Correct a runtime error with NFQUEUE.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done
 
 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
 

Shorewall-core/configure.pl

@@ -173,12 +173,7 @@ my $outfile;
 
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 
-if ( $ENV{SOURCE_DATE_EPOCH} ) {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
-} else {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
-}
-
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print $outfile "# rc file: $rcfilename\n#\n";
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

Shorewall-core/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -335,8 +335,9 @@ for f in lib.* ; do
 done
 
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 
 #

Shorewall-core/lib.base

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.base
+# Shorewall 5.0 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #

Shorewall-core/lib.cli

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50100
 
 if [ -z "$g_basedir" ]; then
     #
@@ -47,10 +47,6 @@ startup_error() {
     exit 1
 }
 
-only_root() {
-    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
-}
-
 #
 # Display a chain if it exists
 #
@@ -87,8 +83,6 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
     case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -417,9 +411,9 @@ resolve_arptables() {
 savesets() {
     local supported
 
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }
 
 #
@@ -428,9 +422,9 @@ savesets() {
 savesets1() {
     local supported
 
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 
 #
@@ -441,9 +435,9 @@ do_save() {
     local arptables
     status=0
 
-    if [ -f $g_firewall ]; then
+    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f $g_firewall $g_restorepath
+	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -455,7 +449,7 @@ do_save() {
 	    status=1
 	fi
     else
-	echo "   ERROR: $g_firewall does not exist" >&2
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
     fi
 
@@ -640,7 +634,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -6 -o route list table $table | grep -vF cache | sort_routes
+		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -653,7 +647,7 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -6 -o route list | grep -vF cache | sort_routes
+	    ip -$g_family -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1143,31 +1137,16 @@ show_a_macro() {
     cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries or entries from the other address family
+# Don't dump empty SPD entries
 #
-spd_filter() {
-    #
-    # af   = Address Family (4 or 6)
-    # afok = Address Family of entry matches af
-    # p    = print the contents of A (entry is not empty)
-    # i    = Number of lines stored in A
-    #
-    awk -v af=$g_family \
-	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
-\
-	 /^src / { if (p) prnt( A, i );\
-		   afok = 1;\
-		   p	= 0;\
-		   i	= 0;\
-		   if ( af == 4 )\
-		       { if ( /:/ )  afok = 0; }\
-		   else\
-		       { if ( /\./ ) afok = 0; }\
-		 };\
-		 { if ( afok ) A[i++] = $0; };\
-	 /tmpl/	 { p = afok; };\
-\
-	 END	 { if (p) prnt( A, i ); }'
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1180,8 +1159,7 @@ heading() {
 
 show_ipsec() {
     heading "PFKEY SPD"
-    $IP -s -$g_family xfrm policy | spd_filter
-
+    $IP -s xfrm policy | spd_filter
     heading "PFKEY SAD"
     $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1191,26 +1169,6 @@ show_ipsec_command() {
     show_ipsec
 }
 
-show_saves_command() {
-    local f
-    local fn
-    local mtime
-
-    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
-    echo "Saved snapshots are:"
-    echo
-
-    for f in ${VARDIR}/*-iptables; do
-	fn=$(basename $f)
-	fn=${fn%-iptables}
-	mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
-	[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
-	echo "   $mtime ${fn%-iptables}"
-    done
-
-    echo
-}
-
 #
 # Show Command Executor
 #
@@ -1229,7 +1187,6 @@ show_command() {
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
-	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1324,47 +1281,37 @@ show_command() {
 
     [ -n "$g_debugging" ] && set -x
 
-    COMMAND="$COMMAND $1"
-
     case "$1" in
 	connections)
-	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 
-	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1388,7 +1335,6 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1425,50 +1371,33 @@ show_command() {
 	    fi
 	    ;;
 	chain)
-	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
-        rc)
-            shift
-	    [ $# -gt 1 ] && too_many_arguments $2
-            if [ -n "$1" -a -d "$1" ]; then
-                cat $1/shorewallrc
-            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
-                cat $g_basedir/shorewallrc
-            else
-                fatal_error "Can not determine the location of the shorewallrc file."
-            fi
-            ;;
 	policies)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1478,7 +1407,6 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1486,18 +1414,14 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
-	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1508,13 +1432,8 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
-	saves)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    show_saves_command
-	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1561,8 +1480,6 @@ show_command() {
 		    ;;
 	    esac
 
-	    only_root
-
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1880,7 +1797,7 @@ do_dump_command() {
 
     echo
 
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1994,6 +1911,41 @@ show_proc() # $1 = name of a file
     [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2577,114 +2529,109 @@ hits_command() {
     fi
 }
 
-#
-# Issue an error message and terminate if the firewall isn't started
-#
-require_started() {
-    if ! product_is_started; then
-	error_message "ERROR: $g_product is not started"
-	exit 2
-    fi
-}
-
 #
 # 'allow' command executor
 #
 allow_command() {
 
-    local allowed
-    local which
-    which='-s'
-    local range
-    range='--src-range'
-    local dynexists
-
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && missing_argument
 
-    if [ -n "$g_blacklistipset" ]; then
-	case ${IPSET:=ipset} in
-	    */*)
-		if [ ! -x "$IPSET" ]; then
-		    fatal_error "IPSET=$IPSET does not exist or is not executable"
-		fi
-		;;
-	    *)
-		IPSET="$(mywhich $IPSET)"
-		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-		;;
-	esac
-    fi
+    if product_is_started ; then
+	local allowed
+	local which
+	which='-s'
+	local range
+	range='--src-range'
+	local dynexists
 
-    if chain_exists dynamic; then
-	dynexists=Yes
-    elif [ -z "$g_blacklistipset" ]; then
-	require_started
-	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
-    fi
+	if [ -n "$g_blacklistipset" ]; then
 
-    [ -n "$g_nolock" ] || mutex_on
-
-    while [ $# -gt 1 ]; do
-	shift
-
-	allowed=''
-
-	case $1 in
-	    from)
-		which='-s'
-		range='--src-range'
-		continue
-		;;
-	    to)
-		which='-d'
-		range='--dst-range'
-		continue
-		;;
-	    *-*)
-		if [ -n "$g_blacklistipset" ]; then
-		    if qt $IPSET -D $g_blacklistipset $1; then
-			allowed=Yes
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
 		    fi
-		fi
-
-		if [ -n "$dynexists" ]; then
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
-		    then
-			allowed=Yes
-		    fi
-		fi
-		;;
-	    *)
-		if [ -n "$g_blacklistipset" ]; then
-		    if qt $IPSET -D $g_blacklistipset $1; then
-			allowed=Yes
-		    fi
-		fi
-
-		if [ -n "$dynexists" ]; then
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			qt $g_tool -D dynamic $which $1 -j logreject
-		    then
-			allowed=Yes
-		    fi
-		fi
-		;;
-	esac
-
-	if [ -n "$allowed" ]; then
-	    progress_message2 "$1 Allowed"
-	else
-	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		    ;;
+	    esac
 	fi
-    done
 
