IPv6 Samples use logical interface names

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #

Shorewall-core/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -335,8 +335,9 @@ for f in lib.* ; do
 done
 
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 
 #

Shorewall-core/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.cli

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50106
 
 if [ -z "$g_basedir" ]; then
     #
@@ -47,10 +47,6 @@ startup_error() {
     exit 1
 }
 
-only_root() {
-    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
-}
-
 #
 # Display a chain if it exists
 #
@@ -87,8 +83,6 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
     case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -417,9 +411,9 @@ resolve_arptables() {
 savesets() {
     local supported
 
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }
 
 #
@@ -428,9 +422,9 @@ savesets() {
 savesets1() {
     local supported
 
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 
 #
@@ -441,9 +435,9 @@ do_save() {
     local arptables
     status=0
 
-    if [ -f $g_firewall ]; then
+    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f $g_firewall $g_restorepath
+	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -455,7 +449,7 @@ do_save() {
 	    status=1
 	fi
     else
-	echo "   ERROR: $g_firewall does not exist" >&2
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
     fi
 
@@ -640,7 +634,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -6 -o route list table $table | grep -vF cache | sort_routes
+		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -653,7 +647,7 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -6 -o route list | grep -vF cache | sort_routes
+	    ip -$g_family -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1191,26 +1185,6 @@ show_ipsec_command() {
     show_ipsec
 }
 
-show_saves_command() {
-    local f
-    local fn
-    local mtime
-
-    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
-    echo "Saved snapshots are:"
-    echo
-
-    for f in ${VARDIR}/*-iptables; do
-	fn=$(basename $f)
-	fn=${fn%-iptables}
-	mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
-	[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
-	echo "   $mtime ${fn%-iptables}"
-    done
-
-    echo
-}
-
 #
 # Show Command Executor
 #
@@ -1229,7 +1203,6 @@ show_command() {
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
-	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1324,47 +1297,37 @@ show_command() {
 
     [ -n "$g_debugging" ] && set -x
 
-    COMMAND="$COMMAND $1"
-
     case "$1" in
 	connections)
-	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 
-	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1388,7 +1351,6 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1425,50 +1387,33 @@ show_command() {
 	    fi
 	    ;;
 	chain)
-	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
-        rc)
-            shift
-	    [ $# -gt 1 ] && too_many_arguments $2
-            if [ -n "$1" -a -d "$1" ]; then
-                cat $1/shorewallrc
-            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
-                cat $g_basedir/shorewallrc
-            else
-                fatal_error "Can not determine the location of the shorewallrc file."
-            fi
-            ;;
 	policies)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1478,7 +1423,6 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1486,18 +1430,14 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
-	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1508,13 +1448,8 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
-	saves)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    show_saves_command
-	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1561,8 +1496,6 @@ show_command() {
 		    ;;
 	    esac
 
-	    only_root
-
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1880,7 +1813,7 @@ do_dump_command() {
 
     echo
 
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1994,6 +1927,41 @@ show_proc() # $1 = name of a file
     [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2577,21 +2545,15 @@ hits_command() {
     fi
 }
 
-#
-# Issue an error message and terminate if the firewall isn't started
-#
-require_started() {
-    if ! product_is_started; then
-	error_message "ERROR: $g_product is not started"
-	exit 2
-    fi
-}
-
 #
 # 'allow' command executor
 #
 allow_command() {
 
+    [ -n "$g_debugging" ] && set -x
+    [ $# -eq 1 ] && missing_argument
+
+    if product_is_started ; then
 	local allowed
 	local which
 	which='-s'
@@ -2599,10 +2561,8 @@ allow_command() {
 	range='--src-range'
 	local dynexists
 
-    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && missing_argument
-
 	if [ -n "$g_blacklistipset" ]; then
+
 	    case ${IPSET:=ipset} in
 		*/*)
 		    if [ ! -x "$IPSET" ]; then
@@ -2619,7 +2579,6 @@ allow_command() {
 	if chain_exists dynamic; then
 	    dynexists=Yes
 	elif [ -z "$g_blacklistipset" ]; then
-	require_started
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 
@@ -2685,6 +2644,10 @@ allow_command() {
 	done
 
 	[ -n "$g_nolock" ] || mutex_off
+    else
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
 }
 
 #
@@ -2804,6 +2767,7 @@ determine_capabilities() {
     LENGTH_MATCH=
     CLASSIFY_TARGET=
     ENHANCED_REJECT=
+    USEPKTTYPE=
     KLUDGEFREE=
     MARK=
     XMARK=
@@ -2899,7 +2863,6 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
-	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3150,6 +3113,7 @@ determine_capabilities() {
 	fi
     fi
 
+    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3263,6 +3227,7 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
     fi
+    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
     report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
     report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
     report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3272,8 +3237,8 @@ report_capabilities_unsorted() {
     [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
     report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
     report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
-    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
     if [ -n "$IPSET_MATCH" ]; then
+	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3366,7 +3331,6 @@ report_capabilities_unsorted() {
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
     report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
-    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3379,6 +3343,8 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
     fi
 
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
 }
 
 report_capabilities_unsorted1() {
@@ -3395,6 +3361,7 @@ report_capabilities_unsorted1() {
     report_capability1 CONNTRACK_MATCH
     report_capability1 NEW_CONNTRACK_MATCH
     report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
     report_capability1 POLICY_MATCH
     report_capability1 PHYSDEV_MATCH
     report_capability1 PHYSDEV_BRIDGE
@@ -3472,7 +3439,6 @@ report_capabilities_unsorted1() {
     report_capability1 NETMAP_TARGET
     report_capability1 NFLOG_SIZE
     report_capability1 RESTORE_WAIT_OPTION
-    report_capability1 NAT_INPUT_CHAIN
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3815,7 +3781,7 @@ iprange_command() {
 }
 
 ipdecimal_command() {
-    if [ $# -eq 1 ]; then
+    if [ $# eq 1 ]; then
 	missing_argument
     else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3958,7 +3924,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4112,15 +4078,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
 
-	if [ -x $g_firewall ]; then
+	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "$g_firewall is missing or is not executable"
+	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4249,11 +4215,11 @@ restart_command() {
 
     [ -n "$g_nolock" ] || mutex_on
 
-    if [ -x $g_firewall ]; then
+    if [ -x ${VARDIR}/firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it ${VARDIR}/firewall $g_debugging $COMMAND
 	rc=$?
     else
-	error_message "$g_firewall is missing or is not executable"
+	error_message "${VARDIR}/firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
@@ -4263,10 +4229,10 @@ restart_command() {
 }
 
 run_command() {
-    if [ -x $g_firewall ] ; then
+    if [ -x ${VARDIR}/firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it ${VARDIR}/firewall $g_debugging $@
     else
-	fatal_error "$g_firewall does not exist or is not executable"
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
     fi
 }
 
@@ -4324,6 +4290,7 @@ usage() # $1 = exit status
 
     echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   reenable <interface>"
+    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
 
     if [ -n "$g_lite" ]; then
@@ -4333,11 +4300,9 @@ usage() # $1 = exit status
     fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
     fi
 
     echo "   reset [ <chain> ... ]"
@@ -4380,9 +4345,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
-    echo "   [ show | list | ls ] rc"
     echo "   [ show | list | ls ] routing"
-    echo "   [ show | list | ls ] saves"
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
@@ -4431,6 +4394,7 @@ shorewall_cli() {
     g_use_verbosity=
     g_debug=
     g_export=
+    g_refreshchains=:none:
     g_confess=
     g_update=
     g_annotate=
@@ -4449,7 +4413,6 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
-    g_havemutex=
 
     VERBOSE=
     VERBOSITY=1
@@ -4622,14 +4585,12 @@ shorewall_cli() {
 
     case "$COMMAND" in
 	start)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4637,7 +4598,6 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
-	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4646,22 +4606,19 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
-	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it ${VARDIR}/firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
-	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4670,7 +4627,6 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
-	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4680,20 +4636,18 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
-	    only_root
+	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
-	    only_root
 	    get_config Yes No Yes
     	    shift
     	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
-	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4704,63 +4658,53 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
-	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
-	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
-	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
-	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
-	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
-	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4777,13 +4721,11 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
-	    only_root
 	    get_config
 	    shift
 	    restore_command $@
             ;;
 	call)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4821,20 +4763,17 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
-	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
-	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1

Shorewall-core/lib.common

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.common
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
 #     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
@@ -754,7 +754,7 @@ mutex_on()
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
-    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 
 	lockd=$(dirname $LOCKFILE)
 
@@ -762,7 +762,7 @@ mutex_on()
 
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -775,13 +775,11 @@ mutex_on()
 
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
             lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
             chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
@@ -792,15 +790,10 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
-		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
-
-	if [ -n "$g_havemutex" ]; then
-	    trap mutex_off EXIT
-	fi
     fi
 }
 
@@ -809,10 +802,7 @@ mutex_on()
 #
 mutex_off()
 {
-    if [ -n "$g_havemutex" ]; then
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
-	eval $g_havemutex
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
-	g_havemutex=
-	trap '' exit
-    fi
 }
 

Shorewall-core/lib.core

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.installer

@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/manpages/shorewall.xml

@@ -405,6 +405,20 @@
       <replaceable>provider</replaceable> }</arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>options</arg>
+
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
+      rep="repeat"><replaceable>chain</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -445,54 +459,6 @@
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getcaps</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-R</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getrc</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-c</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -847,7 +813,7 @@
 
       <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg choice="plain"><option>saves</option></arg>
+      <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1350,7 +1316,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -1807,6 +1773,63 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
+        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
+        </option><replaceable>directory</replaceable> ] [
+        <replaceable>chain</replaceable>... ]</term>
+
+        <listitem>
+          <para>Not available with Shorewall[6]-lite.</para>
+
+          <para>All steps performed by <command>restart</command> are
+          performed by <command>refresh</command> with the exception that
+          <command>refresh</command> only recreates the chains specified in
+          the command while <command>restart</command> recreates the entire
+          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
+          the static blacklisting chain <emphasis
+          role="bold">blacklst</emphasis> is assumed.</para>
+
+          <para>The listed chains are assumed to be in the filter table. You
+          can refresh chains in other tables by prefixing the chain name with
+          the table name followed by ":" (e.g., nat:net_dnat). Chain names
+          which follow are assumed to be in that table until the end of the
+          list or until an entry in the list names another table. Built-in
+          chains such as FORWARD may not be refreshed.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
+          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
+
+          <para>The <emphasis role="bold">refresh</emphasis> command has
+          slightly different behavior. When no chain name is given to the
+          <emphasis role="bold">refresh</emphasis> command, the mangle table
+          is refreshed along with the blacklist chain (if any). This allows
+          you to modify <filename>/etc/shorewall/tcrules </filename>and
+          install the changes using <emphasis
+          role="bold">refresh</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">reject</emphasis><replaceable>
         address</replaceable></term>
@@ -1918,57 +1941,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">remote-getcaps</emphasis>
-        [-<option>R</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command executes <emphasis
-          role="bold">shorewall[6]-lite show capabilities -f &gt;
-          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
-          <replaceable>system</replaceable> via ssh then the generated file is
-          copied to <replaceable>directory</replaceable> on the local system.
-          If no <replaceable>directory</replaceable> is given, the current
-          working directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
-          shorewallrc file is also copied to
-          <replaceable>directory</replaceable>.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">remote-getrc</emphasis>
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
-          file from the remote <replaceable>system</replaceable> to
-          <replaceable>directory</replaceable> on the local system. If no
-          <replaceable>directory</replaceable> is given, the current working
-          directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
-          capabilities are also copied to
-          <replaceable>directory</replaceable>, as is done by the
-          <command>remote-getcaps</command> command.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -2020,9 +1992,9 @@
           role="bold">shorewall-lite save</emphasis> via ssh.</para>
 
           <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
+          command <emphasis role="bold">shorewall-lite show capabilities -f
-          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
+          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
-          via ssh then the generated file is copied to
+          ssh then the generated file is copied to
           <replaceable>directory</replaceable> using scp. This step is
           performed before the configuration is compiled.</para>
 
@@ -2033,6 +2005,13 @@
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2451,11 +2430,11 @@
         <replaceable>filename</replaceable> ]</term>
 
         <listitem>
-          <para>Creates a snapshot of the currently running firewall. The
+          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
-          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
+          The state of the firewall is stored in
-          the firewall is stored in
           /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> command. If
+          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
+          role="bold">shorewall -f start</emphasis> commands. If
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2758,15 +2737,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">rc</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Displays the contents of
-                $SHAREDIR/shorewall/shorewallrc.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term>[-<option>c</option>]<emphasis role="bold">
               routing</emphasis></term>
@@ -2792,20 +2762,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>saves</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
-                <command>save</command> command. Each snapshot is listed with
-                the date and time when it was taken. If there is a snapshot
-                with the name specified in the RESTOREFILE option in <ulink
-                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
-                snapshot is listed as the <emphasis>default</emphasis>
-                snapshot for the <command>restore</command> command.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">tc</emphasis></term>
 
@@ -2965,7 +2921,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.2 rc file
+# Apple OS X Shorewall 5.0 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.2 rc file
+# Arch Linux Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.2 rc file
+# Cygwin Shorewall 5.0 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,7 +13,7 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-empty, annotated configuration files are installed
+ANNOTATED=				#If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.2 rc file
+# Default Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux

Shorewall-core/shorewallrc.openwrt

@@ -1,5 +1,5 @@
 #
-# OpenWRT/LEDE Shorewall 5.2 rc file
+# OpenWRT Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.2 rc file
+# RedHat/FedoraShorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.sandbox

@@ -1,28 +0,0 @@
-#
-# Shorewall 5.2 rc file for installing into a Sandbox
-#
-BUILD=                                       # Default is to detect the build system
-HOST=linux
-INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
-PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
-PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
-CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
-SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
-MANDIR=		     			     # Leave empty
-INITDIR=				     # Leave empty				     				
-INITSOURCE=				     # Leave empty
-INITFILE=				     # Leave empty
-AUXINITSOURCE=				     # Leave empty
-AUXINITFILE=				     # Leave empty
-SERVICEDIR=				     # Leave empty
-SERVICEFILE=    			     # Leave empty
-SYSCONFFILE=				     # Leave empty
-SYSCONFDIR=				     # Leave empty			
-SPARSE=					     # Leave empty			
-ANNOTATED=				     # If non-empty, annotated configuration files are installed				
-VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
-VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
-DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
-SANDBOX=Yes				     # Indicates SANDBOX installation

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.2 rc file
+# Slackware Shorewall 5.0 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.2 rc file
+# SuSE Shorewall 5.0 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall-init/init.debian.sh

@@ -73,16 +73,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
-    else
     if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-            return 1
+	return 0
-        fi
     fi
 }
 
@@ -112,6 +108,7 @@ shorewall_start () {
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
               #
 	      # Run in a sub-shell to avoid name collisions
 	      #
@@ -121,6 +118,7 @@ shorewall_start () {
 		  fi
 	      )
 	  fi
+      fi
   done
 
   echo "done."
@@ -147,8 +145,10 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
+      fi
   done
 
   echo "done."

Shorewall-init/init.fedora.sh

@@ -44,14 +44,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -77,6 +75,7 @@ start () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
 		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
 		retval=${PIPESTATUS[0]}
 		[ $retval -ne 0 ] && break
@@ -84,6 +83,9 @@ start () {
 		retval=6 #Product not configured
 		break
 	    fi
+	else
+	    break
+	fi
     done
 
     if [ $retval -eq 0 ]; then
@@ -108,6 +110,7 @@ stop () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
 		retval=${PIPESTATUS[0]}
 		[ $retval -ne 0 ] && break
@@ -115,6 +118,9 @@ stop () {
 		retval=6 #Product not configured
 		break
 	    fi
+	else
+	    break
+	fi
     done
 
     if [ $retval -eq 0 ]; then

Shorewall-init/init.openwrt.sh

@@ -75,14 +75,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -94,17 +92,17 @@ start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
+      fi
   done
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
       ipset -R < "$SAVE_IPSETS"
   fi
-
-  return 0
 }
 
 boot () {
@@ -119,8 +117,10 @@ stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
+	fi
     done
 
     if [ -n "$SAVE_IPSETS" ]; then
@@ -131,7 +131,5 @@ stop () {
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
-
-    return 0
 }
 

Shorewall-init/init.sh

@@ -69,12 +69,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	return 0
-    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
     else
-	return 1
+	return 0
     fi
 }
 
@@ -86,10 +84,12 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
+      fi
   done
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -107,8 +107,10 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
+      fi
   done
 
   if [ -n "$SAVE_IPSETS" ]; then

Shorewall-init/init.suse.sh

@@ -79,14 +79,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 6
+	return 0
     fi
 }
 
@@ -98,10 +96,12 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
+	  if [ -x $STATEDIR/firewall ]; then
 	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	      fi
 	  fi
+      fi
   done
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -117,8 +117,10 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
+      fi
   done
 
   if [ -n "$SAVE_IPSETS" ]; then

Shorewall-init/shorewall-init

@@ -33,12 +33,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
-        return 0
-    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
+    else
+	return 0
     fi
 }
 
@@ -67,6 +67,7 @@ shorewall_start () {
     printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
 		#
 		# Run in a sub-shell to avoid name collisions
 		#
@@ -76,6 +77,7 @@ shorewall_start () {
 		    fi
 		)
 	    fi
+	fi
     done
 
     if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -93,8 +95,10 @@ shorewall_stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
+	fi
     done
 
     if [ -n "$SAVE_IPSETS" ]; then

Shorewall-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -0,0 +1,57 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Drop
+#
+# The audited default DROP common rules
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+Auth(A_DROP)
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Don't log broadcasts and multicasts
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep

Shorewall/Actions/action.A_REJECT

@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECT
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_REJECT!

