Correct IPv6 Address Range parsing

Previously, such ranges were required to be of the form [<addr1>-<addr2>]
rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
(and in nat actions), the latter form was actually flagged as an error
while in other contexts, it resulted in a less obvious error being raised.

With this change, both forms are accepted.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
@@ -109,6 +109,9 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
+	    alt|basealt|altlinux)
+		vendor=alt
+		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -132,6 +135,8 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+	    elif [ -f /etc/altlinux-release ] ; then
+		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat

Shorewall-core/configure.pl

@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -74,6 +74,8 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
+	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -117,6 +119,9 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
+    } elsif ( -f '/etc/altlinux-release' ){
+	$vendor = 'alt';
+	$rcfilename = 'shorewallrc.alt';
     } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';

Shorewall-core/install.sh

@@ -172,6 +172,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -180,6 +183,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -238,7 +243,7 @@ case "$HOST" in
     apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
 	;;
     *)
 	fatal_error "Unknown HOST \"$HOST\""

Shorewall-core/lib.cli

@@ -1201,11 +1201,17 @@ show_saves_command() {
     echo
 
     for f in ${VARDIR}/*-iptables; do
+	case $f in
+	    *\**)
+	        ;;
+	    *)
 		fn=$(basename $f)
 		fn=${fn%-iptables}
 		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
 		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
 		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
     done
 
     echo
@@ -2760,7 +2766,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)
 
 	if [ -z "$g_tool" ]; then
-	    fatal-error "No executable $tool binary can be found on your PATH"
+	    fatal_error "No executable $tool binary can be found on your PATH"
 	fi
     fi
 
@@ -3769,7 +3775,7 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
     else
 	too_many_arguments $4
@@ -3858,7 +3864,7 @@ noiptrace_command() {
 verify_firewall_script() {
     if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
 # Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -411,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -419,7 +419,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
     elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +501,7 @@ ip_network() {
 
 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+# the popular light-weight Bourne shell derivatives do not support XOR ("^").
 #
 ip_broadcast() {
     local x
@@ -751,6 +751,8 @@ mutex_on()
     lockf=${LOCKFILE:=${VARDIR}/lock}
     local lockpid
     local lockd
+    local lockbin
+    local openwrt
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
@@ -760,29 +762,33 @@ mutex_on()
 
 	[ -d "$lockd" ] || mkdir -p "$lockd"
 
+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
+	    elif [ -z "$openwrt" ]; then
-                return 0
+		if [ $lockpid -eq $$ ]; then
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
 		    rm -f ${lockf}
 		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 		fi
 	    fi
+	fi
 
-	if qt mywhich lockfile; then
+	if [ -n "$openwrt" ]; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall-core/lib.uninstaller

@@ -60,7 +60,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
     if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
+        if [ -f $1 -o -h $1 ] ; then
             rm -f $1
             echo "$1 Removed"
         fi
@@ -84,7 +84,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
             if [ -d $f ] ; then
                 rm -rf $f
                 echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
+            elif [ -f $f -o -h $f ] ; then
                 rm -f $f
                 echo "$f Removed"
             fi

Shorewall-core/manpages/shorewall.xml

@@ -1141,7 +1141,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>When no <replaceable>verbosity</replaceable> is specified,
           each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1162,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>Each instance of this option causes 1 to be subtracted from
           the effective verbosity.</para>
@@ -1199,7 +1199,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
           A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are host or network addresses.<caution>
               <para>The <command>add</command> command is not very robust. If
@@ -1214,7 +1214,7 @@
           <para>Beginning with Shorewall 4.5.9, the <emphasis
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5)) allows a single ipset to
           handle entries for multiple interfaces. When that option is
           specified for a zone, the <command>add</command> command has the
           alternative syntax in which the <replaceable>zone</replaceable> name
@@ -1332,7 +1332,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1440,7 +1440,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1458,7 +1458,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are a host or network address.</para>
 
@@ -1466,7 +1466,7 @@
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
           allows a single ipset to handle entries for multiple interfaces.
           When that option is specified for a zone, the
           <command>delete</command> command has the alternative syntax in
@@ -1493,7 +1493,7 @@
           command removes any routes added from <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
           any traffic shaping configuration for the interface.</para>
         </listitem>
       </varlistentry>
@@ -1554,7 +1554,7 @@
           adds any route specified in <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
           and installs the interface's traffic shaping configuration, if
           any.</para>
         </listitem>
@@ -1599,7 +1599,7 @@
           given then the file specified by RESTOREFILE in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -1684,7 +1684,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1700,7 +1700,7 @@
           <para>Monitors the log file specified by the LOGFILE option in
           <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
           and produces an audible alarm when new Shorewall messages are
           logged. The <emphasis role="bold">-m</emphasis> option causes the
           MAC address of each packet source to be displayed if that
@@ -1723,7 +1723,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1878,13 +1878,13 @@
                 INLINE_MATCHES is set to Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>
 
                 <para>The <option>-C</option> option was added in Shorewall
                 4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 If an existing firewall script is used and if that script was
                 the one that generated the current running configuration, then
                 the running netfilter configuration will be reloaded as is so
@@ -2006,7 +2006,7 @@
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2071,8 +2071,8 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2104,7 +2104,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -2144,8 +2144,8 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2177,7 +2177,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2304,7 +2304,7 @@
           restored from the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <caution>
             <para>If your iptables ruleset depends on variables that are
@@ -2460,7 +2460,7 @@
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>The <option>-C</option> option, added in Shorewall 4.6.5,
           causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2477,7 @@
           the SAVE_IPSETS option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command may be used to proactively save your ipset contents in
           the event that a system failure occurs prior to issuing a
           <command>stop</command> command.</para>
@@ -2645,7 +2645,7 @@
                 accounting counters (<ulink
                 url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                 (5), <ulink
-                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
+                url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -2669,7 +2669,7 @@
                 file specified by the LOGFILE option in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 The <emphasis role="bold">-m</emphasis> option causes the MAC
                 address of each packet source to be displayed if that
                 information is available.</para>
@@ -2851,7 +2851,7 @@
                   in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
                   will be restored if that saved configuration exists and has
                   been modified more recently than the files in
                   /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@@ -2862,7 +2862,7 @@
                   option was added to <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When LEGACY_FASTSTART=No, the modification times of files in
                   /etc/shorewall are compared with that of
                   /var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2881,7 @@
                   overriding the AUTOMAKE setting in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When both <option>-f</option> and <option>-c</option>are
                   present, the result is determined by the option that appears
                   last.</para>
@@ -2897,7 +2897,7 @@
                   INLINE_MATCHES is set to Yes in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
                   <para>The <option>-C</option> option was added in Shorewall
                   4.6.5 and is only meaningful when the <option>-f</option>
@@ -3216,30 +3216,38 @@
   <refsect1>
     <title>FILES</title>
 
-    <para>/etc/shorewall/</para>
+    <para>/etc/shorewall/*</para>
 
-    <para>/etc/shorewall6/</para>
+    <para>/etc/shorewall6/*</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
-    <para><ulink
+    <simplelist>
-    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+      <member><ulink
+      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink>
+      - Describes operational aspects of Shorewall.</member>
 
-    <para>shorewall-accounting(5), shorewall-actions(5),
+      <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
+      Describes the various configuration files along with features and
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
+      conventions common to those files.</member>
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
+
-    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+      <member><ulink url="shorewall-names.html">shorewall-names(5)</ulink> -
-    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+      Describes naming of objects within a Shorewall configuration.</member>
-    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+      <member><ulink
-    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+      url="shorewall-addresses.html">shorewall-addresses(5)</ulink> -
-    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
+      Describes how to specify addresses within a Shorewall
-    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
+      configuration.</member>
-    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
+
-    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
+      <member><ulink
-    shorewall-zones(5)</para>
+      url="shorewall-exclusion.html">shorewall-exclusion(5)</ulink> -
+      Describes how to exclude certain hosts and/or networks from matching a
+      rule.</member>
+
+      <member><ulink url="shorewall-nesting.html">shorewall-nesting(5)</ulink>
+      - Describes how to nest one Shorewall zone inside another.</member>
+    </simplelist>
   </refsect1>
 </refentry>

Shorewall-core/shorewall

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)

Shorewall-core/shorewallrc.alt

@@ -0,0 +1,25 @@
+#
+# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=alt
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
+PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
+INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf

Shorewall-core/wait4ifup

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V4.2
+#     Shorewall interface helper utility - V5.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-init/init.alt.sh

@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+NAME="Shorewall-init firewall"
+PROG="shorewall-init"
+SHOREWALL="$SBINDIR/$PROG"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+LOCKFILE=/var/lock/subsys/shorewall-init
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]; then
+		echo "No PRODUCTS configured"
+		exit 6
+	fi
+else
+	echo "/etc/sysconfig/shorewall-init not found"
+	exit 6
+fi
+
+RETVAL=0
+
+# set the STATEDIR variable
+setstatedir() {
+	local statedir
+	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+	fi
+
+	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+	if [ -x ${STATEDIR}/firewall ]; then
+		return 0
+	elif [ $PRODUCT = shorewall ]; then
+		${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/shorewall -6 compile
+	else
+		return 1
+	fi
+}
+
+start() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Initializing \"Shorewall-based firewalls\": "
+
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+		ipset -R < "$SAVE_IPSETS"
+	fi
+
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Clearing \"Shorewall-based firewalls\": "
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" ]; then
+		mkdir -p $(dirname "$SAVE_IPSETS")
+		if ipset -S > "${SAVE_IPSETS}.tmp"; then
+			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+		else
+			rm -f "${SAVE_IPSETS}.tmp"
+		fi
+	fi
+
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart|reload|condrestart|condreload)
+	    # "Not implemented"
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    status "$PROG"
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL

Shorewall-init/init.debian.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall-init/init.openwrt.sh

@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)

Shorewall-init/init.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-init/init.suse.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall-init/install.sh

@@ -181,6 +181,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -191,6 +194,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -253,6 +258,9 @@ case "$HOST" in
     openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
     linux)
 	fatal_error "Shorewall-init is not supported on this system"
 	;;

Shorewall-init/shorewall-init

@@ -1,5 +1,5 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/init.alt.sh

@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall-Lite init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall-Lite firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG -l"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
+
+LOCKFILE="/var/lock/subsys/${PROG}-lite"
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL

Shorewall-lite/init.openwrt.sh

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)

Shorewall-lite/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall-lite/install.sh

@@ -190,6 +190,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -198,6 +201,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -266,6 +271,9 @@ case "$HOST" in
     openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
     linux)
 	;;
     *)
@@ -418,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
     install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi
 
 if [ -f helpers ]; then
@@ -425,11 +438,6 @@ if [ -f helpers ]; then
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #

Shorewall-lite/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Macros/IPFS-swarm

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001

Shorewall/Macros/macro.Bitcoin

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333

Shorewall/Macros/macro.BitcoinRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332

Shorewall/Macros/macro.BitcoinZMQ

@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332

Shorewall/Macros/macro.Cockpit

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Cockpit
+#
+# This macro handles Time protocol (RFC868).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this.  NTP is a superior alternative.
+#
+#		By Eric Teeter
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	9090

Shorewall/Macros/macro.IPFS-API

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-API
+#
+# This macro handles IPFS API port (commands for the IPFS daemon).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     5001

Shorewall/Macros/macro.IPFS-gateway

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
+#
+# This macro handles the IPFS gateway to HTTP.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     8080

Shorewall/Macros/macro.IPFS-swarm

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001

Shorewall/Macros/macro.ONCRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111

Shorewall/Macros/macro.Tor

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	

Shorewall/Macros/macro.TorBrowserBundle

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150

Shorewall/Macros/macro.TorControl

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	

Shorewall/Macros/macro.TorDirectory

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030

Shorewall/Macros/macro.TorSocks

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	

Shorewall/Macros/macro.WUDO

@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
+	} elsif ( $action ne 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,13 +47,13 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-our $export;
+our $export;          # True when compiling for export
 
-our $test;
+our $test;            # True when running regression tests
 
-our $family;
+our $family;          # IP address family (4 or 6)
 
-our $have_arptables;
+our $have_arptables;  # True if we have arptables rules
 
 #
 # Initilize the package-globals in the other modules
@@ -269,7 +269,12 @@ sub generate_script_2() {
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
+	emit( 'if chain_exists DOCKER-ISOLATION; then',
+	      '    g_dockernetwork=One',
+	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
+	      '    g_dockernetwork=Two',
+	      'fi' );
     }
 
     pop_indent;
@@ -379,10 +384,10 @@ sub generate_script_3() {
     save_progress_message 'Initializing...';
 
     if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file( 'helpers' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
-	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
+	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
 

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -396,7 +396,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -465,7 +465,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
-		 MARK_ANYWHERE   => 'Mark in the filter table',
+		 MARK_ANYWHERE   => 'Mark in the filter and nat tables',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
@@ -523,13 +523,17 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
-
+#
+# Keeps track of which capabilities were used or required - Key is capability name
+#
 our %used;
 
 use constant {
                USED     => 1,
 	       REQUIRED => 2 };
-
+#
+# Common Protocols
+#
 use constant {
 	       ICMP                => 1,
 	       TCP                 => 6,
@@ -541,7 +545,7 @@ use constant {
 	       UDPLITE             => 136,
 	     };
 #
-# Optimization masks
+# Optimization masks (OPTIMIZE option)
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
@@ -550,7 +554,9 @@ use constant {
                OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
 	     };
-
+#
+# Map helpers to protocols
+#
 our %helpers = ( amanda          => UDP,
 		 ftp             => TCP,
 		 irc             => TCP,
@@ -625,7 +631,7 @@ our %config_files = ( #accounting      => 1,
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
-# Directories to search for configuration files
+# Directories to search for configuration files (CONFIG_PATH option)
 #
 our @config_path;
 #
@@ -648,10 +654,12 @@ our %compiler_params;
 # Action parameters
 #
 our %actparams;
-our $parmsmodified;
+our $parmsmodified;          # True of the current action has modified its parameters
-our $usedcaller;
+our $usedcaller;             # True if $CALLER has been acceseed in the current action
-our $inline_matches;
+our $inline_matches;         # Inline matches from the current rule
-
+#
+# File handling
+#
 our $currentline;            # Current config file line image
 our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
@@ -669,6 +677,7 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $ulogcount;              # Used to suppress duplicate warnings about ULOG support
 our $directive_callback;     # Function to call in compiler_directive
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -734,6 +743,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    MODULE_SUFFIX     => 1,
 		    MAPOLDACTIONS     => 1,
 		    INLINE_MATCHES    => 1,
+		    LOAD_HELPERS_ONLY => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -747,10 +757,11 @@ our $ifstack;
 #    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
 #    [1] - True if the outermost IF evaluated to false
 #    [2] - True if the the last unterminated IF evaluated to false
+#    [3] = The line number of the directive
 #
 # From .shorewallrc
 #
-our ( %shorewallrc, %shorewallrc1 );
+our ( %shorewallrc, %shorewallrc1 ); # Shorewallrc setting from local system and from remote firewall respectively
 #
 # read_a_line options
 #
@@ -828,6 +839,7 @@ sub initialize( $;$$$) {
     $comment       = '';
     $sr_comment    = '';
     $warningcount  = 0;
+    $ulogcount     = 0;
     #
     # Misc Globals
     #
@@ -969,7 +981,6 @@ sub initialize( $;$$$) {
 	  OPTIMIZE_ACCOUNTING => undef,
 	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
-	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
 	  FORWARD_CLEAR_MARK => undef,
 	  COMPLETE => undef,
@@ -1291,7 +1302,7 @@ sub initialize( $;$$$) {
     $compiletime =~ s/ +/ /g;
 }
 