-    [ -n "$g_nolock" ] || mutex_off
+	if chain_exists dynamic; then
+	    dynexists=Yes
+	elif [ -z "$g_blacklistipset" ]; then
+	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+	fi
+
+	[ -n "$g_nolock" ] || mutex_on
+
+	while [ $# -gt 1 ]; do
+	    shift
+
+	    allowed=''
+
+	    case $1 in
+		from)
+		    which='-s'
+		    range='--src-range'
+		    continue
+		    ;;
+		to)
+		    which='-d'
+		    range='--dst-range'
+		    continue
+		    ;;
+		*-*)
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+			then
+			    allowed=Yes
+			fi
+		    fi
+		    ;;
+		*)
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic $which $1 -j logreject
+			then
+			    allowed=Yes
+			fi
+		    fi
+		    ;;
+	    esac
+
+	    if [ -n "$allowed" ]; then
+		progress_message2 "$1 Allowed"
+	    else
+		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	    fi
+	done
+
+	[ -n "$g_nolock" ] || mutex_off
+    else
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
 }
 
 #
@@ -2804,6 +2751,7 @@ determine_capabilities() {
     LENGTH_MATCH=
     CLASSIFY_TARGET=
     ENHANCED_REJECT=
+    USEPKTTYPE=
     KLUDGEFREE=
     MARK=
     XMARK=
@@ -2822,7 +2770,7 @@ determine_capabilities() {
     GOTO_TARGET=
     LOGMARK_TARGET=
     IPMARK_TARGET=
-    LOG_TARGET=
+    LOG_TARGET=Yes
     ULOG_TARGET=
     NFLOG_TARGET=
     PERSISTENT_SNAT=
@@ -2855,8 +2803,6 @@ determine_capabilities() {
     WAIT_OPTION=
     CPU_FANOUT=
     NETMAP_TARGET=
-    NFLOG_SIZE=
-    RESTORE_WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2880,11 +2826,9 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
-    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
-
     if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	g_tool="$g_tool --wait"
+	tool="$tool --wait"
     fi
 
     chain=fooX$$
@@ -2899,7 +2843,6 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
-	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3150,6 +3093,7 @@ determine_capabilities() {
 	fi
     fi
 
+    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3190,15 +3134,12 @@ determine_capabilities() {
     qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
+    qt $g_tool -A $chain -j LOG || LOG_TARGET=
     qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
+    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
     qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
     qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
-    if qt $g_tool -A $chain -j NFLOG; then
-	NFLOG_TARGET=Yes
-	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
-    fi
 
     if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3263,6 +3204,7 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
     fi
+    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
     report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
     report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
     report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3272,8 +3214,8 @@ report_capabilities_unsorted() {
     [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
     report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
     report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
-    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
     if [ -n "$IPSET_MATCH" ]; then
+	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3353,11 +3295,9 @@ report_capabilities_unsorted() {
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3365,8 +3305,6 @@ report_capabilities_unsorted() {
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
-    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
-    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3379,6 +3317,8 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
     fi
 
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
 }
 
 report_capabilities_unsorted1() {
@@ -3395,6 +3335,7 @@ report_capabilities_unsorted1() {
     report_capability1 CONNTRACK_MATCH
     report_capability1 NEW_CONNTRACK_MATCH
     report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
     report_capability1 POLICY_MATCH
     report_capability1 PHYSDEV_MATCH
     report_capability1 PHYSDEV_BRIDGE
@@ -3470,9 +3411,6 @@ report_capabilities_unsorted1() {
     report_capability1 WAIT_OPTION
     report_capability1 CPU_FANOUT
     report_capability1 NETMAP_TARGET
-    report_capability1 NFLOG_SIZE
-    report_capability1 RESTORE_WAIT_OPTION
-    report_capability1 NAT_INPUT_CHAIN
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3777,7 +3715,7 @@ ipcalc_command() {
 
     valid_address $address || fatal_error "Invalid IP address: $address"
     [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
     [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
 
     address=$address/$vlsm
@@ -3815,7 +3753,7 @@ iprange_command() {
 }
 
 ipdecimal_command() {
-    if [ $# -eq 1 ]; then
+    if [ $# eq 1 ]; then
 	missing_argument
     else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3958,7 +3896,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4112,15 +4050,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
 
-	if [ -x $g_firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	if [ -x ${VARDIR}/firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "$g_firewall is missing or is not executable"
+	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4249,11 +4187,11 @@ restart_command() {
 
     [ -n "$g_nolock" ] || mutex_on
 
-    if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+    if [ -x ${VARDIR}/firewall ]; then
+	run_it ${VARDIR}/firewall $g_debugging $COMMAND
 	rc=$?
     else
-	error_message "$g_firewall is missing or is not executable"
+	error_message "${VARDIR}/firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
@@ -4263,10 +4201,10 @@ restart_command() {
 }
 
 run_command() {
-    if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+    if [ -x ${VARDIR}/firewall ] ; then
+	run_it ${VARDIR}/firewall $g_debugging $@
     else
-	fatal_error "$g_firewall does not exist or is not executable"
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
     fi
 }
 
@@ -4324,6 +4262,7 @@ usage() # $1 = exit status
 
     echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   reenable <interface>"
+    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
 
     if [ -n "$g_lite" ]; then
@@ -4333,11 +4272,9 @@ usage() # $1 = exit status
     fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
     fi
 
     echo "   reset [ <chain> ... ]"
@@ -4380,9 +4317,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
-    echo "   [ show | list | ls ] rc"
     echo "   [ show | list | ls ] routing"
-    echo "   [ show | list | ls ] saves"
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
@@ -4431,6 +4366,7 @@ shorewall_cli() {
     g_use_verbosity=
     g_debug=
     g_export=
+    g_refreshchains=:none:
     g_confess=
     g_update=
     g_annotate=
@@ -4449,7 +4385,6 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
-    g_havemutex=
 
     VERBOSE=
     VERBOSITY=1
@@ -4622,14 +4557,12 @@ shorewall_cli() {
 
     case "$COMMAND" in
 	start)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4637,7 +4570,6 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
-	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4646,22 +4578,19 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
-	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it ${VARDIR}/firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
-	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4670,7 +4599,6 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
-	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4680,20 +4608,18 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
-	    only_root
+	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
-	    only_root
 	    get_config Yes No Yes
     	    shift
     	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
-	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4704,63 +4630,53 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
-	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
-	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
-	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
-	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
-	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
-	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4777,13 +4693,11 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
-	    only_root
 	    get_config
 	    shift
 	    restore_command $@
             ;;
 	call)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4821,20 +4735,17 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
-	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
-	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.common
+# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,48 +269,53 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
     local modulename
     modulename=$1
-    shift
-    local moduleoptions
-    moduleoptions=$*
     local modulefile
     local suffix
 
     if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		case $moduleloader in
-		    insmod)
-			for directory in $moduledirectories; do
-			    for modulefile in $directory/${modulename}.*; do
-				if [ -f $modulefile ]; then
-				    insmod $modulefile $moduleoptions
-				    return
-				fi
-			    done
-			done
-			;;
-		    *)
-			modprobe -q $modulename $moduleoptions
-			;;
-		esac
-	    fi
-	fi
-    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	case $moduleloader in
-	    insmod)
-		for directory in $moduledirectories; do
-		    for modulefile in $directory/${modulename}.*; do
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
 			if [ -f $modulefile ]; then
-			    insmod $modulefile $moduleoptions
-			    return
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
 			fi
 		    done
 		done
-		;;
-	    *)
-		modprobe -q $modulename $moduleoptions
-		;;
-	esac
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
     fi
 }
 
@@ -333,6 +338,8 @@ reload_kernel_modules() {
 	moduleloader=insmod
     fi
 
+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
+
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -387,6 +394,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
     fi
 
+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
+
     if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -754,7 +763,7 @@ mutex_on()
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
-    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 
 	lockd=$(dirname $LOCKFILE)
 
@@ -762,7 +771,7 @@ mutex_on()
 
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -775,14 +784,12 @@ mutex_on()
 
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -792,15 +799,10 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
-		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
-
-	if [ -n "$g_havemutex" ]; then
-	    trap mutex_off EXIT
-	fi
     fi
 }
 
@@ -809,10 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
-    if [ -n "$g_havemutex" ]; then
-	eval $g_havemutex
-	g_havemutex=
-	trap '' exit
-    fi
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 

Shorewall-core/lib.core

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.core
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
 
-SHOREWALL_LIBVERSION=50108
+SHOREWALL_LIBVERSION=50100
 
 #
 # Fatal Error

Shorewall-core/lib.installer

@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/manpages/shorewall.xml

@@ -405,6 +405,20 @@
       <replaceable>provider</replaceable> }</arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>options</arg>
+
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
+      rep="repeat"><replaceable>chain</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -445,54 +459,6 @@
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getcaps</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-R</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getrc</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-c</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -847,7 +813,7 @@
 
       <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg choice="plain"><option>saves</option></arg>
+      <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1350,7 +1316,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -1807,6 +1773,63 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
+        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
+        </option><replaceable>directory</replaceable> ] [
+        <replaceable>chain</replaceable>... ]</term>
+
+        <listitem>
+          <para>Not available with Shorewall[6]-lite.</para>
+
+          <para>All steps performed by <command>restart</command> are
+          performed by <command>refresh</command> with the exception that
+          <command>refresh</command> only recreates the chains specified in
+          the command while <command>restart</command> recreates the entire
+          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
+          the static blacklisting chain <emphasis
+          role="bold">blacklst</emphasis> is assumed.</para>
+
+          <para>The listed chains are assumed to be in the filter table. You
+          can refresh chains in other tables by prefixing the chain name with
+          the table name followed by ":" (e.g., nat:net_dnat). Chain names
+          which follow are assumed to be in that table until the end of the
+          list or until an entry in the list names another table. Built-in
+          chains such as FORWARD may not be refreshed.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
+          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
+
+          <para>The <emphasis role="bold">refresh</emphasis> command has
+          slightly different behavior. When no chain name is given to the
+          <emphasis role="bold">refresh</emphasis> command, the mangle table
+          is refreshed along with the blacklist chain (if any). This allows
+          you to modify <filename>/etc/shorewall/tcrules </filename>and
+          install the changes using <emphasis
+          role="bold">refresh</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">reject</emphasis><replaceable>
         address</replaceable></term>
@@ -1918,57 +1941,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">remote-getcaps</emphasis>
-        [-<option>R</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command executes <emphasis
-          role="bold">shorewall[6]-lite show capabilities -f &gt;
-          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
-          <replaceable>system</replaceable> via ssh then the generated file is
-          copied to <replaceable>directory</replaceable> on the local system.
-          If no <replaceable>directory</replaceable> is given, the current
-          working directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
-          shorewallrc file is also copied to
-          <replaceable>directory</replaceable>.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">remote-getrc</emphasis>
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
-          file from the remote <replaceable>system</replaceable> to
-          <replaceable>directory</replaceable> on the local system. If no
-          <replaceable>directory</replaceable> is given, the current working
-          directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
-          capabilities are also copied to
-          <replaceable>directory</replaceable>, as is done by the
-          <command>remote-getcaps</command> command.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -2020,9 +1992,9 @@
           role="bold">shorewall-lite save</emphasis> via ssh.</para>
 
           <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
-          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
-          via ssh then the generated file is copied to
+          command <emphasis role="bold">shorewall-lite show capabilities -f
+          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+          ssh then the generated file is copied to
           <replaceable>directory</replaceable> using scp. This step is
           performed before the configuration is compiled.</para>
 
@@ -2033,6 +2005,13 @@
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2451,11 +2430,11 @@
         <replaceable>filename</replaceable> ]</term>
 
         <listitem>
-          <para>Creates a snapshot of the currently running firewall. The
-          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
-          the firewall is stored in
+          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
+          The state of the firewall is stored in
           /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> command. If
+          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
+          role="bold">shorewall -f start</emphasis> commands. If
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2758,15 +2737,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">rc</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Displays the contents of
-                $SHAREDIR/shorewall/shorewallrc.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term>[-<option>c</option>]<emphasis role="bold">
               routing</emphasis></term>
@@ -2792,20 +2762,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>saves</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
-                <command>save</command> command. Each snapshot is listed with
-                the date and time when it was taken. If there is a snapshot
-                with the name specified in the RESTOREFILE option in <ulink
-                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
-                snapshot is listed as the <emphasis>default</emphasis>
-                snapshot for the <command>restore</command> command.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">tc</emphasis></term>
 
@@ -2965,7 +2921,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -3217,8 +3173,6 @@
     <title>FILES</title>
 
     <para>/etc/shorewall/</para>
-
-    <para>/etc/shorewall6/</para>
   </refsect1>
 
   <refsect1>
@@ -3228,18 +3182,13 @@
     url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
-    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
-    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
-    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
-    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
-    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
-    shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall-core/shorewall

@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.0
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,10 +25,6 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-#
-# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
-# options
-#
 PRODUCT=shorewall
 
 #

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.2 rc file
+# Apple OS X Shorewall 5.0 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.2 rc file
+# Arch Linux Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.2 rc file
+# Cygwin Shorewall 5.0 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-empty, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.2 rc file
+# Default Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux

Shorewall-core/shorewallrc.openwrt

@@ -1,5 +1,5 @@
 #
-# OpenWRT/LEDE Shorewall 5.2 rc file
+# OpenWRT Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.2 rc file
+# RedHat/FedoraShorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.sandbox

@@ -1,28 +0,0 @@
-#
-# Shorewall 5.2 rc file for installing into a Sandbox
-#
-BUILD=                                       # Default is to detect the build system
-HOST=linux
-INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
-PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
-PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
-CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
-SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
-MANDIR=		     			     # Leave empty
-INITDIR=				     # Leave empty				     				
-INITSOURCE=				     # Leave empty
-INITFILE=				     # Leave empty
-AUXINITSOURCE=				     # Leave empty
-AUXINITFILE=				     # Leave empty
-SERVICEDIR=				     # Leave empty
-SERVICEFILE=    			     # Leave empty
-SYSCONFFILE=				     # Leave empty
-SYSCONFDIR=				     # Leave empty			
-SPARSE=					     # Leave empty			
-ANNOTATED=				     # If non-empty, annotated configuration files are installed				
-VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
-VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
-DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
-SANDBOX=Yes				     # Indicates SANDBOX installation

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.2 rc file
+# Slackware Shorewall 5.0 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.2 rc file
+# SuSE Shorewall 5.0 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall-init/init.debian.sh

@@ -73,16 +73,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
-        if [ $PRODUCT = shorewall ]; then
-            ${SBINDIR}/shorewall compile
-        elif [ $PRODUCT = shorewall6 ]; then
-            ${SBINDIR}/shorewall -6 compile
-        else
-            return 1
-        fi
+	return 0
     fi
 }
 
@@ -112,14 +108,16 @@ shorewall_start () {
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-          #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  (
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
-	  )
+	  if [ -x ${STATEDIR}/firewall ]; then
+              #
+	      # Run in a sub-shell to avoid name collisions
+	      #
+	      (
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  fi
+	      )
+	  fi
       fi
   done
 
@@ -147,7 +145,9 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 
@@ -159,9 +159,8 @@ shorewall_stop () {
 
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
       else
-	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
       fi
 

Shorewall-init/init.fedora.sh

@@ -44,14 +44,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -68,20 +66,20 @@ start () {
 
     printf "Initializing \"Shorewall-based firewalls\": "
 
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
     for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
     done
@@ -108,25 +106,20 @@ stop () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
     done
 
     if [ $retval -eq 0 ]; then
-	if [ -n "$SAVE_IPSETS" ]; then
-	    mkdir -p $(dirname "$SAVE_IPSETS")
-	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
-		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	    else
-		rm -f "${SAVE_IPSETS}.tmp"
-	    fi
-	fi
-
 	rm -f $lockfile
 	success
     else

Shorewall-init/init.openwrt.sh

@@ -75,14 +75,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -94,8 +92,10 @@ start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -103,8 +103,6 @@ start () {
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
       ipset -R < "$SAVE_IPSETS"
   fi
-
-  return 0
 }
 
 boot () {
@@ -119,19 +117,17 @@ stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
     done
 
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
     fi
-
-    return 0
 }
 

Shorewall-init/init.sh

@@ -69,12 +69,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
     else
-	return 1
+	return 0
     fi
 }
 
@@ -86,8 +84,10 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -107,16 +107,16 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
       fi
   fi
 

Shorewall-init/init.suse.sh

@@ -79,14 +79,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 6
+	return 0
     fi
 }
 
@@ -98,8 +96,10 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	  if [ -x $STATEDIR/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -117,16 +117,16 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 
   if [ -n "$SAVE_IPSETS" ]; then
       mkdir -p $(dirname "$SAVE_IPSETS")
       if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
       fi
   fi
 }

Shorewall-init/shorewall-init

@@ -33,12 +33,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
+    else
+	return 0
     fi
 }
 
@@ -67,14 +67,16 @@ shorewall_start () {
     printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
+	    if [ -x ${STATEDIR}/firewall ]; then
+		#
+		# Run in a sub-shell to avoid name collisions
+		#
+		(
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+			${STATEDIR}/firewall ${OPTIONS} stop
+		    fi
+		)
+	    fi
 	fi
     done
 
@@ -93,16 +95,16 @@ shorewall_stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
     done
 
     if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
     fi
 

Shorewall-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/shorecap

@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,6 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -0,0 +1,57 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Drop
+#
+# The audited default DROP common rules
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+Auth(A_DROP)
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Don't log broadcasts and multicasts
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep

Shorewall/Actions/action.A_REJECT

@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECT
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_REJECT!

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_Reject.deprecated

@@ -0,0 +1,54 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Reject
+#
+# The audited default REJECT action common rules
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Drop Broadcasts and multicasts so they don't clutter up the log
+# (these must *not* be rejected).
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep

Shorewall/Actions/action.AllowICMPs

@@ -13,6 +13,7 @@ DEFAULTS ACCEPT
     @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
+
     @1	-		-	ipv6-icmp	destination-unreachable
     @1	-		-	ipv6-icmp	packet-too-big
     @1	-		-	ipv6-icmp	time-exceeded
@@ -37,7 +38,7 @@ DEFAULTS ACCEPT
     @1	-		-	ipv6-icmp	148	# Certificate path solicitation
     @1	-		-	ipv6-icmp	149	# Certificate path advertisement
 
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
     @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
     @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall/Actions/action.Broadcast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.DNSAmp

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Drop.deprecated

@@ -0,0 +1,84 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Drop
+#
+# The former default DROP common rules. Use of this action is now deprecated
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+#     with them.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Don't log broadcasts or multicasts
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+Invalid(DROP,@1)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)

Shorewall/Actions/action.Established

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.FIN

@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.FIN
-#
-# FIN Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# FIN[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT,-
-
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN

Shorewall/Actions/action.IfEvent

@@ -107,11 +107,6 @@ if ( $command & $REAP_OPT ) {
 
 $duration .= '--rttl ' if $command & $TTL_OPT;
 
-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
-    $action = 'ACCEPT';
-}
-
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
 
@@ -135,7 +130,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Shorewall/Actions/action.Invalid

@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Multicast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.New

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.NotSyn

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.RST

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Reject.deprecated

@@ -0,0 +1,85 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Reject
+#
+# The former default REJECT action common rules. Use of this action is deprecated.
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing
+#     special with them.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+Invalid(DROP,@1)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)

Shorewall/Actions/action.Related

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.ResetEvent

@@ -41,11 +41,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "" );
-    $action = 'ACCEPT';
-}
-
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {

Shorewall/Actions/action.SetEvent

@@ -37,11 +37,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 
-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "" );
-    $action = 'ACCEPT';
-}
-
 if ( $destination eq 'dst' ) {
     perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {

Shorewall/Actions/action.TCPFlags

@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0

Shorewall/Actions/action.Untracked

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.allowInvalid

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.dropBcasts

@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcasts
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcasts[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcasts"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-

Shorewall/Actions/action.dropInvalid

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Macros/macro.FreeIPA

@@ -1,16 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.FreeIPA
-#
-# This macro handles FreeIPA server traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DNS
-HTTP
-HTTPS
-Kerberos
-Kpasswd
-LDAP
-LDAPS
-NTP

Shorewall/Macros/macro.IPMI

@@ -11,20 +11,13 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	8889		# WS-MAN
+PARAM	-	-	udp	623		# RMCP
 HTTP
-Telnet
-SNMP
-
-# TLS/secure ports
-PARAM	-	-	tcp	3520		# Remote Console (Redfish)
-PARAM	-	-	tcp	3669		# Virtual Media (Dell)
-PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
-PARAM	-	-	tcp	7582		# Remote Console (AMI)
 HTTPS
+SNMP
 SSH						# Serial over Lan
+Telnet

Shorewall/Macros/macro.Kpasswd

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Kpasswd
-#
-# This macro handles Kerberos "passwd" traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	464
-PARAM	-	-	udp	464

Shorewall/Macros/macro.RDP

@@ -6,5 +6,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
-PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389

Shorewall/Macros/macro.RedisSecure

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisSecure
-#
-# This macro handles Redis Secure (SSL/TLS) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	6380

Shorewall/Macros/macro.Rwhois

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Rwhois
-#
-# This macro handles Remote Who Is (rwhois) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	4321

Shorewall/Macros/macro.SNMPTrap.deprecated

@@ -1,9 +1,9 @@
 #
-# Shorewall -- /usr/share/shorewall/macro.Apcupsd
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles apcupsd traffic.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
-PARAM	-	-	tcp	3551
+SNMPtrap

Shorewall/Macros/macro.SSDP

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDP
-#
-# This macro handles SSDP (used by DLNA/UPnP) client traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900

Shorewall/Macros/macro.SSDPserver

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDPserver
-#
-# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900
-PARAM	DEST	SOURCE	udp	-	1900

Shorewall/Makefile-lite

@@ -0,0 +1,82 @@
+#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+# Place this file in each export directory. Modify each copy to set HOST
+# to the name of the remote firewall corresponding to the directory.
+#
+#	To make the 'firewall' script, type "make".
+#
+#	Once the script is compiling correctly, you can install it by
+#	typing "make install".
+#
+################################################################################
+#                             V A R I A B L E S
+#
+# Files in the export directory on which the firewall script does not depend
+#
+IGNOREFILES =  firewall% Makefile% trace% %~
+#
+# Remote Firewall system
+#
+HOST = gateway
+#
+# Save some typing
+#
+LITEDIR = /var/lib/shorewall-lite
+#
+# Set this if the remote system has a non-standard modules directory
+#
+MODULESDIR=
+#
+# Default target is the firewall script
+#
+################################################################################
+#                                T A R G E T S
+#
+all: firewall
+#
+# Only generate the capabilities file if it doesn't already exist
+#
+capabilities:
+	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
+	scp root@$(HOST):$(LITEDIR)/capabilities .
+#
+# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
+# 'filter-out' will be presented with the list of files in this directory rather than "*"
+#
+firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
+	shorewall compile -e . firewall
+#
+# Only reload on demand.
+#
+install: firewall
+	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
+	ssh root@$(HOST) "/sbin/shorewall-lite restart"
+#
+# Save running configuration
+#
+save:
+	ssh root@$(HOST) "/sbin/shorewall-lite save"
+#
+# Remove generated files
+#
+clean:
+	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/ARP.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
     my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     if ( $source eq 'any' || $source eq 'all' ) {
         $source = ALLIP;
     } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
     }
 
     if ( have_bridges && ! $asection ) {
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
+			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
 
     copy2( $lib, $debug ) if -f $lib;
 
-    emithd<<'EOF';
+    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
     }
 
-    emithd <<'EOF';
+    emit <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -209,8 +209,6 @@ sub generate_script_2() {
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
     emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
     emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
-    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
-    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -268,13 +266,13 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
     }
 
     pop_indent;
 
-    emit "}\n"; # End of initialize()
+    emit "\n}\n"; # End of initialize()
 
     emit( '' ,
 	  '#' ,
@@ -311,9 +309,10 @@ sub generate_script_2() {
 	    push_indent;
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-		verify_required_interfaces(0);
+
 		set_global_variables(0, 0);
-		handle_optional_interfaces;
+
+		handle_optional_interfaces(0);
 	    }
 
 	    emit ';;';
@@ -325,19 +324,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 
-	verify_required_interfaces(1);
 	set_global_variables(1,1);
-	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
 	}
     } else {
-	verify_required_interfaces(1);
-	emit( 'true' ) unless handle_optional_interfaces;
+	emit( 'true' ) unless handle_optional_interfaces(1);
     }
 
     pop_indent;
@@ -356,7 +355,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3() {
+sub generate_script_3($) {
 
     if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -366,6 +365,7 @@ sub generate_script_3() {
 
     create_netfilter_load( $test );
     create_arptables_load( $test ) if $have_arptables;
+    create_chainlist_reload( $_[0] );
     create_save_ipsets;
     create_load_ipsets;
 
@@ -397,10 +397,16 @@ sub generate_script_3() {
 	emit 'load_kernel_modules Yes';
     }
 
-    emit( '' ,
-	  'run_init_exit',
-	  '' ,
-	  'load_ipsets' ,
+    emit '';
+
+    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	   '   run_refresh_exit' ,
+	   'else' ,
+	   '    run_init_exit',
+	   'fi',
+	   '' );
+
+    emit( 'load_ipsets' ,
 	  '' );
 
     create_nfobjects;
@@ -458,6 +464,11 @@ sub generate_script_3() {
     dump_proxy_arp;
     emit_unindented '__EOF__';
 
+    emit( '',
+	  'if [ "$COMMAND" != refresh ]; then' );
+
+    push_indent;
+
     emit 'cat > ${VARDIR}/zones << __EOF__';
     dump_zone_contents;
     emit_unindented '__EOF__';
@@ -470,6 +481,10 @@ sub generate_script_3() {
     dump_mark_layout;
     emit_unindented '__EOF__';
 
+    pop_indent;
+
+    emit "fi\n";
+
     emit '> ${VARDIR}/nat';
 
     add_addresses;
@@ -508,12 +523,29 @@ sub generate_script_3() {
 
     my $config_dir = $globals{CONFIGDIR};
 
-    emithd <<"EOF";
+    emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
-    setup_netfilter
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
+    setup_load_distribution;
+    setup_forwarding( $family , 0 );
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit( '    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
+
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit( "    set_state Started $config_dir",
+	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	  'else',
+	  '    setup_netfilter'	);
+
     push_indent;
     emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
@@ -538,7 +570,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
 
-    emithd<<'EOF';
+    emit<<'EOF';
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -548,6 +580,9 @@ case $COMMAND in
     reload)
         mylogger kern.info "$g_product reloaded"
         ;;
+    refresh)
+        mylogger kern.info "$g_product refreshed"
+        ;;
     restore)
         mylogger kern.info "$g_product restored"
         ;;
@@ -582,8 +617,8 @@ sub compile_info_command() {
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
     $export         = 0;
     $test           = 0;
@@ -612,6 +647,7 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
+		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -619,6 +655,7 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -652,10 +689,9 @@ sub compiler {
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
     #
-    #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $inline );
     #
     # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
     # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -757,10 +793,13 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
     }
 
+    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
+    enable_script;
+    #
     # Validate the TC files so that the providers will know what interfaces have TC
     #
     my $tcinterfaces = process_tc;
@@ -778,7 +817,7 @@ sub compiler {
     #
     # Setup Masquerade/SNAT
     #
-    setup_snat;
+    setup_snat( $update );
     #
     # Setup Nat
     #
@@ -859,7 +898,7 @@ sub compiler {
 
 	optimize_level0;
 
-	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -881,7 +920,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3();
+	generate_script_3( $chains );
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,10 +60,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
-		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
+		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -74,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
+		  validate_port
+		  validate_portpair
+		  validate_portpair1
+		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -99,14 +103,12 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
-our $loopback_address;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -373,10 +375,6 @@ sub rfc1918_networks() {
     @rfc1918_networks
 }
 
-sub loopback_address() {
-    $loopback_address;
-}
-
 #
 # Protocol/port validation
 #
@@ -413,6 +411,114 @@ sub proto_name( $ ) {
     $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 
+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -466,6 +572,67 @@ sub validate_icmp( $ ) {
     fatal_error "Invalid ICMP Type ($type)"
 }
 
+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
 sub valid_6address( $ ) {
     my $address = $_[0];
 
@@ -762,7 +929,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
-	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -775,7 +941,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
-	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -667,7 +667,6 @@ sub create_docker_rules() {
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
     add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
 
     if ( my $dockerref = known_interface('docker0') ) {
@@ -718,7 +717,7 @@ sub add_common_rules ( $ ) {
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
     } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -2448,7 +2447,7 @@ sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
     my @match;
-    my $chainref = $mangle_table->{FORWARD};
+    my $chainref = $filter_table->{FORWARD};
 
     if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
@@ -2554,6 +2553,9 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
+	        refresh)
+	            mylogger kern.err "ERROR:$g_product refresh failed"
+	            ;;
                 enable)
                     mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
@@ -2643,6 +2645,7 @@ EOF
 
         rm -f ${VARDIR}/proxyarp
     fi
+
 EOF
     } else {
 	emit <<'EOF';
@@ -2656,6 +2659,7 @@ EOF
 
         rm -f ${VARDIR}/proxyndp
     fi
+
 EOF
     }
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
-    my $have_masq_rules;
-
     if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 
+	my $have_masq_rules;
+
 	directive_callback(
 	    sub ()
 	    {
@@ -647,8 +647,6 @@ sub convert_masq() {
 
 	close $snat, directive_callback( 0 );
     }
-
-    $have_masq_rules;
 }
 
 #
@@ -943,17 +941,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-
-	    my @servers;
-
-	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
-		$server = record_runtime_address( $1, $2 );
-		$server =~ s/ $//;
-		@servers = ( $server );
-	    } else {
-		@servers = validate_address $server, 1;
-	    }
-
+	    my @servers = validate_address $server, 1;
 	    $server = join ',', @servers;
 	}
 

Shorewall/Perl/Shorewall/Proc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -64,8 +64,6 @@ our @load_interfaces;
 
 our $balancing;
 our $fallback;
-our $balanced_providers;
-our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -101,8 +99,6 @@ sub initialize( $ ) {
     %provider_interfaces    = ();
     @load_interfaces        = ();
     $balancing              = 0;
-    $balanced_providers     = 0;
-    $fallback_providers     = 0;
     $fallback               = 0;
     $metrics                = 0;
     $first_default_route    = 1;
@@ -125,7 +121,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask   = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
     my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -161,15 +157,6 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
-
-		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
-			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    }
-		}
-
 		$marked_interfaces{$interface} = 1;
 	    }
 
@@ -336,24 +323,18 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $balanced_providers == 1 ) {
-	    if ( $gateway ) {
-		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
-	    } else {
-		emit qq(DEFAULT_ROUTE="dev $interface $realm");
-	    }
-	} elsif ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_default_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -366,24 +347,18 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $fallback_providers == 1 ) {
-	    if ( $gateway ) {
-		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
-	    } else {
-		emit qq(FALLBACK_ROUTE="dev $interface $realm");
-	    }
-	} elsif ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_fallback_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -511,7 +486,7 @@ sub process_a_provider( $ ) {
 
     if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, $number );
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
     } elsif ( $gw eq 'none' ) {
@@ -521,9 +496,6 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
     } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
-
-	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
-
 	validate_address $gateway, 0;
 
 	if ( defined $mac ) {
@@ -614,7 +586,6 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
-		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -622,12 +593,7 @@ sub process_a_provider( $ ) {
 	}
     }
 
-    if ( $balance ) {
-	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
-	$balanced_providers++;
-    } elsif ( $default ) {
-	$fallback_providers++;
-    }
+    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
 
     if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -701,6 +667,7 @@ sub process_a_provider( $ ) {
 	    
 	    $pref = 10000 + $number - 1;
 	}
+
     }
 
     unless ( $loose || $pseudo ) {
@@ -859,7 +826,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
 
@@ -875,8 +842,8 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
 
-	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
 	if ( ! $noautosrc ) {
@@ -885,25 +852,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( '',
-			"find_interface_addresses $physical | while read address; do",
-			"    qt \$IP -$family rule del from \$address",
-			"    run_ip rule add from \$address pref 20000 table $id",
+		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( "    qt \$IP -$family rule del from \$address" );
+		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
-	}
 
-	if ( @{$providerref->{persistent_routes}} ) {
-	    emit '';
-	    emit $_ for @{$providers{$table}->{persistent_routes}};
-	}
+	    if ( @{$providerref->{persistent_routes}} ) {
+		emit '';
+		emit $_ for @{$providers{$table}->{persistent_routes}};
+	    }
 
-	if ( @{$providerref->{persistent_rules}} ) {
-	    emit '';
-	    emit $_ for @{$providers{$table}->{persistent_rules}};
+	    if ( @{$providerref->{persistent_rules}} ) {
+		emit '';
+		emit $_ for @{$providers{$table}->{persistent_rules}};
+	    }
 	}
 
 	pop_indent;
@@ -911,6 +877,7 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 
+
 	pop_indent;
 
 	emit( "}\n" );
@@ -936,7 +903,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
     }
@@ -968,7 +935,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
 
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
 
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -997,7 +964,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
 
-	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
     }
 
     if ( $balance ) {
@@ -1009,16 +976,14 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route replace default table $id dev $physical metric $number);
+	    emit qq(run_ip route add default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 
-	emit( 'g_fallback=Yes' ) if $persistent;
-
 	$metrics = 1;
     }
 
@@ -1040,13 +1005,12 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
-			  qq(    qt \$IP -$family rule del from $address pref 20000),
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1103,21 +1067,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
-	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
-	    );
-
-	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit  ( '#',
-		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
-		    '#',
-		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
-		    '    true',
-		    'done',
-		    ''
-		);
-	}
-
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1251,7 +1201,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1262,14 +1212,12 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
-	    );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
 
 	if ( $pseudo ) {
-	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	}
 
 	pop_indent;
@@ -1370,7 +1318,7 @@ sub add_an_rtrule1( $$$$$ ) {
 
     $priority = "pref $priority";
 
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
     push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 
     if ( $persistent ) {
@@ -1468,22 +1416,22 @@ sub add_a_route( ) {
 
     if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route replace $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $null $dest table $id);
+	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
     } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
+	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
+	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
     }
 
@@ -1585,17 +1533,16 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
-		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( '',
-		    "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1607,7 +1554,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1634,7 +1581,7 @@ sub finish_providers() {
 	}
 
 	emit ( '#',
-	       '# Delete any default routes with metric 0 in the \'balance\' table',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1649,7 +1596,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 
@@ -1662,10 +1609,7 @@ sub finish_providers() {
 	      'fi',
 	      '' );
     } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( '#',
-	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
-	      '#',
-	      "delete_default_routes $default",
+	emit( "delete_default_routes $default",
 	      ''
 	    );
     }
@@ -1710,7 +1654,7 @@ sub process_providers( $ ) {
     }
 
     if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
 
 	my $fn = open_file( 'route_rules' );
 
@@ -1741,7 +1685,7 @@ sub process_providers( $ ) {
 
     add_a_provider( $providers{$_}, $tcdevices ) for @providers;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
 
 #
 # Enable an optional provider
@@ -1787,11 +1731,12 @@ EOF
     pop_indent;
     pop_indent;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
         *)
             startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
+
 }
 
 #
@@ -1895,19 +1840,20 @@ sub setup_providers() {
 
 	start_providers;
 
-	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 
-	if ( @providers ) {
-	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
-	}
+	emit '';
+
+	emit "start_$providers{$_}->{what}_$_" for @providers;
+
+	emit '';
 
 	finish_providers;
 
 	emit "\nrun_ip route flush cache";
 
 	pop_indent;
-	emit 'fi';
+	emit "fi\n";
 
 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
     } else {
@@ -1918,10 +1864,9 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
+	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1946,8 +1891,9 @@ sub setup_providers() {
 
 	pop_indent;
 