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_Reject.deprecated

@@ -0,0 +1,54 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Reject
+#
+# The audited default REJECT action common rules
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Drop Broadcasts and multicasts so they don't clutter up the log
+# (these must *not* be rejected).
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep

Shorewall/Actions/action.AllowICMPs

@@ -13,6 +13,7 @@ DEFAULTS ACCEPT
     @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
+
     @1	-		-	ipv6-icmp	destination-unreachable
     @1	-		-	ipv6-icmp	packet-too-big
     @1	-		-	ipv6-icmp	time-exceeded

Shorewall/Actions/action.Broadcast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.DNSAmp

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Drop.deprecated

@@ -0,0 +1,84 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Drop
+#
+# The former default DROP common rules. Use of this action is now deprecated
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+#     with them.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Don't log broadcasts or multicasts
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+Invalid(DROP,@1)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)

Shorewall/Actions/action.Established

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.FIN

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -30,4 +30,4 @@
 
 DEFAULTS ACCEPT,-
 
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH

Shorewall/Actions/action.IfEvent

@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Shorewall/Actions/action.Invalid

@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Multicast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.New

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.NotSyn

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.RST

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Reject.deprecated

@@ -0,0 +1,85 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Reject
+#
+# The former default REJECT action common rules. Use of this action is deprecated.
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing
+#     special with them.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+Invalid(DROP,@1)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)

Shorewall/Actions/action.Related

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Untracked

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.allowInvalid

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.dropInvalid

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Macros/macro.FreeIPA

@@ -1,16 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.FreeIPA
-#
-# This macro handles FreeIPA server traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DNS
-HTTP
-HTTPS
-Kerberos
-Kpasswd
-LDAP
-LDAPS
-NTP

Shorewall/Macros/macro.IPMI

@@ -11,20 +11,14 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	8889		# WS-MAN
-HTTP
-Telnet
-SNMP
-
-# TLS/secure ports
 PARAM	-	-	tcp	3520		# Remote Console (Redfish)
-PARAM	-	-	tcp	3669		# Virtual Media (Dell)
+PARAM	-	-	udp	623		# RMCP
-PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
+HTTP
-PARAM	-	-	tcp	7582		# Remote Console (AMI)
 HTTPS
+SNMP
 SSH						# Serial over Lan
+Telnet

Shorewall/Macros/macro.Kpasswd

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Kpasswd
-#
-# This macro handles Kerberos "passwd" traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	464
-PARAM	-	-	udp	464

Shorewall/Macros/macro.RedisSecure

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisSecure
-#
-# This macro handles Redis Secure (SSL/TLS) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	6380

Shorewall/Macros/macro.Rwhois

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Rwhois
-#
-# This macro handles Remote Who Is (rwhois) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	4321

Shorewall/Macros/macro.SNMPTrap.deprecated

@@ -1,9 +1,9 @@
 #
-# Shorewall -- /usr/share/shorewall/macro.Apcupsd
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles apcupsd traffic.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
-PARAM	-	-	tcp	3551
+SNMPtrap

Shorewall/Macros/macro.SSDP

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDP
-#
-# This macro handles SSDP (used by DLNA/UPnP) client traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900

Shorewall/Macros/macro.SSDPserver

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDPserver
-#
-# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900
-PARAM	DEST	SOURCE	udp	-	1900

Shorewall/Perl/Shorewall/ARP.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
+			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,

Shorewall/Perl/Shorewall/Chains.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -172,12 +172,6 @@ our %EXPORT_TAGS = (
 				       related_chain
 				       invalid_chain
 				       untracked_chain
-				       rules_log
-				       blacklist_log
-				       established_log
-				       related_log
-				       invalid_log
-				       untracked_log
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -341,7 +335,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
 #                                               blacklistsection
-#                                                            => Chain was created by entries in the blrules file
+#                                                            => Chain was created by entries in the BLACKLIST section of the rules file
 #                                               action       => <action tuple that generated this chain>
 #                                               restricted   => Logical OR of restrictions of rules in this chain.
 #                                               restriction  => Restrictions on further rules in this chain.
@@ -367,13 +361,13 @@ our $VERSION = 'MODULEVERSION';
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
-#       'loglevel', 'synparams', 'synchain', 'audit', 'default' and 'origin' only apply to policy chains.
+#       'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
 ###########################################################################################################################################
 #
 # For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
 # joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
 # connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
-# explicit policy for the ordered pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
+# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
 # wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
 #
 # Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
@@ -403,7 +397,7 @@ our $VERSION = 'MODULEVERSION';
 #      MAC Recent      - <dev>_rec
 #      SNAT            - <dev>_snat
 #      ECN             - <dev>_ecn
-#      INPUT Options   - <dev>_iop
+#      FORWARD Options - <dev>_fop
 #      OUTPUT Options  - <dev>_oop
 #      FORWARD Options - <dev>_fop
 #
@@ -880,9 +874,6 @@ sub validate_port( $$ ) {
     fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 
-#
-# Port or port-pair separated by ':'. Either port may be omitted in the pair
-#
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
@@ -923,15 +914,15 @@ sub validate_portpair( $$ ) {
 
 }
 
-#
-# Port or port-pair separated by '-'. Neither port may be omitted in the pair
-#
 sub validate_portpair1( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
 
     fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
 
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
     my @ports = split /-/, $portpair, 2;
 
     my $protonum = resolve_proto( $proto ) || 0;
@@ -1325,14 +1316,14 @@ sub pop_match( $$ ) {
 
 sub clone_irule( $ );
 
-sub format_rule( $$ ) {
+sub format_rule( $$;$ ) {
-    my ( $chainref, $rulerefp ) = @_;
+    my ( $chainref, $rulerefp, $suppresshdr ) = @_;
 
     return $rulerefp->{cmd} if exists $rulerefp->{cmd};
 
-    my $rule = "-A $chainref->{name}";
+    my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
     #
-    # The code that follows can be destructive of the rule so we clone it
+    # The code the follows can be destructive of the rule so we clone it
     #
     my $ruleref = $rulerefp->{complex} ? clone_irule( $rulerefp ) : $rulerefp;
     my $nfacct  = $rulerefp->{nfacct};
@@ -2272,56 +2263,6 @@ sub untracked_chain($$) {
     '&' . &rules_chain(@_);
 }
 
-#
-# Logname for chains between an ordered pair of zones
-#
-sub rules_log( $$ ) {
-    my $logchain = $config{LOG_ZONE};
-
-    if ( $logchain eq 'both' ) {
-	join "$config{ZONE2ZONE}", @_;
-    } elsif ( $logchain eq 'src' ) {
-	$_[0];
-    } else {
-	$_[1];
-    }
-}
-
-#
-# Log name of the blacklist chain between an ordered pair of zones
-#
-sub blacklist_log($$) {
-    &rules_log(@_) . '~';
-}
-
-#
-# Log name of the established chain between an ordered pair of zones
-#
-sub established_log($$) {
-    '^' . &rules_log(@_)
-}
-
-#
-# Log name of the related chain between an ordered pair of zones
-#
-sub related_log($$) {
-    '+' . &rules_log(@_);
-}
-
-#
-# Log name of the invalid chain between an ordered pair of zones
-#
-sub invalid_log($$) {
-    '_' . &rules_log(@_);
-}
-
-#
-# Name of the untracked chain between an ordered pair of zones
-#
-sub untracked_log($$) {
-    '&' . &rules_log(@_);
-}
-
 #
 # Create the base for a chain involving the passed interface -- we make this a function so it will be
 # easy to change the mapping should the need ever arrive.
@@ -2357,6 +2298,8 @@ sub use_forward_chain($$) {
 
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # Use it if we already have jumps to it
     #
@@ -2431,6 +2374,8 @@ sub use_input_chain($$) {
     my ( $interface, $chainref ) = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # We must use the interfaces's chain if the interface is associated with multiple Zones
     #
@@ -2510,6 +2455,8 @@ sub use_output_chain($$) {
     my ( $interface, $chainref)  = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
     #
     # We must use the interfaces's chain if the interface is associated with multiple Zones
     #
@@ -2641,14 +2588,13 @@ sub reserved_name( $ ) {
 #
 # Create a new chain and return a reference to it.
 #
-sub new_chain($$;$)
+sub new_chain($$)
 {
-    my ($table, $chain, $logchain) = @_;
+    my ($table, $chain) = @_;
 
     assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );
 
     my $chainref = { name           => $chain,
-		     logname        => $logchain || $chain,
 		     rules          => [],
 		     table          => $table,
 		     loglevel       => '',
@@ -2669,7 +2615,7 @@ sub new_chain($$;$)
 #
 # Find a chain
 #
-sub find_chain($$;$) {
+sub find_chain($$) {
     my ($table, $chain) = @_;
 
     assert( $table && $chain && $chain_table{$table} );
@@ -2680,7 +2626,7 @@ sub find_chain($$;$) {
 #
 # Create a chain if it doesn't exist already
 #
-sub ensure_chain($$;$)
+sub ensure_chain($$)
 {
     &find_chain( @_ ) || &new_chain( @_ );
 }
@@ -3233,8 +3179,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
-	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
-
 	for my $chain ( qw(PREROUTING INPUT OUTPUT ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3297,8 +3241,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
-	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
-
 	for my $chain ( qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3324,7 +3266,7 @@ sub initialize_chain_table($) {
 	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
     }
 
-    if ( $config{DOCKER} ) {
+    if ( my $docker = $config{DOCKER} ) {
 	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
@@ -3434,43 +3376,15 @@ sub delete_references( $ ) {
 #
 # Calculate a digest for the passed chain and store it in the {digest} member.
 #
-# First, a lightweight version of format_rule()
-#
-sub irule_to_string( $ ) {
-    my ( $ruleref ) = @_;
-
-    return $ruleref->{cmd} if exists $ruleref->{cmd};
-
-    my $string = '';
-
-    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}} ) {
-	my $value = $ruleref->{$_};
-	if ( reftype $value ) {
-	    $string .= "$_=" . join( ',', @$value ) . ' ';
-	} else {
-	    $string .= "$_=$value ";
-	}
-    }
-
-    if ( $ruleref->{target} ) {
-	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
-	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
-    }
-
-    $string .= join( '', ' -m comment --comment "', $ruleref->{comment}, '"' ) if $ruleref->{comment};
-
-    $string;
-}
-
 sub calculate_digest( $ ) {
     my $chainref = shift;
     my $rules = '';
 
     for ( @{$chainref->{rules}} ) {
 	if ( $rules ) {
-	    $rules .= ' |' . irule_to_string( $_ );
+	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $rules = irule_to_string( $_ );
+	    $rules = format_rule( $chainref, $_, 1 );
 	}
     }
 
@@ -3832,7 +3746,7 @@ sub optimize_level4( $$ ) {
     #
     # In this loop, we look for chains that end in an unconditional jump. The jump is replaced by
     # the target's rules, provided that the target chain is short (< 4 rules) or has only one
-    # reference. This prevents multiple copies of long chains from being created.
+    # reference. This prevents multiple copies of long chains being created.
     #
     $progress = 1;
 
@@ -3942,10 +3856,7 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} &&
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
-							   @{$_->{rules}}        &&
-							   ! $_->{builtin},
-							   values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -3965,11 +3876,12 @@ sub optimize_level8( $$$ ) {
 	    # Shift the current $chainref off of @chains1
 	    #
 	    shift @chains1;
-
-	    for my $chainref1 (grep ! ( $_->{optflags} & DONT_DELETE ), @chains1 ) {
 	    #
-		# Chains identical?
+	    # Skip empty chains
 	    #
+	    for my $chainref1 ( @chains1 ) {
+		next unless @{$chainref1->{rules}};
+		next if $chainref1->{optflags} & DONT_DELETE;
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
@@ -3980,7 +3892,7 @@ sub optimize_level8( $$$ ) {
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains
 
-		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
+		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
 			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
@@ -4399,7 +4311,7 @@ sub get_conntrack( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment' & origin are omitted;
 #
 sub get_keys1( $ ) {
     my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
@@ -4563,21 +4475,15 @@ sub valid_tables() {
 
 sub optimize_ruleset() {
 
-    my $optimize = $config{OPTIMIZE};
-
     for my $table ( valid_tables ) {
 
 	my $tableref = $chain_table{$table};
 	my $passes   = 0;
+	my $optimize = $config{OPTIMIZE};
 
 	$passes = optimize_level4(  $table, $tableref )           if $optimize & 4;
-	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;
-
-	my $savepasses = $passes;
-
 	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
-
+	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;
-	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16 && $passes > $savepasses + 1;
 
 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
@@ -4691,7 +4597,7 @@ sub logchain( $$$$$$ ) {
 	log_irule_limit(
 		       $loglevel ,
 		       $logchainref ,
-		       $chainref->{logname} ,
+		       $chainref->{name} ,
 		       $disposition ,
 		       [] ,
 		       $logtag,
@@ -4876,7 +4782,6 @@ sub do_proto( $$$;$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
-	my $all      = ( $proto =~ s/:all$//i );
 	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -4892,7 +4797,6 @@ sub do_proto( $$$;$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
-		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -5032,8 +4936,6 @@ sub do_proto( $$$;$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
-	    $proto = $proto . ':all' if $all;
-
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -5090,7 +4992,6 @@ sub do_iproto( $$$ )
     if ( $proto ne '' ) {
 
 	my $synonly  = ( $proto =~ s/:syn$//i );
-	my $all      = ( $proto =~ s/:all$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
@@ -5105,7 +5006,6 @@ sub do_iproto( $$$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
-		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		@output = ( p => "${invert}${proto}" );
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -5240,8 +5140,6 @@ sub do_iproto( $$$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 
-	    $proto = $proto . ':all' if $all;
-
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -6870,13 +6768,13 @@ sub log_irule_limit( $$$$$$$$@ ) {
 sub log_rule( $$$$ ) {
     my ( $level, $chainref, $disposition, $matches ) = @_;
 
-    log_rule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
+    log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
 }
 
 sub log_irule( $$$;@ ) {
     my ( $level, $chainref, $disposition, @matches ) = @_;
 
-    log_irule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
+    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }
 
 #
@@ -7097,17 +6995,14 @@ sub interface_address( $ ) {
 #
 sub get_interface_address ( $;$ ) {
     my ( $logical, $provider ) = @_;
+
     my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
+    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
 
     $global_variables |= ALL_COMMANDS;
 
-    if ( $interface eq loopback_interface ) {
-	$interfaceaddr{$interface} = "$variable=" . loopback_address;
-    } else {
-	my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
     $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
-    }
 
     set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
 
@@ -8295,8 +8190,19 @@ sub add_interface_options( $ ) {
 	# Generate a digest for each chain
 	#
 	for my $chainref ( values %input_chains, values %forward_chains ) {
+	    my $digest = '';
+
 	    assert( $chainref );
-	    calculate_digest( $chainref );
+
+	    for ( @{$chainref->{rules}} ) {
+		if ( $digest ) {
+		    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+		} else {
+		    $digest = format_rule( $chainref, $_, 1 );
+		}
+	    }
+
+	    $chainref->{digest} = sha1_hex $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -8585,7 +8491,7 @@ sub save_dynamic_chains() {
     my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
 
-    emit ( 'if [ "$COMMAND" = reload ]; then' );
+    emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
     push_indent;
 
     emit( 'if [ -n "$g_counters" ]; then' ,
@@ -8594,7 +8500,7 @@ sub save_dynamic_chains() {
 	);
 
     if ( have_capability 'IPTABLES_S' ) {
-	emithd <<"EOF";
+	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
 else
@@ -8615,7 +8521,6 @@ fi
 EOF
 	if ( $config{MINIUPNPD} ) {
 	    emit << "EOF";
-
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
     $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8624,7 +8529,7 @@ fi
 EOF
 	}
     } else {
-	emithd <<"EOF";
+	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -8644,8 +8549,7 @@ else
 fi
 EOF
 	if ( $config{MINIUPNPD} ) {
-	    emithd << "EOF";
+	    emit << "EOF";
-
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
     $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8659,7 +8563,7 @@ EOF
     emit ( 'else' );
     push_indent;
 
-emithd <<"EOF";
+emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
 EOF
@@ -8696,7 +8600,7 @@ sub ensure_ipsets( @ ) {
 
 	pop_indent;
 
-	emit( q(    fi) );
+	emit( qq(    fi\n) );
 
     }
 
@@ -8872,6 +8776,7 @@ sub create_load_ipsets() {
 		  '        $IPSET flush $set' ,
 		  '        $IPSET destroy $set' ,
 		  "    done" ,
+		  '',
 		);
 	} else {
 	    #
@@ -8883,7 +8788,7 @@ sub create_load_ipsets() {
 		   '    fi' );
 	};
 
-	emit( "}\n" );
+	emit( '}' );
     }
     #
     # Now generate load_ipsets()
@@ -8950,16 +8855,22 @@ sub create_load_ipsets() {
 
 	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
 	    ensure_ipsets( @ipsets );
+
+	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );
+	    emit ( '' );
 	};
 
-	emit ( 'fi' );
+	emit ( 'fi' ,
+	       '' );
     } else {
 	emit 'true';
     }
 
     pop_indent;
 
-    emit "}\n";	    
+    emit '}';	    
 }
 
 #
@@ -9132,7 +9043,7 @@ sub create_netfilter_load( $ ) {
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
 	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	  'fi'
+	  "fi\n"
 	);
 
     pop_indent;
@@ -9224,6 +9135,156 @@ sub preview_netfilter_load() {
     print "\n";
 }
 