-my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
+my @moabbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 
 sub add_ipset( $ ) {
     $ipsets{$_[0]} = 1;
@@ -1391,7 +1402,7 @@ sub info_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1419,7 +1430,7 @@ sub warning_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1544,7 +1555,7 @@ sub fatal_error	{
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $confess ) {
 	    print $log longmess( "   ERROR: @_$currentlineinfo\n" );
@@ -1567,6 +1578,9 @@ sub fatal_error	{
     }
 }
 
+#
+# This one is used for reporting syntax errors in embedded Perl code
+#
 sub fatal_error1 {
     handle_first_entry if $first_entry;
 
@@ -1574,7 +1588,7 @@ sub fatal_error1 {
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $debug ) {
 	    print $log longmess( "   ERROR: @_\n" );
@@ -1684,7 +1698,7 @@ sub emit {
 
     if ( $script || $debug ) {
 	#
-	# 'compile' as opposed to 'check'
+	# 'compile' (as opposed to 'check') or debugging (CLI 'trace' command)
 	#
 	for ( @_ ) {
 	    unless ( /^\s*$/ ) {
@@ -1845,12 +1859,15 @@ sub progress_message {
 
 	    @localtime = localtime unless $havelocaltime;
 
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
     }
 }
 
+#
+# This one doesn't compress out superfluous white space
+#
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
@@ -1864,7 +1881,7 @@ sub progress_message_nocompress {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1885,7 +1902,7 @@ sub progress_message2 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1906,7 +1923,7 @@ sub progress_message3 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -2077,7 +2094,7 @@ sub set_debug( $$ ) {
 #
 sub find_file($)
 {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2094,8 +2111,12 @@ sub find_file($)
     "$config_path[0]$filename";
 }
 
+#
+# Search the CONFIG_PATH for a file that is writable. Ignore directories where sample/default files are installed,
+# because users have a bad habit of including those in the CONFIG_PATH
+#
 sub find_writable_file($) {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2117,6 +2138,9 @@ sub supplied( $ ) {
     defined $val && $val ne '';
 }
 
+#
+# This one is used for determining if an action argument has been passed (excludes '-')
+#
 sub passed( $ ) {
     my $val = shift;
 
@@ -2135,7 +2159,7 @@ sub split_list( $$;$ ) {
 }
 
 #
-# This version handles parenthetical list elements with embedded commas. It removes the parentheses
+# This version handles parenthetical list elements containing embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
     my ($list, $type, $keepparens ) = @_;
@@ -2519,7 +2543,7 @@ sub split_line2( $$;$$$ ) {
 }
 
 #
-# Same as above, only it splits the raw current line
+# Same as above, only it splits the raw current line (line prior to variable expansion)
 #
 sub split_rawline2( $$;$$$ ) {
     my $savecurrentline = $currentline;
@@ -2529,6 +2553,10 @@ sub split_rawline2( $$;$$$ ) {
     # Delete trailing comment
     #
     $currentline =~ s/\s*#.*//;
+    #
+    # Convert ${...} to $...
+    #
+    $currentline =~ s/\$\{(.*?)\}/\$$1/g;
 
     my @result = &split_line2( @_ );
 
@@ -2623,6 +2651,7 @@ sub do_open_file( $ ) {
 # - Maximum value allowed in ?FORMAT directives
 # - ?COMMENT allowed in this file
 # - Ignore ?COMMENT in ths file
+# - Default file format
 #
 sub open_file( $;$$$$ ) {
     my ( $fname, $mf, $ca, $nc, $cf ) = @_;
@@ -2715,7 +2744,7 @@ sub clear_currentfilename() {
 }
 
 #
-# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
+# Utility functions for processing compiler directives
 #
 
 #
@@ -2742,7 +2771,7 @@ sub directive_warning( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 
@@ -2767,7 +2796,7 @@ sub directive_info( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 
@@ -2829,7 +2858,7 @@ sub evaluate_expression( $$$$ ) {
     }
 
     #                         $1      $2   $3                     -     $4
-    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
 	if ( $var =~ /^\d+$/ ) {
@@ -2846,7 +2875,7 @@ sub evaluate_expression( $$$$ ) {
 
     if ( $chain ) {
 	#                         $1      $2   $3                     -     $4
-	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $expression =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
@@ -2857,7 +2886,7 @@ sub evaluate_expression( $$$$ ) {
     }
 
     #                         $1      $2   $3      -     $4
-    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) __(\{)? (\w+) (?(2)}) (.*)$ )x ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);
 
 	if ( exists $capdesc{$cap} ) {
@@ -3519,7 +3548,7 @@ sub shorewall {
 # We do this processing in read_a_line() rather than in the higher-level routines because
 # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
 # until we get back to the caller of read_a_line(), we could issue error messages about parsing and
-# running scripts in the file before we'd even indicated that we are processing it.
+# running scripts in the file before we'd even reported that we are processing it.
 #
 sub first_entry( $ ) {
     $first_entry = shift;
@@ -3696,6 +3725,7 @@ sub push_action_params( $$$$$$ ) {
 # Return:
 #   1 if the popped parameters were modified
 #   2 if the action used @CALLER
+#   3 if both
 #
 sub pop_action_params( $ ) {
     my $oldparms       = shift;
@@ -3706,6 +3736,10 @@ sub pop_action_params( $ ) {
     $return;
 }
 
+#
+# This is called when a DEFAULTS line is found in an action body. It supplies default values
+# for those paramaters that were not passed, or that were passed as '-'.
+#
 sub default_action_params {
     my $action = shift;
     my ( $val, $i );
@@ -3719,6 +3753,9 @@ sub default_action_params {
     fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }
 
+#
+# This function allows embedded Perl in actions to retreive the action paramaters
+#
 sub get_action_params( $ ) {
     my $num = shift;
 
@@ -3734,6 +3771,9 @@ sub get_action_params( $ ) {
     @return;
 }
 
+#
+# Helper for A_* actions
+#
 sub setup_audit_action( $ ) {
     my ( $action ) = @_;
 
@@ -3753,26 +3793,44 @@ sub get_action_logging() {
     @actparams{ 'loglevel', 'logtag' };
 }
 
+#
+# Allow embedded Perl in Actions to get the name of the action chain
+#
 sub get_action_chain() {
     $actparams{0};
 }
 
+#
+# Get the action name from an action file
+#
 sub get_action_chain_name() {
     $actparams{chain};
 }
-
+#
+# This allows an action to make subsequent log messages refer to the invoker of the action rather than the 
+# action itself
+#
 sub set_action_name_to_caller() {
     $actparams{chain} = $actparams{caller};
 }
 
+#
+# Get the current action's disposition
+#
 sub get_action_disposition() {
     $actparams{disposition};
 }
 
+#
+# Set the current action disposition for subsequent logging
+#
 sub set_action_disposition($) {
     $actparams{disposition} = $_[0];
 }
 
+#
+# Alter the value of one of the current actions parameters
+#
 sub set_action_param( $$ ) {
     my $i = shift;
 
@@ -3787,7 +3845,7 @@ sub expand_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     my $chain = $actparams{chain};
     #                         $1      $2   $3                   -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
@@ -3826,7 +3884,7 @@ sub expand_variables( \$ ) {
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
-	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $$lineref =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
@@ -3839,10 +3897,13 @@ sub expand_variables( \$ ) {
     }
 }
 
+#
+# Expand variables from shorewallrc in the current passed line
+#
 sub expand_shorewallrc_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     #                         $1      $2   $3                  -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
@@ -3882,7 +3943,7 @@ sub handle_first_entry() {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
-#   - Handle ?IF, ?ELSE, ?ENDIF
+#   - Handle ?SECTION
 #
 
 sub read_a_line($) {
@@ -4005,18 +4066,23 @@ sub read_a_line($) {
     }
 }
 
+#
+# Process the passed shorewallrc file, populating %shorewallrc
+#
 sub process_shorewallrc( $$ ) {
     my ( $shorewallrc , $product ) = @_;
 
     $shorewallrc{PRODUCT} = $product;
+    $variables{PRODUCT}   = $product;
 
     if ( open_file $shorewallrc ) {
-	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK | EXPAND_VARIABLES ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
 		expand_shorewallrc_variables($val) if supplied $val;
 		$shorewallrc{$var} = $val;
+		$variables{$var}   = $val;
 	    } else {
 		fatal_error "Unrecognized shorewallrc entry";
 	    }
@@ -4025,6 +4091,12 @@ sub process_shorewallrc( $$ ) {
 	fatal_error "Failed to open $shorewallrc: $!";
     }
 
+    #
+    # Older files may contain VARDIR= rather than VARLIB= to specify the directory
+    # where each product maintains its own state directory. This was confusing,
+    # because in the shell context, VARDIR points to the current product's state
+    # directory.
+    #
     if ( supplied $shorewallrc{VARDIR} ) {
 	if ( ! supplied $shorewallrc{VARLIB} ) {
 	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
@@ -4087,12 +4159,19 @@ sub default_yes_no ( $$;$ ) {
     $result;
 }
 
+#
+# This one is used for options that are supported by IPv4 but not IPv6. It issues a
+# warning message if the option is specified in shorewall6.conf.
+#
 sub default_yes_no_ipv4 ( $$ ) {
     my ( $var, $val ) = @_;
     default_yes_no( $var, $val );
     warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }
 
+#
+# This function handles options that have a numeric value.
+#
 sub numeric_option( $$$ ) {
     my ( $option, $default, $min ) = @_;
 
@@ -4110,6 +4189,9 @@ sub numeric_option( $$$ ) {
     $config{$option} = $val;
 }
 
+#
+# Returns a 32-bit value with the low order n bits set, where n is the passed argument.
+#
 sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
@@ -4210,6 +4292,10 @@ sub validate_level( $;$ ) {
 	if ( $value =~ /^(NFLOG|ULOG)$/ ) {
 	    my $olevel  = $value;
 
+	    if ( $value eq 'ULOG' ) {
+		warning_message "ULOG is deprecated in favor of NFLOG. Support for ULOG will be removed in a future release" unless $ulogcount++;
+	    }
+
 	    if ( $qualifier =~ /^[(](.*)[)]$/ ) {
 		my @options = split /,/, $1;
 		my $prefix  = lc $olevel;
@@ -4285,7 +4371,7 @@ sub default_log_level( $$ ) {
 }
 
 #
-# Check a tri-valued variable
+# Check a tri-valued option ("on", "of" and "keep")
 #
 sub check_trivalue( $$ ) {
     my ( $var, $default) = @_;
@@ -4367,7 +4453,7 @@ sub load_kernel_modules( ) {
 	push @moduledirectories, $_ if -d $_;
     }
 
-    if ( $moduleloader &&  @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
+    if ( $moduleloader &&  @moduledirectories && open_file( 'helpers' ) ) {
 	my %loadedmodules;
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -4421,7 +4507,8 @@ sub determine_kernelversion() {
 }
 
 #
-# Capability Reporting and detection.
+# Capability Reporting and detection. Each of the following functions detect the
+# availability of the related capability.
 #
 sub Nat_Enabled() {
     qt1( "$iptables $iptablesw -t nat -L -n" );
@@ -5136,7 +5223,7 @@ sub have_capability( $;$ ) {
 
     $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting;
 
-    $used{$capability} = $required ? 2 : 1 if $setting;
+    $used{$capability} = $required ? REQUIRED : USED if $setting;
 
     $setting;
 }
@@ -5165,111 +5252,6 @@ sub determine_capabilities() {
 	    qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
-
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
-	#
-	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
-	# functions but it ensures that %detect_capability is initialized properly.
-	#
-	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
-	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
-	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-
-	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
-	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
-	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
-	} else {
-	    $capabilities{NEW_CONNTRACK_MATCH} = '';
-	    $capabilities{OLD_CONNTRACK_MATCH} = '';
-	}
-
-	$capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' );
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
-	$capabilities{EMULTIPORT}   = detect_capability( 'EMULTIPORT' );
-	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
-
-	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
-	    $capabilities{PHYSDEV_BRIDGE} = detect_capability( 'PHYSDEV_BRIDGE' );
-	} else {
-	    $capabilities{PHYSDEV_BRIDGE} = '';
-	}
-
-	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
-	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
-	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
-	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
-	$capabilities{OWNER_NAME_MATCH}
-                                       = detect_capability( 'OWNER_NAME_MATCH' );
-	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
-	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
-	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
-	$capabilities{OLD_IPP2P_MATCH} = detect_capability( 'OLD_IPP2P_MATCH' );
-	$capabilities{LENGTH_MATCH}    = detect_capability( 'LENGTH_MATCH' );
-	$capabilities{ENHANCED_REJECT} = detect_capability( 'ENHANCED_REJECT' );
-	$capabilities{COMMENTS}        = detect_capability( 'COMMENTS' );
-	$capabilities{OLD_HL_MATCH}    = detect_capability( 'OLD_HL_MATCH' );
-	$capabilities{HASHLIMIT_MATCH} = detect_capability( 'HASHLIMIT_MATCH' );
-	$capabilities{MARK}            = detect_capability( 'MARK' );
-	$capabilities{XMARK}           = detect_capability( 'XMARK' );
-	$capabilities{EXMARK}          = detect_capability( 'EXMARK' );
-	$capabilities{CONNMARK}        = detect_capability( 'CONNMARK' );
-	$capabilities{XCONNMARK}       = detect_capability( 'XCONNMARK' );
-	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
-	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
-	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
-	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
-	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
-	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
-	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
-	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
-	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
-	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
-	$capabilities{ULOG_TARGET}     = detect_capability( 'ULOG_TARGET' );
-	$capabilities{NFLOG_TARGET}    = detect_capability( 'NFLOG_TARGET' );
-	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
-	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
-	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
-	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
-	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
-	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
-	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
-	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
-	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
-	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
-	$capabilities{BASIC_EMATCH}    = detect_capability( 'BASIC_EMATCH' );
-	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
-	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
-	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
-	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
-	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
-	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
-	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
-	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
-	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
-	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
-	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
-	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
-	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
-	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
-	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );
-
-	unless ( have_capability 'CT_TARGET' ) {
-	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
-	}
-
-    }
 }
 
 #
@@ -5333,6 +5315,9 @@ sub ensure_config_path() {
     }
 
     if ( $shorewall_dir ) {
+	#
+	# A directory has been specified -- place it at the front of the CONFIG_PATH
+	#
 	$shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|;
 	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
@@ -5367,7 +5352,8 @@ sub conditional_quote( $ ) {
 }
 
 #
-# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+# 'update' default values are sometimes different from the normal defaut value, to provide
+# backward compatibility.
 #
 sub update_default($$) {
     my ( $var, $val ) = @_;
@@ -5388,6 +5374,9 @@ sub transfer_permissions( $$ ) {
     }
 }
 
+#
+# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+#
 sub update_config_file( $ ) {
     my ( $annotate ) = @_;
 
@@ -5452,6 +5441,7 @@ sub update_config_file( $ ) {
     update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',              '' );
+    update_default( 'AUTOMAKE',              'No' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5459,7 +5449,7 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
     }
 
-    for ( qw/DROP_DEFAULT REJECT_DEFAULT/ ) {
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };
 
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
@@ -5786,7 +5776,7 @@ sub unsupported_yes_no_warning( $ ) {
 }
 
 #
-# Process the params file
+# Process the params file. Actually processing is done by the 'getparams' program in $LIBEXECDIR/shorewall/.
 #
 sub get_params( $ ) {
     my $export = $_[0];
@@ -5921,7 +5911,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' || $_ eq 'SW_CONFDIR' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}
@@ -6256,11 +6246,6 @@ sub get_configuration( $$$ ) {
 
     unshift @INC, @config_path;
 
-    #
-    # get_capabilities requires that the true settings of these options be established
-    #
-    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
-
     if ( ! $export && $> == 0 ) {
 	get_capabilities($have_capabilities);
     }
@@ -6313,8 +6298,6 @@ sub get_configuration( $$$ ) {
 	$capabilities{$_}    = 0 for grep /_HELPER/ , keys %capabilities;
     }
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
     #
     # Now initialize the used capabilities hash
     #
@@ -6599,7 +6582,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
     default_yes_no 'USE_NFLOG_SIZE'             , '';
 
-    if ( ( $val = $config{AUTOMAKE} ) !~ /^[Rr]ecursive$/ ) {
+    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
 	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
     }
 
@@ -7052,8 +7035,6 @@ sub get_configuration( $$$ ) {
     }
 
     convert_to_version_5_2 if $update;
-
-    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
 
 #
@@ -7192,6 +7173,9 @@ sub generate_aux_config() {
     finalize_aux_config;
 }
 
+#
+# Generate a report of the fwmark layout
+#
 sub dump_mark_layout() {
     sub dumpout( $$$$$ ) {
 	my ( $name, $bits, $min, $max, $mask ) = @_;

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -66,6 +66,9 @@ sub initialize( $ ) {
     $family = shift;
 }
 
+#
+# Warn that the tos file is no longer supported
+#
 sub process_tos() {
 
    if ( my $fn = open_file 'tos' ) {
@@ -145,6 +148,9 @@ sub setup_ecn()
     }
 }
 
+#
+# Add a logging rule followed by a jump
+#
 sub add_rule_pair( $$$$$ ) {
     my ($chainref , $predicate , $target , $level, $tag ) = @_;
 
@@ -402,6 +408,9 @@ EOF
     }
 }
 
+#
+# Convert a routestopped file into an equivalent stoppedrules file
+#
 sub convert_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -662,13 +671,26 @@ sub process_stoppedrules() {
     $result;
 }
 
+#
+# Generate the rules required when DOCKER=Yes
+#
 sub create_docker_rules() {
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
     my $chainref = $filter_table->{FORWARD};
 
     add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
-    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
+    add_commands( $chainref ,
+		  '',
+		  'case "$g_dockernetwork" in',
+		  '    One)',
+		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
+		  '        ;;',
+		  '    Two)',
+		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
+		  '        ;;',
+		  'esac' );
 
     if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
@@ -693,6 +715,9 @@ sub create_docker_rules() {
 
 sub setup_mss();
 
+#
+# Add rules generated by .conf options and interface options
+#
 sub add_common_rules ( $ ) {
     my ( $upgrade ) = @_;
     my $interface;
@@ -810,7 +835,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -1273,6 +1298,13 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );
 
+#
+# Create rules generated by the 'maclist' option and by entries in the maclist file.
+#
+# The function is called twice. The first call passes '1' and causes the maclist file
+# to be processed. The second call passes '2' and generates the jumps for 'maclist'
+# interfaces.
+#
 sub setup_mac_lists( $ ) {
 
     my $phase = $_[0];
@@ -1714,9 +1746,9 @@ sub add_interface_jumps {
 	    add_ijump( $filter_table->{input_chain $bridge },
 		       j => $inputref ,
 		       imatch_source_dev( $interface, 1 )
-		    ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+		) unless $input_jump_added{$interface}   || ! use_interface_chain( $interface, 'use_input_chain' );
 
-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
 		add_ijump( $filter_table->{output_chain $bridge} ,
 			   j => $outputref ,
 			   imatch_dest_dev( $interface, 1 ) )
@@ -1726,9 +1758,9 @@ sub add_interface_jumps {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
 	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref )         && ! $forward_jump_added{$interface}++;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
 
-	    if ( use_output_chain $interface, $outputref ) {
+	    if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
 		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
@@ -1917,7 +1949,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
     my @zone_interfaces   = keys %{zone_interfaces( $zone )};
 
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
@@ -2051,7 +2083,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
     my @source            = imatch_source_net $net;
     my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
 
-    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or
@@ -2444,6 +2476,9 @@ sub generate_matrix() {
     }
 }
 
+#
+# Generate MSS rules
+#
 sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 				$addr = $1;
+				$addr =~ s/\]-\[/-/;
 
 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 
 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,25 +60,63 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_interfaces;
+our @load_providers;
 
-our $balancing;
+our $balancing;               # True, if there are balanced providers
-our $fallback;
+our $fallback;                # True, if there are fallback providers
-our $balanced_providers;
+our $balanced_providers;      # Count of balanced providers
-our $fallback_providers;
+our $fallback_providers;      # Count of fallback providers
-our $metrics;
+our $metrics;                 # True, if using statistical balancing
-our $first_default_route;
+our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
-our $first_fallback_route;
+our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
-our $maxload;
+our $maxload;                 # Sum of 'load' values
-our $tproxies;
+our $tproxies;                # Count of tproxy providers
 
-our %providers;
+our %providers;               # Provider table
+#
+# %provider_table { <provider> => { provider	      => <provider name>,
+#				    number	      => <provider number>,
+#				    id		      => <name> or <number> depending on USE_RT_NAMES,
+#				    rawmark	      => <specified mark value>,
+#				    mark	      => <mark, in hex>,
+#				    interface	      => <logical interface>,
+#				    physical	      => <physical interface>,
+#				    optional	      => {0|1},
+#				    wildcard	      => <from interface>,
+#				    gateway	      => <gateway>,
+#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
+#				    shared	      => <true, if multiple providers through this interface>,
+#				    copy	      => <contents of the COPY column>,
+#				    balance	      => <balance count>,
+#				    pref	      => <route rules preference (priority) value>,
+#				    mtu		      => <mtu>,
+#				    noautosrc	      => {0|1} based on [no]autosrc setting,
+#				    track	      => {0|1} based on 'track' setting,
+#				    loose	      => {0|1} based on 'loose' setting,
+#				    duplicate	      => <contents of the DUPLICATE column>,
+#				    address	      => If {shared} above, then the local IP address.
+#							 Otherwise, the value of the 'src' option,
+#				    mac		      => Mac address of gateway, if {shared} above,
+#				    tproxy	      => {0|1},
+#				    load	      => <load % for statistical balancing>,
+#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
+#							 a real provider,
+#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
+#				    hostroute	      => {0|1} based on [no]hostroute setting,
+#				    rules	      => ( <routing rules> ),
+#				    persistent_rules  => ( <persistent routing rules> ),
+#				    routes	      => ( <routes> ),
+#				    persistent_routes => ( <persistent routes> ),
+#				    persistent	      => {0|1} depending on 'persistent' setting,
+#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
+#				    origin	      => <filename and linenumber where provider/interface defined>
+#		   }
 
-our @providers;
+our @providers;    # Provider names. Only declared names are included in this array. 
 
-our $family;
+our $family;       # Address family
 
-our $lastmark;
+our $lastmark;     # Highest assigned mark
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -99,7 +137,7 @@ sub initialize( $ ) {
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_interfaces        = ();
+    @load_providers         = ();
     $balancing              = 0;
     $balanced_providers     = 0;
     $fallback_providers     = 0;
@@ -132,7 +170,6 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-
     if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
     }
@@ -163,8 +200,8 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 
 		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
+		    if ( have_capability( 'MARK_ANYWHERE' ) && ( my $chainref = $filter_table->{forward_chain($interface)} ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+			add_ijump_extended $chainref, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
@@ -185,16 +222,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
     }
 
-    if ( @load_interfaces ) {
+    if ( @load_providers ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;
 
 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
 
-	for my $physical ( @load_interfaces ) {
+	for my $provider ( @load_providers ) {
 
-	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );
 
 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 
@@ -446,7 +483,7 @@ sub process_a_provider( $ ) {
     fatal_error 'NAME must be specified' if $table eq '-';
 
     unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;
 
 	my $num = numeric_value $number;
 
@@ -636,6 +673,7 @@ sub process_a_provider( $ ) {
     }
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
+    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;
 
     unless ( $pseudo ) {
 	if ( $local ) {
@@ -676,7 +714,6 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-
 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
@@ -779,7 +816,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
     }
 
-    push @load_interfaces, $physical if $load;
+    push @load_providers, $table if $load;
 
     push @providers, $table;
 
@@ -941,8 +978,9 @@ sub add_a_provider( $$ ) {
 	}
     }
 
-    emit( "echo $load > \${VARDIR}/${physical}_load",
+    emit( "echo $load > \${VARDIR}/${table}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
+	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;
 
     emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -1097,7 +1135,7 @@ CEOF
 	    $weight = 1;
 	}
 
-	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+	emit ( "distribute_load $maxload @load_providers" ) if $load;
 
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
@@ -1244,7 +1282,7 @@ CEOF
 	}
 
 	emit ( '',
-	       "distribute_load $maxload @load_interfaces" ) if $load;
+	       "distribute_load $maxload @load_providers" ) if $load;
 
 	if ( $persistent ) {
 	    emit ( '',
@@ -1615,7 +1653,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
     } else {
-	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1909,24 +1947,24 @@ sub setup_providers() {
 	pop_indent;
 	emit 'fi';
 
-	setup_route_marking if @routemarked_interfaces || @load_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_providers;
     } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
 
+	emit "undo_routing";
+	emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
 
 	if ( $config{NULL_ROUTE_RFC1918} ) {
+	    emit '';
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache" unless $standard_routes;
 	}
@@ -2485,7 +2523,7 @@ sub handle_stickiness( $ ) {
 	}
     }
 
-    if ( @routemarked_providers || @load_interfaces ) {
+    if ( @routemarked_providers || @load_providers ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
@@ -2493,9 +2531,9 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_providers" ,
 	   ''
-	 ) if @load_interfaces;
+	 ) if @load_providers;
 }
 
 1;

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -292,6 +292,8 @@ our $mangle;
 
 our $sticky;
 
+our $excludefw;
+
 our $divertref; # DIVERT chain
 
 our %validstates = ( NEW                => 0,
@@ -365,6 +367,10 @@ sub initialize( $ ) {
     #
     %actions           = ();
     #
+    # Count of 'all[+]=' encountered
+    #
+    $excludefw         = 0;
+    #
     # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
@@ -605,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
+sub handle_nfqueue( $ ) {
-    my ($params, $allow_bypass ) = @_;
+    my ($params) = @_;
     my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
@@ -619,7 +625,6 @@ sub handle_nfqueue( $$ ) {
 
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -647,7 +652,6 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 
 	$bypass =' --queue-bypass';
     } else {
@@ -672,14 +676,42 @@ sub process_a_policy1($$$$$$$) {
 
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
-    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+    my $clientwild = ( "\L$client" =~ /^all(\+)?(?:!(.+))?$/ );
+    my $clientexclude;
+    my %clientexcluded;
 
-    $intrazone  ||= $clientwild && $1;
+    if ( $clientwild ) {
+	$intrazone ||= $1;
+
+	if ( $clientexclude = $2 ) {
+	    for my $client ( split_list( $clientexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($client)" unless defined_zone( $client );
+		$clientexcluded{$client} = 1;
+	    }
+
+	    $client = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
-    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
+    my $serverwild = ( "\L$server" =~ /^all(\+)?(?:!(.+))?/ );
-    $intrazone   ||= ( $serverwild && $1 );
+    my $serverexclude;
+    my %serverexcluded;
+
+
+    if ( $serverwild ) {
+	$intrazone ||= $1;
+
+	if ( $serverexclude = $2 ) {
+	    for my $server ( split_list( $serverexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($server)" unless defined_zone( $server );
+		$serverexcluded{$server} = 1;
+	    }
+
+	    $server = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
@@ -687,7 +719,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -702,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
     my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
+	$policy = handle_nfqueue( $queue );
-				  0 # Don't allow 'bypass'
-	    );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -762,20 +798,20 @@ sub process_a_policy1($$$$$$$) {
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
-	    for my $zone ( @zonelist ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, @zonelist ) ) {
-		for my $zone1 ( @zonelist ) {
+		for my $zone1 ( grep( ! $serverexcluded{zone}, @zonelist ) ) {
 		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
-	    for my $zone ( all_zones ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, all_zones ) ) {
 		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
-	for my $zone ( @zonelist ) {
+	for my $zone ( grep( ! $serverexcluded{$_}, @zonelist ) ) {
 	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
@@ -802,11 +838,15 @@ sub process_a_policy() {
 
     my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $clientlist = ( $clients =~ /,/ ) ) {
+    if ( $clients =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $clientlist = ( $clients =~ /,/ ) ) {
 	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $serverlist = ( $servers =~ /,/ ) ) {
+    if ( $servers =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $serverlist = ( $servers =~ /,/ ) ) {
 	$intrazone ||= ( $servers =~ s/\+$// );
     }	
 
@@ -816,12 +856,14 @@ sub process_a_policy() {
 
     if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
+	    fatal_error "'all' is not allowed in a source zone list" if $clientlist && $client =~ /^all\b/;
 	    for my $server ( split_list( $servers, 'zone' ) ) {
+		fatal_error "'all' is not allowed in a destination zone list" if $serverlist && $server =~ /^all\b/;
 		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
     } else {
-	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone );
     }
 }
 
@@ -1564,8 +1606,8 @@ sub merge_levels ($$) {
 
     return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
 
-    my @supparts = split /:/, $superior;
+    my @supparts = split_list2( $superior ,    'Action' );
-    my @subparts = split /:/, $subordinate;
+    my @subparts = split_list2( $subordinate , 'Action' );
 
     my $subparts = @subparts;
 
@@ -2609,7 +2651,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -2658,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
+	$action = handle_nfqueue( $param );
-				  1 # Allow 'bypass'
-	    );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2781,7 +2821,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 
 	      HELPER => sub { 
-		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+		  fatal_error "HELPER requires that a helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 		  $action = ''; } ,
 
@@ -3137,13 +3177,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
 	#
 	# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
-	# don't apply rate limiting twice
 	#
 	$rule .= join( '',
 		       do_proto($proto, $ports, $sports),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_user( $user ) ,
 		       do_test( $mark , $globals{TC_MASK} ) ,
 		       do_connlimit( $connlimit ),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
@@ -3239,12 +3280,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
+	#   - don't apply rate limiting twice
 	#
 	unless ( $actiontype & NATONLY ) {
 	    $rule = join( '',
 			  $matches,
 			  do_proto( $proto, $ports, $sports ),
-			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
 			  do_condition( $condition , $chain ),
@@ -3658,6 +3699,7 @@ sub next_section() {
 #
 sub build_zone_list( $$$\$\$ ) {
     my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
+    my $original_input = $input;
     my $any = ( $input =~ s/^any/all/ );
     my $exclude;
     my $rest;
@@ -3686,9 +3728,25 @@ sub build_zone_list( $$$\$\$ ) {
 	    if ( $input eq 'all+' ) {
 		$$intrazoneref = 1;
 	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "$original_input is deprecated in favor of 'any+!\$FW'";
+		    } else {
+			warning_message "$original_input is deprecated in favor of 'all+!\$FW'";
+		    }
+		}
+
 		$$intrazoneref = 1;
 		$exclude{$fw} = 1;
 	    } elsif ( $input eq 'all-' ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "any- is deprecated in favor of 'any!\$FW'";
+		    } else {
+			warning_message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
+		    }
+		}
+
 		$exclude{$fw} = 1;
 	    } else {
 		fatal_error "Invalid $which ($input)";
@@ -4077,6 +4135,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	O => OUTPUT,
 	T => POSTROUTING,
 	R => REALPREROUTING,
+	NP => REALPREROUTING,
+	NI => REALINPUT,
+	NO => REALOUTPUT,
+	NT => REALPOSTROUTING
 	);
 
     my %chainlabels = ( 1  => 'PREROUTING',
@@ -4093,6 +4155,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		       32   => 'sticky',
 		       64   => 'sticko',
 		       128  => 'PREROUTING',
+		       256  => 'INPUT',
+		       512  => 'OUTPUT',
+		       1024 => 'POSTROUTING',
 	);
 
     my $inchain        = defined $chainref;
@@ -4116,6 +4181,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
     my $actiontype;
     my $commandref;
     my $prerule        = '';
+    my $table          = 'mangle';
+    my $tabletype      = MANGLE_TABLE;
     #
     # Subroutine for handling MARK and CONNMARK. We use an enclosure so as to keep visibility of the
     # function's local variables without making them static. process_mangle_rule1() is called
@@ -4157,7 +4224,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 
 	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
 
-	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
+	    my $chainref = ensure_chain( $table, $chain = $chainnames{$chain} );
 
 	    $restriction |= $chainref->{restriction};
 
@@ -4476,7 +4543,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
-		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & $tabletype;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
@@ -4492,7 +4559,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
-		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & $tabletype;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
@@ -4564,7 +4631,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING | REALPREROUTING | REALINPUT | REALOUTPUT | REALPOSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -4600,7 +4667,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING | REALPREROUTING | REALINPUT | REALOUTPUT | REALPOSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -4846,6 +4913,14 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	fatal_error "A chain designator may not be specified in an action body" if $inaction;
 	my $temp = $designators{$designator};
 	fatal_error "Invalid chain designator ( $designator )" unless $temp;
+
+	if ( $designator =~ /^N/ ) {
+	    fatal_error "Only MARK, CONNMARK, SAVE and RESTORE may be used in the nat table" unless $cmd =~ /^(?:(?:(?:CONN)MARK)|SAVE|RESTORE)[(]?/;
+	    require_capability('MARK_ANYWHERE', "The $designator designator", 's');
+	    $table = 'nat';
+	    $tabletype = NAT_TABLE;
+	}
+
 	$designator = $temp;
     }
 
@@ -4871,21 +4946,30 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
 
     if ( $source ne '-' ) {
 	if ( $source eq $fw ) {
-	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
+	    if ( $designator ) {
+		fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' unless $designator & ( OUTPUT | REALOUTPUT );
+		$chain = $designator;
+	    } else {
 		$chain = OUTPUT;
+	    }
+
 	    $source = '-';
 	} elsif ( $source =~ s/^($fw):// ) {
-	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
+	    if ( $designator ) {
+		fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' unless $designator & ( OUTPUT | REALOUTPUT );
+		$chain = $designator;
+	    } else {
 		$chain = OUTPUT;
 	    }
 	}
+    }
 
     if ( $dest ne '-' ) {
 	if ( $dest eq $fw ) {
@@ -4953,11 +5037,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
-	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+	    unless ( $chain & ( OUTPUT | POSTROUTING | REALOUTPUT | REALPOSTROUTING ) ) {
 		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
 	    }
 
-	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
+	    $chainref = ensure_chain( $table, $chainnames{$chain} );
 	}
 
 	$restriction |= $chainref->{restriction};
@@ -5547,6 +5631,15 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
 	}
 
+	if ( $chainref->{complete} ) {
+	    if ( $interface ) {
+		warning_message( "Interface $interface entry generated no $toolname rule" );
+	    } else {
+		warning_message( "Entry generated no $toolname rule" );
+	    }
+	    next;
+	}
+
 	$baserule .= do_condition( $condition , $chainref->{name} );
 	#
 	# Handle IPSEC options, if any
@@ -5674,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 			    $addr = $1;
+			    $addr =~ s/\]-\[/-/;
 
 			    if ( $addr =~ /^(.+)-(.+)$/ ) {
-				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $addr, 0;

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -222,6 +222,9 @@ use constant { IN_OUT     => 1,
 	       IN         => 2,
 	       OUT        => 3 };
 
+#
+# Zone types
+#
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -231,6 +234,9 @@ use constant { FIREWALL => 1,
 	       LOCAL    => 64,
 	   };
 
+#
+# Interface option classification
+#
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
 	       ENUM_IF_OPTION     => 3,
@@ -247,11 +253,17 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 
+#
+# 'ignore' option flags
+#
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
 our %validinterfaceoptions;
 
+#
+# Interface options that are implemented in /proc
+#
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
@@ -263,6 +275,9 @@ our %procinterfaceoptions=( accept_ra   => 1,
 			    sourceroute => 1,
 			  );
 
+#
+# Options that are not allowed with unmanaged interfaces
+#
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -281,10 +296,15 @@ our %prohibitunmanaged = (
 			  upnp           => 1,
 			  upnpclient     => 1,
 			 );
-
+#
+# Default values for options that admit an optional value
+#
 our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3, routeback => 1 );
 
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
+#
+# Maximum value for options that accept a range of values
+#
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 300 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
 
 our %validhostoptions;
 
@@ -701,7 +721,7 @@ sub determine_zones()
 }
 
 #
-# Return true of we have any ipsec zones
+# Return true If we have any ipsec zones
 #
 sub haveipseczones() {
     for my $zoneref ( values %zones ) {
@@ -872,6 +892,9 @@ sub single_interface( $ ) {
     @keys == 1 ? $keys[0] : '';
 }
 
+#
+# This function adds an interface:network pair to a zone
+#
 sub add_group_to_zone($$$$$$)
 {
     my ($zone, $type, $interface, $networks, $options, $inherit_options) = @_;
@@ -976,6 +999,9 @@ sub find_zone( $ ) {
     $zoneref;
 }
 
+#
+# Access functions for zone members
+#
 sub zone_type( $ ) {
     find_zone( $_[0] )->{type};
 }
@@ -990,26 +1016,44 @@ sub zone_mark( $ ) {
     $zoneref->{mark};
 }
 
+#
+# Returns the zone table entry for the passed zone name
+#
 sub defined_zone( $ ) {
     $zones{$_[0]};
 }
 
+#
+# Returns a list of all defined zones
+#
 sub all_zones() {
     @zones;
 }
 
+#
+# Returns a list of zones in the firewall itself (the firewall zone and vserver zones)
+#
 sub on_firewall_zones() {
    grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall and vserver zones
+#
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall zones
+#
 sub non_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }
 
+#
+# Returns the list of zones that don't contain sub-zones
+#
 sub all_parent_zones() {
     #
     # Although the firewall zone is technically a parent zone, we let the caller decide
@@ -1018,22 +1062,37 @@ sub all_parent_zones() {
     grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }
 
+#
+# Returns a list of complex zones (ipsec or with multiple interface:subnets)
+#
 sub complex_zones() {
     grep( $zones{$_}{complex} , @zones );
 }
 
+#
+# Returns a list of vserver zones
+#
 sub vserver_zones() {
     grep ( $zones{$_}{type} & VSERVER, @zones );
 }
 
+#
+# Returns the name of the firewall zone
+#
 sub firewall_zone() {
     $firewall_zone;
 }
 
+#
+# Returns a list of loopback zones
+#
 sub loopback_zones() {
     @loopback_zones;
 }
 
+#
+# Returns a list of local zones
+#
 sub local_zones() {
     @local_zones;
 }

Shorewall/Perl/compiler.pl

@@ -34,6 +34,8 @@
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
+#         --test                      # Used by the regression library to omit versions and time/dates
+#                                     # from the generated script
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
 #         --shorewallrc=<path>        # Path to global shorewallrc file.

Shorewall/Perl/getparams

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V5.2
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -601,26 +601,29 @@ interface_enabled() {
 }
 
 distribute_load() {
+    local provider
     local interface
-    local currentload # Total load of enabled interfaces
+    local currentload # Total load of enabled providers
-    local load        # Specified load of an enabled interface
+    local load        # Specified load of an enabled provider
-    local mark        # Mark of an enabled interface
+    local mark        # Mark of an enabled provider
-    local totalload   # Total load of all interfaces - usually 1.000000
+    local totalload   # Total load of all providers - usually 1.000000
-    local nload       # Normalized load of an enabled interface
+    local nload       # Normalized load of an enabled provider
-    local var         # Interface name to embed in a variable name
 
     totalload=$1
     shift
 
     currentload=0
 
-    for interface in $@; do
+    for provider in $@; do
+
+	interface=$(cat ${VARDIR}/${provider}_interface)
+	eval ${provider}_interface=$interface
+
 	if interface_enabled $interface; then
-	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    load=$(cat ${VARDIR}/${provider}_load)
-	    load=$(cat ${VARDIR}/${interface}_load)
+	    eval ${provider}_load=$load
-	    eval ${var}_load=$load
+	    mark=$(cat ${VARDIR}/${provider}_mark)
-	    mark=$(cat ${VARDIR}/${interface}_mark)
+	    eval ${provider}_mark=$mark
-	    eval ${var}_mark=$mark
 	    currentload=$( bc <<EOF
 scale=8
 $currentload + $load
@@ -630,12 +633,13 @@ EOF
     done
 
     if [ $currentload ]; then
-	for interface in $@; do
+	for provider in $@; do
-	    qt $g_tool -t mangle -F ~$interface
+	    eval interface=\$${provider}_interface
 
-	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    qt $g_tool -t mangle -F ~$provider
-	    eval load=\$${var}_load
+
-	    eval mark=\$${var}_mark
+	    eval load=\$${provider}_load
+	    eval mark=\$${provider}_mark
 
 	    if [ -n "$load" ]; then
 		nload=$(bc <<EOF
@@ -651,10 +655,10 @@ EOF
 
 		case $nload in
 		    .*|0.*)
-			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -m statistic --mode random --probability $nload -j MARK --set-mark $mark
 			;;
 		    *)
-			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -j MARK --set-mark $mark
 			;;
 		esac
 	    fi
@@ -675,7 +679,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -893,6 +897,14 @@ detect_dynamic_gateway() { # $1 = interface
 	fi
     done
 
+    if [ -z "$gateway" -a -n "$(mywhich nmcli)" ]; then
+	if [ $g_family = 4 ]; then
+	    gateway=$(nmcli --fields DHCP4.OPTION,IP4.GATEWAY device show ${1} 2> /dev/null | sed -rn '/( routers = |IP4.GATEWAY:.*[1-9])/{s/.* //;p;q}')
+	else
+	    gateway=$(nmcli --terse --fields IP6.GATEWAY device show ${1} 2> /dev/null | cut -f2- -d':')
+	fi
+    fi
+
     [ -n "$gateway" ] && echo $gateway
 }
 
@@ -959,7 +971,7 @@ add_gateway() # $1 = Delta $2 = Table Number
     local delta
     local dev
 
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/linkdown//g; s/[\]//g'`
 
     if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
@@ -993,7 +1005,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
     local gateway
     local dev
 
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/linkdown//g; s/[\]//g'`
     gateway=$1
 
     if [ -n "$route" ]; then
@@ -1101,7 +1113,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?

Shorewall/Samples/Universal/shorewall.conf

@@ -191,8 +191,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/one-interface/shorewall.conf

@@ -202,8 +202,6 @@ IP_FORWARDING=Off
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -199,8 +199,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -202,8 +202,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/configfiles/shorewall.conf

@@ -191,8 +191,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/helpers

@@ -16,25 +16,6 @@
 
 # Helpers
 #
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-#
-# 2.6.20+ helpers
-#
 loadmodule nf_conntrack_ftp
 loadmodule nf_conntrack_h323
 loadmodule nf_conntrack_irc
@@ -67,5 +48,4 @@ loadmodule ipt_LOG
 loadmodule nf_log_ipv4
 loadmodule xt_LOG
 loadmodule xt_NFLOG
-loadmodule ipt_ULOG
 loadmodule nfnetlink_log

Shorewall/init.alt.sh

@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/$PROG
+
+LOCKFILE=/var/lock/subsys/shorewall
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloading $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL

Shorewall/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005, 2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/install.sh

@@ -197,6 +197,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -205,6 +208,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -269,6 +274,9 @@ case "$HOST" in
     openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
     linux)
 	;;
     *)
@@ -458,17 +466,6 @@ if [ -z "$first_install" ]; then
     fi
 fi
 
-#
-# Install the Modules file
-#
-run_install $OWNERSHIP -m 0644 modules ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules
-echo "Modules file installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules"
-
-for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f
-    echo "Modules file $f installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f"
-done
-
 #
 # Install the Module Helpers file
 #
@@ -1244,6 +1241,14 @@ if [ $PRODUCT = shorewall ]; then
     rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps
 fi
 
+#
+# Remove unneeded modules files
+#
+
+if [ -n "$first_install" ]; then
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules*
+fi
+
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
     if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then

Shorewall/lib.cli-std

@@ -300,19 +300,6 @@ get_config() {
 	    ;;
     esac
 
-    case $LOAD_HELPERS_ONLY in
-	Yes|yes)
-	    ;;
-	No|no)
-	    LOAD_HELPERS_ONLY=
-	    ;;
-	*)
-	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
-		fatal_error "Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)"
-	    fi
-	    ;;
-    esac
-
     if [ -n "$WORKAROUNDS" ]; then
 	case $WORKAROUNDS in
 	    [Yy]es)
@@ -412,10 +399,14 @@ uptodate() {
 	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
-	elif [ $AUTOMAKE = recursive ]; then
+	elif [ "$AUTOMAKE" = recursive ]; then
 	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
 		return 1;
 	    fi
+	elif [ -z "$AUTOMAKE" ]; then
+	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
 	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
@@ -452,6 +443,16 @@ compiler() {
 
     ensure_root
     #
+    # Let params and the compiler know the base configuration directory
+    #
+    if [ -n "$g_shorewalldir" ]; then
+	SW_CONFDIR="$g_shorewalldir"
+    else
+	SW_CONFDIR="$g_confdir"
+    fi
+
+    export SW_CONFDIR
+    #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
     [ -n "$g_haveconfig" ] || ensure_config_path
@@ -1063,6 +1064,41 @@ restart_command() {
     return $rc
 }
 
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Safe-start/safe-reload/safe-restart Command Executor
 #
@@ -1652,7 +1688,7 @@ remote_commands() # $* = original arguments less the command.
     #
     # Handle nonstandard remote VARDIR
     #
-    progress_message2 "Getting VARDIR on system $system..."
+    progress_message3 "Getting VARDIR on system $system..."
     temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"

Shorewall/manpages/shorewall-addresses.xml

@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-addresses</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>addresses</refname>
+
+    <refpurpose>Specifying addresses within a Shorewall
+    configuration</refpurpose>
+  </refnamediv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>In both Shorewall and Shorewall6, there are two basic types of
+    addresses:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>Host Address</term>
+
+        <listitem>
+          <para>This address type refers to a single host.</para>
+
+          <para>In IPv4, the format is <emphasis>i.j.k.l</emphasis> where
+          <emphasis>i</emphasis> through <emphasis>l</emphasis> are decimal
+          numbers between 1 and 255.</para>
+
+          <para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
+          where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
+          of 1 to 4 hexadecimal digits (leading zeros may be omitted). a
+          single series of 0 addresses may be omitted. For example
+          2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Network Address</term>
+
+        <listitem>
+          <para>A network address refers to 1 or more hosts and consists of a
+          host address followed by a slash ("/") and a <firstterm>Variable
+          Length Subnet Mask</firstterm> (VLSM). This is known as
+          <firstterm>Classless Internet Domain Routing</firstterm> (CIDR)
+          notation.</para>
+
+          <para>The VLSM is a decimal number. For IPv4, it is in the range 0
+          through 32. For IPv6, the range is 0 through 128. The number
+          represents the number of leading bits in the address that represent
+          the network address; the remainder of the bits are a host address
+          and are generally given as zero.</para>
+
+          <para>Examples:</para>
+
+          <para>IPv4: 192.168.1.0/24</para>
+
+          <para>IPv6: 2001:227:e857:1:0:0:0:0:1/64</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>In the Shorewall documentation and manpages, we have tried to make
+    it clear which type of address is accepted in each specific case.</para>
+
+    <para>Because Shorewall uses a colon (":") as a separator in many
+    contexts, IPv6 addresses are best written using the standard convention in
+    which the address itself is enclosed in square brackets:</para>
+
+    <simplelist>
+      <member>[2001:227:e857:1::1]</member>
+
+      <member>[2001:227:e857:1::]/64</member>
+    </simplelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Specifying SOURCE and DEST</title>
+
+    <para>Entries in Shorewall configuration files often deal with the source
+    (SOURCE) and destination (DEST) of connections and Shorewall implements a
+    uniform way for specifying them.</para>
+
+    <para>A SOURCE or DEST consists of one to three parts separated by colons
+    (":"):</para>
+
+    <orderedlist>
+      <listitem>
+        <para>ZONE — The name of a zone declared in
+        <filename>/etc/shorewall/zones</filename> or
+        <filename>/etc/shorewall6/zones</filename>. This part is only
+        available in the rules file
+        (<filename>/etc/shorewall/rules</filename>,
+        <filename>/etc/shorewall/blrules</filename>,<filename>
+        /etc/shorewall6/rules</filename> and
+        <filename>/etc/shorewall6/blrules</filename>).</para>
+      </listitem>
+
+      <listitem>
+        <para>INTERFACE — The name of an interface that matches an entry in
+        <filename>/etc/shorewall/interfaces</filename>
+        (<filename>/etc/shorewall6/interfaces</filename>).</para>
+
+        <para>Beginning with Shorweall 5.2.1, the
+        <replaceable>interface</replaceable> may be preceded with '!' which
+        matches all interfaces except the one specified.</para>
+      </listitem>
+
+      <listitem>
+        <para>ADDRESS LIST — A list of one or more addresses (host or network)
+        or address ranges, separated by commas. In an IPv6 configuration, this
+        list must be included in square or angled brackets ("[...]" or
+        "&lt;...&gt;"). The list may have exclusion.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>Examples.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>All hosts in the <emphasis role="bold">net</emphasis> zone —
+        <emphasis role="bold">net</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Subnet 192.168.1.0/29 in the <emphasis
+        role="bold">loc</emphasis> zone — <emphasis
+        role="bold">loc:192.168.1.0/29</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>All hosts in the net zone connecting through <filename
+        class="devicefile">ppp0</filename> — <emphasis
+        role="bold">net:ppp0</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>All hosts interfaced by <filename
+        class="devicefile">eth3</filename> — <emphasis
+        role="bold">eth3</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Subnet 10.0.1.0/24 interfacing through <filename><filename
+        class="devicefile">eth2</filename></filename> — <emphasis
+        role="bold">eth2:10.0.1.0/24</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
+        role="bold">loc</emphasis> zone — <emphasis
+        role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>The primary IP address of eth0 in the $FW zone - <emphasis
+        role="bold">$FW:&amp;eth0</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>All hosts in Vatican City - <emphasis
+        role="bold">net:^VA</emphasis> (Requires the <emphasis>GeoIP
+        Match</emphasis> capability).</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
+  <refsect1>
+    <title>IP Address Ranges</title>
+
+    <para>If you kernel and iptables have <emphasis>IP Range match
+    support</emphasis>, you may use IP address ranges in Shorewall
+    configuration file entries; IP address ranges have the syntax
+    &lt;<emphasis>low IP address</emphasis>&gt;-&lt;<emphasis>high IP
+    address</emphasis>&gt;.</para>
+
+    <para>Example: 192.168.1.5-192.168.1.12.</para>
+  </refsect1>
+
+  <refsect1>
+    <title/>
+
+    <para/>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>For more information about addressing, see the<ulink
+    url="shorewall_setup_guide.htm#Addressing"> Setup Guide</ulink>.</para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-blrules.xml

@@ -280,9 +280,9 @@
         <term>IPv4 Example 1:</term>
 
         <listitem>
-          <para>Drop Teredo packets from the net.</para>
+          <para>Drop 6to4 packets from the net.</para>
 
-          <programlisting>DROP          net:[2001::/32]            all</programlisting>
+          <programlisting>DROP          net:192.88.99.1            all</programlisting>
         </listitem>
       </varlistentry>
 
@@ -290,10 +290,10 @@
         <term>IPv4 Example 2:</term>
 
         <listitem>
-          <para>Don't subject packets from 2001:DB8::/64 to the remaining
+          <para>Don't subject packets from 70.90.191.120/29 to the remaining
           rules in the file.</para>
 
-          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
+          <programlisting>WHITELIST     net:70.90.191.120/29       all</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-files.xml

@@ -0,0 +1,967 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-files</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>files</refname>
+
+    <refpurpose>Shorewall Configuration Files</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall[6]/*</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The following are the Shorewall[6] configuration files:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><ulink
+        url="shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename>
+        and <filename>/etc/shorewall6/shorewall6.conf</filename></ulink> -
+        used to set global firewall parameters.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-params.html">/etc/shorewall[6]/params</ulink></filename>
+        - use this file to set shell variables that you will expand in other
+        files. It is always processed by /bin/sh or by the shell specified
+        through SHOREWALL_SHELL in
+        <filename>/etc/shorewall/shorewall.conf.</filename></para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-zones.html">/etc/shorewall[6]/zones</ulink></filename>
+        - partition the firewall's view of the world into zones.</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="shorewall-policy.html"><filename>/etc/shorewall[6]/policy</filename></ulink>
+        - establishes firewall high-level policy.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/initdone</filename> - An optional
+        Perl script that will be invoked by the Shorewall rules compiler when
+        the compiler has finished it's initialization.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-interfaces.html">/etc/shorewall[6]/interfaces</ulink></filename>
+        - describes the interfaces on the firewall system.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-hosts.html">/etc/shorewall[6]/hosts</ulink></filename>
+        - allows defining zones in terms of individual hosts and
+        subnetworks.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-masq.html">/etc/shorewall[6]/masq</ulink></filename> -
+        directs the firewall where to use many-to-one (dynamic) Network
+        Address Translation (a.k.a. Masquerading) and Source Network Address
+        Translation (SNAT). Superseded by /etc/shorewall[6]/snat in Shorewall
+        5.0.14 and not supported in Shorewall 5.1.0 and later versions.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-mangle.html">/etc/shorewall[6]/mangle</ulink></filename>
+        - supersedes <filename>/etc/shorewall/tcrules</filename> in Shorewall
+        4.6.0. Contains rules for packet marking, TTL, TPROXY, etc.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-rules.html">/etc/shorewall[6]/rules</ulink></filename>
+        - defines rules that are exceptions to the overall policies
+        established in /etc/shorewall/policy.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-nat.html">/etc/shorewall[6]/nat</ulink></filename> -
+        defines one-to-one NAT rules.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-proxyarp.html">/etc/shorewall6/proxyarp</ulink></filename>
+        - defines use of Proxy ARP.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-proxyndp.html">/etc/shorewall6/proxyndp</ulink></filename>
+        - defines use of Proxy NDP.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/routestopped</filename> - defines
+        hosts accessible when Shorewall is stopped. Superseded in Shorewall
+        4.6.8 by <filename>/etc/shorewall/stoppedrules</filename>. Not
+        supported in Shorewall 5.0.0 and later versions.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-tcrules.html">/etc/shorewall[6]/tcrules</ulink>
+        </filename>- The file has a rather unfortunate name because it is used
+        to define marking of packets for later use by both traffic
+        control/shaping and policy routing. This file is superseded by
+        <filename>/etc/shorewall/mangle</filename> in Shorewall 4.6.0. Not
+        supported in Shorewall 5.0.0 and later releases.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-tos.html">/etc/shorewall[6]/tos</ulink></filename> -
+        defines rules for setting the TOS field in packet headers. Superseded
+        in Shorewall 4.5.1 by the TOS target in
+        <filename>/etc/shorewall/tcrules</filename> (which file has since been
+        superseded by <filename>/etc/shorewall/mangle</filename>). Not
+        supported in Shorewall 5.0.0 and later versions.</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="shorewall-tunnels.html"><filename>/etc/shorewall[6]/tunnels</filename></ulink>
+        - defines tunnels (VPN) with end-points on the firewall system.</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="shorewall-blacklist.html"><filename>/etc/shorewall[6]/blacklist</filename></ulink>
+        - Deprecated in favor of <filename>/etc/shorewall/blrules</filename>.
+        Lists blacklisted IP/subnet/MAC addresses. Not supported in Shorewall
+        5.0.0 and later releases.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/blrules</filename> — Added in
+        Shorewall 4.5.0. Define blacklisting and whitelisting. Supersedes
+        <filename>/etc/shorewall/blacklist</filename>.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/init</filename> - shell commands
+        that you wish to execute at the beginning of a <quote>shorewall
+        start</quote>, "shorewall reload" or <quote>shorewall
+        restart</quote>.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/start</filename> - shell commands
+        that you wish to execute near the completion of a <quote>shorewall
+        start</quote>, "shorewall reload" or <quote>shorewall
+        restart</quote></para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/started</filename> - shell commands
+        that you wish to execute after the completion of a <quote>shorewall
+        start</quote>, "shorewall reload" or <quote>shorewall
+        restart</quote></para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/stop </filename>- commands that you
+        wish to execute at the beginning of a <quote>shorewall
+        stop</quote>.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/etc/shorewall[6]/stopped</filename> - shell commands
+        that you wish to execute at the completion of a <quote>shorewall
+        stop</quote>.</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="shorewall-ecn.html">/etc/shorewall/ecn</ulink> -
+        disable Explicit Congestion Notification (ECN - RFC 3168) to remote
+        hosts or networks. Superseded by ECN entries in
+        <filename>/etc/shorewall/mangle</filename> in Shorewall 5.0.6.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-accounting.html">/etc/shorewall/accounting</ulink></filename>
+        - define IP traffic accounting rules</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-actions.html">/etc/shorewall[6]/actions</ulink></filename>
+        and <filename>/usr/share/shorewall[6]/action.template</filename> allow
+        user-defined actions.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="???">/etc/shorewall[6]/providers</ulink></filename> - defines
+        alternate routing tables.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-rtrules.html">/etc/shorewall[6]/rtrules</ulink></filename>
+        - Defines routing rules to be used in conjunction with the routing
+        tables defined in
+        <filename>/etc/shorewall/providers</filename>.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-tcdevices.html">/etc/shorewall[6]/tcdevices</ulink></filename>,
+        <filename><ulink
+        url="shorewall-tcclasses.html">/etc/shorewall[6]/tcclasses</ulink></filename>,
+        <filename><ulink
+        url="shorewall-tcfilters.html">/etc/shorewall[6]/tcfilters</ulink></filename>
+        - Define complex traffic shaping.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-tcrules.html">/etc/shorewall[6]/tcrules</ulink></filename>
+        - Mark or classify traffic for traffic shaping or multiple providers.
+        Deprecated in Shorewall 4.6.0 in favor of
+        <filename>/etc/shorewall/mangle</filename>. Not supported in Shorewall
+        5.0.0 and later releases.</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="shorewall-tcinterfaces.html"><filename>/etc/shorewall[6]/tcinterfaces</filename></ulink>
+        and <filename><ulink
+        url="shorewall-tcpri.html">/etc/shorewall[6]/tcpri</ulink></filename>
+        - Define simple traffic shaping.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-secmarks.html">/etc/shorewall[6]/secmarks</ulink></filename>
+        - Added in Shorewall 4.4.13. Attach an SELinux context to selected
+        packets.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-vardir.html">/etc/shorewall[6]/vardir</ulink></filename>
+        - Determines the directory where Shorewall maintains its state.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-arprules.html">/etc/shorewall/arprules</ulink></filename>
+        — Added in Shorewall 4.5.12. Allows specification of arptables
+        rules.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-mangle.html">/etc/shorewall/mangle</ulink></filename>
+        -- Added in Shorewall 4.6.0. Supersedes<filename>
+        /etc/shorewall/tcrules</filename>.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename><ulink
+        url="shorewall-snat.html">/etc/shorewall[6]/snat</ulink></filename> -
+        directs the firewall where to use many-to-one (dynamic) Network
+        Address Translation (a.k.a. Masquerading) and Source Network Address
+        Translation (SNAT). Superseded /etc/shorewall[6]/masq in Shorewall
+        5.0.14</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/usr/share/shorewall[6]/actions.std</filename> -
+        Actions defined by Shorewall.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/usr/share/shorewall[6]/action.*</filename> - Details
+        of actions defined by Shorewall.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/usr/share/shorewall[6]/macro.*</filename> - Details
+        of macros defined by Shorewall.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/usr/share/shorewall[6]/modules</filename> — Specifies
+        the kernel modules to be loaded during shorewall start/restart.</para>
+      </listitem>
+
+      <listitem>
+        <para><filename>/usr/share/shorewall[6]/helpers</filename> — Added in
+        Shorewall 4.4.7. Specifies the kernel modules to be loaded during
+        shorewall start/restart when LOAD_HELPERS_ONLY=Yes in
+        <filename>shorewall.conf</filename>.</para>
+      </listitem>
+    </itemizedlist>
+  </refsect1>
+
+  <refsect1>
+    <title>CONFIG_PATH</title>
+
+    <para>The CONFIG_PATH option in <ulink
+    url="???">shorewall[6].conf(5)</ulink> determines where the compiler
+    searches for configuration files. The default setting is
+    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
+    compiler first looks in /etc/shorewall and if it doesn't find the file, it
+    then looks in /usr/share/shorewall.</para>
+
+    <para>You can change this setting to have the compiler look in different
+    places. For example, if you want to put your own versions of standard
+    macros in /etc/shorewall/Macros, then you could set
+    CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and
+    the compiler will use your versions rather than the standard ones.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Comments</title>
+
+    <para>You may place comments in configuration files by making the first
+    non-whitespace character a pound sign (<quote>#</quote>). You may also
+    place comments at the end of any line, again by delimiting the comment
+    from the rest of the line with a pound sign.</para>
+
+    <example id="comment">
+      <title>Comments in a Configuration File</title>
+
+      <programlisting># This is a comment
+ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</programlisting>
+    </example>
+
+    <important>
+      <para>Except in <ulink
+      url="shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
+      url="shorewall-params.html">params(5)</ulink>, if a comment ends with a
+      backslash ("\"), the next line will also be treated as a comment. See
+      <link linkend="Continuation">Line Continuation</link> below.</para>
+    </important>
+  </refsect1>
+
+  <refsect1>
+    <title>Blank Lines</title>
+
+    <para>Most of the configuration files are organized into space-separated
+    columns. If you don't want to supply a value in a column but want to
+    supply a value in a following column, simply enter '-' to make the column
+    appear empty.</para>
+
+    <para>Example:<programlisting>#INTERFACE         BROADCAST            OPTIONS
+br0                -                    routeback</programlisting></para>
+  </refsect1>
+
+  <refsect1>
+    <title id="Continuation">Line Continuation</title>
+
+    <para>Lines may be continued using the usual backslash (<quote>\</quote>)
+    followed immediately by a new line character (Enter key).</para>
+
+    <programlisting>ACCEPT  net     $FW      tcp \↵
+smtp,www,pop3,imap  #Services running on the firewall</programlisting>
+
+    <important>
+      <para>What follows does NOT apply to <ulink
+      url="manpages/shorewall-params.html">shorewall-params(5)</ulink> and
+      <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+    </important>
+
+    <para>In certain cases, leading white space is ignored in continuation
+    lines:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The continued line ends with a colon (":")</para>
+      </listitem>
+
+      <listitem>
+        <para>The continued line ends with a comma (",")</para>
+      </listitem>
+    </orderedlist>
+
+    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
+
+    <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
+ACCEPT      net:\
+            206.124.146.177,\
+            206.124.146.178,\
+            206.124.146.180\
+                            dmz             tcp             873</programlisting>
+
+    <para>The leading white space on the first through third continuation
+    lines is ignored so the SOURCE column effectively contains
+    "net:206.124.146.177,206.124.147.178,206.124.146.180". Because the third
+    continuation line does not end with a comma or colon, the leading white
+    space in the last line is not ignored.</para>
+
+    <important>
+      <para>A trailing backslash is not ignored in a comment. So the continued
+      rule above can be commented out with a single '#' as follows:</para>
+
+      <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
+<emphasis role="bold">#</emphasis>ACCEPT     net:\
+            206.124.146.177,\
+            206.124.146.178,\
+            206.124.146.180\
+                            dmz             tcp             873</programlisting>
+    </important>
+  </refsect1>
+
+  <refsect1>
+    <title>Alternative Specification of Column Values</title>
+
+    <para>Some of the configuration files now have a large number of columns.
+    That makes it awkward to specify a value for one of the right-most columns
+    as you must have the correct number of intervening '-' columns.</para>
+
+    <para>This problem is addressed by allowing column values to be specified
+    as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
+    pairs.</para>
+
+    <para>There is considerable flexibility in how you specify the
+    pairs:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>At any point, you can enter a left curly bracket ('{') followed
+        by one or more specifications of the following forms:</para>
+
+        <simplelist>
+          <member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>=<replaceable>&gt;value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
+        </simplelist>
+
+        <para>The pairs must be followed by a right curly bracket
+        ("}").</para>
+
+        <para>The value may optionally be enclosed in double quotes.</para>
+
+        <para>The pairs must be separated by white space, but you can add a
+        comma adjacent to the <replaceable>values</replaceable> for
+        readability as in:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">{ proto=&gt;udp, port=1024
+          }</emphasis></member>
+        </simplelist>
+      </listitem>
+
+      <listitem>
+        <para>You can also separate the pairs from columns by using a
+        semicolon:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">; proto:udp,
+          port:1024</emphasis></member>
+        </simplelist>
+      </listitem>
+    </itemizedlist>
+
+    <para>In Shorewall 5.0.3, the sample configuration files and the man pages
+    were updated to use the same column names in both the column headings and
+    in the alternate specification format. The following table shows the
+    column names for each of the table-oriented configuration files.</para>
+
+    <note>
+      <para>Column names are <emphasis
+      role="bold">case-insensitive</emphasis>.</para>
+    </note>
+
+    <informaltable>
+      <tgroup cols="2">
+        <tbody>
+          <row>
+            <entry><emphasis role="bold">File</emphasis></entry>
+
+            <entry><emphasis role="bold">Column names</emphasis></entry>
+          </row>
+
+          <row>
+            <entry>accounting</entry>
+
+            <entry>action,chain, source, dest, proto, dport, sport, user,
+            mark, ipsec, headers</entry>
+          </row>
+
+          <row>
+            <entry>conntrack</entry>
+
+            <entry>action,source,dest,proto,dport,sport,user,switch</entry>
+          </row>
+
+          <row>
+            <entry>blacklist</entry>
+
+            <entry>networks,proto,port,options</entry>
+          </row>
+
+          <row>
+            <entry>blrules</entry>
+
+            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
+          </row>
+
+          <row>
+            <entry>ecn</entry>
+
+            <entry>interface,hosts. Beginning with Shorewall 4.5.4, 'host' is
+            a synonym for 'hosts'.</entry>
+          </row>
+
+          <row>
+            <entry>hosts</entry>
+
+            <entry>zone,hosts,options. Beginning with Shorewall 4.5.4, 'host'
+            is a synonym for 'hosts'.</entry>
+          </row>
+
+          <row>
+            <entry>interfaces</entry>
+
+            <entry>zone,interface,broadcast,options</entry>
+          </row>
+
+          <row>
+            <entry>maclist</entry>
+
+            <entry>disposition,interface,mac,addresses</entry>
+          </row>
+
+          <row>
+            <entry>mangle</entry>
+
+            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+          </row>
+
+          <row>
+            <entry>masq</entry>
+
+            <entry>interface,source,address,proto,port,ipsec,mark,user,switch</entry>
+          </row>
+
+          <row>
+            <entry>nat</entry>
+
+            <entry>external,interface,internal,allints,local</entry>
+          </row>
+
+          <row>
+            <entry>netmap</entry>
+
+            <entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>notrack</entry>
+
+            <entry>source,dest,proto,dport,sport,user</entry>
+          </row>
+
+          <row>
+            <entry>policy</entry>
+
+            <entry>source,dest,policy,loglevel,limit,connlimit</entry>
+          </row>
+
+          <row>
+            <entry>providers</entry>
+
+            <entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
+          </row>
+
+          <row>
+            <entry>proxyarp and proxyndp</entry>
+
+            <entry>address,interface,external,haveroute,persistent</entry>
+          </row>
+
+          <row>
+            <entry>rtrules</entry>
+
+            <entry>source,dest,provider,priority</entry>
+          </row>
+
+          <row>
+            <entry>routes</entry>
+
+            <entry>provider,dest,gateway,device</entry>
+          </row>
+
+          <row>
+            <entry>routestopped</entry>
+
+            <entry>interface,hosts,options,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>rules</entry>
+
+            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
+          </row>
+
+          <row>
+            <entry>secmarks</entry>
+
+            <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
+          </row>
+
+          <row>
+            <entry>tcclasses</entry>
+
+            <entry>interface,mark,rate,ceil,prio,options</entry>
+          </row>
+
+          <row>
+            <entry>tcdevices</entry>
+
+            <entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
+          </row>
+
+          <row>
+            <entry>tcfilters</entry>
+
+            <entry>class,source,dest,proto,dport,sport,tos,length</entry>
+          </row>
+
+          <row>
+            <entry>tcinterfaces</entry>
+
+            <entry>interface,type,in_bandwidth,out_bandwidth</entry>
+          </row>
+
+          <row>
+            <entry>tcpri</entry>
+
+            <entry>band,proto,port,address,interface,helper</entry>
+          </row>
+
+          <row>
+            <entry>tcrules</entry>
+
+            <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers.
+            Beginning with Shorewall 4.5.3, 'action' is a synonym for
+            'mark'.</entry>
+          </row>
+
+          <row>
+            <entry>tos</entry>
+
+            <entry>source,dest,proto,dport,sport,tos,mark</entry>
+          </row>
+
+          <row>
+            <entry>tunnels</entry>
+
+            <entry>type,zone,gateway,gateway_zone. Beginning with Shorewall
+            4.5.3, 'gateways' is a synonym for 'gateway'. Beginning with
+            Shorewall 4.5.4, 'gateway_zones' is a synonym for
+            'gateway_zone'.</entry>
+          </row>
+
+          <row>
+            <entry>zones</entry>
+
+            <entry>zone,type,options,in_options,out_options</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </informaltable>
+
+    <para>Example (rules file):</para>
+
+    <programlisting>#ACTION         SOURCE            DEST            PROTO   DPORT
+DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</programlisting>
+
+    <para>Here's the same line in several equivalent formats:</para>
+
+    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
+; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
+DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
+
+    <para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
+    to individual rules using the <option>comment</option> keyword.</para>
+
+    <para>Example from the rules file:</para>
+
+    <programlisting>        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
+
+    <para>As shown in that example, when the comment contains whitespace, it
+    must be enclosed in double quotes and any embedded double quotes must be
+    escaped using a backslash ("\").</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Time Columns</title>
+
+    <para>Several of the files include a TIME column that allows you to specify
+    times when the rule is to be applied. Contents of this column is a list of
+    <replaceable>timeelement</replaceable>s separated by apersands
+    (&amp;).</para>
+
+    <para>Each <replaceable>timeelement</replaceable> is one of the
+    following:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the starting time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the ending time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>contiguous</term>
+
+        <listitem>
+          <para>Added in Shoreawll 5.0.12. When <emphasis
+          role="bold">timestop</emphasis> is smaller than <emphasis
+          role="bold">timestart</emphasis> value, match this as a single time
+          period instead of distinct intervals. See the Examples below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>utc</term>
+
+        <listitem>
+          <para>Times are expressed in Greenwich Mean Time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>localtz</term>
+
+        <listitem>
+          <para>Deprecated by the Netfilter team in favor of <emphasis
+          role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
+          Time (default).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>kerneltz</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
+          Time (requires iptables 1.4.12 or later).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>weekdays=ddd[,ddd]...</term>
+
+        <listitem>
+          <para>where <replaceable>ddd</replaceable> is one of
+          <option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
+          <option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
+          <option>Sun</option></para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>monthdays=dd[,dd],...</term>
+
+        <listitem>
+          <para>where <replaceable>dd</replaceable> is an ordinal day of the
+          month</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the starting date and time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the ending date and time.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Examples:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>To match on weekends, use:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Sat,Sun</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Or, to match (once) on a national holiday block:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24&amp;datestop=2016-12-27</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Since the stop time is actually inclusive, you would need the
+        following stop time to not match the first second of the new
+        day:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24T17:00&amp;datestop=2016-12-27T23:59:59</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>During Lunch Hour</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>The fourth Friday in the month:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Fri&amp;monthdays=22,23,24,25,26,27,28</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Matching across days might not do what is expected. For
+        instance,</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Mon&amp;timestart=23:00&amp;timestop=01:00</para>
+
+          <para>Will match Monday, for one hour from midnight to 1 a.m., and
+          then again for another hour from 23:00 onwards. If this is unwanted,
+          e.g. if you would like 'match for two hours from Montay 23:00
+          onwards' you need to also specify the <emphasis
+          role="bold">contiguous</emphasis> option in the example
+          above.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Switches</title>
+
+    <para>here are times when you would like to enable or disable one or more
+    rules in the configuration without having to do a <command>shorewall
+    reload</command> or <command>shorewall restart</command>. This may be
+    accomplished using the SWITCH column in <ulink
+    url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
+    url="manpages/shorewall-rules.html">shorewall6-rules</ulink> (5). Using
+    this column requires that your kernel and iptables include
+    <firstterm>Condition Match Support</firstterm> and you must be running
+    Shorewall 4.4.24 or later. See the output of <command>shorewall show
+    capabilities</command> and <command>shorewall version</command> to
+    determine if you can use this feature.</para>
+
+    <para>The SWITCH column contains the name of a
+    <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
+    role="bold">off</emphasis> position. You can turn on the switch named
+    <emphasis>switch1</emphasis> by:</para>
+
+    <simplelist>
+      <member><command>echo 1 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>You can turn it off again by:</para>
+
+    <simplelist>
+      <member><command>echo 0 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>If you simply include the switch name in the SWITCH column, then the
+    rule is enabled only when the switch is <emphasis
+    role="bold">on</emphasis>. If you precede the switch name with ! (e.g.,
+    !switch1), then the rule is enabled only when the switch is <emphasis
+    role="bold">off</emphasis>. Switch settings are retained over
+    <command>shorewall restart</command>.</para>
+
+    <para>Shorewall requires that switch names:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>begin with a letter and be composed of letters, digits,
+        underscore ('_') or hyphen ('-'); and</para>
+      </listitem>
+
+      <listitem>
+        <para>be 30 characters or less in length.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Multiple rules can be controlled by the same switch.</para>
+
+    <para>Example:</para>
+
+    <blockquote>
+      <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
+      on.</para>
+
+      <programlisting>#ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          <emphasis
+          role="bold">primary_down</emphasis>  </programlisting>
+    </blockquote>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall[6]/*</para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-init.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/init.d/shorewall-init</command>
+      <command>shorewall-init</command>
 
       <arg>start|stop</arg>
     </cmdsynopsis>
@@ -149,7 +149,7 @@
     want to make both interfaces optional and set the REQUIRE_INTERFACE option
     to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf
     </ulink>(5) or <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). This
+    url="/manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). This
     causes the firewall to remain stopped until at least one of the interfaces
     comes up.</para>
   </refsect1>

Shorewall/manpages/shorewall-interfaces.xml

@@ -155,7 +155,7 @@ loc     eth2            -</programlisting>
           <para>Beginning with Shorewall 4.5.17, if you specify a zone for the
           'lo' interface, then that zone must be defined as type
           <option>local</option> in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5).</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-logging.xml

@@ -276,7 +276,7 @@
 
     <para>By setting the LOGTAGONLY option to Yes in <ulink
     url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+    url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, the
     disposition ('DROP' in the above example) will be omitted. Consider the
     following rule:</para>
 
@@ -373,7 +373,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
     <para>Beginning with Shorewall 4.6.4, you can configure the backend using
     the LOG_BACKEND option in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>.</para>
   </refsect1>
 
   <refsect1>

Shorewall/manpages/shorewall-mangle.xml

@@ -90,8 +90,44 @@
                 <para>INPUT chain.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>NP</term>
+
+              <listitem>
+                <para>PREROUTING chain in the nat table.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>NI</term>
+
+              <listitem>
+                <para>INPUT chain in the nat table.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>NO</term>
+
+              <listitem>
+                <para>OUTPUT chain in the nat table.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>NT</term>
+
+              <listitem>
+                <para>POSTROUTING chain in the nat table.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
 
+          <para>The nat table designators were added in Shorewall 5.2.1. When
+          a nat table designator is given, only the CONNMARK, MARK, SAVE and
+          RESTORE commands may be used.</para>
+
           <para>Unless otherwise specified for the particular
           <replaceable>command</replaceable>, the default chain is PREROUTING
           when MARK_IN_FORWARD_CHAIN=No in <ulink
@@ -821,15 +857,20 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <variablelist>
             <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+              <term>[!]<replaceable>interface</replaceable></term>
 
               <listitem>
                 <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
+                logical name of an <replaceable>interface</replaceable>
+                defined in <ulink
                 url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                 Matches packets entering the firewall from the named
                 interface. May not be used in CLASSIFY rules or in rules using
                 the :T chain qualifier.</para>
+
+                <para>Beginning with Shorweall 5.2.1, the
+                <replaceable>interface</replaceable> may be preceded with '!'
+                which matches all interfaces except the one specified.</para>
               </listitem>
             </varlistentry>
 
@@ -863,23 +904,31 @@ Normal-Service       =&gt; 0x00</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
+              <term>[!]<replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
 
               <listitem>
                 <para>This form combines the preceding two forms and matches
                 when both the incoming interface and source IP address
                 match.</para>
+
+                <para>Beginning with Shorweall 5.2.1, the
+                <replaceable>interface</replaceable> may be preceded with '!'
+                which matches all interfaces except the one specified.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+              <term>[!]<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
 
               <listitem>
                 <para>This form matches packets arriving through the named
                 <replaceable>interface</replaceable> and whose source IP
                 address does not match any of the addresses in the
                 <replaceable>exclusion</replaceable>.</para>
+
+                <para>Beginning with Shorweall 5.2.1, the
+                <replaceable>interface</replaceable> may be preceded with '!'
+                which matches all interfaces except the one specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-modules.xml

@@ -38,6 +38,12 @@
     <filename>helpers</filename> file is used when
     LOAD_HELPERS_ONLY=Yes</para>
 
+    <important>
+      <para>Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option has
+      been removed and the behavior is the same as if LOAD_HELPERS_ONLY=Yes
+      was specified.</para>
+    </important>
+
     <para>Each record in the files has the following format:</para>
 
     <cmdsynopsis>

Shorewall/manpages/shorewall-names.xml

@@ -0,0 +1,310 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-names</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>names</refname>
+
+    <refpurpose>Shorewall object names</refpurpose>
+  </refnamediv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>When you define an object in Shorewall (<ulink
+    url="manpages/shorewall-zones.html">Zone</ulink>, <link
+    linkend="Logical">Logical Interface</link>, <ulink
+    url="ipsets.html">ipsets</ulink>, <ulink
+    url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
+    names start with a letter and consist of letters, digits or underscores
+    ("_"). Except for Zone names, Shorewall does not impose a limit on name
+    length.</para>
+
+    <para>When an ipset is referenced, the name must be preceded by a plus
+    sign ("+").</para>
+
+    <para>The last character of an interface may also be a plus sign to
+    indicate a wildcard name.</para>
+
+    <para>Physical interface names match names shown by 'ip link ls'; if the
+    name includes an at sign ("@"), do not include that character or any
+    character that follows. For example, "sit1@NONE" is referred to as simply
+    'sit1".</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Zone and Chain Names</title>
+
+    <para>For a pair of zones, Shorewall creates two Netfilter chains; one for
+    connections in each direction. The names of these chains are formed by
+    separating the names of the two zones by either "2" or "-".</para>
+
+    <para>Example: Traffic from zone A to zone B would go through chain A2B
+    (think "A to B") or "A-B".</para>
+
+    <para>In Shorewall 4.6, the default separator is "-" but you can override
+    that by setting ZONE_SEPARATOR="2" in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+
+    <note>
+      <para>Prior to Shorewall 4.6, the default separator was "2".</para>
+    </note>
+
+    <para>Zones themselves have names that begin with a letter and are
+    composed of letters, numerals, and "_". The maximum length of a name is
+    dependent on the setting of LOGFORMAT in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). See <ulink
+    url="manpages/shorewall-zones.html">shorewall-zones</ulink> (5) for
+    details.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Using DNS Names</title>
+
+    <caution>
+      <para>I personally recommend strongly against using DNS names in
+      Shorewall configuration files. If you use DNS names and you are called
+      out of bed at 2:00AM because Shorewall won't start as a result of DNS
+      problems then don't say that you were not forewarned.</para>
+    </caution>
+
+    <para>Host addresses in Shorewall configuration files may be specified as
+    either IP addresses or DNS Names.</para>
+
+    <para>DNS names in iptables rules aren't nearly as useful as they first
+    appear. When a DNS name appears in a rule, the iptables utility resolves
+    the name to one or more IP addresses and inserts those addresses into the
+    rule. So changes in the DNS-&gt;IP address relationship that occur after
+    the firewall has started have absolutely no effect on the firewall's rule
+    set.</para>
+
+    <para>For some sites, using DNS names is very risky. Here's an
+    example:</para>
+
+    <programlisting>teastep@ursa:~$ dig pop.gmail.com
+
+; &lt;&lt;&gt;&gt; DiG 9.4.2-P1 &lt;&lt;&gt;&gt; pop.gmail.com
+;; global options:  printcmd
+;; Got answer:
+;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 1774
+;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;pop.gmail.com.               IN A
+
+;; ANSWER SECTION:
+pop.gmail.com.          <emphasis role="bold">300</emphasis>   IN CNAME gmail-pop.l.google.com.
+gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.201.109
+gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.201.111</programlisting>
+
+    <para>Note that the TTL is 300 -- 300 seconds is only 5 minutes. So five
+    minutes later, the answer may change!</para>
+
+    <para>So this rule may work for five minutes then suddently stop
+    working:</para>
+
+    <programlisting>#ACTION        SOURCE               DEST              PROTO             DPORT
+POP(ACCEPT)    loc                  net:pop.gmail.com</programlisting>
+
+    <para>There are two options in <ulink
+    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink> that
+    affect the use of DNS names in Shorewall[6] config files:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
+        compile time; when set to Yes, DNS Names are resolved at
+        runtime.</para>
+      </listitem>
+
+      <listitem>
+        <para>AUTOMAKE - When set to Yes, <command>start</command>,
+        <command>restart</command> and <command>reload</command> only result
+        in compilation if one of the files on the CONFIG_PATH has changed
+        since the the last compilation.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
+    will only take place at boot time if a change had been make to the config
+    but no <command>restart</command> or <command>reload</command> had taken
+    place. This is clearly spelled out in the shorewall.conf manpage. So with
+    these settings, so long as a 'reload' or 'restart' takes place after the
+    Shorewall configuration is changes, there should be no DNS-related
+    problems at boot time.</para>
+
+    <important>
+      <para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change
+      makes it necessary to recompile an existing firewall script, the
+      <option>-c</option> option must be used with the
+      <command>reload</command> or <command>restart</command> command to force
+      recompilation.</para>
+    </important>
+
+    <para>If your firewall rules include DNS names then, even if
+    DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>If your <filename>/etc/resolv.conf </filename>is wrong then your
+        firewall may not start.</para>
+      </listitem>
+
+      <listitem>
+        <para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
+        your firewall may not start.</para>
+      </listitem>
+
+      <listitem>
+        <para>If your Name Server(s) is(are) down then your firewall may not
+        start.</para>
+      </listitem>
+
+      <listitem>
+        <para>If your startup scripts try to start your firewall before
+        starting your DNS server then your firewall may not start.</para>
+      </listitem>
+
+      <listitem>
+        <para>Factors totally outside your control (your ISP's router is down
+        for example), can prevent your firewall from starting.</para>
+      </listitem>
+
+      <listitem>
+        <para>You must bring up your network interfaces prior to starting your
+        firewall, or the firewall may not start.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Each DNS name must be fully qualified and include a minimum of two
+    periods (although one may be trailing). This restriction is imposed by
+    Shorewall to insure backward compatibility with existing configuration
+    files.</para>
+
+    <example id="validdns">
+      <title>Valid DNS Names</title>
+
+      <itemizedlist>
+        <listitem>
+          <para>mail.shorewall.net</para>
+        </listitem>
+
+        <listitem>
+          <para>shorewall.net. (note the trailing period).</para>
+        </listitem>
+      </itemizedlist>
+    </example>
+
+    <example id="invaliddns">
+      <title>Invalid DNS Names</title>
+
+      <itemizedlist>
+        <listitem>
+          <para>mail (not fully qualified)</para>
+        </listitem>
+
+        <listitem>
+          <para>shorewall.net (only one period)</para>
+        </listitem>
+      </itemizedlist>
+    </example>
+
+    <para>DNS names may not be used as:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>The server address in a DNAT rule (/etc/shorewall/rules
+        file)</para>
+      </listitem>
+
+      <listitem>
+        <para>In the ADDRESS column of an entry in /etc/shorewall/masq.</para>
+      </listitem>
+
+      <listitem>
+        <para/>
+      </listitem>
+
+      <listitem>
+        <para>In the <filename>/etc/shorewall/nat</filename> file.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>These restrictions are imposed by Netfilter and not by
+    Shorewall.</para>
+  </refsect1>
+
+  <refsect1>
+    <title id="Logical">Logical Interface Names</title>
+
+    <para>When dealing with a complex configuration, it is often awkward to
+    use physical interface names in the Shorewall configuration.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>You need to remember which interface is which.</para>
+      </listitem>
+
+      <listitem>
+        <para>If you move the configuration to another firewall, the interface
+        names might not be the same.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.4.4, you can use logical interface names
+    which are mapped to the actual interface using the
+    <option>physical</option> option in <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+    (5).</para>
+
+    <para>Here is an example:</para>
+
+    <programlisting>#ZONE  INTERFACE  OPTIONS
+net    <emphasis role="bold">COM_IF </emphasis>    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
+        role="bold">physical=eth0</emphasis>
+net    <emphasis role="bold">EXT_IF</emphasis>     dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
+        role="bold">physical=eth2</emphasis>
+loc    <emphasis role="bold">INT_IF </emphasis>    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
+        role="bold">physical=eth1</emphasis>
+dmz    <emphasis role="bold">VPS_IF </emphasis>    logmartians=1,routefilter=0,routeback,<emphasis
+        role="bold">physical=venet0</emphasis>
+loc    <emphasis role="bold">TUN_IF</emphasis>     <emphasis role="bold">physical=tun+</emphasis></programlisting>
+
+    <para>In this example, COM_IF is a logical interface name that refers to
+    Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
+    a logical interface name that refers to Ethernet interface <filename
+    class="devicefile">eth2</filename>, and so on.</para>
+
+    <para>Here are a couple of more files from the same configuration:</para>
+
+    <para><ulink url="manpages/shorewall-masq.html">shorewall-masq</ulink>
+    (5):</para>
+
+    <programlisting>#INTERFACE SOURCE                    ADDRESS
+
+COMMENT Masquerade Local Network
+<emphasis role="bold">COM_IF</emphasis>     0.0.0.0/0
+<emphasis role="bold">EXT_IF </emphasis>    !206.124.146.0/24         206.124.146.179:persistent</programlisting>
+
+    <para><ulink
+    url="manpages/shorewall-providers.html">shorewall-providers</ulink>
+    (5)</para>
+
+    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
+Avvanta 1        0x10000 main       <emphasis role="bold">EXT_IF </emphasis>    206.124.146.254 loose,fallback        <emphasis
+        role="bold">INT_IF,VPS_IF,TUN_IF</emphasis>
+Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>     detect          balance               <emphasis
+        role="bold">INT_IF,VPS_IF,TUN_IF</emphasis></programlisting>
+
+    <para>Note in particular that Shorewall translates TUN_IF to <filename
+    class="devicefile">tun*</filename> in the COPY column.</para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-nat.xml

@@ -35,7 +35,7 @@
       in many cases, Proxy ARP (<ulink
       url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
       or Proxy-NDP(<ulink
-      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
+      url="/manpages/shorewall-proxyndp.html">shorewall6-proxyndp</ulink>(5))
       is a better solution that one-to-one NAT.</para>
     </warning>
 

Shorewall/manpages/shorewall-policy.xml

@@ -68,32 +68,35 @@
         <term><emphasis role="bold">SOURCE</emphasis> -
         <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
-        role="bold">all</emphasis>|<emphasis
+        role="bold">all[+][!<replaceable>ezone</replaceable>[,...]]</emphasis></term>
-        role="bold">all+</emphasis></term>
 
         <listitem>
           <para>Source zone. Must be the name of a zone defined in <ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           $FW, "all" or "all+".</para>
 
-          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
+          <para>Support for <emphasis role="bold">all+</emphasis> was added in
-          not override the implicit intra-zone ACCEPT policy while "all+"
+          Shorewall 4.5.17. <emphasis role="bold">all</emphasis> does not
-          does.</para>
+          override the implicit intra-zone ACCEPT policy while <emphasis
+          role="bold">all+</emphasis> does.</para>
 
           <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
           separated by commas. As above, if '+' is specified after two or more
           zone names, then the policy overrides the implicit intra-zone ACCEPT
           policy if the same <replaceable>zone</replaceable> appears in both
           the SOURCE and DEST columns.</para>
+
+          <para>Beginning with Shorewall 5.2.3, a comma-separated list of
+          excluded zones preceded by "!" may follow <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">all+.</emphasis></para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
         <emphasis>zone</emphasis>[,...[+]]|<emphasis
-        role="bold">$FW</emphasis>|<emphasis
+        role="bold">$FW</emphasis>|all[+][!<replaceable>ezone</replaceable>[,...]]</term>
-        role="bold">all</emphasis>|<emphasis
-        role="bold">all+</emphasis></term>
 
         <listitem>
           <para>Destination zone. Must be the name of a zone defined in <ulink
@@ -112,6 +115,11 @@
           zone names, then the policy overrides the implicit intra-zone ACCEPT
           policy if the same <replaceable>zone</replaceable> appears in both
           the SOURCE and DEST columns.</para>
+
+          <para>Beginning with Shorewall 5.2.3, a comma-separated list of
+          excluded zones preceded by "!" may follow <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">all+</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -123,7 +131,7 @@
         role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
         role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
         role="bold">None</emphasis>}]</term>
@@ -228,7 +236,18 @@
                 given queues. This is useful for multicore systems: start
                 multiple instances of the userspace program on queues x, x+1,
                 .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                connection are put into the same nfqueue. Beginning with
+                Shorewall 5.1.0, queuenumber2 may be followed by the letter
+                'c' to indicate that the CPU ID will be used as an index to
+                map packets to the queues. The idea is that you can improve
+                performance if there's a queue per CPU. Requires the NFQUEUE
+                CPU Fanout capability in your kernel and iptables.</para>
+
+                <para>Beginning with Shorewall 4.6.10, the keyword <emphasis
+                role="bold">bypass</emphasis> can be given. By default, if no
+                userspace program is listening on an NFQUEUE, then all packets
+                that are to be queued are dropped. When this option is used,
+                the NFQUEUE rule behaves like ACCEPT instead.</para>
               </listitem>
             </varlistentry>
 
@@ -295,21 +314,21 @@
           <para>where limit is one of:</para>
 
           <simplelist>
-            <member>[<emphasis
+            <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
-            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">s</emphasis>|<emphasis
-            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[[<replaceable>name</replaceable>][(ht-buckets,ht-max)]:]]]<emphasis>rate</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
             role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
 
-            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            <member>[<replaceable>name</replaceable>1:]<emphasis>rate1</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2:]<emphasis>rate2</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
@@ -331,7 +350,14 @@
           role="bold">shorewall</emphasis> is assumed. Where more than one
           POLICY or rule specifies the same name, the connections counts for
           the policies are aggregated and the individual rates apply to the
-          aggregated count.</para>
+          aggregated count. Beginning with Shorewall 5.2.1, the <emphasis
+          role="bold">s</emphasis> or <emphasis role="bold">d</emphasis> may
+          be followed by a slash ("/") and an integer
+          <replaceable>vlsm</replaceable>. When a
+          <replaceable>vlsm</replaceable> is specified, all source or
+          destination addresses encountered will be grouped according to the
+          given prefix length and the so-created subnet will be subject to the
+          rate limit.</para>
 
           <para>Beginning with Shorewall 4.6.5, two<replaceable>
           limit</replaceable>s may be specified, separated by a comma. In this
@@ -342,6 +368,17 @@
 
           <para>Example: <emphasis
           role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
+
+          <para>Beginning with Shorewall 5.2.1, the table name, if any, may be
+          followed by two integers separated by commas and enclosed in
+          parentheses. The first integer
+          (<replaceable>ht-buckets</replaceable>) specifies the number of
+          buckets in the generated hash table. The second integer
+          (<replaceable>ht-max</replaceable>) specifies the maximum number of
+          entries in the hash table.</para>
+
+          <para>Example: <emphasis
+          role="bold">s:client(1024,65536):10/sec</emphasis></para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-providers.xml

@@ -387,8 +387,10 @@
                 distributions but <emphasis role="bold">nohostroute</emphasis>
                 (below) is appropriate for recent distributions. <emphasis
                 role="bold">hostroute</emphasis> may interfere with Zebra's
-                ability to add routes on some distributions such as Debian
+                ability to add routes on some distributions such as Debian 7.
-                7.</para>
+                This option defaults to on when BALANCE_PROVIDERS=Yes, in
+                <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -404,7 +406,9 @@
                 older distributions but is appropriate for recent
                 distributions. <emphasis role="bold">nohostroute</emphasis>
                 allows Zebra's to correctly add routes on some distributions
-                such as Debian 7.</para>
+                such as Debian 7. This option defaults to off when
+                BALANCE_PROVIDERS=Yes, in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -446,7 +450,7 @@
                 </note>
 
                 <important>
-                  <para>RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not
+                  <para>RESTORE_DEFAULT_ROUTE=Yes in shorewall[6].conf is not
                   recommended when the <option>persistent</option> option is
                   used, as restoring default routes to the main routing table
                   can prevent link status monitors such as foolsm from

Shorewall/manpages/shorewall-rules.xml

@@ -461,8 +461,7 @@
               <listitem>
                 <para>Added in Shorewall 4.5.16. This action allows you to
                 construct most of the rule yourself using iptables syntax. The
-                part that you specify must follow two semicolons (';;')
+                part that you specify must follow two semicolons (';;') and is
-		and is
                 completely free-form. If the target of the rule (the part
                 following 'j') is something that Shorewall supports in the
                 ACTION column, then you may enclose it in parentheses (e.g.,
@@ -546,7 +545,7 @@
                 the<replaceable>
                 ip6tables-</replaceable><replaceable>target</replaceable> as a
                 builtin action in <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
 
                 <important>
                   <para>If you specify REJECT as the
@@ -675,15 +674,15 @@
                 the keyword <emphasis role="bold">bypass</emphasis> can be
                 given. By default, if no userspace program is listening on an
                 NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
+                When this option is used, the NFQUEUE rule behaves like ACCEPT
-                bypassed instead. The packet will move on to the next rule.
+                instead. Also beginning in Shorewall 4.6.10, a second queue
-                Also beginning in Shorewall 4.6.10, a second queue number
+                number (<replaceable>queuenumber2</replaceable>) may be
-                (<replaceable>queuenumber2</replaceable>) may be specified.
+                specified. This specifies a range of queues to use. Packets
-                This specifies a range of queues to use. Packets are then
+                are then balanced across the given queues. This is useful for
-                balanced across the given queues. This is useful for multicore
+                multicore systems: start multiple instances of the userspace
-                systems: start multiple instances of the userspace program on
+                program on queues x, x+1, .. x+n and use "x:x+n". Packets
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
+                belonging to the same connection are put into the same
-                the same connection are put into the same nfqueue.</para>
+                nfqueue.</para>
 
                 <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
                 followed by the letter 'c' to indicate that the CPU ID will be
@@ -994,19 +993,18 @@
 
                 <variablelist>
                   <varlistentry>
-                    <term>all[+][-]</term>
+                    <term>all[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
+                      "-" means "All Zones, including the firewall zone".
-                      the "-" is included, the firewall zone is omitted.
                       Normally all omits intra-zone traffic, but intra-zone
                       traffic can be included specifying "+".</para>
                     </listitem>
                   </varlistentry>
 
                   <varlistentry>
-                    <term>any[+][-]</term>
+                    <term>any[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">any</emphasis> is equivalent
@@ -1046,7 +1044,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
+              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable></term>
 
               <listitem>
                 <para>When this form is used,
@@ -1059,6 +1057,11 @@
                 Only packets from hosts in the <replaceable>zone</replaceable>
                 that arrive through the named interface will match the
                 rule.</para>
+
+                <para>Beginning with Shorweall 5.2.1, the
+                <replaceable>interface</replaceable> may be preceded with '!'
+                which matches all interfaces associated with the zone except
+                the one specified.</para>
               </listitem>
             </varlistentry>
 
@@ -1255,6 +1258,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>all+!$FW</term>
+
+              <listitem>
+                <para>All but the firewall zone and applies to intrazone
+                traffic.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>net:^CN</term>
 
@@ -1345,19 +1357,18 @@
 
                 <variablelist>
                   <varlistentry>
-                    <term>all[+][-]</term>
+                    <term>all[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
+                      "-" means "All Zones, including the firewall zone".
-                      the "-" is included, the firewall zone is omitted.
                       Normally all omits intra-zone traffic, but intra-zone
                       traffic can be included specifying "+".</para>
                     </listitem>
                   </varlistentry>
 
                   <varlistentry>
-                    <term>any[+][-]</term>
+                    <term>any[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">any</emphasis> is equivalent
@@ -1397,7 +1408,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
+              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable></term>
 
               <listitem>
                 <para>When this form is used,
@@ -1410,6 +1421,11 @@
                 Only packets to hosts in the <replaceable>zone</replaceable>
                 that are sent through the named interface will match the
                 rule.</para>
+
+                <para>Beginning with Shorweall 5.2.1, the
+                <replaceable>interface</replaceable> may be preceded with '!'
+                which matches all interfaces associated with the zone except
+                the one specified.</para>
               </listitem>
             </varlistentry>
 
@@ -1463,12 +1479,17 @@
             </varlistentry>
 
             <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
+              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
 
               <listitem>
                 <para>This form combines the preceding two and requires that
                 both the outgoing interface and destinationaddress
                 match.</para>
+
+                <para>Beginning with Shorweall 5.2.1, the
+                <replaceable>interface</replaceable> may be preceded with '!'
+                which matches all interfaces associated with the zone except
+                the one specified.</para>
               </listitem>
             </varlistentry>
 
@@ -1483,7 +1504,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
 
               <listitem>
                 <para>This form matches packets to the named
@@ -1491,6 +1512,11 @@
                 <replaceable>interface</replaceable> where the destination
                 address does not match any entry in the
                 <replaceable>exclusion</replaceable>.</para>
+
+                <para>Beginning with Shorweall 5.2.1, the
+                <replaceable>interface</replaceable> may be preceded with '!'
+                which matches all interfaces associated with the zone except
+                the one specified.</para>
               </listitem>
             </varlistentry>
 
@@ -1554,7 +1580,7 @@
           <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
           then either:<orderedlist numeration="loweralpha">
               <listitem>
-                <para>the SOURCE must be <option>all[+][-]</option>, or</para>
+                <para>the SOURCE must be <option>all[+]</option>, or</para>
               </listitem>
 
               <listitem>
@@ -1881,19 +1907,21 @@
           <simplelist>
             <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
             role="bold">s</emphasis>|<emphasis
-            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[<replaceable>name</replaceable>[(<replaceable>ht-buckets</replaceable>,<replaceable>ht-max</replaceable>)]:]<emphasis>rate</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
             role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
 
-            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            <member>[<emphasis
+            role="bold">s</emphasis>[/<replaceable>vlsm1</replaceable>]:][<replaceable>name</replaceable>1[(<replaceable>ht-buckets1</replaceable>,<replaceable>ht-max1</replaceable>)]:]<emphasis>rate1</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<emphasis
+            role="bold">d</emphasis>[/<replaceable>vlsm2</replaceable>:][<replaceable>name</replaceable>2[(<replaceable>ht-buckets2</replaceable>,<replaceable>ht-max2</replaceable>)]:]<emphasis>rate2</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
@@ -1921,7 +1949,16 @@
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,
           the connections counts for the rules are aggregated and the
-          individual rates apply to the aggregated count.</para>
+          individual rates apply to the aggregated count. Beginning with
+          Shorewall 5.2.1, the <emphasis role="bold">s</emphasis> or <emphasis
+          role="bold">d</emphasis> may be followed by a slash ("/") and an
+          integer <replaceable>vlsm</replaceable>. When a
+          <replaceable>vlsm</replaceable> is specified, all source or
+          destination addresses encountered will be grouped according to the
+          given prefix length and the so-created subnet will be subject to the
+          rate limit.</para>
+
+          <para>Example: <emphasis role="bold">s/24::10/sec</emphasis></para>
 
           <para>Beginning with Shorewall 4.6.5, two<replaceable>
           limit</replaceable>s may be specified, separated by a comma. In this
@@ -1938,6 +1975,17 @@
           name for the hash table that tracks the per-destination
           limit.</para>
 
+          <para>Beginning with Shorewall 5.2.1, the table name, if any, may be
+          followed by two integers separated by commas and enclosed in
+          parentheses. The first integer
+          (<replaceable>ht-buckets</replaceable>) specifies the number of
+          buckets in the generated hash table. The second integer
+          (<replaceable>ht-max</replaceable>) specifies the maximum number of
+          entries in the hash table.</para>
+
+          <para>Example: <emphasis
+          role="bold">s:netfw(1024,65536):10/sec</emphasis></para>
+
           <para>This column was formerly labelled RATE LIMIT.</para>
         </listitem>
       </varlistentry>

Shorewall/manpages/shorewall.conf.xml

@@ -500,7 +500,7 @@
           each listed directory is to be searched. AUTOMAKE=1 only searches
           each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
           will search each directory and its immediate sub-directories;
-          AUTOMAKE=3 will search each diretory, each of its immediate
+          AUTOMAKE=3 will search each directory, each of its immediate
           sub-directories, and each of their immediate sub-directories,
           etc.</para>
         </listitem>
@@ -1382,7 +1382,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           of modules loaded by shorewall to those listed in
           <filename>/var/lib/shorewall[6]/helpers</filename> and those that
           are actually used. When not set, or set to the empty value,
-          LOAD_HELPERS_ONLY=No is assumed.</para>
+          LOAD_HELPERS_ONLY=No is assumed in Shorewall versions 5.2.2 and
+          earlier. Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY
+          option is removed, and the behavior is as if LOAD_HELPERS_ONLY=Yes
+          had been specified.</para>
         </listitem>
       </varlistentry>
 

Shorewall/modules

@@ -1,39 +0,0 @@
-#
-# Shorewall version 5 - Modules File
-#
-# /usr/share/shorewall/modules
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-INCLUDE modules.essential
-#
-# Other xtables modules
-#
-INCLUDE modules.xtables
-#
-# Helpers
-#
-INCLUDE helpers
-#
-# Ipset
-#
-INCLUDE modules.ipset
-#
-# Traffic Shaping
-#
-INCLUDE modules.tc
-#
-# Extensions
-#
-INCLUDE modules.extensions

Shorewall/modules.essential

@@ -1,32 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.essential
-#
-# Essential Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip_tables
-loadmodule iptable_filter
-loadmodule iptable_mangle
-loadmodule ip_conntrack
-loadmodule nf_conntrack
-loadmodule nf_conntrack_ipv4
-loadmodule iptable_nat
-loadmodule nf_nat
-loadmodule nf_nat_ipv4
-loadmodule iptable_raw
-loadmodule xt_state
-loadmodule xt_tcpudp

Shorewall/modules.extensions

@@ -1,59 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.extensions
-#
-# Extensions Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule ipt_addrtype
-loadmodule ipt_ah
-loadmodule ipt_CLASSIFY
-loadmodule ipt_CLUSTERIP
-loadmodule ipt_comment
-loadmodule ipt_connmark
-loadmodule ipt_CONNMARK
-loadmodule ipt_conntrack
-loadmodule ipt_dscp
-loadmodule ipt_DSCP
-loadmodule ipt_ecn
-loadmodule ipt_ECN
-loadmodule ipt_esp
-loadmodule ipt_hashlimit
-loadmodule ipt_helper
-loadmodule ipt_ipp2p
-loadmodule ipt_iprange
-loadmodule ipt_length
-loadmodule ipt_limit
-loadmodule ipt_mac
-loadmodule ipt_mark
-loadmodule ipt_MARK
-loadmodule ipt_MASQUERADE
-loadmodule ipt_multiport
-loadmodule ipt_NETMAP
-loadmodule ipt_NOTRACK
-loadmodule ipt_owner
-loadmodule ipt_physdev
-loadmodule ipt_pkttype
-loadmodule ipt_policy
-loadmodule ipt_realm
-loadmodule ipt_recent
-loadmodule ipt_REDIRECT
-loadmodule ipt_REJECT
-loadmodule ipt_SAME
-loadmodule ipt_sctp
-loadmodule ipt_set
-loadmodule ipt_state
-loadmodule ipt_tcpmss
-loadmodule ipt_TCPMSS
-loadmodule ipt_tos
-loadmodule ipt_TOS
-loadmodule ipt_ttl
-loadmodule ipt_TTL

Shorewall/modules.ipset

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.ipset
-#
-# IP Set Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_set
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_ipporthash
-loadmodule ip_set_iptree
-loadmodule ip_set_iptreemap
-loadmodule ip_set_macipmap
-loadmodule ip_set_nethash
-loadmodule ip_set_portmap
-loadmodule ipt_SET
-loadmodule ipt_set

Shorewall/modules.tc

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.tc
-#
-# Traffic Shaping Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_hfsc
-loadmodule sch_htb
-loadmodule sch_prio
-loadmodule sch_tbf
-loadmodule sch_fq_codel
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule cls_flow
-loadmodule cls_basic
-loadmodule act_police

Shorewall/modules.xtables

@@ -1,53 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.xtables
-#
-# Xtables Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_AUDIT
-loadmodule xt_CLASSIFY
-loadmodule xt_connmark
-loadmodule xt_CONNMARK
-loadmodule xt_conntrack
-loadmodule xt_dccp
-loadmodule xt_dscp
-loadmodule xt_DSCP
-loadmodule xt_hashlimit
-loadmodule xt_helper
-loadmodule xt_ipp2p
-loadmodule xt_iprange
-loadmodule xt_length
-loadmodule xt_limit
-loadmodule xt_mac
-loadmodule xt_mark
-loadmodule xt_MARK
-loadmodule xt_multiport
-loadmodule xt_nat
-loadmodule xt_NFQUEUE
-loadmodule xt_owner
-loadmodule xt_physdev
-loadmodule xt_pkttype
-loadmodule xt_policy
-loadmodule xt_sctp
-loadmodule xt_tcpmss
-loadmodule xt_TCPMSS
-loadmodule xt_time
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
-#
-# From xtables-addons
-#
-loadmodule xt_condition
-loadmodule xt_geoip
-loadmodule xt_ipp2p
-loadmodule xt_LOGMARK
-loadmodule xt_RAWNAT

Shorewall/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}

Shorewall6-lite/init.alt.sh

@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall6-Lite init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall6
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall6-Lite firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG -6l"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/${PROG}6-lite
+
+LOCKFILE="/var/lock/subsys/${PROG}6-lite"
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL

Shorewall6-lite/init.openwrt.sh

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)

Shorewall6-lite/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall6-lite/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -179,8 +179,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/three-interfaces/rules

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
+# Shorewall6 version 5.2 - Sample Rules File for three-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/three-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4 - Sample Zones File for three-interface configuration.
+# Shorewall6 version 5.2 - Sample Zones File for three-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/Samples6/two-interfaces/rules

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
+# Shorewall6 version 5.2 - Sample Rules File for two-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/two-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
+# Shorewall6 version 5.2 - Sample Zones File for two-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/configfiles/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/init.alt.sh

@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall6 init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall6
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall6 firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG -6"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/${PROG}6
+
+LOCKFILE="/var/lock/subsys/${PROG}6"
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL

Shorewall6/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #