Correct interface_is_up() to look for the 'state' as well as 'UP'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall/lib.base
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.cli

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -1201,11 +1201,17 @@ show_saves_command() {
     echo
 
     for f in ${VARDIR}/*-iptables; do
-	fn=$(basename $f)
+	case $f in
-	fn=${fn%-iptables}
+	    *\**)
-	mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+	        ;;
-	[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+	    *)
-	echo "   $mtime ${fn%-iptables}"
+		fn=$(basename $f)
+		fn=${fn%-iptables}
+		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
     done
 
     echo
@@ -1432,6 +1438,17 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+        rc)
+            shift
+	    [ $# -gt 1 ] && too_many_arguments $2
+            if [ -n "$1" -a -d "$1" ]; then
+                cat $1/shorewallrc
+            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
+                cat $g_basedir/shorewallrc
+            else
+                fatal_error "Can not determine the location of the shorewallrc file."
+            fi
+            ;;
 	policies)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
@@ -3804,7 +3821,7 @@ iprange_command() {
 }
 
 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
     else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -4322,9 +4339,11 @@ usage() # $1 = exit status
     fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
     fi
 
     echo "   reset [ <chain> ... ]"
@@ -4367,6 +4386,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] rc"
     echo "   [ show | list | ls ] routing"
     echo "   [ show | list | ls ] saves"
     echo "   [ show | list | ls ] tc [ device ]"

Shorewall-core/lib.common

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
 #     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.core

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.core
+# Shorewall 5.2 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.installer

@@ -1,6 +1,5 @@
 #
-#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,6 +1,5 @@
 #
-#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/manpages/shorewall.xml

@@ -445,6 +445,54 @@
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getcaps</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-R</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getrc</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -1870,6 +1918,57 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">remote-getcaps</emphasis>
+        [-<option>R</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command executes <emphasis
+          role="bold">shorewall[6]-lite show capabilities -f &gt;
+          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
+          <replaceable>system</replaceable> via ssh then the generated file is
+          copied to <replaceable>directory</replaceable> on the local system.
+          If no <replaceable>directory</replaceable> is given, the current
+          working directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
+          shorewallrc file is also copied to
+          <replaceable>directory</replaceable>.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">remote-getrc</emphasis>
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
+          file from the remote <replaceable>system</replaceable> to
+          <replaceable>directory</replaceable> on the local system. If no
+          <replaceable>directory</replaceable> is given, the current working
+          directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
+          capabilities are also copied to
+          <replaceable>directory</replaceable>, as is done by the
+          <command>remote-getcaps</command> command.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -1921,9 +2020,9 @@
           role="bold">shorewall-lite save</emphasis> via ssh.</para>
 
           <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall-lite show capabilities -f
+          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
-          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
-          ssh then the generated file is copied to
+          via ssh then the generated file is copied to
           <replaceable>directory</replaceable> using scp. This step is
           performed before the configuration is compiled.</para>
 
@@ -1934,13 +2033,6 @@
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
-
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2666,6 +2758,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">rc</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.0. Displays the contents of
+                $SHAREDIR/shorewall/shorewallrc.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>[-<option>c</option>]<emphasis role="bold">
               routing</emphasis></term>

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux

Shorewall-core/shorewallrc.openwrt

@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Actions/action.IfEvent

@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Shorewall/Macros/macro.IPFS-API

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-API
+#
+# This macro handles IPFS API port (commands for the IPFS daemon).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     5001

Shorewall/Macros/macro.IPFS-gateway

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
+#
+# This macro handles the IPFS gateway to HTTP.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     8080

Shorewall/Macros/macro.IPFS-swarm

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001

Shorewall/Perl/Shorewall/ARP.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Chains.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7097,14 +7097,17 @@ sub interface_address( $ ) {
 #
 sub get_interface_address ( $;$ ) {
     my ( $logical, $provider ) = @_;
-
     my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
 
     $global_variables |= ALL_COMMANDS;
 
-    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    if ( $interface eq loopback_interface ) {
+	$interfaceaddr{$interface} = "$variable=" . loopback_address;
+    } else {
+	my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+	$interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    }
 
     set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -356,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3($) {
+sub generate_script_3() {
 
     if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -582,8 +582,8 @@ sub compile_info_command() {
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
+       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
     $test           = 0;
@@ -612,7 +612,6 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
-		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -779,7 +778,7 @@ sub compiler {
     #
     # Setup Masquerade/SNAT
     #
-    setup_snat( $update );
+    setup_snat;
     #
     # Setup Nat
     #
@@ -882,7 +881,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3( $chains );
+	generate_script_3();
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall

Shorewall/Perl/Shorewall/Config.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -562,7 +562,9 @@ our %helpers = ( amanda          => UDP,
 		 sip             => UDP,
 		 snmp            => UDP,
 		 tftp            => UDP,
-	       );
+    );
+
+use constant { INCLUDE_LIMIT     => 20 };
 
 our %helpers_map;
 
@@ -2527,6 +2529,10 @@ sub split_rawline2( $$;$$$ ) {
     # Delete trailing comment
     #
     $currentline =~ s/\s*#.*//;
+    #
+    # Convert ${...} to $...
+    #
+    $currentline =~ s/\$\{(.*?)\}/\$$1/g;
 
     my @result = &split_line2( @_ );
 
@@ -3320,7 +3326,7 @@ sub copy1( $ ) {
 			my @line = split / /;
 
 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 			my $filename = find_file $line[1];
 
@@ -3530,7 +3536,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
     my $multiline = shift;
 
-    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
     my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
 
     $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3617,7 +3623,7 @@ sub embedded_perl( $ ) {
     $embedded--;
 
     if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 	assert( close $perlscript );
 
@@ -3971,7 +3977,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;
 
 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;
 
 		my $filename = find_file $line[1];
 
@@ -5457,7 +5463,7 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
     }
 
-    for ( qw/DROP_DEFAULT REJECT_DEFAULT/ ) {
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };
 
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
@@ -6597,7 +6603,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
     default_yes_no 'USE_NFLOG_SIZE'             , '';
 
-    if ( ( $val = $config{AUTOMAKE} ) !~ /^[Rr]ecursive$/ ) {
+    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
 	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
     }
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -60,6 +60,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
+		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -98,12 +99,14 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
+our $loopback_address;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
+	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -370,6 +373,10 @@ sub rfc1918_networks() {
     @rfc1918_networks
 }
 
+sub loopback_address() {
+    $loopback_address;
+}
+
 #
 # Protocol/port validation
 #
@@ -755,6 +762,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
+	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -767,6 +775,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
+	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -37,7 +37,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
+    my $have_masq_rules;
+
     if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 
-	my $have_masq_rules;
-
 	directive_callback(
 	    sub ()
 	    {
@@ -647,6 +647,8 @@ sub convert_masq() {
 
 	close $snat, directive_callback( 0 );
     }
+
+    $have_masq_rules;
 }
 
 #

Shorewall/Perl/Shorewall/Proc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Rules.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -5851,23 +5851,15 @@ sub process_snat( )
 }
 
 #
-# Process the masq or snat file
+# Process the snat file. Convert the masq file if found and non-empty
 #
-sub setup_snat( $ ) # Convert masq->snat if true
+sub setup_snat()
 {
     my $fn;
-    my $have_masq;
 
-    if ( $_[0] ) {
+    unless ( convert_masq ) {
-	convert_masq();
-    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
-    }
-
-    unless ( $have_masq ) {
 	#
-	# Masq file empty or didn't exist
+	# Masq file was empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)

Shorewall/Perl/Shorewall/Zones.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/compiler.pl

@@ -32,7 +32,6 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
-#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -63,7 +62,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --timestamp ]
     [ --debug ]
     [ --confess ]
-    [ --refresh=<chainlist> ]
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
@@ -88,7 +86,6 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
-my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -114,8 +111,6 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
-			'r=s'             => \$chains,
-			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -143,7 +138,6 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
-	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,

Shorewall/Perl/lib.runtime

@@ -192,7 +192,7 @@ find_default_interface() {
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]' | grep -v ' state DOWN ')" ]
 }
 
 #

Shorewall/configfiles/masq

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/masq
-#
-# For information about entries in this file, type "man shorewall-masq"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-masq.html
-#
-###################################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/lib.cli-std

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli-std
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -412,10 +412,14 @@ uptodate() {
 	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
-	elif [ $AUTOMAKE = recursive ]; then
+	elif [ "$AUTOMAKE" = recursive ]; then
 	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
 		return 1;
 	    fi
+	elif [ -z "$AUTOMAKE" ]; then
+	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
 	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
@@ -1063,6 +1067,41 @@ restart_command() {
     return $rc
 }
 
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Safe-start/safe-reload/safe-restart Command Executor
 #
@@ -1348,10 +1387,163 @@ rcp_command() {
     eval $RCP_COMMAND
 }
 
+#
+# Remote-{getcaps|getrc} command executer
+#
+remote_capture() # $* = original arguments less the command.
+{
+    local verbose
+    verbose=$(make_verbose)
+    local finished
+    finished=0
+    local system
+    local getrc
+    getrc=
+    local getcaps
+    getcaps=
+    local remote_sw_dir_path
+    remote_sw_dir_path=
+    local root
+    root=root
+    local libexec
+    libexec=${LIBEXECDIR}
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			R*)
+			    getrc=Yes
+			    option=${option#R}
+			    ;;
+			c*)
+			    getcaps=Yes
+			    option=${option#c}
+			    ;;
+			r)
+			    [ $# -gt 1 ] || fatal_error "Missing Root User name"
+			    root=$2
+			    option=
+			    shift
+			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
+			p)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    remote_sw_dir_path=$2
+			    option=
+			    shift
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			*)
+			    option_error $option
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
+	    ;;
+	1)
+	    g_shorewalldir="."
+	    system=$1
+	    ;;
+	2)
+	    g_shorewalldir=$1
+	    system=$2
+	    ;;
+	*)
+	    too_many_arguments $3
+	    ;;
+    esac
+
+    g_export=Yes
+
+    ensure_config_path
+
+    get_config Yes
+
+    g_haveconfig=Yes
+
+    if [ -z "$system" ]; then
+        system=$FIREWALL
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+    fi
+
+    case $COMMAND in
+        remote-getrc)
+            getrc=Yes
+            ;;
+        remote-getcaps)
+            getcaps=Yes
+            ;;
+    esac
+
+    [ -n "$getcaps" ] && getrc=Yes
+
+    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
+        progress_message2 "Getting shorewallrc file on system $system..."
+
+        if [ -n "$remote_sw_dir_path" ]; then
+            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
+                fatal_error "Capturing RC file on system $system failed"
+            fi
+        elif ! rsh_command "/sbin/shorewall-lite show rc" > $g_shorewalldir/shorewallrc; then
+            fatal_error "Capturing RC file on system $system failed"
+        fi
+    fi
+
+    remote_sw_dir_path=
+
+    if [ -n "$getcaps" -o ! -s $g_shorewalldir/capabilities ]; then
+        if [ -f $g_shorewalldir/shorewallrc -a -s $g_shorewalldir/shorewallrc ]; then
+            . $g_shorewalldir/shorewallrc
+            libexec="$LIBEXECDIR"
+
+            [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
+            progress_message2 "Getting Capabilities on system $system..."
+
+            if [ $g_family -eq 4 ]; then
+                if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+                    fatal_error "Capturing capabilities on system $system failed"
+                fi
+            elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+                fatal_error "Capturing capabilities on system $system failed"
+            fi
+        else
+            fatal_error "$g_shorewalldir/shorewallrc is not present."
+        fi
+    fi
+}
+
 #
 # Remote-{start|reload|restart} command executor
 #
-remote_reload_command() # $* = original arguments less the command.
+remote_commands() # $* = original arguments less the command.
 {
     local verbose
     verbose=$(make_verbose)
@@ -1464,34 +1656,26 @@ remote_reload_command() # $* = original arguments less the command.
 
     g_export=Yes
 
-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+    ensure_config_path
-	if [ -f $g_shorewalldir/params ]; then
-	    . $g_shorewalldir/params
-	fi
 
-	ensure_config_path
+    get_config Yes
 
-	get_config No
+    g_haveconfig=Yes
 
-	g_haveconfig=Yes
+    if [ -z "$system" ]; then
-
+        system=$FIREWALL
-	if [ -z "$system" ]; then
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	    system=$FIREWALL
-	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	fi
-    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
     fi
 
     if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
-	[ -f $capabilities ] || getcaps=Yes
+	[ ! -f $capabilities -o ! -s $capabilities ] && getcaps=Yes
     fi
 
     if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
-	progress_message "Getting Capabilities on system $system..."
+	progress_message2 "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1507,6 +1691,7 @@ remote_reload_command() # $* = original arguments less the command.
     #
     # Handle nonstandard remote VARDIR
     #
+    progress_message2 "Getting VARDIR on system $system..."
     temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"
@@ -1672,7 +1857,7 @@ compiler_command() {
 	    ;;
 	remote-start|remote-reload|remote-restart)
 	    shift
-	    remote_reload_command $@
+	    remote_commands $@
 	    ;;
 	export)
 	    shift
@@ -1690,6 +1875,10 @@ compiler_command() {
 	    shift
 	    safe_commands $@
 	    ;;
+        remote-getrc|remote-getcaps)
+            shift
+            remote_capture $@
+            ;;
 	*)
 	    fatal_error "Invalid command: $COMMAND"
 	    ;;

Shorewall/manpages/shorewall-masq.xml

@@ -1,781 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-masq</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>masq</refname>
-
-    <refpurpose>Shorewall Masquerade/SNAT definition file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall[6]/masq</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). While still supported, its use is deprecated in favor
-    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
-    introduced in Shorewall 5.0.14.</para>
-
-    <warning>
-      <para>The entries in this file are order-sensitive. The first entry that
-      matches a particular connection will be the one that is used.</para>
-    </warning>
-
-    <warning>
-      <para>If you have more than one ISP link, adding entries to this file
-      will <emphasis role="bold">not</emphasis> force connections to go out
-      through a particular link. You must use entries in <ulink
-      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
-      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
-      that.</para>
-    </warning>
-
-    <para>The columns in the file are as follows.</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
-        role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>[<emphasis
-        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
-        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
-
-        <listitem>
-          <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
-          comma-separated list of interface names. This is usually your
-          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
-
-          <para>Each interface must match an entry in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          entry that defines <filename
-          class="devicefile">ppp+</filename>.</para>
-
-          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          internet provider share a single interface</ulink>, the provider is
-          specified by including the provider name or number in
-          parentheses:</para>
-
-          <programlisting>        eth0(Avvanta)</programlisting>
-
-          <para>In that case, you will want to specify the interface's address
-          for that provider in the ADDRESS column.</para>
-
-          <para>The interface may be qualified by adding the character ":"
-          followed by a comma-separated list of destination host or subnet
-          addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular destinations.
-          Exclusion is allowed (see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
-
-          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
-          entry then include the ":" but omit the digit:</para>
-
-          <programlisting>        eth0(Avvanta):
-        eth2::192.0.2.32/27</programlisting>
-
-          <para>Normally Masq/SNAT rules are evaluated after those for
-          one-to-one NAT (defined in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, prefix the
-          interface name with "+":</para>
-
-          <programlisting>        +eth0
-        +eth0:192.0.2.32/27
-        +eth0:2</programlisting>
-
-          <para>This feature should only be required if you need to insert
-          rules in this file that preempt entries in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of ?COMMENT lines. These lines
-          begin with ?COMMENT; the remainder of the line is treated as a
-          comment which is attached to subsequent rules until another ?COMMENT
-          line is found or until the end of the file is reached. To stop
-          adding comments to rules, use a line containing only
-          ?COMMENT.</para>
-
-          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
-          With the exception of the leading '+', the interfacelist and
-          qualifiers may appear within the parentheses of <emphasis
-          role="bold">INLINE</emphasis>(...).</para>
-
-          <para>Example:</para>
-
-          <programlisting>        +INLINE(eth0)</programlisting>
-
-          <para>When this is done, you may augment the rule generated by
-          Shorewall with iptables matches of your own. These matches appear
-          after a semicolon (';') at the end of the line.</para>
-
-          <para>See example 8 below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
-        - Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
-
-        <listitem>
-          <para>Set of hosts that you wish to masquerade. You can specify this
-          as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis> (use of an
-          <emphasis>interface</emphasis> is deprecated). If you give the name
-          of an interface, the interface must be up before you start the
-          firewall and the Shorewall rules compiler will warn you of that
-          fact. (Shorewall will use your main routing table to determine the
-          appropriate addresses to masquerade).</para>
-
-          <para>The preferred way to specify the SOURCE is to supply one or
-          more host or network addresses separated by comma. You may use ipset
-          names preceded by a plus sign (+) to specify a set of hosts.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
-        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
-        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
-        role="bold">:random</emphasis>][:persistent]|<emphasis
-        role="bold">detect</emphasis>|<emphasis
-        role="bold">random</emphasis>]</term>
-
-        <listitem>
-          <para>If you specify an address here, SNAT will be used and this
-          will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
-          in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
-          Shorewall will automatically add this address to the INTERFACE named
-          in the first column.</para>
-
-          <para>You may also specify a range of up to 256 IP addresses if you
-          want the SNAT address to be assigned from that range in a
-          round-robin fashion by connection. The range is specified by
-          <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
-          You may follow the port range with<emphasis role="bold">
-          :random</emphasis> in which case assignment of ports from the list
-          will be random. <emphasis role="bold">random</emphasis> may also be
-          specified by itself in this column in which case random local port
-          assignments are made for the outgoing connections.</para>
-
-          <para>Example: 206.124.146.177-206.124.146.180</para>
-
-          <para>You may follow the port range (or <emphasis
-          role="bold">:random</emphasis>) with <emphasis
-          role="bold">:persistent</emphasis>. This is only useful when an
-          address range is specified and causes a client to be given the same
-          source/destination IP pair. This feature replaces the SAME modifier
-          which was removed from Shorewall in version 4.4.0. Unlike <emphasis
-          role="bold">random</emphasis>, <emphasis
-          role="bold">persistent</emphasis> may not be used by itself.</para>
-
-          <para>You may also use the special value "detect" which causes
-          Shorewall to determine the IP addresses configured on the interface
-          named in the INTERFACES column and substitute them in this
-          column.</para>
-
-          <para>Finally, you may also specify a comma-separated list of ranges
-          and/or addresses in this column.</para>
-
-          <para>This column may not contain DNS Names.</para>
-
-          <para>Normally, Netfilter will attempt to retain the source port
-          number. You may cause netfilter to remap the source port by
-          following an address or range (if any) by ":" and a port range with
-          the format
-          <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If this
-          is done, you must specify "tcp" or "udp" in the PROTO column.</para>
-
-          <para>Examples:</para>
-
-          <programlisting>        192.0.2.4:5000-6000
-        :4000-5000</programlisting>
-
-          <para>If you simply place <emphasis role="bold">NONAT</emphasis> in
-          this column, no rewriting of the source IP address or port number
-          will be performed. This is useful if you want particular traffic to
-          be exempt from the entries that follow in the file.</para>
-
-          <para>If you want to leave this column empty but you need to specify
-          the next column then place a hyphen ("-") here.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number
-          here.</para>
-
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          comma-separated list of protocols.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
-        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
-          SCTP (132) or UDPLITE (136) then you may list one or more port
-          numbers (or names from services(5)) or port ranges separated by
-          commas.</para>
-
-          <para>Port ranges are of the form
-          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
-        [<emphasis>option</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
-
-        <listitem>
-          <para>If you specify a value other than "-" in this column, you must
-          be running kernel 2.6 and your kernel and iptables must include
-          policy match support.</para>
-
-          <para>Comma-separated list of options from the following. Only
-          packets that will be encrypted via an SA that matches these options
-          will have their source address changed.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is specified using
-                setkey(8) using the 'unique:<emphasis>number</emphasis> option
-                for the SPD level.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is the SPI of the SA
-                used to encrypt/decrypt packets.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">proto=</emphasis><emphasis
-              role="bold">ah</emphasis>|<emphasis
-              role="bold">esp</emphasis>|<emphasis
-              role="bold">ipcomp</emphasis></term>
-
-              <listitem>
-                <para>IPSEC Encapsulation Protocol</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>sets the MSS field in TCP packets</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">mode=</emphasis><emphasis
-              role="bold">transport</emphasis>|<emphasis
-              role="bold">tunnel</emphasis></term>
-
-              <listitem>
-                <para>IPSEC mode</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">strict</emphasis></term>
-
-              <listitem>
-                <para>Means that packets must match all rules.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">next</emphasis></term>
-
-              <listitem>
-                <para>Separates rules; can only be used with strict</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">yes</emphasis></term>
-
-              <listitem>
-                <para>When used by itself, causes all traffic that will be
-                encrypted/encapsulated to match the rule.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
-        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
-        role="bold">:C</emphasis>]</term>
-
-        <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don't want to define a test but need to specify
-          anything in the following columns, place a "-" in this field.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>!</term>
-
-              <listitem>
-                <para>Inverts the test (not equal)</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>value</emphasis></term>
-
-              <listitem>
-                <para>Value of the packet or connection mark.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>mask</emphasis></term>
-
-              <listitem>
-                <para>A mask to be applied to the mark before testing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">:C</emphasis></term>
-
-              <listitem>
-                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
-
-        <listitem>
-          <para>This column was formerly labelled USER/GROUP.</para>
-
-          <para>Only locally-generated connections will match if this column
-          is non-empty.</para>
-
-          <para>When this column is non-empty, the rule matches only if the
-          program generating the output is running under the effective
-          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
-          specified (or is NOT running under that id if "!" is given).</para>
-
-          <para>Examples:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>joe</term>
-
-              <listitem>
-                <para>program must be run by joe</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>:kids</term>
-
-              <listitem>
-                <para>program must be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>!:kids</term>
-
-              <listitem>
-                <para>program must not be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>+upnpd</term>
-
-              <listitem>
-                <para>#program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>Beginning with Shorewall 4.5.10, when the
-          <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
-
-        <listitem>
-          <para>(Optional) Added in Shorewall 4.5.6. This column may be
-          included and may contain one or more addresses (host or network)
-          separated by commas. Address ranges are not allowed. When this
-          column is supplied, rules are generated that require that the
-          original destination address matches one of the listed addresses. It
-          is useful for specifying that SNAT should occur only for connections
-          that were acted on by a DNAT when they entered the firewall.</para>
-
-          <para>This column was formerly labelled ORIGINAL DEST.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [<replaceable>probability</replaceable>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.0. When non-empty, requires the
-          <firstterm>Statistics Match</firstterm> capability in your kernel
-          and ip6tables and causes the rule to match randomly but with the
-          given <replaceable>probability</replaceable>. The
-          <replaceable>probability</replaceable> is a number 0 &lt;
-          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
-          at up to 8 decimal points of precision.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Examples</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>IPv4 Example 1:</term>
-
-        <listitem>
-          <para>You have a simple masquerading setup where eth0 connects to a
-          DSL or cable modem and eth1 connects to your local network with
-          subnet 192.168.0.0/24.</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #INTERFACE   SOURCE
-        eth0    192.168.0.0/24</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 2:</term>
-
-        <listitem>
-          <para>You add a router to your local network to connect subnet
-          192.168.1.0/24 which you also want to masquerade. You then add a
-          second entry for eth0 to this file:</para>
-
-          <programlisting>        #INTERFACE   SOURCE
-        eth0         192.168.1.0/24</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 3:</term>
-
-        <listitem>
-          <para>You have an IPSEC tunnel through ipsec0 and you want to
-          masquerade packets coming from 192.168.1.0/24 but only if these
-          packets are destined for hosts in 10.1.1.0/24:</para>
-
-          <programlisting>        #INTERFACE              SOURCE
-        ipsec0:10.1.1.0/24      196.168.1.0/24</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 4:</term>
-
-        <listitem>
-          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
-          to use source address 206.124.146.176 which is NOT the primary
-          address of eth0. You want 206.124.146.176 to be added to eth0 with
-          name eth0:0.</para>
-
-          <programlisting>        #INTERFACE              SOURCE          ADDRESS
-        eth0:0                  192.168.1.0/24  206.124.146.176</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 5:</term>
-
-        <listitem>
-          <para>You want all outgoing SMTP traffic entering the firewall from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.177. You want all other outgoing traffic from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.176.</para>
-
-          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
-        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
-        eth0         172.20.1.0/29    206.124.146.176</programlisting>
-
-          <warning>
-            <para>The order of the above two rules is significant!</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 6:</term>
-
-        <listitem>
-          <para>Connections leaving on eth0 and destined to any host defined
-          in the ipset <emphasis>myset</emphasis> should have the source IP
-          address changed to 206.124.146.177.</para>
-
-          <programlisting>        #INTERFACE              SOURCE          ADDRESS
-        eth0:+myset[dst]        -               206.124.146.177</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 7:</term>
-
-        <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
-
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/masq:
-
-       #INTERFACE SOURCE         ADDRESS     ...
-       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
-       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv4 Example 8:</term>
-
-        <listitem>
-          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
-          70.90.191.123. You want to use the iptables statistics match to
-          masquerade outgoing connections evenly between these two
-          addresses.</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(eth1)  0.0.0.0/0      70.90.191.121 ;;  -m statistic --mode random --probability 0.50
-       eth1          0.0.0.0/0      70.90.191.123 
-</programlisting>
-
-          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          these rules may be specified as follows:</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       eth1          0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
-       eth1          0.0.0.0/0      70.90.191.123 
-</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>You have a simple 'masquerading' setup where eth0 connects to
-          a DSL or cable modem and eth1 connects to your local network with
-          subnet 2001:470:b:787::0/64</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
-        eth0         2001:470:b:787::0/64    -</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>Your sit1 interface has two public IP addresses:
-          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
-          iptables statistics match to masquerade outgoing connections evenly
-          between these two addresses.</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2 
-</programlisting>
-
-          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          then these rules may be specified as follows:</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2</programlisting>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall/masq</para>
-
-    <para>/etc/shorewall6/masq</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para><ulink
-    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para>shorewall(8)</para>
-  </refsect1>
-</refentry>

Shorewall/manpages/shorewall-params.xml

@@ -26,10 +26,8 @@
     <title>Description</title>
 
     <para>Assign any shell variables that you need in this file. The file is
-    always processed by <filename>/bin/sh</filename> or by the shell specified
+    always processed by <filename>/bin/sh</filename> so the full range of
-    through SHOREWALL_SHELL in <ulink
+    shell capabilities may be used.</para>
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
-    range of shell capabilities may be used.</para>
 
     <para>It is suggested that variable names begin with an upper case letter
     to distinguish them from variables used internally within the Shorewall

Shorewall6-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall6-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall6-lite/lib.base
 #
 #     (c) 2011, 2014 - Tom Eastep (teastep@shorewall.net)
 #

docs/Events.xml

@@ -680,7 +680,7 @@ Knock                                          #Port Knocking</programlisting>
       <para><filename>/etc/shorewall/action.Knock</filename>:</para>
 
       <programlisting>#
-# Shorewall version 4 - SSH_BLACKLIST Action
+# Shorewall version 4 - Port-Knocking Action
 #
 ?format 2
 ###############################################################################

docs/PortKnocking.xml

@@ -42,7 +42,8 @@
 
   <note>
     <para>The techniques described in this article were superseded in
-    Shorewall 4.5.19 with the introduction of Shorewall Events.</para>
+    Shorewall 4.5.19 with the introduction of <ulink
+    url="Events.html">Shorewall Events</ulink>.</para>
   </note>
 
   <note>

docs/Shorewall-5.xml

@@ -24,6 +24,8 @@
 
       <year>2017</year>
 
+      <year>2018</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -135,6 +137,21 @@
         <listitem>
           <para>CHAIN_SCRIPTS (Removed in Shorewall 5.1).</para>
         </listitem>
+
+        <listitem>
+          <para>MODULE_SUFFIX (Removed in Shorewall 5.1.7). Shorewall can now
+          locate modules independent of their suffix (extension).</para>
+        </listitem>
+
+        <listitem>
+          <para>INLINE_MATCHES (Removed in Shorewall 5.2). Inline matches are
+          now separated from column-oriented input by two adjacent semicolons
+          (";;").</para>
+        </listitem>
+
+        <listitem>
+          <para>MAPOLDACTIONS (Removed in Shorewall 5.2). </para>
+        </listitem>
       </itemizedlist>
 
       <para>A compilation warning is issued when any of these options are
@@ -173,17 +190,18 @@
       <title>Obsolete Configuration Files</title>
 
       <para>Support has been removed for the 'blacklist', 'tcrules',
-      'routestopped', 'notrack' and 'tos' files.</para>
+      'routestopped', 'notrack', 'tos' and 'masq' files.</para>
 
-      <para>The <option>-t</option> and <option>-b</option> options of the
+      <para>The <command>update</command> command is available to convert the
-      <command>update</command> command are still available to convert the
+      'tcrules' and 'tos' files to the equivalent 'mangle' file, to convert
-      'tcrules' and 'tos' files to the equivalent 'mangle' file and to convert
+      the 'blacklist' file into an equivalent 'blrules' file, and to convert
-      the 'blacklist' file into an equivalent 'blrules' file.</para>
+      the 'masq' file to the equivalent 'snat' file.</para>
 
-      <para>As in Shorewall 4.6.12, the <option>-s</option> option is
+      <para>As in Shorewall 4.6.12, the <command>update</command> command
-      available to convert the 'routestopped' file into the equivalent
+      converts the 'routestopped' file into the equivalent 'stoppedrules' file
-      'stoppedrules' file and the <option>-n</option> option is available to
+      and converts a 'notrack' file to the equivalent 'conntrack' file.</para>
-      convert a 'notrack' file to the equivalent 'conntrack' file.</para>
+
+      <para>Note that in Shorewall 5.2, the update command </para>
     </section>
 
     <section>
@@ -367,6 +385,33 @@
         equivalent RESTART setting.</para>
       </note>
     </section>
+
+    <section>
+      <title>refresh</title>
+
+      <para>Given the availability of ipset-based blacklisting, the
+      <command>refresh</command> command was eliminated in Shorewall
+      5.2.</para>
+
+      <para>Some users may have been using <command>refresh</command> as a
+      lightweight form of <command>reload</command>. The most common of these
+      uses seem to be for reloading traffic shaping after an interface has
+      gone down and come back up. The best way to handle this situation under
+      5.2 is to make the interface 'optional' in your
+      /etc/shorewall[6]/interfaces file, then either:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Install Shorewall-init and enable IFUPDOWN; or</para>
+        </listitem>
+
+        <listitem>
+          <para>Use the <command>reenable</command> command when the interface
+          comes back up in place of the <command>refresh</command>
+          command.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
   </section>
 
   <section>
@@ -423,9 +468,14 @@
   <section>
     <title>Upgrading to Shorewall 5</title>
 
-    <para>It is strongly recommended that you first upgrade your installation
+    <para><important>
-    to a 4.6 release that supports the <option>-A</option> option to the
+        <para>For detailed upgrade information, please consult the 'Migration
-    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
+        Issues' section of the release notes for the version that you are
+        upgrading to.</para>
+      </important>It is strongly recommended that you first upgrade your
+    installation to a 4.6 release that supports the <option>-A</option> option
+    to the <command>update</command> command; 4.6.13.2 or later is
+    preferred.</para>
 
     <para>Once you are on that release, execute the <command>shorewall update
     -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -445,7 +495,9 @@
     have been removed -- the updates triggered by those options are now
     performed unconditionally. The <option>-i </option>and <option>-A
     </option>options have been retained - both enable checking for issues that
-    could result if INLINE_MATCHES were to be set to Yes.</para>
+    could result if INLINE_MATCHES were to be set to Yes. The -i option was
+    removed in Shorewall 5.2, given that the INLINE_MATCHES option was also
+    removed.</para>
 
     <section>
       <title id="CHAIN_SCRIPTS">CHAIN_SCRIPTS Removal</title>

docs/support.xml

@@ -42,7 +42,7 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 5.0 and 5.1.</para>
+        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
 
         <note>
           <para>Shorewall versions earlier than 5.0.0 are no longer supported;