+#
+# Generate the netfilter input for refreshing a list of chains
+#
+sub create_chainlist_reload($) {
+
+    my $chains = $_[0];
+
+    my @chains;
+
+    unless ( $chains eq ':none:' ) {
+	if ( $chains eq ':refresh:' ) {
+	    $chains = '';
+	} else {
+	    @chains =  split_list $chains, 'chain';
+	}
+
+	unless ( @chains ) {
+	    @chains = qw( blacklst ) if $filter_table->{blacklst};
+	    push @chains, 'blackout' if $filter_table->{blackout};
+
+	    for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
+		push @chains, $_->{name} if $_->{blacklistsection};
+	    }
+
+	    push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	    $chains = join( ',', @chains ) if @chains;
+	}
+    }
+
+    $mode = NULL_MODE;
+
+    emit(  'chainlist_reload()',
+	   '{'
+	   );
+
+    push_indent;
+
+    if ( @chains ) {
+	my $word = @chains == 1 ? 'chain' : 'chains';
+
+	progress_message2 "Compiling iptables-restore input for $word @chains...";
+	save_progress_message "Preparing iptables-restore input for $word @chains...";
+
+	emit '';
+
+	my $table = 'filter';
+
+	my %chains;
+
+	my %tables;
+
+	for my $chain ( @chains ) {
+	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
+
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
+
+	    $chains{$table} = {} unless $chains{$table};
+
+	    if ( $chain ) {
+		my $chainref;
+		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
+		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
+
+		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
+		    $tables{$table} = 1;
+		} else {
+		    $chains{$table}{$chain} = $chainref;
+		}
+	    } else {
+		$tables{$table} = 1;
+	    }
+	}
+
+	for $table ( keys %tables ) {
+	    while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
+		$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
+	    }
+	}
+
+	emit 'exec 3>${VARDIR}/.iptables-restore-input';
+
+	enter_cat_mode;
+
+	for $table ( qw(raw nat mangle filter) ) {
+	    my $tableref=$chains{$table};
+
+	    next unless $tableref;
+
+	    @chains = sort keys %$tableref;
+
+	    emit_unindented "*$table";
+
+	    for my $chain ( @chains ) {
+		my $chainref = $tableref->{$chain};
+		emit_unindented ":$chainref->{name} - [0:0]";
+	    }
+
+	    for my $chain ( @chains ) {
+		my $chainref = $tableref->{$chain};
+		my @rules = @{$chainref->{rules}};
+		my $name = $chainref->{name};
+
+		@rules = () unless @rules;
+		#
+		# Emit the chain rules
+		#
+		emitr($chainref, $_) for @rules;
+	    }
+	    #
+	    # Commit the changes to the table
+	    #
+	    enter_cat_mode unless $mode == CAT_MODE;
+
+	    emit_unindented 'COMMIT';
+	}
+
+	enter_cmd_mode;
+
+	#
+	# Now generate the actual ip[6]tables-restore command
+	#
+	emit(  'exec 3>&-',
+	       '' );
+
+	if ( $family == F_IPV4 ) {
+	    emit ( 'progress_message2 "Running iptables-restore..."',
+		   '',
+		   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
+		   'if [ $? != 0 ]; then',
+		   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
+		   "fi\n"
+		 );
+	} else {
+	    emit ( 'progress_message2 "Running ip6tables-restore..."',
+		   '',
+		   'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
+		   'if [ $? != 0 ]; then',
+		   '    fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
+		   "fi\n"
+		 );
+	}
+    } else {
+	emit('true');
+    }
+
+    pop_indent;
+
+    emit "}\n";
+}
+
 #
 # Generate the netfilter input to stop the firewall
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
 
     copy2( $lib, $debug ) if -f $lib;
 
-    emithd<<'EOF';
+    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
     }
 
-    emithd <<'EOF';
+    emit <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -270,11 +270,12 @@ sub generate_script_2() {
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( '' );
     }
 
     pop_indent;
 
-    emit "}\n"; # End of initialize()
+    emit "\n}\n"; # End of initialize()
 
     emit( '' ,
 	  '#' ,
@@ -311,9 +312,10 @@ sub generate_script_2() {
 	    push_indent;
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-		verify_required_interfaces(0);
+
 		set_global_variables(0, 0);
-		handle_optional_interfaces;
+
+		handle_optional_interfaces(0);
 	    }
 
 	    emit ';;';
@@ -325,19 +327,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 
-	verify_required_interfaces(1);
 	set_global_variables(1,1);
-	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
 	}
     } else {
-	verify_required_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces(1);
-	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
@@ -356,7 +358,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3() {
+sub generate_script_3($) {
 
     if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -366,6 +368,7 @@ sub generate_script_3() {
 
     create_netfilter_load( $test );
     create_arptables_load( $test ) if $have_arptables;
+    create_chainlist_reload( $_[0] );
     create_save_ipsets;
     create_load_ipsets;
 
@@ -397,10 +400,16 @@ sub generate_script_3() {
 	emit 'load_kernel_modules Yes';
     }
 
-    emit( '' ,
+    emit '';
+
+    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	   '   run_refresh_exit' ,
+	   'else' ,
 	   '    run_init_exit',
-	  '' ,
+	   'fi',
-	  'load_ipsets' ,
+	   '' );
+
+    emit( 'load_ipsets' ,
 	  '' );
 
     create_nfobjects;
@@ -458,6 +467,11 @@ sub generate_script_3() {
     dump_proxy_arp;
     emit_unindented '__EOF__';
 
+    emit( '',
+	  'if [ "$COMMAND" != refresh ]; then' );
+
+    push_indent;
+
     emit 'cat > ${VARDIR}/zones << __EOF__';
     dump_zone_contents;
     emit_unindented '__EOF__';
@@ -470,6 +484,10 @@ sub generate_script_3() {
     dump_mark_layout;
     emit_unindented '__EOF__';
 
+    pop_indent;
+
+    emit "fi\n";
+
     emit '> ${VARDIR}/nat';
 
     add_addresses;
@@ -508,12 +526,29 @@ sub generate_script_3() {
 
     my $config_dir = $globals{CONFIGDIR};
 
-    emithd <<"EOF";
+    emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
+elif [ \$COMMAND = refresh ]; then
-    setup_netfilter
+    chainlist_reload
 EOF
+    push_indent;
+    setup_load_distribution;
+    setup_forwarding( $family , 0 );
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit( '    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
+
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit( "    set_state Started $config_dir",
+	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	  'else',
+	  '    setup_netfilter'	);
+
     push_indent;
     emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
@@ -538,7 +573,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
 
-    emithd<<'EOF';
+    emit<<'EOF';
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -548,6 +583,9 @@ case $COMMAND in
     reload)
         mylogger kern.info "$g_product reloaded"
         ;;
+    refresh)
+        mylogger kern.info "$g_product refreshed"
+        ;;
     restore)
         mylogger kern.info "$g_product restored"
         ;;
@@ -582,8 +620,8 @@ sub compile_info_command() {
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
-       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
     $export         = 0;
     $test           = 0;
@@ -612,6 +650,7 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
+		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -619,6 +658,7 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -655,7 +695,7 @@ sub compiler {
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $inline );
     #
     # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
     # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -778,7 +818,7 @@ sub compiler {
     #
     # Setup Masquerade/SNAT
     #
-    setup_snat;
+    setup_snat( $update );
     #
     # Setup Nat
     #
@@ -859,7 +899,7 @@ sub compiler {
 
 	optimize_level0;
 
-	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -881,7 +921,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3();
+	generate_script_3( $chains );
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall

Shorewall/Perl/Shorewall/Config.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -189,7 +189,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
-				       emithd
 				       emitstd
 				       emit_unindented
 				       save_progress_message
@@ -303,10 +302,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                        DO_SECTION
 				       NORMAL_READ
 
-				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
+				       OPTIMIZE_USE_FIRST
 				       OPTIMIZE_ALL
 				     ) , ] ,
 		   protocols => [ qw (
@@ -414,6 +413,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		                    'Old conntrack match syntax',
 		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
+		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
@@ -496,10 +496,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                  NFLOG_SIZE      => '--nflog-size support',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
-                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
-		 #
-		 # Helpers
-		 #
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -547,8 +543,9 @@ use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
-               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
+
+	       OPTIMIZE_USE_FIRST      => 0x1000 # Always use interface 'first' chains -- undocumented
 	     };
 
 our %helpers = ( amanda          => UDP,
@@ -564,8 +561,6 @@ our %helpers = ( amanda          => UDP,
 		 tftp            => UDP,
 	       );
 
-use constant { INCLUDE_LIMIT     => 20 };
-
 our %helpers_map;
 
 our %helpers_names;
@@ -595,6 +590,8 @@ our %config_files = ( #accounting      => 1,
 		      policy	       => 1,
 		      providers	       => 1,
 		      proxyarp	       => 1,
+		      refresh	       => 1,
+		      refreshed	       => 1,
 		      restored	       => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
@@ -669,6 +666,7 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -677,7 +675,6 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
 
 our $family;                 # Protocol family (4 or 6)
-our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -711,13 +708,13 @@ our %validlevels;            # Valid log levels.
 # Deprecated options with their default values
 #
 our %deprecated = (
-		   LEGACY_RESTART => 'no' ,
+		   LEGACY_RESTART => 'no'
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = (
-		    LEGACY_RESTART => 1 ,
+		  LEGACY_RESTART => 1
 		 );
 #
 # Eliminated options
@@ -732,8 +729,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                     MODULE_SUFFIX    => 1,
-                    MAPOLDACTIONS    => 1,
-		    INLINE_MATCHES   => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -793,8 +788,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$$) {
+sub initialize( $;$$) {
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -838,8 +833,8 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.0-Beta1',
+		    VERSION                 => "5.1.8-Beta1",
-		    CAPVERSION              => 50200 ,
+		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -883,7 +878,6 @@ sub initialize( $;$$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
-	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@@ -942,6 +936,7 @@ sub initialize( $;$$$) {
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
 	  SAVE_ARPTABLES => undef,
+	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
@@ -984,6 +979,7 @@ sub initialize( $;$$$) {
 	  USE_RT_NAMES => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
+	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
@@ -997,7 +993,6 @@ sub initialize( $;$$$) {
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
-	  RENAME_COMBINED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1055,6 +1050,7 @@ sub initialize( $;$$$) {
 	       CONNTRACK_MATCH => undef,
 	       NEW_CONNTRACK_MATCH => undef,
 	       OLD_CONNTRACK_MATCH => undef,
+	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
 	       PHYSDEV_BRIDGE => undef,
@@ -1132,7 +1128,6 @@ sub initialize( $;$$$) {
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
-	       NAT_INPUT_CHAIN => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1692,7 +1687,6 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
-		$line =~ s/[ \t]+\n/\n/gm;
 		print $script "$line\n" if $script;
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 
@@ -1713,15 +1707,6 @@ sub emit {
     }
 }
 
-#
-# Used to emit a 'here documents' string without introducing an unwanted blank line at the end
-#
-sub emithd( $ ) {
-    my ( $line ) = @_; #make writable
-    chomp $line;
-    emit $line;
-}
-
 #
 # Version of emit() that writes to standard out unconditionally
 #
@@ -1732,7 +1717,6 @@ sub emitstd {
 	    $line =~ s/^\n// if $lastlineblank;
 	    $line =~ s/^/$indent/gm if $indent;
 	    $line =~ s/        /\t/gm;
-	    $line =~ s/[ \t]+\n/\n/gm;
 	    print "$line\n";
 	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	} else {
@@ -2395,6 +2379,8 @@ sub clear_comment();
 sub split_line2( $$;$$$ ) {
     my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
 
+    my $inlinematches = $config{INLINE_MATCHES};
+
     my ( $columns, $pairs, $rest );
 
     my $currline = $currentline;
@@ -2417,20 +2403,16 @@ sub split_line2( $$;$$$ ) {
 	    fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
 
 	    $currline = $columns;
-	    #
-	    # Remove trailing white space
-	    #
-	    $currline =~ s/\s*$//;
 
 	    $inline_matches = $pairs;
 	    #
 	    # Don't look for matches below
 	    #
-	    $inline = '';
+	    $inline = $inlinematches = '';
 	}
     }
     #
-    # Next, see if there is a single semicolon on the line; what follows will be column/value pairs
+    # Next, see if there is a semicolon on the line; what follows will be column/value pairs or raw iptables input
     #
     ( $columns, $pairs, $rest ) = split( ';', $currline );
 
@@ -2439,6 +2421,42 @@ sub split_line2( $$;$$$ ) {
 	# Found it -- be sure there wasn't more than one.
 	#
 	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+
+	if ( $inlinematches ) {
+	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
+
+	    $inline_matches = $pairs;
+
+	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		#
+		# Pairs are enclosed in curly brackets.
+		#
+		$columns = $1;
+		$pairs   = $2;
+	    } else {
+		$pairs = '';
+	    }
+	} elsif ( $inline ) {
+	    #
+	    # This file supports INLINE or IPTABLES
+	    #
+	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+		$inline_matches = $pairs;
+
+		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		    #
+		    # Pairs are enclosed in curly brackets.
+		    #
+		    $columns = $1;
+		    $pairs   = $2;
+		} else {
+		    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
+		    $pairs = '';
+		}
+	    } 
+	} elsif ( $checkinline ) {
+	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
+	}
     } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
@@ -3322,7 +3340,7 @@ sub copy1( $ ) {
 			my @line = split / /;
 
 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
 
 			my $filename = find_file $line[1];
 
@@ -3532,7 +3550,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
     my $multiline = shift;
 
-    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
     my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
 
     $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3619,7 +3637,7 @@ sub embedded_perl( $ ) {
     $embedded--;
 
     if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
 
 	assert( close $perlscript );
 
@@ -3973,7 +3991,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;
 
 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
 
 		my $filename = find_file $line[1];
 
@@ -4427,12 +4445,6 @@ sub Nat_Enabled() {
     qt1( "$iptables $iptablesw -t nat -L -n" );
 }
 
-sub Nat_Input_Chain {
-    have_capability( 'NAT_ENABLED' ) || return '';
-
-    qt1( "$iptables $iptablesw -t nat -L INPUT -n" );
-}
-
 sub Persistent_Snat() {
     have_capability( 'NAT_ENABLED' ) || return '';
 
@@ -4756,6 +4768,10 @@ sub IPSET_V5() {
     $result;
 }
 
+sub Usepkttype() {
+    qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
+}
+
 sub Addrtype() {
     qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
@@ -5074,7 +5090,6 @@ our %detect_capability =
       MASQUERADE_TGT => \&Masquerade_Tgt,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
-      NAT_INPUT_CHAIN => \&Nat_Input_Chain,
       NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
       NETMAP_TARGET => \&Netmap_Target,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -5111,6 +5126,7 @@ our %detect_capability =
       TIME_MATCH => \&Time_Match,
       TPROXY_TARGET => \&Tproxy_Target,
       UDPLITEREDIRECT => \&Udpliteredirect,
+      USEPKTTYPE => \&Usepkttype,
       XCONNMARK_MATCH => \&Xconnmark_Match,
       XCONNMARK => \&Xconnmark,
       XMARK => \&Xmark,
@@ -5173,7 +5189,6 @@ sub determine_capabilities() {
 	#
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
 
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
@@ -5221,6 +5236,7 @@ sub determine_capabilities() {
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
+	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
@@ -5312,13 +5328,7 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
     }
 
-    my $path = $config{CONFIG_PATH};
+    @config_path = split /:/, $config{CONFIG_PATH};
-
-    my $chop = ( $path =~ s/^:// );
-
-    @config_path = split /:/, $path;
-
-    shift @config_path if $chop && ( $export || $> != 0 );
 
     #
     # To accomodate Cygwin-based compilation, we have separate directories for files whose names
@@ -5459,32 +5469,6 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
     }	
 
-    for ( qw/DROP_DEFAULT REJECT_DEFAULT/ ) {
-	my $policy = $config{ $_ };
-
-	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
-	    if ( $family == F_IPV4 ) {
-		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
-	    } else {
-		$policy =~ s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
-	    }
-	} elsif ( $policy =~ /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
-	    if ( $family == F_IPV4 ) {
-		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
-	    } else {
-		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
-	    }
-	} elsif ( $policy =~ /\b(?:Drop|Reject)\b/ ) {
-	    if ( $family == F_IPV4 ) {
-		$policy =~ s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
-	    } else {
-		$policy =~ s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
-	    }
-	}
-
-	$config{$_} = $policy;
-    }
-
     my $fn;
 
     unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -5524,13 +5508,7 @@ sub update_config_file( $ ) {
 			#
 			# OPTION='' - use default if 'Yes' or 'No'
 			#
-			if ( $default eq 'Yes' || $default eq 'No' ) {
+			$config{$var} = $val = $default if $default eq 'Yes' || $default eq 'No';
-			    $config{$var} = $val = $default;
-			} elsif ( $var eq 'CONFIG_PATH' ) {
-			    $val =~ s|^/etc/|\${CONFDIR}|;
-			    $val =~ s|:/etc/|:\${CONFDIR}/g|;
-			    $val =~ s|:/usr/share/|:\${SHAREDIR}|g;
-			}
 		    } else {
 			#
 			# Wasn't mentioned in old file - use default value
@@ -5538,6 +5516,7 @@ sub update_config_file( $ ) {
 			$config{$var} = $val = $default;
 
 		    }
+
 		}
 		if ( supplied $val ) {
 		    #
@@ -6018,12 +5997,9 @@ sub export_params() {
 }
 
 #
-# Walk the CONFIG_PATH converting
+# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
-# - FORMAT and COMMENT lines to compiler directives
-# - single semicolons to double semicolons in lines beginning with 'INLINE', IPTABLES or IP6TABLES
-# - Rename macros/actions to their 5.2 counterparts
 #
-sub convert_to_version_5_2() {
+sub convert_to_directives() {
     my $sharedir = $shorewallrc{SHAREDIR};
     #
     # Make a copy of @config_path so that the for-loop below doesn't clobber that list
@@ -6034,7 +6010,7 @@ sub convert_to_version_5_2() {
 
     my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
 
-    progress_message3 "Performing Shorewall 5.2 conversions...";
+    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
 
     for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -6045,129 +6021,40 @@ sub convert_to_version_5_2() {
 
 		opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";
 
-		while ( my $fname = readdir( $dirhandle ) ) {
+		while ( my $file = readdir( $dirhandle ) ) {
-		    unless ( $fname eq 'capabilities'       ||
+		    unless ( $file eq 'capabilities'       ||
-			     $fname eq 'params'             ||
+			     $file eq 'params'             ||
-			     $fname =~ /^shorewall6?.conf$/ ||
+			     $file =~ /^shorewall6?.conf$/ ||
-			     $fname =~ /\.bak$/ ) {
+			     $file =~ /\.bak$/ ) {
-			#
+			$file = "$dir/$file";
-			# File we are interested in
-			#
-			my $fullname = "$dir/$fname";
 		
-			if ( -f $fullname && -w _ ) {
+			if ( -f $file && -w _ ) {
 			    #
 			    # writeable regular file
 			    #
-			    my $v5_2_update = ( $fname eq 'rules'          ||
+			    my $result = system << "EOF";
-						$fname =~ /^action\./      ||
+			    perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
-						$fname =~ /^macro\./       ||
+                                             /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
-						$fname eq 'snat'           ||
+                                             if ( /^\\s*COMMENT\\s+/ ) {
-						$fname eq 'mangle'         ||
-						$fname eq 'conntrack'      ||
-						$fname eq 'accounting'     ||
-						$fname eq 'masq'           ||
-						$fname eq 'policy' );
-			    my $is_policy   = ( $fname eq 'policy' );
-			    my @file;
-			    my ( $ifile, $ofile );
-			    my $omitting = 0;
-			    my $changed;
-
-			    open $ifile, '<', "$fullname" or fatal_error "Unable to open $fullname: $!";
-
-			    while ( <$ifile> ) {
-				if ( $omitting ) {
-				    $omitting = 0, next if /\s*\??end\s+(?:perl|shell)/i;
-				} else {
-				    $omitting = 1, next if /\s*\??begin\s+(?:perl|shell)/i;
-				}
-
-				unless ( $omitting || /^\s*[#?]/ ) {
-				    if ( /^\s*FORMAT\s+/ ) {
-					s/FORMAT/?FORMAT/;
-					$changed = 1;
-				    }
-
-				    if ( /^\s*SECTION\s+/ ) {
-					s/SECTION/?SECTION/;
-					$changed = 1;
-				    }
-
-				    if ( /^\s*COMMENT\s+/ ) {
                                                  s/COMMENT/?COMMENT/;
-					$changed = 1;
                                              } elsif ( /^\\s*COMMENT\\s*\$/ ) {
                                                  s/COMMENT/?COMMENT/;
-				    }
+                                             }' $file
-
+EOF
-				    if ( $v5_2_update ) {
+			    if ( $result == 0 ) {
-					if ( /\bA_AllowICMPs\b/ ) {
+				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
-					    s/A_AllowICMPs/AllowICMPs(A_ACCEPT)/;
+				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
-					    $changed = 1;
+				} elsif ( rename "${file}.bak" , $file ) {
-					}
+				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
-
+				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
-					if ( $is_policy ) {
-					    if ( /\bA_(?:Drop|Reject)\b/ ) {
-						if ( $family == F_IPV4 ) {
-						    s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
 				} else {
-						    s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+				    warning message "Unable to rename ${file}.bak to $file:$!";
-						}
-
-						$changed = 1;
-					    } elsif ( /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
-						if ( $family == F_IPV4 ) {
-						    s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
-						} else {
-						    s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
-						}
-
-						$changed = 1;
-					    } elsif ( /\b(?:Drop|Reject)\b/ ) {
-						if ( $family == F_IPV4 ) {
-						    s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
-						} else {
-						    s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
-						}
-
-						$changed = 1;
 				}
 			    } else {
-					    unless ( /;;/ ) {
+				warning_message ("Unable to update file $file" );
-						if ( /^\s*(?:INLINE|IP6?TABLES)/ ) {
-						    s/;/;;/;
-						    $changed = 1;
-						} elsif ( /^[^#]*;\s*-[mgj]/ ) {
-						    s/;/;;/;
-						    $changed = 1;
-						}
-					    }
-
-					    if ( /\bSMTPTrap\b/ ) {
-						s/SMTPTrap/SMTPtrap/;
-						$changed = 1;
-					    }
-					}
-				    }
-				}
-
-				push @file, $_;
-			    }
-
-			    close $ifile;
-
-			    if ( $changed ) {
-				fatal_error "Can't rename $fullname to $fullname.bak" unless rename $fullname, "$fullname.bak";
-				open $ofile, '>', "$fullname" or fatal_error "Unable to open $fullname: $!";
-				print $ofile $_ for @file;
-				close $ofile;
-				progress_message3 "   File $fullname updated - old file renamed ${fullname}.bak";
-			    } else {
-				progress_message "   File $file not updated -- no update required";
 			    }
 			} else {
-			    warning_message( "$fullname skipped (not writeable)" ) unless -d _;
+			    warning_message( "$file skipped (not writeable)" ) unless -d _;
 			}
 		    }
 		}
@@ -6184,9 +6071,9 @@ sub convert_to_version_5_2() {
 # - Read the capabilities file, if any
 # - establish global hashes %params, %config , %globals and %capabilities
 #
-sub get_configuration( $$$ ) {
+sub get_configuration( $$$$ ) {
 
-    my ( $export, $update, $annotate ) = @_;
+    ( my ( $export, $update, $annotate ) , $checkinline ) = @_;
 
     $globals{EXPORT} = $export;
 
@@ -6488,6 +6375,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'SAVE_ARPTABLES'             , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
+    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
 
     warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
 
@@ -6543,7 +6431,6 @@ sub get_configuration( $$$ ) {
     default_yes_no 'AUTOCOMMENT'                , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'RENAME_COMBINED'            , 'Yes';
 
     if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6563,6 +6450,7 @@ sub get_configuration( $$$ ) {
 	$origin{$_} ||= '';
     }
 	    
+    default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
     default_yes_no 'WORKAROUNDS'                , 'Yes';
     default_yes_no 'DOCKER'                     , '';
@@ -6595,14 +6483,11 @@ sub get_configuration( $$$ ) {
     default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
-    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
+    default_yes_no 'AUTOMAKE'                   , '';
+    default_yes_no 'TRACK_PROVIDERS'            , '';
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
     default_yes_no 'USE_NFLOG_SIZE'             , '';
 
-    if ( ( $val = $config{AUTOMAKE} ) !~ /^[Rr]ecursive$/ ) {
-	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
-    }
-
     if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
@@ -6799,13 +6684,6 @@ sub get_configuration( $$$ ) {
 	$config{LOG_BACKEND} = $val;
     }
 
-    if ( supplied( $val = $config{LOG_ZONE} ) ) {
-	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
-	$config{LOG_ZONE} = lc( $val );
-    } else {
-	$config{LOG_ZONE} = 'both';
-    }
-
     warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
 
     default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6982,7 +6860,7 @@ sub get_configuration( $$$ ) {
     } else {
 	$val = numeric_value $config{OPTIMIZE};
 
-	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && $val <= OPTIMIZE_ALL;
+	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
     }
 
     require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
@@ -7051,7 +6929,7 @@ sub get_configuration( $$$ ) {
 	$variables{$var} = $config{$val};
     }
 
-    convert_to_version_5_2 if $update;
+    convert_to_directives if $update;
 
     cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,7 +60,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
-		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -99,14 +98,12 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
-our $loopback_address;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -373,10 +370,6 @@ sub rfc1918_networks() {
     @rfc1918_networks
 }
 
-sub loopback_address() {
-    $loopback_address;
-}
-
 #
 # Protocol/port validation
 #
@@ -762,7 +755,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
-	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -775,7 +767,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
-	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -718,7 +718,7 @@ sub add_common_rules ( $ ) {
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
     } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -2554,6 +2554,9 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
+	        refresh)
+	            mylogger kern.err "ERROR:$g_product refresh failed"
+	            ;;
                 enable)
                     mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
@@ -2643,6 +2646,7 @@ EOF
 
         rm -f ${VARDIR}/proxyarp
     fi
+
 EOF
     } else {
 	emit <<'EOF';
@@ -2656,6 +2660,7 @@ EOF
 
         rm -f ${VARDIR}/proxyndp
     fi
+
 EOF
     }
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
-    my $have_masq_rules;
-
     if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 
+	my $have_masq_rules;
+
 	directive_callback(
 	    sub ()
 	    {
@@ -647,8 +647,6 @@ sub convert_masq() {
 
 	close $snat, directive_callback( 0 );
     }
-
-    $have_masq_rules;
 }
 
 #

Shorewall/Perl/Shorewall/Proc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -161,15 +161,6 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
-
-		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
-			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    }
-		}
-
 		$marked_interfaces{$interface} = 1;
 	    }
 
@@ -338,22 +329,22 @@ sub balance_default_route( $$$$ ) {
     if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
-		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
-		emit qq(DEFAULT_ROUTE="dev $interface $realm");
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_default_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -368,22 +359,22 @@ sub balance_fallback_route( $$$$ ) {
     if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
-		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
-		emit qq(FALLBACK_ROUTE="dev $interface $realm");
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_fallback_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -885,8 +876,7 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( '',
+		emit  ( "find_interface_addresses $physical | while read address; do",
-			"find_interface_addresses $physical | while read address; do",
 			"    qt \$IP -$family rule del from \$address",
 			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
@@ -1251,7 +1241,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1585,7 +1575,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1594,8 +1584,7 @@ sub finish_providers() {
 	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( '',
+	    emit  ( "    while qt \$IP -$family route del default table $main; do",
-		    "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1649,7 +1638,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 
@@ -1741,7 +1730,7 @@ sub process_providers( $ ) {
 
     add_a_provider( $providers{$_}, $tcdevices ) for @providers;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
 
 #
 # Enable an optional provider
@@ -1787,11 +1776,12 @@ EOF
     pop_indent;
     pop_indent;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
         *)
             startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
+
 }
 
 #
@@ -1895,19 +1885,20 @@ sub setup_providers() {
 
 	start_providers;
 
-	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing if $config{NULL_ROUTE_RFC1918};
+
+	emit '';
+
+	emit "start_$providers{$_}->{what}_$_" for @providers;
 
-	if ( @providers ) {
-	    emit "start_$providers{$_}->{what}_$_" for @providers;
 	emit '';
-	}
 
 	finish_providers;
 
 	emit "\nrun_ip route flush cache";
 
 	pop_indent;
-	emit 'fi';
+	emit "fi\n";
 
 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
     } else {
@@ -1918,10 +1909,9 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
+	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1946,7 +1936,7 @@ sub setup_providers() {
 
 	pop_indent;
 
-	emit 'fi';
+	emit "fi\n";
     }
 }
 
@@ -2196,13 +2186,17 @@ sub provider_realm( $ ) {
 }
 
 #
-# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
+# This function is called by the compiler when it is generating the detect_configuration() function.
-
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
+#
+sub handle_optional_interfaces( $ ) {
 
     my @interfaces;
     my $wildcards;
+
     #
     # First do the provider interfacess. Those that are real providers will never have wildcard physical
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2226,6 +2220,10 @@ sub handle_optional_interfaces() {
 
     if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;
+
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2368,7 +2366,7 @@ sub handle_optional_interfaces() {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore)'
+		  '        start|reload|restore|refresh)'
 		);
 
 	    if ( $family == F_IPV4 ) {
@@ -2389,6 +2387,8 @@ sub handle_optional_interfaces() {
 
 	return 1;
     }
+
+    verify_required_interfaces( shift );
 }
 
 #

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,6 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
     }
 
     emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
-	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
 
     push @proxyarp, "$address $interface $external $haveroute";

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $disposition = $action;
     my $exception_rule = '';
-
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
     my $level = '';
 
     if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,14 +138,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
-	if ( $proto ne '-' ) {
-	    if ( $proto =~ s/:all$// ) {
-		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
-	    } else {
-		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
-	    }
-	}
-
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -207,9 +199,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 do_proto( $proto, $ports, $sports ) . 
+		 $rule,
-		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,

Shorewall/Perl/Shorewall/Rules.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,7 @@ use constant { NULL_SECTION          => 0x00,
 	       INVALID_SECTION       => 0x10,
 	       UNTRACKED_SECTION     => 0x20,
 	       NEW_SECTION           => 0x40,
-	       POLICYACTION_SECTION  => 0x80 };
+	       DEFAULTACTION_SECTION => 0x80 };
 #
 # Number of elements in the action tuple
 #
@@ -112,13 +112,6 @@ our %section_functions = ( ALL_SECTION ,        \&rules_chain,
 			   UNTRACKED_SECTION,   \&untracked_chain,
 			   NEW_SECTION,         \&rules_chain );
 
-our %log_functions = ( ALL_SECTION ,         \&rules_log ,
-		       BLACKLIST_SECTION ,   \&blacklist_log ,
-		       ESTABLISHED_SECTION , \&established_log ,
-		       RELATED_SECTION ,     \&related_log ,
-		       INVALID_SECTION ,     \&invalid_log ,
-		       UNTRACKED_SECTION ,   \&untracked_log ,
-		       NEW_SECTION ,         \&rules_log );
 #
 # Section => STATE map - initialized in process_rules().
 #
@@ -410,8 +403,8 @@ sub initialize( $ ) {
 #
 # Create a rules chain
 #
-sub new_rules_chain( $$ ) {
+sub new_rules_chain( $ ) {
-    my $chainref = new_chain( 'filter', &rules_chain( @_ ), &rules_log( @_ ) );
+    my $chainref = new_chain( 'filter', $_[0] );
 
     if ( $config{FASTACCEPT} ) {
 	if ( $globals{RELATED_TARGET} eq 'ACCEPT' && ! $config{RELATED_LOG_LEVEL} ) {
@@ -452,7 +445,7 @@ sub new_policy_chain($$$$$)
 {
     my ($source, $dest, $policy, $provisional, $audit) = @_;
 
-    my $chainref = new_rules_chain( ${source}, ${dest} );
+    my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
 
@@ -462,11 +455,9 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$)
+sub set_policy_chain($$$$$$)
 {
-    my ( $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
-
-    my $chain = rules_chain( $source, $dest );
 
     my $chainref = $filter_table->{$chain};
 
@@ -476,7 +467,7 @@ sub set_policy_chain($$$$$)
 	    $chainref->{provisional} = '';
 	}
     } else {
-	$chainref = new_rules_chain( $source, $dest );
+	$chainref = new_rules_chain $chain;
     }
 
     unless ( $chainref->{policychain} ) {
@@ -492,7 +483,6 @@ sub set_policy_chain($$$$$)
 	    if ( defined $polchainref->{synparams} ) {
 		$chainref->{synparams}   = $polchainref->{synparams};
 		$chainref->{synchain}    = $polchainref->{synchain};
-		$chainref->{synlog}      = $polchainref->{synlog};
 	    }
 
 	    $chainref->{pactions}    = $polchainref->{pactions} || [];
@@ -590,7 +580,7 @@ sub process_policy_actions( $$$ ) {
 	    for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
 		my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
 
-		fatal_error "Invalid policy action ($paction)" if defined $remainder;
+		fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
 
 		push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
 	    }
@@ -753,8 +743,7 @@ sub process_a_policy1($$$$$$$) {
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
-	$chainref->{synchain}  = $chain;
+	$chainref->{synchain}  = $chain
-	$chainref->{synlog}    = '@' . $chainref->{logname};
     }
 
     $chainref->{pactions} = $pactionref;
@@ -764,19 +753,19 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
     } else {
@@ -843,8 +832,6 @@ sub save_policies() {
     }
 }
 
-sub ensure_rules_chain( $$ );
-
 #
 # Process the policy file
 #
@@ -894,15 +881,19 @@ sub process_policies()
 	if ( $type == LOCAL ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 ) {
-		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
+		    my $name  = rules_chain( $zone,  $zone1 );
-		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
+		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
-		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
+		    my $name  = rules_chain( $zone,  $zone1 );
-		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
+		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -936,49 +927,27 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 
-#
-# Determine the protocol to be used in the jump to the passed action
-#
-sub determine_action_protocol( $$ ) {
-    my ( $action, $proto ) = @_;
-
-    if ( my $actionproto = $actions{$action}{proto} ) {
-	if ( $proto eq '-' ) {
-	    $proto = $actionproto;
-	} else {
-	    if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
-		fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
-		$proto = $protonum;
-	    } else {
-		fatal_error( "Unknown protocol ($proto)" );
-	    }
-	}
-    }
-
-    $proto;
-}
-
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
+	my @pactions;
+
+	@pactions = @$pactions;
+
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 
-	for my $paction ( @$pactions ) {
+	for my $paction ( @pactions ) {
 	    my ( $action ) = split ':', $paction;
 
 	    if ( ( $targets{$action} || 0 ) & ACTION ) {
 		#
-		# Policy action is a regular action -- jump to the action chain
+		# Default action is a regular action -- jump to the action chain
 		#
-		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
-		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
-		} else {
 		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
-		}
 	    } else {
 		#
-		# Policy action is an inline 
+		# Default action is an inline 
 		#
 		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
@@ -1010,7 +979,7 @@ sub add_policy_rules( $$$$$ ) {
 	}
  
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
-	assert( $target );
+	fatal_error "Null target in policy_rules()" unless $target;
 
 	if ( $target eq 'BLACKLIST' ) {
 	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
@@ -1071,7 +1040,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
     progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
 
-sub finish_chain_sections( $ );
+sub ensure_rules_chain( $ );
 
 #
 # Finish all policy Chains
@@ -1085,7 +1054,7 @@ sub complete_policy_chains() {
 	    my $provisional = $chainref->{provisional};
 	    my $defaults    = $chainref->{pactions};
 	    my $name        = $chainref->{name};
-	    my $synparams   = $chainref->{synparams};
+	    my $synparms    = $chainref->{synparms};
 
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
@@ -1095,13 +1064,13 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    finish_chain_sections( $chainref ) if ( @$defaults         ||
+		    ensure_rules_chain $name if ( @$defaults         ||
 						  $loglevel          ||
-							    $synparams         ||
+						  $synparms          ||
 						  $config{MULTICAST} ||
 						  ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
-		    finish_chain_sections( $chainref );
+		    ensure_rules_chain $name;
 		}
 	    }
 
@@ -1158,14 +1127,13 @@ sub setup_syn_flood_chains() {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref =
+	    my $synchainref = @zones > 1 ?
-		@zones > 1 ?
+		    new_chain 'filter' , syn_flood_chain $chainref :
-		new_chain( 'filter' , syn_flood_chain $chainref , $chainref->{synlog} ) :
+		    new_chain( 'filter' , '@' . $chainref->{name} );
-		new_chain( 'filter' , '@' . $chainref->{name}   , '@' . $chainref->{logname} );
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $synchainref->{logname} ,
+			     $chainref->{name} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@@ -1232,12 +1200,12 @@ sub finish_chain_section ($$$) {
 		    if ( $twochains ) {
 			$chain2ref = $chainref;
 		    } else {
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" );
 		    }
 
 		    log_rule_limit( $level,
 				    $chain2ref,
-				    $chain2ref->{logname},
+				    $chain2ref->{name},
 				    uc $target,
 				    $globals{LOGLIMIT},
 				    $tag ,
@@ -1294,7 +1262,7 @@ sub finish_chain_section ($$$) {
 	if ( $chain1ref->{is_policy} ) {
 	    if ( $chain1ref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chain1ref;
-		if ( $section == POLICYACTION_SECTION ) {
+		if ( $section == DEFAULTACTION_SECTION ) {
 		    if ( $chain1ref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chain1ref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -1316,10 +1284,21 @@ sub finish_chain_section ($$$) {
     pop_comment( $save_comment );
 }
 
-sub finish_chain_sections( $ ) {
+#
-    my ( $chainref ) = @_;
+# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
+#
+# Return a reference to the chain's table entry.
+#
+sub ensure_rules_chain( $ )
+{
+    my ($chain) = @_;
 
-	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
+    my $chainref = $filter_table->{$chain};
+
+    $chainref = new_rules_chain( $chain ) unless $chainref;
+
+    unless ( $chainref->{referenced} ) {
+	if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
@@ -1332,23 +1311,6 @@ sub finish_chain_sections( $ ) {
 	$chainref->{referenced} = 1;
     }
 
-#
-# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
-#
-# Return a reference to the chain's table entry.
-#
-sub ensure_rules_chain( $$ )
-{
-    my ($source, $dest) = @_;
-
-    my $chain = rules_chain( $source, $dest );
-
-    my $chainref = $filter_table->{$chain};
-
-    $chainref = new_rules_chain( $source, $dest ) unless $chainref;
-
-    finish_chain_sections( $chainref ) unless $chainref->{referenced};
-
     $chainref;
 }
 
@@ -1455,13 +1417,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$ ) {
 
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state ) = @_;
 
-    fatal_error "Reserved action name ($action)" if reserved_name( $action );
+    fatal_error "Invalid action name($action)" if reserved_name( $action );
 
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
 
     $targets{$action} = $type;
 }
@@ -1469,7 +1431,11 @@ sub new_action( $$$$$$ ) {
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
-# a 1- or 2-digit sequence number.
+# a 1- or 2-digit sequence number. In the functions that follow,
+# the $chain, $level and $tag variables serve as arguments to the user's
+# exit. We call the exit corresponding to the name of the action but we
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -1730,6 +1696,34 @@ sub isolate_basic_target( $ ) {
     $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
 
+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -2055,10 +2049,9 @@ sub process_actions() {
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 
 	    my $state = '';
-	    my $proto = 0;
 
 	    if ( $action =~ /:/ ) {
-		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
+		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }
 
@@ -2072,9 +2065,6 @@ sub process_actions() {
 			} else {
 			    fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
 			}
-		    } elsif ( /^proto=(.+)$/ ) {
-			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
-			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2095,11 +2085,9 @@ sub process_actions() {
 			next;
 		    }
 
-		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
-		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2109,8 +2097,6 @@ sub process_actions() {
 	    }
 
 	    if ( $opts & BUILTIN_OPT ) {
-		warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
-
 		my $actiontype = USERBUILTIN | OPTIONS;
 		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
 		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
@@ -2143,7 +2129,7 @@ sub process_actions() {
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state );
 	    }
 	}
     }
@@ -2181,7 +2167,7 @@ sub process_reject_action() {
     #
     # This gets called very early in the compilation process so we fake the section
     #
-    $section = POLICYACTION_SECTION;
+    $section = DEFAULTACTION_SECTION;
 
     if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
@@ -2515,7 +2501,7 @@ sub verify_audit($;$$) {
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
-# reference is also passed when rules are being generated during processing of a macro used as a policy action.
+# reference is also passed when rules are being generated during processing of a macro used as a default action.
 #
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -2618,6 +2604,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
+    if ( $config{ MAPOLDACTIONS } ) {
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
+    }
+
     fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
     $usergenerated = $actiontype & IPTABLES;
@@ -2983,7 +2973,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
-	$chainref = ensure_rules_chain ${sourcezone}, ${destzone};
+	$chainref = ensure_rules_chain $chain;
 	#
 	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
 	#
@@ -2993,7 +2983,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	    unless ( $auxref ) {
 		my $save_comment = push_comment;
-		$auxref = new_chain 'filter', $auxchain, $log_functions{$section}->( $sourcezone, $destzone );
+		$auxref = new_chain 'filter', $auxchain;
 		$auxref->{blacklistsection} = 1 if $blacklist;
 
 		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
@@ -3022,10 +3012,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
-	#
-	# Verify action 'proto', if any
-	#
-	$proto = determine_action_protocol( $basictarget, $proto );
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3176,7 +3162,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     );
     }
 
-    unless ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ||
+    unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
 	     $inaction ||
 	     $blacklist ||
 	     $basictarget eq 'dropInvalid' ) {
@@ -3312,7 +3298,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     $exceptionrule ,
 		     $usergenerated && ! $loglevel )
-	    unless unreachable_warning( $wildcard || $section == POLICYACTION_SECTION, $chainref );
+	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
     }
 
     $generated = 1;
@@ -3390,7 +3376,7 @@ sub check_state( $ ) {
 	}
     }
 
-    if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
+    if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
 	if ( $state eq 'NEW' ) {
 	    #
 	    # If an INVALID or UNTRACKED rule would be emitted then we must include the state match
@@ -3931,7 +3917,7 @@ sub process_rules() {
     #
     # No need to finish the NEW section since no rules need to be generated
     #
-    $section = $next_section = POLICYACTION_SECTION;
+    $section = $next_section = DEFAULTACTION_SECTION;
 }
 
 sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -4750,10 +4736,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
-	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
-	    #
 	    # Create the action:level:tag:param tuple.
 	    #
 	    my $normalized_target = normalize_action( $cmd, '', $params );
@@ -5485,6 +5467,22 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$interfaces    = $dest;
     }
     #
+    # Handle IPSEC options, if any
+    #
+    if ( $ipsec ne '-' ) {
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+
+	if ( $ipsec =~ /^yes$/i ) {
+	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
+	} elsif ( $ipsec =~ /^no$/i ) {
+	    $baserule .= do_ipsec_options 'out', 'none', '';
+	} else {
+	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
+	}
+    } elsif ( have_ipsec ) {
+	$baserule .= '-m policy --pol none --dir out ';
+    }
+    #
     # Handle Protocol, Ports and Condition
     #
     $baserule .= do_proto( $proto, $ports, '' );
@@ -5495,9 +5493,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     $baserule .= do_user( $user )                    if $user ne '-';
     $baserule .= do_probability( $probability )      if $probability ne '-';
 
-    my @interfaces = split_list( $interfaces, 'interface' );
+    for my $fullinterface ( split_list( $interfaces, 'interface' ) ) {
-
-    for my $fullinterface ( @interfaces ) {
  
 	my $rule = '';
 	my $saveaddresses = $addresses;
@@ -5505,21 +5501,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	my $savebaserule  = $baserule;
 	my $interface = $fullinterface;
 
-	if ( $inaction ) {
+	$interface =~ s/:.*//;   #interface name may include 'alias'
-	    $interface =~ s/:.*// if $family == F_IPV4;   #interface name may include 'alias'
-	} else {
-	    if ( $interface eq firewall_zone ) {
-		if ( @interfaces == 1 ) {
-		    fatal_error q('+' not valid when the DEST is $FW) if $pre_nat;
-		    fatal_error q('MASQUERADE' not allowed when DEST is $FW) if $action eq 'MASQUERADE';
-		    require_capability 'NAT_INPUT_CHAIN', '$FW in the DEST column', 's';
-		    $interface = '';
-		} else {
-		    fatal_error q($FW may not appear in a list of interfaces);
-		}
-	    } else {
-		$interface =~ s/:.*// if $family == F_IPV4;   #interface name may include 'alias'
 
+	unless ( $inaction ) {
 	    if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
 		$interface    = $1;
 		my $provider  = $2;
@@ -5542,34 +5526,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		$rule .= match_dest_dev( $interface );
 		$interface = $interfaceref->{name};
 	    }
-	    }
 
-	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
+	    $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 	}
 
 	$baserule .= do_condition( $condition , $chainref->{name} );
-	#
-	# Handle IPSEC options, if any
-	#
-	if ( $ipsec ne '-' ) {
-	    fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
-
-	    my $dir = $interface ? 'out' : 'in';
-
-	    if ( $ipsec =~ /^yes$/i ) {
-		$baserule .= do_ipsec_options $dir, 'ipsec', '';
-	    } elsif ( $ipsec =~ /^no$/i ) {
-		$baserule .= do_ipsec_options $dir, 'none', '';
-	    } else {
-		$baserule .= do_ipsec_options $dir, 'ipsec', $ipsec;
-	    }
-	} elsif ( have_ipsec ) {
-	    if ( $interface ) {
-		$baserule .= '-m policy --pol none --dir out ';
-	    } else {
-		$baserule .= '-m policy --pol none --dir in ';
-	    }
-	}
 
 	my $detectaddress = 0;
 	my $exceptionrule = '';
@@ -5577,7 +5538,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	if ( $action eq 'SNAT' ) {
 	    if ( $addresses eq 'detect' ) {
-		fatal_error q('detect' not allowed when the destination is $FW) unless $interface;
 		my $variable = get_interface_address $interface;
 		$target .= " --to-source $variable";
 
@@ -5704,7 +5664,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		$target .= $addrlist;
 	    }
 	} elsif ( $action eq 'MASQUERADE' ) {
-	    fatal_error q('MASQUERADE' not allowed when the destination is $FW') unless $interface;
 	    if ( supplied $addresses ) {
 		validate_portpair1($proto, $addresses );
 		$target .= " --to-ports $addresses";
@@ -5722,7 +5681,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 $params,
 				 $loglevel,
 				 $source,
-				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
+				 supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
 				 $ipsec,
@@ -5735,10 +5694,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
-		#
-		$proto = determine_action_protocol( $target, $proto );
-		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
 		#
@@ -5787,7 +5742,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $destnets = ALLIP unless supplied $destnets && $destnets ne '-';
 
 	    expand_rule( $chainref ,
-			 $interface ? POSTROUTE_RESTRICT : INPUT_RESTRICT ,
+			 POSTROUTE_RESTRICT ,
 			 $prerule ,
 			 $baserule . $inlinematches . $rule ,
 			 $source ,
@@ -5802,7 +5757,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
-	    if ( $interface && $add_snat_aliases && $addresses ) {
+	    if ( $add_snat_aliases && $addresses ) {
 		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 		for my $address ( split_list $addresses, 'address' ) {
@@ -5851,15 +5806,23 @@ sub process_snat( )
 }
 
 #
-# Process the snat file. Convert the masq file if found and non-empty
+# Process the masq or snat file
 #
-sub setup_snat()
+sub setup_snat( $ ) # Convert masq->snat if true
 {
     my $fn;
+    my $have_masq;
 
-    unless ( convert_masq ) {
+    if ( $_[0] ) {
+	convert_masq();
+    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
+    }
+
+    unless ( $have_masq ) {
 	#
-	# Masq file was empty or didn't exist
+	# Masq file empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
     if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
     } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
+		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
+		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
 
-	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
+	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
+	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 
 	$gateways = ALLIP if $gateways eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,6 +90,7 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
+		    find_interfaces_by_option1
 		    get_interface_option
 		    get_interface_origin
 		    interface_has_option
@@ -252,17 +253,6 @@ use constant { NO_UPDOWN   => 1,
 
 our %validinterfaceoptions;
 
-our %procinterfaceoptions=( accept_ra   => 1,
-			    arp_filter  => 1,
-			    arp_ignore  => 1,
-			    forward     => 1,
-			    logmartians => 1,
-			    proxyarp    => 1,
-			    proxyndp    => 1,
-			    routefilter => 1,
-			    sourceroute => 1,
-			  );
-
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -327,7 +317,7 @@ sub initialize( $$ ) {
     %mapbase = ();
     %mapbase1 = ();
     $baseseq = 0;
-    $minroot = undef;
+    $minroot = 0;
     $loopback_interface = '';
 
     %validzoneoptions = ( mss            => NUMERIC,
@@ -349,7 +339,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -373,9 +363,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION,
+				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -400,7 +390,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -412,18 +402,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION,
+				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -724,7 +714,7 @@ sub interface_match( $$ ) {
     return 1 if $piface eq $cifaceref->{bridge};
     return 1 if $ciface eq $pifaceref->{bridge};
 
-    if ( defined $minroot ) {
+    if ( $minroot ) {
 	if ( $piface =~ /\+$/ ) {
 	    my $root    = $pifaceref->{root};
 	    my $rlength = length( $root );
@@ -1214,16 +1204,15 @@ sub process_interface( $$ ) {
     }
 
     my $wildcard = 0;
-    my $physwild = 0;
     my $root;
 
     if ( $interface =~ /\+$/ ) {
-	$wildcard = $physwild = 1; # Default physical name is the logical name
+	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
 
-	if ( defined $minroot ) {
+	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1269,6 +1258,8 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );
 
 	for my $option (split_list1 $options, 'option' ) {
+	    next if $option eq '-';
+
 	    ( $option, my $value ) = split /=/, $option;
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1305,6 +1296,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1328,6 +1320,7 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
+		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1379,9 +1372,7 @@ sub process_interface( $$ ) {
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
 
-		    $physwild = ( $value =~ /\+$/ );
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
-
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1409,14 +1400,6 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}
 
-	for my $option ( keys %options ) {
-	    if ( $root ) {
-		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
-	    } else {
-		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
-	    }
-	}
-
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1475,7 +1458,6 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
 					         };
 
     $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1634,7 +1616,7 @@ sub known_interface($)
 
     my $iface = $interface;
 
-    if ( defined $minroot ) {
+    if ( $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
@@ -1875,8 +1857,7 @@ sub find_interfaces_by_option( $;$ ) {
     for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
-	next unless $interfaceref->{root};                                   # Don't return '+' interface
+	next unless $interfaceref->{root};
-	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
 
 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1891,6 +1872,35 @@ sub find_interfaces_by_option( $;$ ) {
     \@ints;
 }
 
+#
+# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
+#
+# - All entries in %interfaces are searched.
+# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
+#
+sub find_interfaces_by_option1( $ ) {
+    my $option = $_[0];
+    my @ints = ();
+    my $wild = 0;
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+
+	next unless defined $interfaceref->{physical};
+
+	my $optionsref = $interfaceref->{options};
+
+	if ( $optionsref && defined $optionsref->{$option} ) {
+	    $wild ||= $interfaceref->{wildcard};
+	    push @ints , $interface
+	}
+    }
+
+    return unless defined wantarray;
+
+    wantarray ? ( \@ints, $wild ) : \@ints;
+}
+
 #
 # Return the value of an option for an interface
 #
@@ -2021,7 +2031,6 @@ sub verify_required_interfaces( $ ) {
 
 	emit( "esac\n" );
 
-	$returnvalue = 1;
     }
 
     $interfaces = find_interfaces_by_option( 'required' );
@@ -2031,7 +2040,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore)' );
+	    emit( 'start|reload|restore|refresh)' );
 	    push_indent;
 	}
 
@@ -2067,7 +2076,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( "esac\n" );
+	    emit( 'esac' );
 	}
 
 	$returnvalue = 1;

Shorewall/Perl/compiler.pl

@@ -32,6 +32,7 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
+#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -39,6 +40,7 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
+#         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -62,6 +64,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --timestamp ]
     [ --debug ]
     [ --confess ]
+    [ --refresh=<chainlist> ]
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
@@ -72,6 +75,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --shorewallrc=<pathname> ]
     [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
+    [ --inline ]
 _EOF_
 
 exit shift @_;
@@ -86,6 +90,7 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
+my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -97,6 +102,7 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
+my $inline        = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -111,6 +117,8 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
+			'r=s'             => \$chains,
+			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -124,6 +132,7 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
+			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -138,6 +147,7 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
+	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -149,4 +159,5 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
+	  inline          => $inline,
 	);

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -1065,6 +1065,8 @@ clear_firewall() {
     run_iptables -F
     qt $IPTABLES -t raw -F
 
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
     if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
     	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1373,6 +1375,8 @@ clear_firewall() {
     run_iptables -F
     qt $IP6TABLES -t raw -F
 
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
     run_clear_exit
 
     set_state "Cleared"

Shorewall/Perl/prog.footer

@@ -1,23 +1,5 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
-#
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
-#
-#	This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#	Free Software Foundation, either version 2 of the license or, at your
-#	option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
 ###############################################################################
 #
 # Give Usage Information
@@ -286,10 +268,8 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    for table in raw mangle nat filter; do
+	    $g_tool -Z
-		qt $g_tool -t $table -Z
+	    $g_tool -t mangle -Z
-	    done
-
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -373,7 +353,6 @@ case "$COMMAND" in
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Samples/Universal/shorewall.conf

@@ -45,8 +45,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -79,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -185,6 +183,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -199,6 +199,8 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -217,8 +219,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=Yes
 
 RESTART=restart

Shorewall/Samples/one-interface/shorewall.conf

@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -90,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Off
@@ -210,6 +210,8 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -228,8 +230,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -53,8 +53,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -87,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -193,6 +191,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -207,6 +207,8 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -225,8 +227,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -90,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=Yes
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=On
@@ -210,6 +210,8 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MINIUPNPD=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -228,8 +230,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No
 
 RESTART=restart

Shorewall/actions.std

@@ -8,8 +8,11 @@
 #
 ###############################################################################
 #ACTION
+A_AllowICMPs inline		# Audited version of AllowICMPs
+A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
+A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -23,18 +26,18 @@ Broadcast    inline,audit	# Handles Broadcast/Anycast
 ?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 ?endif
-DNSAmp	     proto=17		# Matches one-question recursive DNS queries
+DNSAmp				# Matches one-question recursive DNS queries
+Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
+dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
-DropDNSrep   inline,proto=17	# Drops DNS replies
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit,\	# Handles ACK,FIN packets
+FIN	     inline,audit	# Handles ACK,FIN,PSH packets
-	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
@@ -47,15 +50,14 @@ Multicast    inline,audit	# Handles Multicast
 Multicast    noinline,audit	# Handles Multicast
 ?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-	     proto=6
+rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
-rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
+Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit,\	# Handle packets with RST set
+RST	     inline,audit	# Handle packets with RST set
-	     proto=6
 SetEvent     inline		# Initialize an event
-TCPFlags     proto=6		# Handle bad flag combinations.
+TCPFlags			# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#

Shorewall/configfiles/masq

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /etc/shorewall/masq
+#
+# For information about entries in this file, type "man shorewall-masq"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-masq.html
+#
+###################################################################################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/configfiles/shorewall.conf

@@ -45,8 +45,6 @@ LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
 
-LOG_ZONE=Both
-
 LOGALLNEW=
 
 LOGFILE=/var/log/messages
@@ -79,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 
 ARPTABLES=
 
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
 
@@ -185,6 +183,8 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
+INLINE_MATCHES=No
+
 IPSET_WARNINGS=Yes
 
 IP_FORWARDING=Keep
@@ -199,6 +199,8 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
+MAPOLDACTIONS=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
@@ -217,8 +219,6 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No
 
 RESTART=restart
@@ -241,7 +241,7 @@ TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=Yes
+TRACK_PROVIDERS=No
 
 TRACK_RULES=No
 

Shorewall/configpath

@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

Shorewall/lib.cli-std

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.cli-std
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli-std.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,10 +47,11 @@ get_config() {
 	fi
     fi
 
-    if [ -n "$g_shorewalldir" ]; then
+    if [ "$(id -u)" -eq 0 ]; then
-	config="$g_shorewalldir/$PRODUCT.conf"
-    else
 	config=$(find_file ${PRODUCT}.conf)
+    else
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	config="$g_shorewalldir/$PRODUCT.conf"
     fi
 
     if [ -f $config ]; then
@@ -281,18 +282,10 @@ get_config() {
 
     case $AUTOMAKE in
 	Yes|yes)
-	    AUTOMAKE=1
 	    ;;
 	No|no)
 	    AUTOMAKE=
 	    ;;
-	[1-9])
-	    ;;
-	[1-9][0-9])
-	    ;;
-	[Rr]ecursive)
-	    AUTOMAKE=recursive
-	    ;;
 	*)
 	    if [ -n "$AUTOMAKE" ]; then
 		fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)"
@@ -349,12 +342,8 @@ get_config() {
 	fi
     fi
 
-    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $COMMAND in
-	    blacklist|allow|drop|logdrop|reject)
 	setup_dbl
-		;;
-	esac
     fi
 
     if [ -z "$PERL_HASH_SEED" ]; then
@@ -374,17 +363,6 @@ get_config() {
     [ -f $lib ] && . $lib
 }
 
-#
-# Ensure that the effective UID is 0 or that we are dealing with a private configuration
-#
-ensure_root() {
-    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the default $PRODUCT configuration"
-	fi
-    fi
-}
-
 #
 # Determine if there are config files newer than the passed object
 #
@@ -392,35 +370,20 @@ uptodate() {
     [ -x $1 ] || return 1
 
     local dir
-    local busybox
+    local ifs
-    local find
 
-    find=$(mywhich find)
+    ifs="$IFS"
+    IFS=':'
 
-    [ -n "${find}" ] || return 1
+    for dir in $g_shorewalldir $CONFIG_PATH; do
-    [ -h "${find}" ] && busybox=Yes
+	if [ -n "$(find ${dir} -newer $1)" ]; then
-
+	    IFS="$ifs"
-    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
-	if [ -n "${busybox}" ]; then
-	    #
-	    # Busybox 'find' doesn't support -quit.
-	    #
-	    if [ $AUTOMAKE = recursive ]; then
-		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
-		    return 1;
-		fi
-	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
-		return 1;
-	    fi
-	elif [ $AUTOMAKE = recursive ]; then
-	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
     done
 
+    IFS="$ifs"
+
     return 0
 }
 
@@ -450,7 +413,11 @@ compiler() {
 
     pc=${LIBEXECDIR}/shorewall/compiler.pl
 
-    ensure_root
+    if [ $(id -u) -ne 0 ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	fi
+    fi
     #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
@@ -461,7 +428,7 @@ compiler() {
     get_config Yes
 
     case $COMMAND in
-	*start|try|reload|restart|safe-*)
+	*start|try|refresh|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -503,9 +470,11 @@ compiler() {
     [ -n "$g_test" ]           && options="$options --test"
     [ -n "$g_preview" ]        && options="$options --preview"
     [ "$g_debugging" = trace ] && options="$options --debug"
+    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
     [ -n "$g_confess" ]        && options="$options --confess"
     [ -n "$g_update" ]         && options="$options --update"
     [ -n "$g_annotate" ]       && options="$options --annotate"
+    [ -n "$g_inline" ]         && options="$options --inline"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -610,6 +579,10 @@ start_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
@@ -651,24 +624,24 @@ start_command() {
     esac
 
     if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate $g_firewall; then
+	if ! uptodate ${VARDIR}/firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
     fi
 
     if [ -n "$AUTOMAKE" ]; then
-	[ -n "$g_nolock" ] || mutex_on
+	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging start
+	run_it ${VARDIR}/firewall $g_debugging start
 	rc=$?
-	[ -n "$g_nolock" ] || mutex_off
+	[ -n "$nolock" ] || mutex_off
     else
 	g_file="${VARDIR}/.start"
-	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$g_nolock" ] || mutex_on
+	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.start $g_debugging start
 	    rc=$?
-	    [ -n "$g_nolock" ] || mutex_off
+	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product start failed"
@@ -720,6 +693,10 @@ compile_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			-)
 			    finished=1
 			    option=
@@ -740,7 +717,7 @@ compile_command() {
 
     case $# in
 	0)
-	    [ -n "$g_export" ] && g_file=firewall || g_file=$g_firewall
+	    [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall
 	    ;;
 	1)
 	    g_file=$1
@@ -814,6 +791,10 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -850,7 +831,7 @@ check_command() {
 
     g_doing="Checking"
 
-    compiler $g_debugging $g_nolock check
+    compiler $g_debugging $nolock check
 }
 
 #
@@ -898,11 +879,16 @@ update_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			a*)
 			    g_annotate=Yes
 			    option=${option#a}
 			    ;;
 			A*)
+			    g_inline=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -941,7 +927,7 @@ update_command() {
 
     g_doing="Updating"
 
-    compiler $g_debugging $g_nolock check
+    compiler $g_debugging $nolock check
 }
 
 #
@@ -992,6 +978,7 @@ restart_command() {
 			    option=${option#T}
 			    ;;
 			i*)
+			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
@@ -1037,27 +1024,114 @@ restart_command() {
     [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
 
     if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	uptodate $g_firewall && g_fast=Yes
+	uptodate ${VARDIR}/firewall && g_fast=Yes
     fi
 
     g_file="${VARDIR}/.${COMMAND}"
 
     if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$g_nolock" ] || mutex_on
+	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
 	    rc=$?
-	    [ -n "$g_nolock" ] || mutex_off
+	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
     else
-	[ -x $g_firewall ] || fatal_error "No $g_firewall file found"
+	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
-	[ -n "$g_nolock" ] || mutex_on
+	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+	rc=$?
+	[ -n "$nolock" ] || mutex_off
+    fi
+
+    return $rc
+}
+
+#
+# Refresh Command Executor
+#
+refresh_command() {
+    local finished
+    finished=0
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			d*)
+			    g_debug=Yes
+			    option=${option#d}
+			    ;;
+			n*)
+			    g_noroutes=Yes
+			    option=${option#n}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
+			D)
+			    if [ $# -gt 1 ]; then
+				g_shorewalldir="$2"
+				option=
+				shift
+			    else
+				fatal_error "The -D option requires a directory name"
+			    fi
+			    ;;
+			*)
+			    option_error $option
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    if [ $# -gt 0 ]; then
+	g_refreshchains=$1
+	shift
+
+	while [ $# -gt 0 ]; do
+	    g_refreshchains="$g_refreshchains,$1"
+	    shift
+	done
+    else
+	g_refreshchains=:refresh:
+    fi
+
+    product_is_started || fatal_error "$g_product is not running"
+
+    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+
+    g_file="${VARDIR}/.refresh"
+
+    if compiler $g_debugging $nolock compile "$g_file"; then
+	[ -n "$nolock" ] || mutex_on
+	run_it ${VARDIR}/.refresh $g_debugging refresh
+	rc=$?
+	[ -n "$nolock" ] || mutex_off
+    else
 	rc=$?
-	[ -n "$g_nolock" ] || mutex_off
     fi
 
     return $rc
@@ -1185,7 +1259,7 @@ safe_commands() {
 	    ;;
     esac
 
-    [ -n "$g_nolock" ] || mutex_on
+    [ -n "$nolock" ] || mutex_on
 
     if run_it ${VARDIR}/.$command $g_debugging $command; then
 
@@ -1200,7 +1274,7 @@ safe_commands() {
 		run_it ${VARDIR}/.$command clear
 	    fi
 
-	    [ -n "$g_nolock" ] || mutex_off
+	    [ -n "$nolock" ] || mutex_off
 
 	    echo "New configuration has been rejected and the old one restored"
 	    exit 2
@@ -1208,7 +1282,7 @@ safe_commands() {
 
     fi
 
-    [ -n "$g_nolock" ] || mutex_off
+    [ -n "$nolock" ] || mutex_off
 }
 
 #
@@ -1298,7 +1372,7 @@ try_command() {
 
     g_file="${VARDIR}/.$command"
 
-    if ! compiler $g_debugging $g_nolock compile "$g_file"; then
+    if ! compiler $g_debugging $nolock compile "$g_file"; then
 	status=$?
 	exit $status
     fi
@@ -1318,7 +1392,7 @@ try_command() {
 	    ;;
     esac
 
-    [ -n "$g_nolock" ] || mutex_on
+    [ -n "$nolock" ] || mutex_on
 
     if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
@@ -1330,7 +1404,7 @@ try_command() {
 	fi
     fi
 
-    [ -n "$g_nolock" ] || mutex_off
+    [ -n "$nolock" ] || mutex_off
 
     return 0
 }
@@ -1348,163 +1422,10 @@ rcp_command() {
     eval $RCP_COMMAND
 }
 
-#
-# Remote-{getcaps|getrc} command executer
-#
-remote_capture() # $* = original arguments less the command.
-{
-    local verbose
-    verbose=$(make_verbose)
-    local finished
-    finished=0
-    local system
-    local getrc
-    getrc=
-    local getcaps
-    getcaps=
-    local remote_sw_dir_path
-    remote_sw_dir_path=
-    local root
-    root=root
-    local libexec
-    libexec=${LIBEXECDIR}
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			R*)
-			    getrc=Yes
-			    option=${option#R}
-			    ;;
-			c*)
-			    getcaps=Yes
-			    option=${option#c}
-			    ;;
-			r)
-			    [ $# -gt 1 ] || fatal_error "Missing Root User name"
-			    root=$2
-			    option=
-			    shift
-			    ;;
-			D)
-			    [ $# -gt 1 ] || fatal_error "Missing directory name"
-			    g_shorewalldir=$2
-			    option=
-			    shift
-			    ;;
-			p)
-			    [ $# -gt 1 ] || fatal_error "Missing directory name"
-			    remote_sw_dir_path=$2
-			    option=
-			    shift
-			    ;;
-			T*)
-			    g_confess=Yes
-			    option=${option#T}
-			    ;;
-			*)
-			    option_error $option
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
-	    ;;
-	1)
-	    g_shorewalldir="."
-	    system=$1
-	    ;;
-	2)
-	    g_shorewalldir=$1
-	    system=$2
-	    ;;
-	*)
-	    too_many_arguments $3
-	    ;;
-    esac
-
-    g_export=Yes
-
-    ensure_config_path
-
-    get_config Yes
-
-    g_haveconfig=Yes
-
-    if [ -z "$system" ]; then
-        system=$FIREWALL
-        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-    fi
-
-    case $COMMAND in
-        remote-getrc)
-            getrc=Yes
-            ;;
-        remote-getcaps)
-            getcaps=Yes
-            ;;
-    esac
-
-    [ -n "$getcaps" ] && getrc=Yes
-
-    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
-        progress_message2 "Getting shorewallrc file on system $system..."
-
-        if [ -n "$remote_sw_dir_path" ]; then
-            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
-                fatal_error "Capturing RC file on system $system failed"
-            fi
-        elif ! rsh_command "/sbin/shorewall-lite show rc" > $g_shorewalldir/shorewallrc; then
-            fatal_error "Capturing RC file on system $system failed"
-        fi
-    fi
-
-    remote_sw_dir_path=
-
-    if [ -n "$getcaps" -o ! -s $g_shorewalldir/capabilities ]; then
-        if [ -f $g_shorewalldir/shorewallrc -a -s $g_shorewalldir/shorewallrc ]; then
-            . $g_shorewalldir/shorewallrc
-            libexec="$LIBEXECDIR"
-
-            [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
-
-            progress_message2 "Getting Capabilities on system $system..."
-
-            if [ $g_family -eq 4 ]; then
-                if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
-                    fatal_error "Capturing capabilities on system $system failed"
-                fi
-            elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
-                fatal_error "Capturing capabilities on system $system failed"
-            fi
-        else
-            fatal_error "$g_shorewalldir/shorewallrc is not present."
-        fi
-    fi
-}
-
 #
 # Remote-{start|reload|restart} command executor
 #
-remote_commands() # $* = original arguments less the command.
+remote_reload_command() # $* = original arguments less the command.
 {
     local verbose
     verbose=$(make_verbose)
@@ -1570,6 +1491,10 @@ remote_commands() # $* = original arguments less the command.
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -1617,9 +1542,14 @@ remote_commands() # $* = original arguments less the command.
 
     g_export=Yes
 
+    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+	if [ -f $g_shorewalldir/params ]; then
+	    . $g_shorewalldir/params
+	fi
+
 	ensure_config_path
 
-    get_config Yes
+	get_config No
 
 	g_haveconfig=Yes
 
@@ -1627,16 +1557,19 @@ remote_commands() # $* = original arguments less the command.
 	    system=$FIREWALL
 	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	fi
+    else
+	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
+    fi
 
     if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
-	[ ! -f $capabilities -o ! -s $capabilities ] && getcaps=Yes
+	[ -f $capabilities ] || getcaps=Yes
     fi
 
     if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
-	progress_message2 "Getting Capabilities on system $system..."
+	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1652,7 +1585,6 @@ remote_commands() # $* = original arguments less the command.
     #
     # Handle nonstandard remote VARDIR
     #
-    progress_message2 "Getting VARDIR on system $system..."
     temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"
@@ -1793,11 +1725,11 @@ export_command() # $* = original arguments less the command.
 }
 
 run_command() {
-    if [ -x $g_firewall ] ; then
+    if [ -x ${VARDIR}/firewall ] ; then
-	uptodate $g_firewall || echo "   WARNING: $g_firewall is not up to date" >&2
+	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
-	run_it $g_firewall $g_debugging $@
+	run_it ${VARDIR}/firewall $g_debugging $@
     else
-	fatal_error "$g_firewall does not exist or is not executable"
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
     fi
 }
 
@@ -1808,6 +1740,11 @@ compiler_command() {
 	    shift
 	    compile_command $@
 	    ;;
+	refresh)
+	    get_config Yes Yes
+	    shift
+	    refresh_command $@
+	    ;;
 	check|ck)
 	    shift
 	    check_command $@
@@ -1818,28 +1755,22 @@ compiler_command() {
 	    ;;
 	remote-start|remote-reload|remote-restart)
 	    shift
-	    remote_commands $@
+	    remote_reload_command $@
 	    ;;
 	export)
 	    shift
 	    export_command $@
 	    ;;
 	try)
-	    only_root
 	    get_config Yes
 	    shift
 	    try_command $@
 	    ;;
 	safe-reload|safe-restart|safe-start)
-	    only_root
 	    get_config Yes
 	    shift
 	    safe_commands $@
 	    ;;
-        remote-getrc|remote-getcaps)
-            shift
-            remote_capture $@
-            ;;
 	*)
 	    fatal_error "Invalid command: $COMMAND"
 	    ;;

Shorewall/manpages/shorewall-actions.xml

@@ -191,27 +191,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><option>proto</option>=<replaceable>protocol</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.1.10. Specifies that the action is
-                only usable with the specified
-                <replaceable>protocol</replaceable> (name or number). When the
-                action is invoked with no protocol specified in the PROTO
-                column, or if the action is used as a Policy Action, the named
-                <replaceable>protocol</replaceable> will be assumed. If a
-                protocol is specified in the PROTO column of an invocation,
-                then it must match the named
-                <replaceable>protocol</replaceable>.</para>
-
-                <para>The <option>proto</option> option has no effect if the
-                <option>inline</option> or <option>builtin</option> option is
-                specified. A warning is issued if <option>proto</option> is
-                specified along with <option>builtin</option>.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><option>section</option></term>
 

Shorewall/manpages/shorewall-conntrack.xml

@@ -84,7 +84,7 @@
         role="bold">CT</emphasis>:<emphasis
         role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
         role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
-        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IP[6]TABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
           <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -272,32 +272,9 @@
               will also be logged at that level.</para>
             </listitem>
 
-            <listitem>
-              <para><option>IP6TABLES</option>(<replaceable>target</replaceable>)</para>
-
-              <para>IPv6 only.</para>
-
-              <para>Added in Shorewall 4.6.0. Allows you to specify any
-              iptables <replaceable>target</replaceable> with target options
-              (e.g., "IP6TABLES(AUDIT --type drop)"). If the target is not one
-              recognized by Shorewall, the following error message will be
-              issued:</para>
-
-              <simplelist>
-                <member>ERROR: Unknown target
-                (<replaceable>target</replaceable>)</member>
-              </simplelist>
-
-              <para>This error message may be eliminated by adding
-              <replaceable>target</replaceable> as a builtin action in <ulink
-              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
-            </listitem>
-
             <listitem>
               <para><option>IPTABLES</option>(<replaceable>target</replaceable>)</para>
 
-              <para>IPv4 only.</para>
-
               <para>Added in Shorewall 4.6.0. Allows you to specify any
               iptables <replaceable>target</replaceable> with target options
               (e.g., "IPTABLES(AUDIT --type drop)"). If the target is not one
@@ -470,7 +447,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
+                both the incoming interace and source address match.</para>
               </listitem>
             </varlistentry>
 
@@ -566,7 +543,7 @@
 
               <listitem>
                 <para>This form combines the preceding two and requires that
-                both the outgoing interface and destination address
+                both the outgoing interace and destination address
                 match.</para>
               </listitem>
             </varlistentry>
@@ -602,23 +579,14 @@
 
         <listitem>
           <para>A protocol name from <filename>/etc/protocols</filename> or a
-          protocol number. tcp and 6 may be optionally followed by <emphasis
+          protocol number.</para>
-          role="bold">:syn </emphasis>to match only the SYN packet (first
-          packet in the three-way handshake).</para>
 
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          <para>Beginning with Shorewall 4.5.12, this column is labeled
-          comma-separated list of protocols and either <emphasis
+          <emphasis role="bold">PROTOS</emphasis> and can accept a
+          comma-separated list of protocols. Either <emphasis
           role="bold">proto</emphasis> or <emphasis
           role="bold">protos</emphasis> is accepted in the alternate input
           format.</para>
-
-          <para>Beginning with Shorewall 5.1.11, when <emphasis
-          role="bold">tcp</emphasis> or <emphasis role="bold">6</emphasis> is
-          specified and the ACTION is <emphasis role="bold">CT</emphasis>, the
-          compiler will default to <emphasis role="bold">:syn</emphasis>. If
-          you wish the rule to match packets with any valid combination of TCP
-          flags, you may specify <emphasis role="bold">tcp:all</emphasis> or
-          <emphasis role="bold">6:all</emphasis>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-interfaces.xml

@@ -112,10 +112,7 @@ loc     eth2            -</programlisting>
           url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
           for a discussion of this problem.</para>
 
-          <para>Shorewall allows '+' as an interface name, but that usage is
+          <para>Shorewall allows '+' as an interface name.</para>
-          deprecated. A better approach is to specify
-          '<option>physical</option>=+' in the OPTIONS column (see
-          below).</para>
 
           <para>There is no need to define the loopback interface (lo) in this
           file.</para>
@@ -196,54 +193,6 @@ loc     eth2            -</programlisting>
           should have no embedded white-space.</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">accept_ra</emphasis>[={0|1|2}]</term>
-
-              <listitem>
-                <para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>
-
-                <variablelist>
-                  <varlistentry>
-                    <term>0</term>
-
-                    <listitem>
-                      <para>Do not accept Router Advertisements.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>1</term>
-
-                    <listitem>
-                      <para>Accept Route Advertisements if forwarding is
-                      disabled.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>2</term>
-
-                    <listitem>
-                      <para>Overrule forwarding behavior. Accept Route
-                      Advertisements even if forwarding is enabled.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>If the option is specified without a value, then the
-                value 1 is assumed.</para>
-
-                <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
 
@@ -260,12 +209,12 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
+                <para/>
+
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
-                  specified, a warning is issued and the option is
-                  ignored.</para>
                 </note>
               </listitem>
             </varlistentry>
@@ -294,14 +243,16 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
+                <para/>
+
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
-                  specified, a warning is issued and the option is
-                  ignored.</para>
                 </note>
 
+                <para/>
+
                 <warning>
                   <para>Do not specify <emphasis
                   role="bold">arp_ignore</emphasis> for any interface involved
@@ -479,25 +430,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
-
-              <listitem>
-                <para>IPv6 only Sets the
-                /proc/sys/net/ipv6/conf/interface/forwarding option to the
-                specified value. If no value is supplied, then 1 is
-                assumed.</para>
-
-                <note>
-                  <para>This option does not work with a wild-card <emphasis
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">ignore[=1]</emphasis></term>
 
@@ -564,11 +496,9 @@ loc     eth2            -</programlisting>
                 <para/>
 
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
-                  specified, a warning is issued and the option is
-                  ignored.</para>
                 </note>
 
                 <blockquote>
@@ -695,10 +625,7 @@ loc     eth2            -</programlisting>
 
                 <para>If the <emphasis>interface</emphasis> name is a wildcard
                 name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'. The physical
+                <emphasis>name</emphasis> must also end in '+'.</para>
-                <replaceable>name</replaceable> may end in '+' (or be exactly
-                '+') when the <replaceable>interface</replaceable> name is not
-                a wildcard name.</para>
 
                 <para>If <option>physical</option> is not specified, then it's
                 value defaults to the <emphasis>interface</emphasis>
@@ -720,13 +647,9 @@ loc     eth2            -</programlisting>
                 url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
                 </ulink></para>
 
-                <note>
+                <para><emphasis role="bold">Note</emphasis>: This option does
-                  <para>This option does not work with a wild-card <emphasis
+                not work with a wild-card <replaceable>interface</replaceable>
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                name (e.g., eth0.+) in the INTERFACE column.</para>
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
 
                 <para>Only those interfaces with the <option>proxyarp</option>
                 option will have their setting changed; the value assigned to
@@ -742,13 +665,9 @@ loc     eth2            -</programlisting>
                 <para>IPv6 only. Sets
                 /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
 
-                <note>
+                <para><emphasis role="bold">Note</emphasis>: This option does
-                  <para>This option does not work with a wild-card <emphasis
+                not work with a wild-card <replaceable>interface</replaceable>
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                name (e.g., eth0.+) in the INTERFACE column.</para>
-                  Beginning with Shorewall 5.1.10, If this option is
-                  specified, a warning is issued and the option is
-                  ignored.</para>
-                </note>
 
                 <para>Only those interfaces with the <option>proxyndp</option>
                 option will have their setting changed; the value assigned to
@@ -812,11 +731,9 @@ loc     eth2            -</programlisting>
                 filtering.</para>
 
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
-                  specified, a warning is issued and the option is
-                  ignored.</para>
                 </note>
 
                 <para>This option can also be enabled globally via the
@@ -925,11 +842,9 @@ loc     eth2            -</programlisting>
                 specified (if any) or 1 if no value is given.</para>
 
                 <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
-                  specified, a warning is issued and the option is
-                  ignored.</para>
                 </note>
               </listitem>
             </varlistentry>

Shorewall/manpages/shorewall-logging.xml

@@ -362,7 +362,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
     is 2 and AF_INET6 is 10).</para>
 
     <para>The name immediately following the number is the currently-selected
-    backend, and the ones in parentheses are the ones that are available. You
+    backend, and the ones in parantheses are the ones that are available. You
     can change the currently selected backend by echoing it's name into
     /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
 

Shorewall/manpages/shorewall-mangle.xml

@@ -374,8 +374,7 @@ DIVERTHA        -               -               tcp</programlisting>
 
               <listitem>
                 <para>Allows you to place your own ip[6]tables matches at the
-                end of the line following a semicolon (";") (deprecated) or
+                end of the line following a semicolon (";"). If an
-                two semicolons (";;") (preferred since Shoreall 5.0.0). If an
                 <replaceable>action</replaceable> is specified, the compiler
                 proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
@@ -392,10 +391,22 @@ DIVERTHA        -               -               tcp</programlisting>
 
                 <programlisting>2:P                   eth0              -         tcp 22
 INLINE(MARK(2)):P     eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -                 ;; -p tcp
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
-INLINE                eth0              -         tcp 22  ;; -j MARK --set-mark 2
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE                eth0              -                 ;; -p tcp -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
+
+                <para>If INLINE_MATCHES=Yes in <ulink
+                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+                then the third rule above can be specified as follows:</para>
+
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
+
+                <para>Beginning with Shorewall 5.0.0, the rule may also be
+                written this way, irrespective of the setting of
+                INLINE_MATCHES:</para>
+
+                <programlisting>MARK(2):P             eth0              -                 ;; -p tcp</programlisting>
               </listitem>
             </varlistentry>
 
@@ -507,39 +518,12 @@ INLINE                eth0              -                 ;; -p tcp -j MARK --se
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis
-              role="bold">IP6TABLES({<replaceable>target</replaceable>
-              [<replaceable>option</replaceable> ...])</emphasis></term>
-
-              <listitem>
-                <para>IPv6 only.</para>
-
-                <para>This action allows you to specify an iptables target
-                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
-                If the target is not one recognized by Shorewall, the
-                following error message will be issued:</para>
-
-                <simplelist>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
-
-                <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
-                <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">IPTABLES({<replaceable>target</replaceable>
               [<replaceable>option</replaceable> ...])</emphasis></term>
 
               <listitem>
-                <para>IPv4 only.</para>
-
                 <para>This action allows you to specify an iptables target
                 with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
                 the target is not one recognized by Shorewall, the following
@@ -697,7 +681,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <listitem>
                 <para>Added in Shorewall 5.1.9. This target only applies to
                 TCP traffic and alters the MSS value in SYN packets. It may be
-                used in the FORWARD and POSTROUTING chains; the default is
+                used in the FOWARD and POSTROUTING chains; the default is
                 FORWARD.</para>
 
                 <para>The <replaceable>mss</replaceable> parameter may be

Shorewall/manpages/shorewall-masq.xml

@@ -0,0 +1,781 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-masq</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>masq</refname>
+
+    <refpurpose>Shorewall Masquerade/SNAT definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall[6]/masq</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT). While still supported, its use is deprecated in favor
+    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
+    introduced in Shorewall 5.0.14.</para>
+
+    <warning>
+      <para>The entries in this file are order-sensitive. The first entry that
+      matches a particular connection will be the one that is used.</para>
+    </warning>
+
+    <warning>
+      <para>If you have more than one ISP link, adding entries to this file
+      will <emphasis role="bold">not</emphasis> force connections to go out
+      through a particular link. You must use entries in <ulink
+      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
+      PREROUTING entries in <ulink
+      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
+      that.</para>
+    </warning>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
+        role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>[<emphasis
+        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
+        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
+
+        <listitem>
+          <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
+          comma-separated list of interface names. This is usually your
+          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
+          may add ":" and a <emphasis>digit</emphasis> to indicate that you
+          want the alias added with that name (e.g., eth0:0). This will allow
+          the alias to be displayed with ifconfig. <emphasis role="bold">That
+          is the only use for the alias name; it may not appear in any other
+          place in your Shorewall configuration.</emphasis></para>
+
+          <para>Each interface must match an entry in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
+          internet provider share a single interface</ulink>, the provider is
+          specified by including the provider name or number in
+          parentheses:</para>
+
+          <programlisting>        eth0(Avvanta)</programlisting>
+
+          <para>In that case, you will want to specify the interface's address
+          for that provider in the ADDRESS column.</para>
+
+          <para>The interface may be qualified by adding the character ":"
+          followed by a comma-separated list of destination host or subnet
+          addresses to indicate that you only want to change the source IP
+          address for packets being sent to those particular destinations.
+          Exclusion is allowed (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
+          as are ipset names preceded by a plus sign '+';</para>
+
+          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
+          entry then include the ":" but omit the digit:</para>
+
+          <programlisting>        eth0(Avvanta):
+        eth2::192.0.2.32/27</programlisting>
+
+          <para>Normally Masq/SNAT rules are evaluated after those for
+          one-to-one NAT (defined in <ulink
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
+          want the rule to be applied before one-to-one NAT rules, prefix the
+          interface name with "+":</para>
+
+          <programlisting>        +eth0
+        +eth0:192.0.2.32/27
+        +eth0:2</programlisting>
+
+          <para>This feature should only be required if you need to insert
+          rules in this file that preempt entries in <ulink
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
+
+          <para>Comments may be attached to Netfilter rules generated from
+          entries in this file through the use of ?COMMENT lines. These lines
+          begin with ?COMMENT; the remainder of the line is treated as a
+          comment which is attached to subsequent rules until another ?COMMENT
+          line is found or until the end of the file is reached. To stop
+          adding comments to rules, use a line containing only
+          ?COMMENT.</para>
+
+          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
+          With the exception of the leading '+', the interfacelist and
+          qualifiers may appear within the parentheses of <emphasis
+          role="bold">INLINE</emphasis>(...).</para>
+
+          <para>Example:</para>
+
+          <programlisting>        +INLINE(eth0)</programlisting>
+
+          <para>When this is done, you may augment the rule generated by
+          Shorewall with iptables matches of your own. These matches appear
+          after a semicolon (';') at the end of the line.</para>
+
+          <para>See example 8 below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
+        - Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+
+        <listitem>
+          <para>Set of hosts that you wish to masquerade. You can specify this
+          as an <emphasis>address</emphasis> (net or host) or as an
+          <emphasis>interface</emphasis> (use of an
+          <emphasis>interface</emphasis> is deprecated). If you give the name
+          of an interface, the interface must be up before you start the
+          firewall and the Shorewall rules compiler will warn you of that
+          fact. (Shorewall will use your main routing table to determine the
+          appropriate addresses to masquerade).</para>
+
+          <para>The preferred way to specify the SOURCE is to supply one or
+          more host or network addresses separated by comma. You may use ipset
+          names preceded by a plus sign (+) to specify a set of hosts.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
+        role="bold">:random</emphasis>][:persistent]|<emphasis
+        role="bold">detect</emphasis>|<emphasis
+        role="bold">random</emphasis>]</term>
+
+        <listitem>
+          <para>If you specify an address here, SNAT will be used and this
+          will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
+          in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
+          Shorewall will automatically add this address to the INTERFACE named
+          in the first column.</para>
+
+          <para>You may also specify a range of up to 256 IP addresses if you
+          want the SNAT address to be assigned from that range in a
+          round-robin fashion by connection. The range is specified by
+          <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
+          You may follow the port range with<emphasis role="bold">
+          :random</emphasis> in which case assignment of ports from the list
+          will be random. <emphasis role="bold">random</emphasis> may also be
+          specified by itself in this column in which case random local port
+          assignments are made for the outgoing connections.</para>
+
+          <para>Example: 206.124.146.177-206.124.146.180</para>
+
+          <para>You may follow the port range (or <emphasis
+          role="bold">:random</emphasis>) with <emphasis
+          role="bold">:persistent</emphasis>. This is only useful when an
+          address range is specified and causes a client to be given the same
+          source/destination IP pair. This feature replaces the SAME modifier
+          which was removed from Shorewall in version 4.4.0. Unlike <emphasis
+          role="bold">random</emphasis>, <emphasis
+          role="bold">persistent</emphasis> may not be used by itself.</para>
+
+          <para>You may also use the special value "detect" which causes
+          Shorewall to determine the IP addresses configured on the interface
+          named in the INTERFACES column and substitute them in this
+          column.</para>
+
+          <para>Finally, you may also specify a comma-separated list of ranges
+          and/or addresses in this column.</para>
+
+          <para>This column may not contain DNS Names.</para>
+
+          <para>Normally, Netfilter will attempt to retain the source port
+          number. You may cause netfilter to remap the source port by
+          following an address or range (if any) by ":" and a port range with
+          the format
+          <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If this
+          is done, you must specify "tcp" or "udp" in the PROTO column.</para>
+
+          <para>Examples:</para>
+
+          <programlisting>        192.0.2.4:5000-6000
+        :4000-5000</programlisting>
+
+          <para>If you simply place <emphasis role="bold">NONAT</emphasis> in
+          this column, no rewriting of the source IP address or port number
+          will be performed. This is useful if you want particular traffic to
+          be exempt from the entries that follow in the file.</para>
+
+          <para>If you want to leave this column empty but you need to specify
+          the next column then place a hyphen ("-") here.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If you wish to restrict this entry to a particular protocol
+          then enter the protocol name (from protocols(5)) or number
+          here.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
+        [<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>If you specify a value other than "-" in this column, you must
+          be running kernel 2.6 and your kernel and iptables must include
+          policy match support.</para>
+
+          <para>Comma-separated list of options from the following. Only
+          packets that will be encrypted via an SA that matches these options
+          will have their source address changed.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is specified using
+                setkey(8) using the 'unique:<emphasis>number</emphasis> option
+                for the SPD level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is the SPI of the SA
+                used to encrypt/decrypt packets.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto=</emphasis><emphasis
+              role="bold">ah</emphasis>|<emphasis
+              role="bold">esp</emphasis>|<emphasis
+              role="bold">ipcomp</emphasis></term>
+
+              <listitem>
+                <para>IPSEC Encapsulation Protocol</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>sets the MSS field in TCP packets</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">mode=</emphasis><emphasis
+              role="bold">transport</emphasis>|<emphasis
+              role="bold">tunnel</emphasis></term>
+
+              <listitem>
+                <para>IPSEC mode</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">strict</emphasis></term>
+
+              <listitem>
+                <para>Means that packets must match all rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">next</emphasis></term>
+
+              <listitem>
+                <para>Separates rules; can only be used with strict</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">yes</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will be
+                encrypted/encapsulated to match the rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
+        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+        role="bold">:C</emphasis>]</term>
+
+        <listitem>
+          <para>Defines a test on the existing packet or connection mark. The
+          rule will match only if the test returns true.</para>
+
+          <para>If you don't want to define a test but need to specify
+          anything in the following columns, place a "-" in this field.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>!</term>
+
+              <listitem>
+                <para>Inverts the test (not equal)</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>value</emphasis></term>
+
+              <listitem>
+                <para>Value of the packet or connection mark.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>mask</emphasis></term>
+
+              <listitem>
+                <para>A mask to be applied to the mark before testing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">:C</emphasis></term>
+
+              <listitem>
+                <para>Designates a connection mark. If omitted, the packet
+                mark's value is tested.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+
+        <listitem>
+          <para>This column was formerly labelled USER/GROUP.</para>
+
+          <para>Only locally-generated connections will match if this column
+          is non-empty.</para>
+
+          <para>When this column is non-empty, the rule matches only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>(Optional) Added in Shorewall 4.5.6. This column may be
+          included and may contain one or more addresses (host or network)
+          separated by commas. Address ranges are not allowed. When this
+          column is supplied, rules are generated that require that the
+          original destination address matches one of the listed addresses. It
+          is useful for specifying that SNAT should occur only for connections
+          that were acted on by a DNAT when they entered the firewall.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROBABILITY</emphasis> -
+        [<replaceable>probability</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.0. When non-empty, requires the
+          <firstterm>Statistics Match</firstterm> capability in your kernel
+          and ip6tables and causes the rule to match randomly but with the
+          given <replaceable>probability</replaceable>. The
+          <replaceable>probability</replaceable> is a number 0 &lt;
+          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
+          at up to 8 decimal points of precision.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>IPv4 Example 1:</term>
+
+        <listitem>
+          <para>You have a simple masquerading setup where eth0 connects to a
+          DSL or cable modem and eth1 connects to your local network with
+          subnet 192.168.0.0/24.</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #INTERFACE   SOURCE
+        eth0    192.168.0.0/24</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 2:</term>
+
+        <listitem>
+          <para>You add a router to your local network to connect subnet
+          192.168.1.0/24 which you also want to masquerade. You then add a
+          second entry for eth0 to this file:</para>
+
+          <programlisting>        #INTERFACE   SOURCE
+        eth0         192.168.1.0/24</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 3:</term>
+
+        <listitem>
+          <para>You have an IPSEC tunnel through ipsec0 and you want to
+          masquerade packets coming from 192.168.1.0/24 but only if these
+          packets are destined for hosts in 10.1.1.0/24:</para>
+
+          <programlisting>        #INTERFACE              SOURCE
+        ipsec0:10.1.1.0/24      196.168.1.0/24</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 4:</term>
+
+        <listitem>
+          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
+          to use source address 206.124.146.176 which is NOT the primary
+          address of eth0. You want 206.124.146.176 to be added to eth0 with
+          name eth0:0.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:0                  192.168.1.0/24  206.124.146.176</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 5:</term>
+
+        <listitem>
+          <para>You want all outgoing SMTP traffic entering the firewall from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.177. You want all other outgoing traffic from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.176.</para>
+
+          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
+        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
+        eth0         172.20.1.0/29    206.124.146.176</programlisting>
+
+          <warning>
+            <para>The order of the above two rules is significant!</para>
+          </warning>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 6:</term>
+
+        <listitem>
+          <para>Connections leaving on eth0 and destined to any host defined
+          in the ipset <emphasis>myset</emphasis> should have the source IP
+          address changed to 206.124.146.177.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:+myset[dst]        -               206.124.146.177</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 7:</term>
+
+        <listitem>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
+          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
+          (Shorewall 4.5.9 and later).</para>
+
+          <programlisting>/etc/shorewall/tcrules:
+
+       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+
+/etc/shorewall/masq:
+
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 8:</term>
+
+        <listitem>
+          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
+          70.90.191.123. You want to use the iptables statistics match to
+          masquerade outgoing connections evenly between these two
+          addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(eth1)  0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
+       eth1          0.0.0.0/0      70.90.191.123 
+</programlisting>
+
+          <para>If INLINE_MATCHES=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
+          these rules may be specified as follows:</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       eth1          0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
+       eth1          0.0.0.0/0      70.90.191.123 
+</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>You have a simple 'masquerading' setup where eth0 connects to
+          a DSL or cable modem and eth1 connects to your local network with
+          subnet 2001:470:b:787::0/64</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
+        eth0         2001:470:b:787::0/64    -</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 2:</term>
+
+        <listitem>
+          <para>Your sit1 interface has two public IP addresses:
+          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+          iptables statistics match to masquerade outgoing connections evenly
+          between these two addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2 
+</programlisting>
+
+          <para>If INLINE_MATCHES=Yes in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+          then these rules may be specified as follows:</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/masq</para>
+
+    <para>/etc/shorewall6/masq</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall(8)</para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-params.xml

@@ -26,8 +26,10 @@
     <title>Description</title>
 
     <para>Assign any shell variables that you need in this file. The file is
-    always processed by <filename>/bin/sh</filename> so the full range of
+    always processed by <filename>/bin/sh</filename> or by the shell specified
-    shell capabilities may be used.</para>
+    through SHOREWALL_SHELL in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
+    range of shell capabilities may be used.</para>
 
     <para>It is suggested that variable names begin with an upper case letter
     to distinguish them from variables used internally within the Shorewall

Shorewall/manpages/shorewall-providers.xml

@@ -84,8 +84,8 @@
 
           <para>If PROVIDER_OFFSET is non-zero in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
+          the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
-          the number of significant bits may not exceed PROVIDER_OFFSET +
+          number of significant bits may not exceed PROVIDER_OFFSET +
           PROVIDER_BITS.</para>
         </listitem>
       </varlistentry>
@@ -117,12 +117,6 @@
           specified unless <option>loose</option> is given in the OPTIONS
           column of this entry.</para>
 
-          <important>
-            <para>For IPv6, if the interface is an Ethernet device and an IP
-            address is supplied, it should be the upstream router's link-level
-            address, not its global address.</para>
-          </important>
-
           <para>Where more than one provider is serviced through a single
           interface, the <emphasis>interface</emphasis> must be followed by a
           colon and the IP <emphasis>address</emphasis> of the interface that

Shorewall/manpages/shorewall-rules.xml

@@ -461,13 +461,12 @@
               <listitem>
                 <para>Added in Shorewall 4.5.16. This action allows you to
                 construct most of the rule yourself using iptables syntax. The
-                part that you specify must follow two semicolons (';;')
+                part that you specify must follow a semicolon (';') and is
-		and is
                 completely free-form. If the target of the rule (the part
                 following 'j') is something that Shorewall supports in the
                 ACTION column, then you may enclose it in parentheses (e.g.,
                 INLINE(ACCEPT)). Otherwise, you can include it after the
-                semicolon(s). In this case, you must declare the target as a
+                semicolon. In this case, you must declare the target as a
                 builtin action in <ulink
                 url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
 
@@ -490,7 +489,7 @@
                     necessarily be at the end of the generated rule. For
                     example, if addresses are specified in the SOURCE and/or
                     DEST columns, their generated matches will appear after
-                    those specified using ';;' or ';'.</para>
+                    those specified using ';'.</para>
                   </listitem>
                 </itemizedlist>
               </listitem>

Shorewall/manpages/shorewall-snat.xml

@@ -97,7 +97,7 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>[-<replaceable>highport</replaceable>]][<option>random</option>])][:<replaceable>level</replaceable>]</term>
+              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])][:<replaceable>level</replaceable>]</term>
 
               <listitem>
                 <para>Causes matching outgoing packages to have their source
@@ -105,12 +105,11 @@
                 specified in the DEST column. if
                 <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
                 is given, that port range will be used to assign a source
-                port. If only <replaceable>lowport</replaceable> is given,
+                port. If option <option>random</option> is used then port
-                that port will be assigned, if possible. If option
+                mapping will be randomized. MASQUERADE should only be used
-                <option>random</option> is used then port mapping will be
+                when the DEST interface has a dynamic IP address. Otherwise,
-                randomized. MASQUERADE should only be used when the DEST
+                SNAT should be used and should specify the interface's static
-                interface has a dynamic IP address. Otherwise, SNAT should be
+                address.</para>
-                used and should specify the interface's static address.</para>
               </listitem>
             </varlistentry>
 
@@ -157,7 +156,7 @@
             <varlistentry>
               <term><emphasis
               role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
-              role="bold">[-</emphasis><emphasis>highport</emphasis>]][<emphasis
+              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
               role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
               role="bold">detect</emphasis>)[:<replaceable>level</replaceable>]</term>
 
@@ -210,9 +209,6 @@
 
                 <programlisting>        192.0.2.4:5000-6000
         :4000-5000</programlisting>
-
-                <para>You may also specify a single port number, which will be
-                assigned to the outgoing connection, if possible.</para>
               </listitem>
             </varlistentry>
 
@@ -253,10 +249,10 @@
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this
           as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis>. Unless you want to perform SNAT in
+          <emphasis>interface</emphasis> (use of an
-          the INPUT chain (see DEST below), if you give the name of an
+          <emphasis>interface</emphasis> is deprecated). If you give the name
-          interface (deprecated), the interface must be up before you start
+          of an interface, the interface must be up before you start the
-          the firewall and the Shorewall rules compiler will warn you of that
+          firewall and the Shorewall rules compiler will warn you of that
           fact. (Shorewall will use your main routing table to determine the
           appropriate addresses to masquerade).</para>
 
@@ -267,18 +263,15 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> -
+        <term><emphasis role="bold">DEST</emphasis> - {[<emphasis
-        {<emphasis>interface</emphasis>[<emphasis
+        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
-        role="bold">:</emphasis><emphasis>digit][,</emphasis><emphasis>interface</emphasis>[<emphasis
+        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
-        role="bold">:</emphasis><emphasis>digit</emphasis>]]...|$FW}[<emphasis
         role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
 
         <listitem>
-          <para>Outgoing <emphasis>interface</emphasis>s and destination
+          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
-          networks. Multiple interfaces may be listed when the ACTION is
+          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          MASQUERADE, but this is usually just your internet interface. If
-          ADD_SNAT_ALIASES=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
           may add ":" and a <emphasis>digit</emphasis> to indicate that you
           want the alias added with that name (e.g., eth0:0). This will allow
@@ -286,10 +279,6 @@
           is the only use for the alias name; it may not appear in any other
           place in your Shorewall configuration.</emphasis></para>
 
-          <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
-          nat table's INPUT chain by specifying $FW rather than one or more
-          interfaces. </para>
-
           <para>Each interface must match an entry in <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
           Shorewall allows loose matches to wildcard entries in <ulink

Shorewall/manpages/shorewall-tcdevices.xml

@@ -112,7 +112,7 @@
           ppp interfaces, you need to put them all in here!</para>
 
           <para>If the device doesn't exist, a warning message will be issued
-          during "shorewall [re]start" and "shorewall reload" and traffic
+          during "shorewall [re]start" and "shorewall refresh" and traffic
           shaping configuration will be skipped for that device.</para>
 
           <para>Shorewall assigns a sequential <firstterm>interface
@@ -160,9 +160,7 @@
           how often the rate is estimated and how many samples are retained
           for estimating. Please see <ulink
           url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink>
-          for details. If not specified, the default
+          for details.</para>
-          <replaceable>interval</replaceable> is 250ms and the default
-          <replaceable>decay_interval</replaceable> is 4sec.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-tcinterfaces.xml

@@ -172,9 +172,7 @@
           how often the rate is estimated and how many samples are retained
           for estimating. Please see <ulink
           url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink>
-          for details. If not specified, the default
+          for details.</para>
-          <replaceable>interval</replaceable> is 250ms and the default
-          <replaceable>decay_interval</replaceable> is 4sec.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -463,8 +463,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-        role="bold">No</emphasis>|<option>recursive</option>|<replaceable>depth</replaceable>]</term>
 
         <listitem>
           <para>If set, the behavior of the <command>start</command>,
@@ -482,27 +481,6 @@
           <command>restart</command> command includes a directory name
           (e.g.,<command> shorewall restart
           /etc/shorewall.new</command>).</para>
-
-          <para>When AUTOMAKE=Yes, each directory in the CONFIG_PATH was
-          originally searched recursively for files newer than the compiled
-          script. That was changed in Shorewall 5.1.10.2 such that only the
-          listed directories themselves were searched. That broke some
-          configurations that played tricks with embedded SHELL such as
-          "<command>SHELL cat /etc/shorewall/rules.d/loc/*.rules".</command>
-          Prior to 5.1.10.2, a change to a file in or adding a file to
-          /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
-          with 5.1.10.2, such changes would not trigger recompilation.
-          Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
-          obtained by setting AUTOMAKE=recursive.</para>
-
-          <para>Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
-          numeric <replaceable>depth</replaceable> which specifies how deeply
-          each listed directory is to be searched. AUTOMAKE=1 only searches
-          each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
-          will search each directory and its immediate sub-directories;
-          AUTOMAKE=3 will search each diretory, each of its immediate
-          sub-directories, and each of their immediate sub-directories,
-          etc.</para>
         </listitem>
       </varlistentry>
 
@@ -587,12 +565,13 @@
           respectively and were added in Shorewall 4.4.20. They require
           AUDIT_TARGET in the kernel and iptables.</para>
 
-          <para>The BLACKLIST_DISPOSITION setting determines the disposition
+          <para>The BLACKLIST_DISPOSITION setting has no effect on entries in
-          of packets sent to the <emphasis role="bold">blacklog</emphasis>
+          the BLACKLIST section of <ulink
-          target of <ulink
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). It
+          determines the disposition of packets sent to the <emphasis
+          role="bold">blacklog</emphasis> target of <ulink
           url="/manpages/shorewall-blrules.html">shorewall-blrules
-          </ulink>(5), but otherwise does not affect entries in that
+          </ulink>(5).</para>
-          file.</para>
         </listitem>
       </varlistentry>
 
@@ -694,7 +673,7 @@
 
       <varlistentry>
         <term><emphasis
-        role="bold">CONFIG_PATH</emphasis>=[[:]<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
+        role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
 
         <listitem>
           <para>Specifies where configuration files other than
@@ -722,16 +701,6 @@
           /etc/shorewall:/usr/share/shorewall but your particular distribution
           may set it differently. See the output of shorewall show config for
           the default on your system.</para>
-
-          <para>Beginning with Shorewall 5.1.10, the CONFIG_PATH setting may
-          begin with a colon (":"), to signal that the first
-          <replaceable>directory</replaceable> listed will be skipped if the
-          user performing a compilation is not root or if the configuration is
-          being compiled for export (-e option specified or if running one of
-          the remote-* commands) . This prevents the compiler from looking in
-          <filename>/etc/shorewall[6]</filename>/ when compilation is being
-          done by a non-root user or if the generated script is to be sent to
-          a remote firewall system.</para>
         </listitem>
       </varlistentry>
 
@@ -751,14 +720,6 @@
           and <command>restart</command> commands will succeed even if no DNS
           server is reachable (assuming that the configuration hasn't changed
           since the compiled script was last generated).</para>
-
-          <important>
-            <para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS
-            change makes it necessary to recompile an existing firewall
-            script, the <option>-c</option> option must be used with the
-            <command>reload</command> or <command>restart</command> command to
-            force recompilation.</para>
-          </important>
         </listitem>
       </varlistentry>
 
@@ -1163,6 +1124,36 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a
+          semicolon separates column-oriented specifications on the left from
+          <ulink url="/configuration_file_basics.htm#Pairs">alternative
+          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
+          specified, the specifications on the right are interpreted as if
+          INLINE had been specified in the ACTION column. This also applies to
+          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
+          and <ulink
+          url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
+          which also support INLINE. If not specified or if specified as the
+          empty value, the value 'No' is assumed for backward
+          compatibility.</para>
+
+          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
+          set INLINE_MATCHES=Yes in order to be able to specify your own
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
+          Beginning with 5.0.0, you may simply preface your text with a pair
+          of semicolons (";;"). If alternate input is also specified in the
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
@@ -1340,9 +1331,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             running, you should remove the file
             <filename>/var/lib/shorewall/rt_tables</filename>
             (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>restore</command>,
+            your next <command>stop</command>, <command>refresh</command>,
-            <emphasis role="bold">reload</emphasis> or
+            <command>restore</command>, <emphasis
-            <command>restart</command> command.</para>
+            role="bold">reload</emphasis> or <command>restart</command>
+            command.</para>
           </blockquote>
 
           <para>IPv6:</para>
@@ -1356,9 +1348,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             is running, you should remove the file
             <filename>/var/lib/shorewall6/rt_tables</filename>
             (<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>restore</command>,
+            your next <command>stop</command>, <command>refresh</command>,
-            <emphasis role="bold">reload</emphasis> or
+            <command>restore</command>, <emphasis
-            <command>restart</command> command.</para>
+            role="bold">reload</emphasis> or <command>restart</command>
+            command.</para>
           </blockquote>
 
           <important>
@@ -1440,24 +1433,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">LOG_ZONE=</emphasis>[<emphasis
-        role="bold"><option>src</option>|<option>dst</option>|<option>both</option></emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.2.0. When a log message is issued from a
-          chain that relates to a pair of zones (e.g, 'fw-net'), the chain
-          name normally appears in the log message (unless LOGTAGONLY=Yes and
-          a log tag is specified). This can prevent OPTIMIZE category 8 from
-          combining chains which are identical except for the names of the
-          zones involved. LOG_ZONE allows for only the source or destination
-          zone to appear in the messages by setting LOG_ZONE to
-          <option>src</option> or <option>dest</option> respectively. If
-          LOG_ZONE=<option>both</option> (the default), then the full chain
-          name is included in log messages.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis
         role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
@@ -1817,6 +1792,19 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>IPv4 only.</para>
+
+          <para>This option is included for compatibility with old Shorewall
+          configuration. New installs should always have
+          MAPOLDACTIONS=No.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2142,14 +2130,6 @@ LOG:info:,bar                        net                    fw</programlisting>
               <para>Optimization category 8 - Added in Shorewall 4.4.9. When
               set, causes chains with identical rules to be collapsed into a
               single chain.</para>
-
-              <warning>
-                <para>While Optimization category 8 can significantly reduce
-                the size of the generated iptables ruleset, it can also take
-                significant system resources during compilation. If you find
-                that compilation takes an unreasonably long time, try
-                disabling this category by setting OPTIMIZE=23.</para>
-              </warning>
             </listitem>
 
             <listitem>
@@ -2222,8 +2202,7 @@ LOG:info:,bar                        net                    fw</programlisting>
 
           <para>In versions prior to 5.1.0, the default value is zero which
           disables all optimizations. Beginning with Shorewall 5.1.0, the
-          default value is <emphasis role="bold">All</emphasis> which enables
+          default value is All which enables all optimizations.</para>
-          all optimizations.</para>
         </listitem>
       </varlistentry>
 
@@ -2469,20 +2448,6 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">RENAME_COMBINED=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.2.0. Traditionally, when OPTIMIZE
-          category 8 is enabled, identical chains are combined under a name
-          beginning with '~comb' or '~blacklist'. This behavior is maintained
-          under the default setting RENAME_COMBINED=Yes. If
-          RENAMED_COMBINED=No, the chains are combined under the original name
-          of one of the chains.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">REQUIRE_INTERFACE=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2782,6 +2747,7 @@ INLINE          -       -       -       ;; -j REJECT
           of each <emphasis role="bold">start</emphasis>, <emphasis
           role="bold">reload</emphasis>, <emphasis
           role="bold">restart</emphasis>, <emphasis
+          role="bold">refresh</emphasis>, <emphasis
           role="bold">try</emphasis>, and <emphasis
           role="bold">safe-</emphasis>* command. Logging verbosity is
           determined by the setting of LOG_VERBOSITY above.</para>

Shorewall/uninstall.sh

@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #