Correct handling of dbl=src_dst in interface OPTIONS

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1201,11 +1201,17 @@ show_saves_command() {
     echo
 
     for f in ${VARDIR}/*-iptables; do
-	fn=$(basename $f)
+	case $f in
-	fn=${fn%-iptables}
+	    *\**)
-	mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+	        ;;
-	[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+	    *)
-	echo "   $mtime ${fn%-iptables}"
+		fn=$(basename $f)
+		fn=${fn%-iptables}
+		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
     done
 
     echo
@@ -3815,7 +3821,7 @@ iprange_command() {
 }
 
 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
     else
 	[ $# -eq 2 ] || too_many_arguments $3

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux

Shorewall-core/shorewallrc.openwrt

@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall/Actions/action.IfEvent

@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Shorewall/Macros/macro.IPFS-API

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-API
+#
+# This macro handles IPFS API port (commands for the IPFS daemon).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     5001

Shorewall/Macros/macro.IPFS-gateway

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
+#
+# This macro handles the IPFS gateway to HTTP.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     8080

Shorewall/Macros/macro.IPFS-swarm

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001

Shorewall/Perl/Shorewall/Config.pm

@@ -2529,6 +2529,10 @@ sub split_rawline2( $$;$$$ ) {
     # Delete trailing comment
     #
     $currentline =~ s/\s*#.*//;
+    #
+    # Convert ${...} to $...
+    #
+    $currentline =~ s/\$\{(.*?)\}/\$$1/g;
 
     my @result = &split_line2( @_ );
 
@@ -5459,7 +5463,7 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
     }
 
-    for ( qw/DROP_DEFAULT REJECT_DEFAULT/ ) {
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };
 
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
@@ -6599,7 +6603,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
     default_yes_no 'USE_NFLOG_SIZE'             , '';
 
-    if ( ( $val = $config{AUTOMAKE} ) !~ /^[Rr]ecursive$/ ) {
+    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
 	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -810,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,

Shorewall/Perl/lib.runtime

@@ -675,7 +675,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1101,7 +1101,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?

Shorewall/lib.cli-std

@@ -412,10 +412,14 @@ uptodate() {
 	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
-	elif [ $AUTOMAKE = recursive ]; then
+	elif [ "$AUTOMAKE" = recursive ]; then
 	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
 		return 1;
 	    fi
+	elif [ -z "$AUTOMAKE" ]; then
+	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
 	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
@@ -1063,6 +1067,41 @@ restart_command() {
     return $rc
 }
 
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Safe-start/safe-reload/safe-restart Command Executor
 #
@@ -1441,13 +1480,11 @@ remote_capture() # $* = original arguments less the command.
 	    ;;
     esac
 
-    [ -f $g_shorewalldir/${PRODUCT}.conf ] || fatal_error "Missing file: $g_shorewalldir/${PRODUCT}.conf."
-
     g_export=Yes
 
     ensure_config_path
 
-    get_config No
+    get_config Yes
 
     g_haveconfig=Yes
 
@@ -1468,7 +1505,7 @@ remote_capture() # $* = original arguments less the command.
     [ -n "$getcaps" ] && getrc=Yes
 
     if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
-        progress_message2 "Getting RC file on system $system..."
+        progress_message2 "Getting shorewallrc file on system $system..."
 
         if [ -n "$remote_sw_dir_path" ]; then
             if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
@@ -1619,23 +1656,15 @@ remote_commands() # $* = original arguments less the command.
 
     g_export=Yes
 
-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+    ensure_config_path
-	if [ -f $g_shorewalldir/params ]; then
-	    . $g_shorewalldir/params
-	fi
 
-	ensure_config_path
+    get_config Yes
 
-	get_config No
+    g_haveconfig=Yes
 
-	g_haveconfig=Yes
+    if [ -z "$system" ]; then
-
+        system=$FIREWALL
-	if [ -z "$system" ]; then
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	    system=$FIREWALL
-	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	fi
-    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
     fi
 
     if [ -z "$getcaps" ]; then
@@ -1646,7 +1675,7 @@ remote_commands() # $* = original arguments less the command.
     if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
-	progress_message "Getting Capabilities on system $system..."
+	progress_message2 "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1662,6 +1691,7 @@ remote_commands() # $* = original arguments less the command.
     #
     # Handle nonstandard remote VARDIR
     #
+    progress_message2 "Getting VARDIR on system $system..."
     temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"

docs/PortKnocking.xml

@@ -42,7 +42,8 @@
 
   <note>
     <para>The techniques described in this article were superseded in
-    Shorewall 4.5.19 with the introduction of Shorewall Events.</para>
+    Shorewall 4.5.19 with the introduction of <ulink
+    url="Events.html">Shorewall Events</ulink>.</para>
   </note>
 
   <note>

docs/Shorewall-5.xml

@@ -24,6 +24,8 @@
 
       <year>2017</year>
 
+      <year>2018</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>