or UNTRACKED rule would be emitted then we must include the state match
@@ -3917,7 +3931,7 @@ sub process_rules() {
     #
     # No need to finish the NEW section since no rules need to be generated
     #
-    $section = $next_section = DEFAULTACTION_SECTION;
+    $section = $next_section = POLICYACTION_SECTION;
 }
 
 sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -4736,6 +4750,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
+	    # Verify action 'proto', if any
+	    #
+	    $proto = determine_action_protocol( $cmd, $proto );
+	    #
 	    # Create the action:level:tag:param tuple.
 	    #
 	    my $normalized_target = normalize_action( $cmd, '', $params );
@@ -5436,7 +5454,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     #
     if ( $inaction ) {
 	$destnets = $dest;
-	assert( $param =~ /^(.*)|/ );
+	assert( $param =~ /^(.*)\|/ );
 	$interfaces=$1;
     } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
@@ -5467,22 +5485,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$interfaces    = $dest;
     }
     #
-    # Handle IPSEC options, if any
-    #
-    if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
-
-	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
-	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'none', '';
-	} else {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
-	}
-    } elsif ( have_ipsec ) {
-	$baserule .= '-m policy --pol none --dir out ';
-    }
-    #
     # Handle Protocol, Ports and Condition
     #
     $baserule .= do_proto( $proto, $ports, '' );
@@ -5493,7 +5495,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     $baserule .= do_user( $user )                    if $user ne '-';
     $baserule .= do_probability( $probability )      if $probability ne '-';
 
-    for my $fullinterface ( split_list( $interfaces, 'interface' ) ) {
+    my @interfaces = split_list( $interfaces, 'interface' );
+
+    for my $fullinterface ( @interfaces ) {
  
 	my $rule = '';
 	my $saveaddresses = $addresses;
@@ -5501,36 +5505,71 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	my $savebaserule  = $baserule;
 	my $interface = $fullinterface;
 
-	$interface =~ s/:.*//;   #interface name may include 'alias'
-
-	unless ( $inaction ) {
-	    if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
-		$interface    = $1;
-		my $provider  = $2;
-
-		fatal_error "Missing Provider ($dest)" unless supplied $provider;
-
-		$dest =~ s/[(]\w*[)]//;
-		my $realm = provider_realm( $provider );
-
-		fatal_error "$provider is not a shared-interface provider" unless $realm;
-
-		$rule .= "-m realm --realm $realm ";
-	    }
-
-	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-
-	    if ( $interfaceref->{root} ) {
-		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	if ( $inaction ) {
+	    $interface =~ s/:.*// if $family == F_IPV4;   #interface name may include 'alias'
+	} else {
+	    if ( $interface eq firewall_zone ) {
+		if ( @interfaces == 1 ) {
+		    fatal_error q('+' not valid when the DEST is $FW) if $pre_nat;
+		    fatal_error q('MASQUERADE' not allowed when DEST is $FW) if $action eq 'MASQUERADE';
+		    require_capability 'NAT_INPUT_CHAIN', '$FW in the DEST column', 's';
+		    $interface = '';
+		} else {
+		    fatal_error q($FW may not appear in a list of interfaces);
+		}
 	    } else {
-		$rule .= match_dest_dev( $interface );
-		$interface = $interfaceref->{name};
+		$interface =~ s/:.*// if $family == F_IPV4;   #interface name may include 'alias'
+
+		if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
+		    $interface    = $1;
+		    my $provider  = $2;
+
+		    fatal_error "Missing Provider ($dest)" unless supplied $provider;
+
+		    $dest =~ s/[(]\w*[)]//;
+		    my $realm = provider_realm( $provider );
+
+		    fatal_error "$provider is not a shared-interface provider" unless $realm;
+
+		    $rule .= "-m realm --realm $realm ";
+		}
+
+		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+
+		if ( $interfaceref->{root} ) {
+		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		} else {
+		    $rule .= match_dest_dev( $interface );
+		    $interface = $interfaceref->{name};
+		}
 	    }
 
-	    $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
+	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
 	}
 
 	$baserule .= do_condition( $condition , $chainref->{name} );
+	#
+	# Handle IPSEC options, if any
+	#
+	if ( $ipsec ne '-' ) {
+	    fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+
+	    my $dir = $interface ? 'out' : 'in';
+
+	    if ( $ipsec =~ /^yes$/i ) {
+		$baserule .= do_ipsec_options $dir, 'ipsec', '';
+	    } elsif ( $ipsec =~ /^no$/i ) {
+		$baserule .= do_ipsec_options $dir, 'none', '';
+	    } else {
+		$baserule .= do_ipsec_options $dir, 'ipsec', $ipsec;
+	    }
+	} elsif ( have_ipsec ) {
+	    if ( $interface ) {
+		$baserule .= '-m policy --pol none --dir out ';
+	    } else {
+		$baserule .= '-m policy --pol none --dir in ';
+	    }
+	}
 
 	my $detectaddress = 0;
 	my $exceptionrule = '';
@@ -5538,6 +5577,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	if ( $action eq 'SNAT' ) {
 	    if ( $addresses eq 'detect' ) {
+		fatal_error q('detect' not allowed when the destination is $FW) unless $interface;
 		my $variable = get_interface_address $interface;
 		$target .= " --to-source $variable";
 
@@ -5664,6 +5704,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		$target .= $addrlist;
 	    }
 	} elsif ( $action eq 'MASQUERADE' ) {
+	    fatal_error q('MASQUERADE' not allowed when the destination is $FW') unless $interface;
 	    if ( supplied $addresses ) {
 		validate_portpair1($proto, $addresses );
 		$target .= " --to-ports $addresses";
@@ -5681,7 +5722,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 $params,
 				 $loglevel,
 				 $source,
-				 supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
+				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
 				 $ipsec,
@@ -5694,6 +5735,10 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
+		# Verify action 'proto', if any
+		#
+		$proto = determine_action_protocol( $target, $proto );
+		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
 		#
@@ -5742,7 +5787,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $destnets = ALLIP unless supplied $destnets && $destnets ne '-';
 
 	    expand_rule( $chainref ,
-			 POSTROUTE_RESTRICT ,
+			 $interface ? POSTROUTE_RESTRICT : INPUT_RESTRICT ,
 			 $prerule ,
 			 $baserule . $inlinematches . $rule ,
 			 $source ,
@@ -5757,7 +5802,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
-	    if ( $add_snat_aliases && $addresses ) {
+	    if ( $interface && $add_snat_aliases && $addresses ) {
 		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 		for my $address ( split_list $addresses, 'address' ) {
@@ -5806,23 +5851,15 @@ sub process_snat( )
 }
 
 #
-# Process the masq or snat file
+# Process the snat file. Convert the masq file if found and non-empty
 #
-sub setup_snat( $ ) # Convert masq->snat if true
+sub setup_snat()
 {
     my $fn;
-    my $have_masq;
 
-    if ( $_[0] ) {
-	convert_masq();
-    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
-    }
-
-    unless ( $have_masq ) {
+    unless ( convert_masq ) {
 	#
-	# Masq file empty or didn't exist
+	# Masq file was empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
     if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
+		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police drop avrate ${in_avrate}kbit\n" );
+		  "    police avrate ${in_avrate}kbit drop\n" );
 	}
     } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
+		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
 
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
 
-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
+	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
 
 	$gateways = ALLIP if $gateways eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,7 +90,6 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
-		    find_interfaces_by_option1
 		    get_interface_option
 		    get_interface_origin
 		    interface_has_option
@@ -253,6 +252,17 @@ use constant { NO_UPDOWN   => 1,
 
 our %validinterfaceoptions;
 
+our %procinterfaceoptions=( accept_ra   => 1,
+			    arp_filter  => 1,
+			    arp_ignore  => 1,
+			    forward     => 1,
+			    logmartians => 1,
+			    proxyarp    => 1,
+			    proxyndp    => 1,
+			    routefilter => 1,
+			    sourceroute => 1,
+			  );
+
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -317,7 +327,7 @@ sub initialize( $$ ) {
     %mapbase = ();
     %mapbase1 = ();
     $baseseq = 0;
-    $minroot = 0;
+    $minroot = undef;
     $loopback_interface = '';
 
     %validzoneoptions = ( mss            => NUMERIC,
@@ -339,7 +349,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -363,9 +373,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -390,7 +400,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -402,18 +412,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -714,7 +724,7 @@ sub interface_match( $$ ) {
     return 1 if $piface eq $cifaceref->{bridge};
     return 1 if $ciface eq $pifaceref->{bridge};
 
-    if ( $minroot ) {
+    if ( defined $minroot ) {
 	if ( $piface =~ /\+$/ ) {
 	    my $root    = $pifaceref->{root};
 	    my $rlength = length( $root );
@@ -1204,15 +1214,16 @@ sub process_interface( $$ ) {
     }
 
     my $wildcard = 0;
+    my $physwild = 0;
     my $root;
 
     if ( $interface =~ /\+$/ ) {
-	$wildcard = 1;
+	$wildcard = $physwild = 1; # Default physical name is the logical name
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
 
-	if ( $minroot ) {
+	if ( defined $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1258,8 +1269,6 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );
 
 	for my $option (split_list1 $options, 'option' ) {
-	    next if $option eq '-';
-
 	    ( $option, my $value ) = split /=/, $option;
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1296,7 +1305,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1320,7 +1328,6 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1372,7 +1379,9 @@ sub process_interface( $$ ) {
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
 
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
+		    $physwild = ( $value =~ /\+$/ );
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
+
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1400,6 +1409,14 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}
 
+	for my $option ( keys %options ) {
+	    if ( $root ) {
+		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
+	    } else {
+		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
+	    }
+	}
+
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1458,6 +1475,7 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
+						   physwild   => $physwild, # Currently unused
 					         };
 
     $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1616,7 +1634,7 @@ sub known_interface($)
 
     my $iface = $interface;
 
-    if ( $minroot ) {
+    if ( defined $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
@@ -1857,7 +1875,8 @@ sub find_interfaces_by_option( $;$ ) {
     for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
-	next unless $interfaceref->{root};
+	next unless $interfaceref->{root};                                   # Don't return '+' interface
+	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
 
 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1872,35 +1891,6 @@ sub find_interfaces_by_option( $;$ ) {
     \@ints;
 }
 
-#
-# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
-#
-# - All entries in %interfaces are searched.
-# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
-#
-sub find_interfaces_by_option1( $ ) {
-    my $option = $_[0];
-    my @ints = ();
-    my $wild = 0;
-
-    for my $interface ( @interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-
-	next unless defined $interfaceref->{physical};
-
-	my $optionsref = $interfaceref->{options};
-
-	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= $interfaceref->{wildcard};
-	    push @ints , $interface
-	}
-    }
-
-    return unless defined wantarray;
-
-    wantarray ? ( \@ints, $wild ) : \@ints;
-}
-
 #
 # Return the value of an option for an interface
 #
@@ -2031,6 +2021,7 @@ sub verify_required_interfaces( $ ) {
 
 	emit( "esac\n" );
 
+	$returnvalue = 1;
     }
 
     $interfaces = find_interfaces_by_option( 'required' );
@@ -2040,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore|refresh)' );
+	    emit( 'start|reload|restore)' );
 	    push_indent;
 	}
 
@@ -2076,7 +2067,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( 'esac' );
+	    emit( "esac\n" );
 	}
 
 	$returnvalue = 1;

Shorewall/Perl/compiler.pl

@@ -32,7 +32,6 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
-#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -40,7 +39,6 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
-#         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -64,7 +62,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --timestamp ]
     [ --debug ]
     [ --confess ]
-    [ --refresh=<chainlist> ]
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
@@ -75,7 +72,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --shorewallrc=<pathname> ]
     [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
-    [ --inline ]
 _EOF_
 
 exit shift @_;
@@ -90,7 +86,6 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
-my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -102,7 +97,6 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
-my $inline        = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -117,8 +111,6 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
-			'r=s'             => \$chains,
-			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -132,7 +124,6 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
-			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -147,7 +138,6 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
-	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -159,5 +149,4 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
-	  inline          => $inline,
 	);

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -675,7 +675,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1065,8 +1065,6 @@ clear_firewall() {
     run_iptables -F
     qt $IPTABLES -t raw -F
 
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
     if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
     	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1103,7 +1101,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1375,8 +1373,6 @@ clear_firewall() {
     run_iptables -F
     qt $IP6TABLES -t raw -F
 
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
     run_clear_exit
 
     set_state "Cleared"

Shorewall/Perl/prog.footer

@@ -1,5 +1,23 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
+#
+#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#
+#	This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#	Free Software Foundation, either version 2 of the license or, at your
+#	option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
 ###############################################################################
 #
 # Give Usage Information
@@ -268,8 +286,10 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    $g_tool -Z
-	    $g_tool -t mangle -Z
+	    for table in raw mangle nat filter; do
+		qt $g_tool -t $table -Z
+	    done
+
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -353,6 +373,7 @@ case "$COMMAND" in
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
+	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Samples/Universal/shorewall.conf

@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -77,7 +79,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -199,8 +199,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -219,6 +217,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=Yes
 
 RESTART=restart

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0

Shorewall/Samples/one-interface/shorewall.conf

@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -88,7 +90,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Off
@@ -210,8 +210,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -230,6 +228,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -53,6 +53,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -85,7 +87,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -191,8 +193,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -207,8 +207,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -227,6 +225,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/Samples/three-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
-ACCEPT		eth2		-
-ACCEPT		-		eth2
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
+ACCEPT		DMZ_IF		-
+ACCEPT		-		DMZ_IF
 

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -88,7 +90,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -210,8 +210,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -230,6 +228,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/Samples/two-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF

Shorewall/actions.std

@@ -8,11 +8,8 @@
 #
 ###############################################################################
 #ACTION
-A_AllowICMPs inline		# Audited version of AllowICMPs
-A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
-A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -26,18 +23,18 @@ Broadcast    inline,audit	# Handles Broadcast/Anycast
 ?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 ?endif
-DNSAmp				# Matches one-question recursive DNS queries
-Drop				# Default Action for DROP policy (deprecated)
+DNSAmp	     proto=17		# Matches one-question recursive DNS queries
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
-DropDNSrep   inline		# Drops DNS replies
+dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
+DropDNSrep   inline,proto=17	# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
+FIN	     inline,audit,\	# Handles ACK,FIN packets
+	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
@@ -50,14 +47,15 @@ Multicast    inline,audit	# Handles Multicast
 Multicast    noinline,audit	# Handles Multicast
 ?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
-Reject				# Default Action for REJECT policy (deprecated)
+NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
+	     proto=6
+rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit	# Handle packets with RST set
+RST	     inline,audit,\	# Handle packets with RST set
+	     proto=6
 SetEvent     inline		# Initialize an event
-TCPFlags			# Handle bad flag combinations.
+TCPFlags     proto=6		# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#

Shorewall/configfiles/masq

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/masq
-#
-# For information about entries in this file, type "man shorewall-masq"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-masq.html
-#
-###################################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/configfiles/shorewall.conf

@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
+LOG_ZONE=Both
+
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -77,7 +79,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -199,8 +199,6 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
-
 MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
@@ -219,6 +217,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
@@ -241,7 +241,7 @@ TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=No
+TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 

Shorewall/configpath

@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

Shorewall/lib.cli-std

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli-std
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,11 +47,10 @@ get_config() {
 	fi
     fi
 
-    if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file ${PRODUCT}.conf)
-    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+    if [ -n "$g_shorewalldir" ]; then
 	config="$g_shorewalldir/$PRODUCT.conf"
+    else
+	config=$(find_file ${PRODUCT}.conf)
     fi
 
     if [ -f $config ]; then
@@ -211,30 +210,35 @@ get_config() {
 	LOG_VERBOSITY=-1
     fi
 
-    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
+    if [ -z "${g_export}${g_test}" ]; then
+	if [ -n "$SHOREWALL_SHELL" ]; then
+	    if [ ! -x "$SHOREWALL_SHELL" ]; then
+		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+		SHOREWALL_SHELL=/bin/sh
+	    fi
 	fi
-    fi
 
-    if [ -n "$IP" ]; then
-	case "$IP" in
-	    */*)
-		if [ ! -x "$IP" ] ; then
-		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IP 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    fatal_error "Can't find $IP executable"
-		fi
-		IP=$prog
-		;;
-	esac
+	if [ -n "$IP" ]; then
+	    case "$IP" in
+		*/*)
+		    if [ ! -x "$IP" ] ; then
+			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    prog="$(mywhich $IP 2> /dev/null)"
+		    if [ -z "$prog" ] ; then
+			fatal_error "Can't find $IP executable"
+		    fi
+		    IP=$prog
+		    ;;
+	    esac
+	else
+	    IP='ip'
+	fi
     else
-	IP='ip'
+	[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
+	[ -n "$IP" ]              || IP='ip'
     fi
 
     case $VERBOSITY in
@@ -277,10 +281,18 @@ get_config() {
 
     case $AUTOMAKE in
 	Yes|yes)
+	    AUTOMAKE=1
 	    ;;
 	No|no)
 	    AUTOMAKE=
 	    ;;
+	[1-9])
+	    ;;
+	[1-9][0-9])
+	    ;;
+	[Rr]ecursive)
+	    AUTOMAKE=recursive
+	    ;;
 	*)
 	    if [ -n "$AUTOMAKE" ]; then
 		fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)"
@@ -337,8 +349,12 @@ get_config() {
 	fi
     fi
 
-    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
+    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
+	case $COMMAND in
+	    blacklist|allow|drop|logdrop|reject)
+		setup_dbl
+		;;
+	esac
     fi
 
     if [ -z "$PERL_HASH_SEED" ]; then
@@ -358,6 +374,17 @@ get_config() {
     [ -f $lib ] && . $lib
 }
 
+#
+# Ensure that the effective UID is 0 or that we are dealing with a private configuration
+#
+ensure_root() {
+    if [ $(id -u) -ne 0 ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
+	    startup_error "Ordinary users may not $COMMAND the default $PRODUCT configuration"
+	fi
+    fi
+}
+
 #
 # Determine if there are config files newer than the passed object
 #
@@ -365,20 +392,39 @@ uptodate() {
     [ -x $1 ] || return 1
 
     local dir
-    local ifs
+    local busybox
+    local find
 
-    ifs="$IFS"
-    IFS=':'
+    find=$(mywhich find)
 
-    for dir in $g_shorewalldir $CONFIG_PATH; do
-	if [ -n "$(find ${dir} -newer $1)" ]; then
-	    IFS="$ifs"
+    [ -n "${find}" ] || return 1
+    [ -h "${find}" ] && busybox=Yes
+
+    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
+	if [ -n "${busybox}" ]; then
+	    #
+	    # Busybox 'find' doesn't support -quit.
+	    #
+	    if [ $AUTOMAKE = recursive ]; then
+		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
+		    return 1;
+		fi
+	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
+		return 1;
+	    fi
+	elif [ "$AUTOMAKE" = recursive ]; then
+	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
+	elif [ -z "$AUTOMAKE" ]; then
+	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
+	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
     done
 
-    IFS="$ifs"
-
     return 0
 }
 
@@ -408,11 +454,7 @@ compiler() {
 
     pc=${LIBEXECDIR}/shorewall/compiler.pl
 
-    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	fi
-    fi
+    ensure_root
     #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
@@ -423,7 +465,7 @@ compiler() {
     get_config Yes
 
     case $COMMAND in
-	*start|try|refresh|reload|restart|safe-*)
+	*start|try|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -465,11 +507,9 @@ compiler() {
     [ -n "$g_test" ]           && options="$options --test"
     [ -n "$g_preview" ]        && options="$options --preview"
     [ "$g_debugging" = trace ] && options="$options --debug"
-    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
     [ -n "$g_confess" ]        && options="$options --confess"
     [ -n "$g_update" ]         && options="$options --update"
     [ -n "$g_annotate" ]       && options="$options --annotate"
-    [ -n "$g_inline" ]         && options="$options --inline"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -574,10 +614,6 @@ start_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
@@ -619,24 +655,24 @@ start_command() {
     esac
 
     if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/firewall; then
+	if ! uptodate $g_firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
     fi
 
     if [ -n "$AUTOMAKE" ]; then
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging start
+	[ -n "$g_nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging start
 	rc=$?
-	[ -n "$nolock" ] || mutex_off
+	[ -n "$g_nolock" ] || mutex_off
     else
 	g_file="${VARDIR}/.start"
-	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.start $g_debugging start
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product start failed"
@@ -688,10 +724,6 @@ compile_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			-)
 			    finished=1
 			    option=
@@ -712,7 +744,7 @@ compile_command() {
 
     case $# in
 	0)
-	    [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && g_file=firewall || g_file=$g_firewall
 	    ;;
 	1)
 	    g_file=$1
@@ -770,6 +802,10 @@ check_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -782,10 +818,6 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -822,7 +854,7 @@ check_command() {
 
     g_doing="Checking"
 
-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }
 
 #
@@ -854,6 +886,10 @@ update_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -866,16 +902,11 @@ update_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			a*)
 			    g_annotate=Yes
 			    option=${option#a}
 			    ;;
 			A*)
-			    g_inline=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -914,7 +945,7 @@ update_command() {
 
     g_doing="Updating"
 
-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }
 
 #
@@ -965,7 +996,6 @@ restart_command() {
 			    option=${option#T}
 			    ;;
 			i*)
-			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
@@ -1011,117 +1041,65 @@ restart_command() {
     [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
 
     if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	uptodate ${VARDIR}/firewall && g_fast=Yes
+	uptodate $g_firewall && g_fast=Yes
     fi
 
     g_file="${VARDIR}/.${COMMAND}"
 
     if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
     else
-	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+	[ -x $g_firewall ] || fatal_error "No $g_firewall file found"
+	[ -n "$g_nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
-	[ -n "$nolock" ] || mutex_off
+	[ -n "$g_nolock" ] || mutex_off
     fi
 
     return $rc
 }
 
-#
-# Refresh Command Executor
-#
-refresh_command() {
-    local finished
-    finished=0
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
 
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
 
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			d*)
-			    g_debug=Yes
-			    option=${option#d}
-			    ;;
-			n*)
-			    g_noroutes=Yes
-			    option=${option#n}
-			    ;;
-			T*)
-			    g_confess=Yes
-			    option=${option#T}
-			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
-			D)
-			    if [ $# -gt 1 ]; then
-				g_shorewalldir="$2"
-				option=
-				shift
-			    else
-				fatal_error "The -D option requires a directory name"
-			    fi
-			    ;;
-			*)
-			    option_error $option
-			    ;;
-		    esac
-		done
-		shift
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
 		;;
 	    *)
-		finished=1
+		return 1
 		;;
 	esac
-    done
-
-    if [ $# -gt 0 ]; then
-	g_refreshchains=$1
-	shift
-
-	while [ $# -gt 0 ]; do
-	    g_refreshchains="$g_refreshchains,$1"
-	    shift
-	done
-    else
-	g_refreshchains=:refresh:
     fi
-
-    product_is_started || fatal_error "$g_product is not running"
-
-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
-
-    g_file="${VARDIR}/.refresh"
-
-    if compiler $g_debugging $nolock compile "$g_file"; then
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/.refresh $g_debugging refresh
-	rc=$?
-	[ -n "$nolock" ] || mutex_off
-    else
-	rc=$?
-    fi
-
-    return $rc
 }
 
 #
@@ -1246,7 +1224,7 @@ safe_commands() {
 	    ;;
     esac
 
-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on
 
     if run_it ${VARDIR}/.$command $g_debugging $command; then
 
@@ -1261,7 +1239,7 @@ safe_commands() {
 		run_it ${VARDIR}/.$command clear
 	    fi
 
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 
 	    echo "New configuration has been rejected and the old one restored"
 	    exit 2
@@ -1269,7 +1247,7 @@ safe_commands() {
 
     fi
 
-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off
 }
 
 #
@@ -1359,7 +1337,7 @@ try_command() {
 
     g_file="${VARDIR}/.$command"
 
-    if ! compiler $g_debugging $nolock compile "$g_file"; then
+    if ! compiler $g_debugging $g_nolock compile "$g_file"; then
 	status=$?
 	exit $status
     fi
@@ -1379,7 +1357,7 @@ try_command() {
 	    ;;
     esac
 
-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on
 
     if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
@@ -1391,7 +1369,7 @@ try_command() {
 	fi
     fi
 
-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off
 
     return 0
 }
@@ -1409,10 +1387,163 @@ rcp_command() {
     eval $RCP_COMMAND
 }
 
+#
+# Remote-{getcaps|getrc} command executer
+#
+remote_capture() # $* = original arguments less the command.
+{
+    local verbose
+    verbose=$(make_verbose)
+    local finished
+    finished=0
+    local system
+    local getrc
+    getrc=
+    local getcaps
+    getcaps=
+    local remote_sw_dir_path
+    remote_sw_dir_path=
+    local root
+    root=root
+    local libexec
+    libexec=${LIBEXECDIR}
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			R*)
+			    getrc=Yes
+			    option=${option#R}
+			    ;;
+			c*)
+			    getcaps=Yes
+			    option=${option#c}
+			    ;;
+			r)
+			    [ $# -gt 1 ] || fatal_error "Missing Root User name"
+			    root=$2
+			    option=
+			    shift
+			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
+			p)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    remote_sw_dir_path=$2
+			    option=
+			    shift
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			*)
+			    option_error $option
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
+	    ;;
+	1)
+	    g_shorewalldir="."
+	    system=$1
+	    ;;
+	2)
+	    g_shorewalldir=$1
+	    system=$2
+	    ;;
+	*)
+	    too_many_arguments $3
+	    ;;
+    esac
+
+    g_export=Yes
+
+    ensure_config_path
+
+    get_config Yes
+
+    g_haveconfig=Yes
+
+    if [ -z "$system" ]; then
+        system=$FIREWALL
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+    fi
+
+    case $COMMAND in
+        remote-getrc)
+            getrc=Yes
+            ;;
+        remote-getcaps)
+            getcaps=Yes
+            ;;
+    esac
+
+    [ -n "$getcaps" ] && getrc=Yes
+
+    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
+        progress_message2 "Getting shorewallrc file on system $system..."
+
+        if [ -n "$remote_sw_dir_path" ]; then
+            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
+                fatal_error "Capturing RC file on system $system failed"
+            fi
+        elif ! rsh_command "/sbin/shorewall-lite show rc" > $g_shorewalldir/shorewallrc; then
+            fatal_error "Capturing RC file on system $system failed"
+        fi
+    fi
+
+    remote_sw_dir_path=
+
+    if [ -n "$getcaps" -o ! -s $g_shorewalldir/capabilities ]; then
+        if [ -f $g_shorewalldir/shorewallrc -a -s $g_shorewalldir/shorewallrc ]; then
+            . $g_shorewalldir/shorewallrc
+            libexec="$LIBEXECDIR"
+
+            [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
+            progress_message2 "Getting Capabilities on system $system..."
+
+            if [ $g_family -eq 4 ]; then
+                if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+                    fatal_error "Capturing capabilities on system $system failed"
+                fi
+            elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+                fatal_error "Capturing capabilities on system $system failed"
+            fi
+        else
+            fatal_error "$g_shorewalldir/shorewallrc is not present."
+        fi
+    fi
+}
+
 #
 # Remote-{start|reload|restart} command executor
 #
-remote_reload_command() # $* = original arguments less the command.
+remote_commands() # $* = original arguments less the command.
 {
     local verbose
     verbose=$(make_verbose)
@@ -1478,10 +1609,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -1527,34 +1654,28 @@ remote_reload_command() # $* = original arguments less the command.
 	litedir="${VARDIR}-lite"
     fi
 
-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
-	if [ -f $g_shorewalldir/params ]; then
-	    . $g_shorewalldir/params
-	fi
+    g_export=Yes
 
-	ensure_config_path
+    ensure_config_path
 
-	get_config No
+    get_config Yes
 
-	g_haveconfig=Yes
+    g_haveconfig=Yes
 
-	if [ -z "$system" ]; then
-	    system=$FIREWALL
-	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	fi
-    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
+    if [ -z "$system" ]; then
+        system=$FIREWALL
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
     fi
 
     if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
-	[ -f $capabilities ] || getcaps=Yes
+	[ ! -f $capabilities -o ! -s $capabilities ] && getcaps=Yes
     fi
 
     if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
-	progress_message "Getting Capabilities on system $system..."
+	progress_message2 "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1566,12 +1687,11 @@ remote_reload_command() # $* = original arguments less the command.
 
     file=$(resolve_file $g_shorewalldir/firewall)
 
-    g_export=Yes
-
     program=$sbindir/${PRODUCT}-lite
     #
     # Handle nonstandard remote VARDIR
     #
+    progress_message2 "Getting VARDIR on system $system..."
     temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"
@@ -1712,11 +1832,11 @@ export_command() # $* = original arguments less the command.
 }
 
 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
-	run_it ${VARDIR}/firewall $g_debugging $@
+    if [ -x $g_firewall ] ; then
+	uptodate $g_firewall || echo "   WARNING: $g_firewall is not up to date" >&2
+	run_it $g_firewall $g_debugging $@
     else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
     fi
 }
 
@@ -1727,11 +1847,6 @@ compiler_command() {
 	    shift
 	    compile_command $@
 	    ;;
-	refresh)
-	    get_config Yes Yes
-	    shift
-	    refresh_command $@
-	    ;;
 	check|ck)
 	    shift
 	    check_command $@
@@ -1742,22 +1857,28 @@ compiler_command() {
 	    ;;
 	remote-start|remote-reload|remote-restart)
 	    shift
-	    remote_reload_command $@
+	    remote_commands $@
 	    ;;
 	export)
 	    shift
 	    export_command $@
 	    ;;
 	try)
+	    only_root
 	    get_config Yes
 	    shift
 	    try_command $@
 	    ;;
 	safe-reload|safe-restart|safe-start)
+	    only_root
 	    get_config Yes
 	    shift
 	    safe_commands $@
 	    ;;
+        remote-getrc|remote-getcaps)
+            shift
+            remote_capture $@
+            ;;
 	*)
 	    fatal_error "Invalid command: $COMMAND"
 	    ;;

Shorewall/manpages/shorewall-actions.xml

@@ -191,6 +191,27 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>proto</option>=<replaceable>protocol</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.10. Specifies that the action is
+                only usable with the specified
+                <replaceable>protocol</replaceable> (name or number). When the
+                action is invoked with no protocol specified in the PROTO
+                column, or if the action is used as a Policy Action, the named
+                <replaceable>protocol</replaceable> will be assumed. If a
+                protocol is specified in the PROTO column of an invocation,
+                then it must match the named
+                <replaceable>protocol</replaceable>.</para>
+
+                <para>The <option>proto</option> option has no effect if the
+                <option>inline</option> or <option>builtin</option> option is
+                specified. A warning is issued if <option>proto</option> is
+                specified along with <option>builtin</option>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>section</option></term>
 

Shorewall/manpages/shorewall-conntrack.xml

@@ -84,7 +84,7 @@
         role="bold">CT</emphasis>:<emphasis
         role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
         role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
-        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IP[6]TABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
           <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -272,9 +272,32 @@
               will also be logged at that level.</para>
             </listitem>
 
+            <listitem>
+              <para><option>IP6TABLES</option>(<replaceable>target</replaceable>)</para>
+
+              <para>IPv6 only.</para>
+
+              <para>Added in Shorewall 4.6.0. Allows you to specify any
+              iptables <replaceable>target</replaceable> with target options
+              (e.g., "IP6TABLES(AUDIT --type drop)"). If the target is not one
+              recognized by Shorewall, the following error message will be
+              issued:</para>
+
+              <simplelist>
+                <member>ERROR: Unknown target
+                (<replaceable>target</replaceable>)</member>
+              </simplelist>
+
+              <para>This error message may be eliminated by adding
+              <replaceable>target</replaceable> as a builtin action in <ulink
+              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
+            </listitem>
+
             <listitem>
               <para><option>IPTABLES</option>(<replaceable>target</replaceable>)</para>
 
+              <para>IPv4 only.</para>
+
               <para>Added in Shorewall 4.6.0. Allows you to specify any
               iptables <replaceable>target</replaceable> with target options
               (e.g., "IPTABLES(AUDIT --type drop)"). If the target is not one
@@ -447,7 +470,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
+                both the incoming interface and source address match.</para>
               </listitem>
             </varlistentry>
 
@@ -543,7 +566,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
+                both the outgoing interface and destination address
                 match.</para>
               </listitem>
             </varlistentry>
@@ -579,14 +602,23 @@
 
         <listitem>
           <para>A protocol name from <filename>/etc/protocols</filename> or a
-          protocol number.</para>
+          protocol number. tcp and 6 may be optionally followed by <emphasis
+          role="bold">:syn </emphasis>to match only the SYN packet (first
+          packet in the three-way handshake).</para>
 
-          <para>Beginning with Shorewall 4.5.12, this column is labeled
-          <emphasis role="bold">PROTOS</emphasis> and can accept a
-          comma-separated list of protocols. Either <emphasis
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols and either <emphasis
           role="bold">proto</emphasis> or <emphasis
           role="bold">protos</emphasis> is accepted in the alternate input
           format.</para>
+
+          <para>Beginning with Shorewall 5.1.11, when <emphasis
+          role="bold">tcp</emphasis> or <emphasis role="bold">6</emphasis> is
+          specified and the ACTION is <emphasis role="bold">CT</emphasis>, the
+          compiler will default to <emphasis role="bold">:syn</emphasis>. If
+          you wish the rule to match packets with any valid combination of TCP
+          flags, you may specify <emphasis role="bold">tcp:all</emphasis> or
+          <emphasis role="bold">6:all</emphasis>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-interfaces.xml

@@ -112,7 +112,10 @@ loc     eth2            -</programlisting>
           url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
           for a discussion of this problem.</para>
 
-          <para>Shorewall allows '+' as an interface name.</para>
+          <para>Shorewall allows '+' as an interface name, but that usage is
+          deprecated. A better approach is to specify
+          '<option>physical</option>=+' in the OPTIONS column (see
+          below).</para>
 
           <para>There is no need to define the loopback interface (lo) in this
           file.</para>
@@ -193,6 +196,54 @@ loc     eth2            -</programlisting>
           should have no embedded white-space.</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">accept_ra</emphasis>[={0|1|2}]</term>
+
+              <listitem>
+                <para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>0</term>
+
+                    <listitem>
+                      <para>Do not accept Router Advertisements.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>1</term>
+
+                    <listitem>
+                      <para>Accept Route Advertisements if forwarding is
+                      disabled.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>2</term>
+
+                    <listitem>
+                      <para>Overrule forwarding behavior. Accept Route
+                      Advertisements even if forwarding is enabled.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>If the option is specified without a value, then the
+                value 1 is assumed.</para>
+
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
 
@@ -209,12 +260,12 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para/>
-
                 <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                 </note>
               </listitem>
             </varlistentry>
@@ -243,16 +294,14 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
-                <para/>
-
                 <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                 </note>
 
-                <para/>
-
                 <warning>
                   <para>Do not specify <emphasis
                   role="bold">arp_ignore</emphasis> for any interface involved
@@ -430,6 +479,25 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>IPv6 only Sets the
+                /proc/sys/net/ipv6/conf/interface/forwarding option to the
+                specified value. If no value is supplied, then 1 is
+                assumed.</para>
+
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">ignore[=1]</emphasis></term>
 
@@ -496,9 +564,11 @@ loc     eth2            -</programlisting>
                 <para/>
 
                 <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                 </note>
 
                 <blockquote>
@@ -625,7 +695,10 @@ loc     eth2            -</programlisting>
 
                 <para>If the <emphasis>interface</emphasis> name is a wildcard
                 name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'.</para>
+                <emphasis>name</emphasis> must also end in '+'. The physical
+                <replaceable>name</replaceable> may end in '+' (or be exactly
+                '+') when the <replaceable>interface</replaceable> name is not
+                a wildcard name.</para>
 
                 <para>If <option>physical</option> is not specified, then it's
                 value defaults to the <emphasis>interface</emphasis>
@@ -647,9 +720,13 @@ loc     eth2            -</programlisting>
                 url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
                 </ulink></para>
 
-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
 
                 <para>Only those interfaces with the <option>proxyarp</option>
                 option will have their setting changed; the value assigned to
@@ -665,9 +742,13 @@ loc     eth2            -</programlisting>
                 <para>IPv6 only. Sets
                 /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
 
-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
 
                 <para>Only those interfaces with the <option>proxyndp</option>
                 option will have their setting changed; the value assigned to
@@ -731,9 +812,11 @@ loc     eth2            -</programlisting>
                 filtering.</para>
 
                 <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                 </note>
 
                 <para>This option can also be enabled globally via the
@@ -842,9 +925,11 @@ loc     eth2            -</programlisting>
                 specified (if any) or 1 if no value is given.</para>
 
                 <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                 </note>
               </listitem>
             </varlistentry>

Shorewall/manpages/shorewall-logging.xml

@@ -362,7 +362,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
     is 2 and AF_INET6 is 10).</para>
 
     <para>The name immediately following the number is the currently-selected
-    backend, and the ones in parantheses are the ones that are available. You
+    backend, and the ones in parentheses are the ones that are available. You
     can change the currently selected backend by echoing it's name into
     /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>