-	emit 'fi';
+	emit "fi\n";
     }
+
 }
 
 #
@@ -2196,13 +2142,17 @@ sub provider_realm( $ ) {
 }
 
 #
-# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
-
+# This function is called by the compiler when it is generating the detect_configuration() function.
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
+#
+sub handle_optional_interfaces( $ ) {
 
     my @interfaces;
     my $wildcards;
+
     #
     # First do the provider interfacess. Those that are real providers will never have wildcard physical
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2226,6 +2176,10 @@ sub handle_optional_interfaces() {
 
     if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;
+
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2368,7 +2322,7 @@ sub handle_optional_interfaces() {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore)'
+		  '        start|reload|restore|refresh)'
 		);
 
 	    if ( $family == F_IPV4 ) {
@@ -2389,6 +2343,8 @@ sub handle_optional_interfaces() {
 
 	return 1;
     }
+
+    verify_required_interfaces( shift );
 }
 
 #

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,6 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
     }
 
     emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
-	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
 
     push @proxyarp, "$address $interface $external $haveroute";

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $disposition = $action;
     my $exception_rule = '';
-
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
     my $level = '';
 
     if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,14 +138,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
-	if ( $proto ne '-' ) {
-	    if ( $proto =~ s/:all$// ) {
-		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
-	    } else {
-		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
-	    }
-	}
-
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -207,9 +199,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 do_proto( $proto, $ports, $sports ) . 
-		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 $rule,
 		 $source ,
 		 $dest ,
 		 '' ,

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
     if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
     } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
-		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
+		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
 
-	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
-	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
+	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 
 	$gateways = ALLIP if $gateways eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,8 +90,9 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
+		    find_interfaces_by_option1
 		    get_interface_option
-		    get_interface_origin
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -113,31 +114,31 @@ our $VERSION = 'MODULEVERSION';
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
-#			 complex =>    0|1
-#			 super	 =>    0|1
-#			 options =>    { in_out	 => < policy match string >
-#					 in	 => < policy match string >
-#					 out	 => < policy match string >
-#				       }
-#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
-#			 children =>   [ <children> ]
-#			 interfaces => { <interfaces1> => 1, ... }
-#			 bridge =>     <bridge>
-#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#								   options => { <option1> => <value1>
-#										...
-#									      }
-#								   hosts   => [ <net1> , <net2> , ... ]
-#								   exclusions => [ <net1>, <net2>, ... ]
-#								   origin   => <where defined>
-#								 }
-#						 <interface2> => ...
-#					       }
-#					     ]
-#			}
-#	      <zone2> => ...
-#	    }
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
+#                                        in      => < policy match string >
+#                                        out     => < policy match string >
+#                                      }
+#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
+#                        children =>   [ <children> ]
+#                        interfaces => { <interfaces1> => 1, ... }
+#                        bridge =>     <bridge>
+#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#                                                                  options => { <option1> => <value1>
+#                                                                               ...
+#                                                                             }
+#                                                                  hosts   => [ <net1> , <net2> , ... ]
+#                                                                  exclusions => [ <net1>, <net2>, ... ]
+#                                                                  origin   => <where defined>
+#                                                                }
+#                                                <interface2> => ...
+#                                              }
+#                                            ]
+#                       }
+#             <zone2> => ...
+#           }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -159,27 +160,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name	  => <name of interface>
-#				      root	  => <name without trailing '+'>
-#				      options	  => { port => undef|1
-#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
-#						       ...
-#						     }
-#				      zone	  => <zone name>
-#				      multizone	  => undef|1   #More than one zone interfaces through this interface
-#				      nets	  => <number of nets in interface/hosts records referring to this interface>
-#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
-#				      ports	  => <number of port on this bridge>
-#				      ipsec	  => undef|1 # Has an ipsec host group
-#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#				      number	  => <ordinal position in the interfaces file>
-#				      physical	  => <physical interface name>
-#				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
-#				      zones	  => { zone1 => 1, ... }
-#				      origin	  => <where defined>
-#				    }
-#		  }
+#     %interfaces { <interface1> => { name        => <name of interface>
+#                                     root        => <name without trailing '+'>
+#                                     options     => { port => undef|1
+#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#                                                      ...
+#                                                    }
+#                                     zone        => <zone name>
+#                                     multizone   => undef|1   #More than one zone interfaces through this interface
+#                                     nets        => <number of nets in interface/hosts records referring to this interface>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     ports       => <number of port on this bridge>
+#                                     ipsec       => undef|1 # Has an ipsec host group
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
+#                                     wildcard    => undef|1 # Wildcard Name
+#                                     zones       => { zone1 => 1, ... }
+#                                     origin      => <where defined>
+#                                   }
+#                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -252,17 +253,6 @@ use constant { NO_UPDOWN   => 1,
 
 our %validinterfaceoptions;
 
-our %procinterfaceoptions=( accept_ra   => 1,
-			    arp_filter  => 1,
-			    arp_ignore  => 1,
-			    forward     => 1,
-			    logmartians => 1,
-			    proxyarp    => 1,
-			    proxyndp    => 1,
-			    routefilter => 1,
-			    sourceroute => 1,
-			  );
-
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -327,7 +317,7 @@ sub initialize( $$ ) {
     %mapbase = ();
     %mapbase1 = ();
     $baseseq = 0;
-    $minroot = undef;
+    $minroot = 0;
     $loopback_interface = '';
 
     %validzoneoptions = ( mss            => NUMERIC,
@@ -349,7 +339,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -373,9 +363,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION,
+				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -400,7 +390,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -412,18 +402,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION,
+				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -711,40 +701,6 @@ sub haveipseczones() {
     0;
 }
 
-#
-# Returns 1 if the two interfaces passed are related
-#
-sub interface_match( $$ ) {
-    my ( $piface, $ciface ) = @_;
-
-    return 1 if $piface eq $ciface;
-
-    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
-
-    return 1 if $piface eq $cifaceref->{bridge};
-    return 1 if $ciface eq $pifaceref->{bridge};
-
-    if ( defined $minroot ) {
-	if ( $piface =~ /\+$/ ) {
-	    my $root    = $pifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $ciface ) >= $rlength ) {
-		return 1 if $ciface eq $root;
-		chop $ciface;
-	    }
-	} elsif ( $ciface =~ /\+$/ ) {
-	    my $root    = $cifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $piface ) >= $rlength ) {
-		return 1 if $piface eq $root;
-		chop $piface;
-	    }
-	}
-    }
-
-    0;
-}
-
 #
 # Report about zones.
 #
@@ -782,7 +738,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -791,17 +747,6 @@ sub zone_report()
 	    }
 	}
 
-      PARENT:
-	for my $p ( @{$zoneref->{parents}} ) {
-	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
-		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
-		    next PARENT if interface_match( $pi, $ci );
-		}
-	    }
-
-	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
-	}
-
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1214,16 +1159,15 @@ sub process_interface( $$ ) {
     }
 
     my $wildcard = 0;
-    my $physwild = 0;
     my $root;
 
     if ( $interface =~ /\+$/ ) {
-	$wildcard = $physwild = 1; # Default physical name is the logical name
+	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
 
-	if ( defined $minroot ) {
+	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1269,6 +1213,8 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );
 
 	for my $option (split_list1 $options, 'option' ) {
+	    next if $option eq '-';
+
 	    ( $option, my $value ) = split /=/, $option;
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1305,6 +1251,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1328,6 +1275,7 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
+		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1379,9 +1327,7 @@ sub process_interface( $$ ) {
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
 
-		    $physwild = ( $value =~ /\+$/ );
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
-
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1409,14 +1355,6 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}
 
-	for my $option ( keys %options ) {
-	    if ( $root ) {
-		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
-	    } else {
-		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
-	    }
-	}
-
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1475,7 +1413,6 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
 					         };
 
     $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1634,11 +1571,13 @@ sub known_interface($)
 
     my $iface = $interface;
 
-    if ( defined $minroot ) {
+    if ( $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface >= $minroot ) {
+	while ( length $iface > $minroot ) {
+	    chop $iface;
+
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1660,8 +1599,6 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
-
-	    chop $iface;
 	}
     }
 
@@ -1875,8 +1812,7 @@ sub find_interfaces_by_option( $;$ ) {
     for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
-	next unless $interfaceref->{root};                                   # Don't return '+' interface
-	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
+	next unless $interfaceref->{root};
 
 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1891,6 +1827,35 @@ sub find_interfaces_by_option( $;$ ) {
     \@ints;
 }
 
+#
+# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
+#
+# - All entries in %interfaces are searched.
+# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
+#
+sub find_interfaces_by_option1( $ ) {
+    my $option = $_[0];
+    my @ints = ();
+    my $wild = 0;
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+
+	next unless defined $interfaceref->{physical};
+
+	my $optionsref = $interfaceref->{options};
+
+	if ( $optionsref && defined $optionsref->{$option} ) {
+	    $wild ||= $interfaceref->{wildcard};
+	    push @ints , $interface
+	}
+    }
+
+    return unless defined wantarray;
+
+    wantarray ? ( \@ints, $wild ) : \@ints;
+}
+
 #
 # Return the value of an option for an interface
 #
@@ -2021,7 +1986,6 @@ sub verify_required_interfaces( $ ) {
 
 	emit( "esac\n" );
 
-	$returnvalue = 1;
     }
 
     $interfaces = find_interfaces_by_option( 'required' );
@@ -2031,7 +1995,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore)' );
+	    emit( 'start|reload|restore|refresh)' );
 	    push_indent;
 	}
 
@@ -2067,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( "esac\n" );
+	    emit( 'esac' );
 	}
 
 	$returnvalue = 1;

Shorewall/Perl/compiler.pl

@@ -32,6 +32,7 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
+#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -39,6 +40,7 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
+#         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -62,6 +64,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --timestamp ]
     [ --debug ]
     [ --confess ]
+    [ --refresh=<chainlist> ]
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
@@ -72,6 +75,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --shorewallrc=<pathname> ]
     [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
+    [ --inline ]
 _EOF_
 
 exit shift @_;
@@ -86,6 +90,7 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
+my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -97,6 +102,7 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
+my $inline        = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -111,6 +117,8 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
+			'r=s'             => \$chains,
+			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -124,6 +132,7 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
+			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -138,6 +147,7 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
+	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -149,4 +159,5 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
+	  inline          => $inline,
 	);

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
     $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route table $1
+	qt $IP -$g_family route del $route
     done
 } 
 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
 
     if [ -n "$g_purge" ]; then
-	if [ -n "$(mywhich conntrack)" ]; then
+	if [ -n $(mywhich conntrack) ]; then
             conntrack -F
 	else
             error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface $2 = table number
+detect_gateway() # $1 = interface
 {
     local interface
     interface=$1
@@ -912,8 +912,6 @@ detect_gateway() # $1 = interface $2 = table number
     # Maybe there's a default route through this gateway already
     #
     [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
-
-    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #
@@ -1065,6 +1063,8 @@ clear_firewall() {
     run_iptables -F
     qt $IPTABLES -t raw -F
 
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
     if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
     	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1373,6 +1373,8 @@ clear_firewall() {
     run_iptables -F
     qt $IP6TABLES -t raw -F
 
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
     run_clear_exit
 
     set_state "Cleared"

Shorewall/Perl/prog.footer

@@ -1,23 +1,5 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
-#
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
-#
-#	This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#	Free Software Foundation, either version 2 of the license or, at your
-#	option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
 ###############################################################################
 #
 # Give Usage Information
@@ -96,13 +78,11 @@ reload_command() {
     detect_configuration
     define_firewall
     status=$?
-
-    if [ $status -eq 0 ]; then
-	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-	progress_message3 "done."
-    else
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    if [ -n "$SUBSYSLOCK" ]; then
+ 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
     fi
+
+    [ $status -eq 0 ] && progress_message3 "done."
 }
 
 ################################################################################
@@ -147,10 +127,8 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
-g_dockeringress=
 g_dockernetwork=
 g_forcereload=
-g_fallback=
 
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 
@@ -286,10 +264,8 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    for table in raw mangle nat filter; do
-		qt $g_tool -t $table -Z
-	    done
-
+	    $g_tool -Z
+	    $g_tool -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -373,7 +349,6 @@ case "$COMMAND" in
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -443,12 +418,9 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    COMMAND=disable
 	    detect_configuration $1
-	    disable_provider $1 Yes
-	    COMMAND=enable
-	    detect_configuration $1
-	    enable_provider  $1 Yes
+	    COMMAND=enable  disable_provider $1 Yes
+	    COMMAND=disable enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0

Shorewall/Samples/Universal/shorewall.conf

@@ -45,8 +45,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -79,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -185,6 +183,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -199,10 +199,14 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -217,8 +221,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=Yes
 
 RESTART=restart
@@ -247,8 +249,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/shorewall.conf

@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -90,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Off
@@ -210,10 +210,14 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -228,8 +232,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No
 
 RESTART=restart
@@ -258,8 +260,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
-dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -53,8 +53,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -87,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -193,6 +191,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -207,10 +207,14 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -225,8 +229,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No
 
 RESTART=restart
@@ -255,8 +257,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
-ACCEPT		-		LOC_IF
-ACCEPT		DMZ_IF		-
-ACCEPT		-		DMZ_IF
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
 

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -90,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -210,10 +210,14 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No
 
 MUTEX_TIMEOUT=60
@@ -228,8 +232,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No
 
 RESTART=restart
@@ -258,8 +260,6 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/two-interfaces/snat

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
-ACCEPT		-		LOC_IF
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/actions.std

@@ -8,8 +8,11 @@
 #
 ###############################################################################
 #ACTION
+A_AllowICMPs inline		# Audited version of AllowICMPs
+A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
+A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -18,44 +21,33 @@ allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-?if __ADDRTYPE
-Broadcast    inline,audit	# Handles Broadcast/Anycast
-?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
-?endif
-DNSAmp	     proto=17		# Matches one-question recursive DNS queries
+DNSAmp				# Matches one-question recursive DNS queries
+Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
-dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
-DropDNSrep   inline,proto=17	# Drops DNS replies
+dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit,\	# Handles ACK,FIN packets
-	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Limit	     noinline		# Limit the rate of connections from each individual IP address
-?if __ADDRTYPE
-Multicast    inline,audit	# Handles Multicast
-?else
 Multicast    noinline,audit	# Handles Multicast
-?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
-	     proto=6
-rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
+Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit,\	# Handle packets with RST set
-	     proto=6
+RST	     inline,audit	# Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags     proto=6		# Handle bad flag combinations.
+TCPFlags			# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#

Shorewall/configfiles/disabled

@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/disabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully disabled using the 'disable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any

Shorewall/configfiles/enabled

@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/enabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully enabled using the 'enable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any

Shorewall/configfiles/masq

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /etc/shorewall/masq
+#
+# For information about entries in this file, type "man shorewall-masq"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-masq.html
+#
+###################################################################################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY