Add target file(s) 5.2.8-base

Signed-off-by: Tom Eastep <teastep@shorewall.net>

.gitattributes

@@ -0,0 +1 @@
+*targetname export-ignore

Shorewall-core/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall-core/Shorewall-core-targetname

@@ -0,0 +1 @@
+5.2.8-RC1

Shorewall-core/configure

@@ -1,10 +1,10 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -109,6 +109,9 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
+	    alt|basealt|altlinux)
+		vendor=alt
+		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -132,6 +135,8 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+	    elif [ -f /etc/altlinux-release ] ; then
+		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat

Shorewall-core/configure.pl

@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -74,6 +74,8 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
+	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -117,6 +119,9 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
+    } elsif ( -f '/etc/altlinux-release' ){
+	$vendor = 'alt';
+	$rcfilename = 'shorewallrc.alt';
     } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';

Shorewall-core/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -172,6 +172,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -180,6 +183,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -238,7 +243,7 @@ case "$HOST" in
     apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
 	;;
     *)
 	fatal_error "Unknown HOST \"$HOST\""

Shorewall-core/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.cli

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50207
 
 if [ -z "$g_basedir" ]; then
     #
@@ -247,10 +247,39 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc1() {
+show_one_classifier() {
+    local class
 
+    qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'
+    tc filter show dev $1
+    tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+	if [ -n "$class" ]; then
+	    echo
+	    echo Node $class
+	    tc filter show dev $device parent $class
+	fi
+    done
+    echo
+}
+
+show_classifier1() {
+    local device
+    local qdisc
+
+    device=${1%@*}
+    qdisc=$(tc qdisc list dev $device)
+    if [ -n "$qdisc" ]; then
+	echo Device $device:
+	show_one_classifier $device
+    fi
+}
+
+show_tc1() {
     show_one_tc() {
 	local device
+	local qdisc
+	local ingress
+
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)
 
@@ -260,6 +289,7 @@ show_tc1() {
 	    echo
 	    tc -s -d class show dev $device
 	    echo
+	    show_one_classifier $device "$qdisc"
 	fi
     }
 
@@ -270,7 +300,6 @@ show_tc1() {
 	    show_one_tc ${interface%:}
 	done
     fi
-
 }
 
 show_tc() {
@@ -291,28 +320,8 @@ show_tc() {
 #
 show_classifiers() {
 
-    show_one_classifier() {
-	local device
-	device=${1%@*}
-	qdisc=$(tc qdisc list dev $device)
-
-	if [ -n "$qdisc" ]; then
-	    echo Device $device:
-	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
-	    tc filter show dev $device
-	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
-		if [ -n "$class" ]; then
-		    echo
-		    echo Node $class
-		    tc filter show dev $device parent $class
-		fi
-	    done
-	    echo
-	fi
-    }
-
     ip -o link list | while read inx interface details; do
-	show_one_classifier ${interface%:}
+	show_classifier1 ${interface%:}
     done
 
 }
@@ -937,11 +946,28 @@ show_events() {
     fi
 }
 
+sort_actions() {
+    local sep #separates sort keys from the action[.std] record
+    sep="##"
+
+    awk -v sep="$sep" \
+         'BEGIN		  { action = ""; ifrec = ""; nr = 0; };\
+	  /^#/	  	  { next; };\
+	  /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
+	  /^( |\t|\?)/	  { if ( action != "" ) print action, NR, sep $0; next; };\
+			  { action = $1; };\
+	  nr != 0	  { print action , nr, sep ifrec; nr = 0; };\
+			  { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
+}
+
 show_actions() {
-    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+    local actions
+    actions=$(find_file actions)
+
+    if [ -f ${actions} ]; then
+	cat ${actions} ${g_sharedir}/actions.std | sort_actions
     else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+        sort_actions < ${g_sharedir}/actions.std
     fi
 }
 
@@ -1000,6 +1026,8 @@ show_mangle() {
 show_classifiers_command() {
     echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
     echo
+    echo "Warning: This command is deprecated in favor of the 'show tc' command"
+    echo
     show_classifiers
 }
 
@@ -1108,10 +1136,6 @@ show_blacklists() {
     show_bl;
 }
 
-show_actions_sorted() {
-    show_actions | sort
-}
-
 show_macros() {
     for directory in $(split $CONFIG_PATH); do
 	temp=
@@ -1543,7 +1567,7 @@ show_command() {
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
-			    eval show_actions_sorted $g_pager
+			    eval show_actions $g_pager
 			    return
 			    ;;
 			macro)
@@ -1891,8 +1915,6 @@ do_dump_command() {
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
 	show_tc1
-	heading "TC Filters"
-	show_classifiers
 	fi
 }
 
@@ -2651,6 +2673,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
 
@@ -2667,6 +2690,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -2766,7 +2790,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)
 
 	if [ -z "$g_tool" ]; then
-	    fatal-error "No executable $tool binary can be found on your PATH"
+	    fatal_error "No executable $tool binary can be found on your PATH"
 	fi
     fi
 
@@ -2863,6 +2887,7 @@ determine_capabilities() {
     NETMAP_TARGET=
     NFLOG_SIZE=
     RESTORE_WAIT_OPTION=
+    CONNMARK_ACTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -3230,6 +3255,10 @@ determine_capabilities() {
 	    BASIC_FILTER=Yes
 	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 	fi
+
+	if $TC action add connmark help 2>&1 | grep -q ^Usage; then
+	    CONNMARK_ACTION=Yes
+	fi
     fi
 
     [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
@@ -3373,6 +3402,7 @@ report_capabilities_unsorted() {
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
     report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
     report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
+    report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3479,6 +3509,7 @@ report_capabilities_unsorted1() {
     report_capability1 NFLOG_SIZE
     report_capability1 RESTORE_WAIT_OPTION
     report_capability1 NAT_INPUT_CHAIN
+    report_capability1 CONNMARK_ACTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3574,7 +3605,7 @@ status_command() {
 
     [ $# -eq 0 ] || missing_argument
 
-    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
     [ -n "$interfaces" ] && show_interfaces
     exit $status
@@ -3622,6 +3653,7 @@ reject_command() {
 
 blacklist_command() {
     local family
+    local timeout
 
     [ $# -gt 0 ] || fatal_error "Missing address"
 
@@ -3639,10 +3671,17 @@ blacklist_command() {
 	    ;;
     esac
 
-    if $IPSET -A $g_blacklistipset $@ -exist; then
+    if [ $COMMAND = 'blacklist!' ]; then
+	timeout='timeout 0'
+    else
+	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    fi
+
+    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 
 	progress_message2 "$1 Blacklisted"
+	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3775,7 +3814,7 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
     else
 	too_many_arguments $4
@@ -3864,7 +3903,7 @@ noiptrace_command() {
 verify_firewall_script() {
     if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
@@ -3897,7 +3936,7 @@ setup_dbl() {
     case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
 
@@ -3905,11 +3944,49 @@ setup_dbl() {
 	    ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+	ipset*,log*)
+	    #
+	    # Capture 'log'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+	    g_dbllog=Yes
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,noupdate*)
+	    #
+	    # This utility doesn't use this option
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+	    ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
+	    # Capture timeout
 	    #
+	    local ifs
+	    local f
+
+	    ifs=$IFS
+	    IFS=','
+
+	    for f in $DYNAMIC_BLACKLIST; do
+		case $f in
+		    timeout=*)
+			g_dbltimeout=${f#timeout=}
+			g_dbltimeout=${g_dbltimeout%%:*}
+			break
+			;;
+		esac
+	    done
+
+	    IFS=$ifs
+
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
     esac
@@ -3942,9 +4019,15 @@ setup_dbl() {
 # the Standard CLI by loading lib.cli-std
 ################################################################################
 #
-# Set the configuration variables from shorewall[6]-lite.conf.
+# Set the configuration variables from shorewall[6]-lite.conf. This function
+# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
+# Shorewall6 is being run.
 #
-get_config() {
+#     $1 = Yes: read the params file
+#     $2 = Yes: check for STARTUP_ENABLED
+#     $3 = Yes: Check for LOGFILE
+#
+lite_get_config() {
     local config
     local lib
 
@@ -3964,7 +4047,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4093,7 +4176,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -4106,10 +4189,22 @@ get_config() {
     [ -f $lib ] && . $lib
 
 }
+
+#
+# get_config() -- calls the appropriate xxx_get_config()
+#
+get_config() {
+    if [ -z "$g_lite" ]; then
+	std_get_config $@
+    else
+	lite_get_config $@
+    fi
+}
+
 #
 # Start Command Executor
 #
-start_command() {
+lite_start_command() {
     local finished
     finished=0
 
@@ -4120,14 +4215,14 @@ start_command() {
 
 	if [ -x $g_firewall ]; then
 	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+		run_it ${VARDIR}/${RESTOREFILE} restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it $g_firewall start
 	    fi
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger kern.err "ERROR:$g_product start failed"
+	    mylogger daemon.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
 
@@ -4196,10 +4291,21 @@ start_command() {
     do_it
 }
 
+#
+# start_command() -- calls the appropriate xxx_start_command()
+#
+start_command() {
+    if [ -z "$g_lite" ]; then
+	std_start_command $@
+    else
+	lite_start_command $@
+    fi
+}
+
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+lite_restart_command() {
     local finished
     finished=0
     local rc
@@ -4256,11 +4362,11 @@ restart_command() {
     [ -n "$g_nolock" ] || mutex_on
 
     if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it $g_firewall $COMMAND
 	rc=$?
     else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
 
@@ -4268,9 +4374,20 @@ restart_command() {
     return $rc
 }
 
+#
+# restart_command() -- calls the appropriate xxx_restart_command()
+#
+restart_command() {
+    if [ -z "$g_lite" ]; then
+	std_restart_command $@
+    else
+	lite_restart_command $@
+    fi
+}
+
 run_command() {
     if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it $g_firewall $@
     else
 	fatal_error "$g_firewall does not exist or is not executable"
     fi
@@ -4287,14 +4404,20 @@ ecko() {
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "   -T : Direct the generated script to produce a shell trace to standard error"
+    echo "   -D : Debug iptables commands"
+    echo "   -N : Don't take the master shorewall lock"
+    echo "   -q : Standard Shorewall verbosity control"
+    echo "   -v : Standard Shorewall verbosity control"
+    echo "   -t : Timestamp all messages"
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   blacklist <address> [ <option> ... ]"
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]"
     echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]"
     echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
@@ -4317,7 +4440,6 @@ usage() # $1 = exit status
 	echo "   iptrace <ip6tables match expression>"
     fi
 
-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
@@ -4335,7 +4457,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     if [ -z "$g_lite" ]; then
@@ -4351,7 +4473,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
@@ -4366,12 +4488,11 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
-    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] {classifiers|filters)"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
     echo "   [ show | list | ls ] event [ <event> ...]"
     echo "   [ show | list | ls ] events"
-    echo "   [ show | list | ls ] filters"
     echo "   [ show | list | ls ] ip"
 
     if [ $g_family -eq 4 ]; then
@@ -4415,20 +4536,16 @@ usage() # $1 = exit status
 # here if that lib is loaded below.
 #
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
     g_nolock=
-
+    #
+    # We'll keep this around for a while so we don't break people's started scripts
+    #
     if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 	g_nolock=nolock
 	shift
     fi
 
+    g_debugging=
     g_noroutes=
     g_purge=
     g_ipt_options="-nv"
@@ -4456,6 +4573,9 @@ shorewall_cli() {
     g_blacklistipset=
     g_disconnect=
     g_havemutex=
+    g_trace=
+    g_dbltimeout=
+    g_dbllog=
 
     VERBOSE=
     VERBOSITY=1
@@ -4587,6 +4707,17 @@ shorewall_cli() {
 			    finished=1
 			    option=
 			    ;;
+			T*)
+			    g_debugging=trace
+			    option=${option#T}
+			    ;;
+			D*)
+			    g_debugging=debug
+			    option=${option#D}
+			    ;;
+			N*)
+			    g_nolock=nolock
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -4622,7 +4753,7 @@ shorewall_cli() {
 	exit 1
     fi
 
-    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
+    banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"
 
     COMMAND=$1
 
@@ -4639,7 +4770,7 @@ shorewall_cli() {
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
-	    run_it $g_firewall $g_debugging $COMMAND
+	    run_it $g_firewall $COMMAND
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
@@ -4648,7 +4779,7 @@ shorewall_cli() {
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
-	    run_it $g_firewall $g_debugging reset $@
+	    run_it $g_firewall reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
@@ -4661,12 +4792,12 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it $g_firewall $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4712,7 +4843,7 @@ shorewall_cli() {
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
-	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
+	    banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
@@ -4744,7 +4875,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)
@@ -4816,7 +4947,7 @@ shorewall_cli() {
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
-		    run_it $g_firewall $g_debugging call $@
+		    run_it $g_firewall call $@
 		fi
 	    else
 		missing_argument

Shorewall-core/lib.common

@@ -1,9 +1,9 @@
 #
 # Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -55,13 +55,13 @@ startup_error() # $* = Error Message
 
     case $COMMAND in
         start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
     esac
 
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message
 #
 run_it() {
     local script
-    local options
+    local options='-'
 
     export VARDIR
 
     script=$1
     shift
 
-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	options="$1 -"
-	shift;
+
+    if [ "$g_debugging" = debug ]; then
+	options='-D'
+    elif [ "$g_debugging" = trace ]; then
+	options='-T'
     else
-	options='-'
+	options='-';
     fi
 
     [ -n "$g_noroutes" ]   && options=${options}n
@@ -411,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -419,7 +421,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
     elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +503,7 @@ ip_network() {
 
 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+# the popular light-weight Bourne shell derivatives do not support XOR ("^").
 #
 ip_broadcast() {
     local x
@@ -736,8 +738,8 @@ truncate() # $1 = length
 
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
+# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
+# the first argument. Example "shorewall -N refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
@@ -751,6 +753,8 @@ mutex_on()
     lockf=${LOCKFILE:=${VARDIR}/lock}
     local lockpid
     local lockd
+    local lockbin
+    local openwrt
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
@@ -760,29 +764,33 @@ mutex_on()
 
 	[ -d "$lockd" ] || mkdir -p "$lockd"
 
+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    elif [ -z "$openwrt" ]; then
+		if [ $lockpid -eq $$ ]; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
+		    rm -f ${lockf}
+		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+		fi
 	    fi
 	fi
 
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	if [ -n "$openwrt" ]; then
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall-core/lib.core

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -337,8 +337,15 @@ ensure_config_path() {
 	. $F
     fi
 
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    if [ -n "$g_shorewalldir" ] && [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ];then
+	case $CONFIG_PATH in
+	    :*)
+		CONFIG_PATH=${g_shorewalldir}${CONFIG_PATH}
+		;;
+	    *)
+		CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+		;;
+	esac
     fi
 }
 

Shorewall-core/lib.installer

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.uninstaller

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -60,7 +60,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
     if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
+        if [ -f $1 -o -h $1 ] ; then
             rm -f $1
             echo "$1 Removed"
         fi
@@ -84,7 +84,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
             if [ -d $f ] ; then
                 rm -rf $f
                 echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
+            elif [ -f $f -o -h $f ] ; then
                 rm -f $f
                 echo "$f Removed"
             fi

Shorewall-core/shorewall

@@ -1,11 +1,11 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/shorewallrc.alt

@@ -0,0 +1,25 @@
+#
+# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=alt
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
+PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
+INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf

Shorewall-core/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -134,6 +134,7 @@ fi
 
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
+remove_file ${SBINDIR}/shorewall
 
 #
 # Report Success

Shorewall-core/wait4ifup

@@ -1,12 +1,12 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V4.2
+#     Shorewall interface helper utility - V5.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/ifupdown.debian.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -110,7 +110,7 @@ case $0 in
 	;;
     *)
         #
-        # Debian ifupdown system
+        # Debian ifupdown system - MODE and INTERFACE inherited from the environment
         #
 	INTERFACE="$IFACE"
 
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then

Shorewall-init/ifupdown.fedora.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -90,7 +90,14 @@ case $0 in
 		COMMAND=down
 		;;
 	    *dispatcher.d*)
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *)
 		exit 0

Shorewall-init/ifupdown.suse.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -120,7 +120,14 @@ case $0 in
 	case $0 in
 	    *dispatcher.d*)
 		INTERFACE="$1"
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *if-up.d*)
 		COMMAND=up

Shorewall-init/init.alt.sh

@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+NAME="Shorewall-init firewall"
+PROG="shorewall-init"
+SHOREWALL="$SBINDIR/$PROG"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+LOCKFILE=/var/lock/subsys/shorewall-init
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]; then
+		echo "No PRODUCTS configured"
+		exit 6
+	fi
+else
+	echo "/etc/sysconfig/shorewall-init not found"
+	exit 6
+fi
+
+RETVAL=0
+
+# set the STATEDIR variable
+setstatedir() {
+	local statedir
+	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+	fi
+
+	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+	if [ -x ${STATEDIR}/firewall ]; then
+		return 0
+	elif [ $PRODUCT = shorewall ]; then
+		${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/shorewall -6 compile
+	else
+		return 1
+	fi
+}
+
+start() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Initializing \"Shorewall-based firewalls\": "
+
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+		ipset -R < "$SAVE_IPSETS"
+	fi
+
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Clearing \"Shorewall-based firewalls\": "
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" ]; then
+		mkdir -p $(dirname "$SAVE_IPSETS")
+		if ipset -S > "${SAVE_IPSETS}.tmp"; then
+			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+		else
+			rm -f "${SAVE_IPSETS}.tmp"
+		fi
+	fi
+
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart|reload|condrestart|condreload)
+	    # "Not implemented"
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    status "$PROG"
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL

Shorewall-init/init.debian.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/init.openwrt.sh

@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)

Shorewall-init/init.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-init/init.suse.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/install.sh

@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID=)
+		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
 
 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -181,6 +181,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -191,6 +194,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -253,6 +258,9 @@ case "$HOST" in
     openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
     linux)
 	fatal_error "Shorewall-init is not supported on this system"
 	;;
@@ -349,12 +357,11 @@ fi
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
     elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	make_parent_directory ${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
+	rm -f ${CONFDIR}/network/if-down.d/shorewall
     fi
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -380,7 +387,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    else
+	    elif [ "$HOST" != debian ]; then
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -409,19 +416,22 @@ if [ $HOST != openwrt ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
-    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ "$HOST" = debian ]; then
+	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
+    else
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi
 
 case $HOST in
     debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;

Shorewall-init/shorewall-init

@@ -1,12 +1,12 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is part of Shorewall.
 #
@@ -25,6 +25,7 @@
 #
 ###############################################################################
 # set the STATEDIR variable
+
 setstatedir() {
     local statedir
     if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -42,6 +43,67 @@ setstatedir() {
     fi
 }
 
+# Initialize the firewalls
+
+shorewall_init_start () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Initializing \"Shorewall-based firewalls\": "
+
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in a sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} stop
+		fi
+	    )
+	fi
+    done
+
+    return 0
+}
+
+# Clear the firewalls
+
+shorewall_init_stop () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Clearing \"Shorewall-based firewalls\": "
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} clear
+		fi
+	    )
+	fi
+    done
+
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
+	fi
+    fi
+
+    return 0
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -59,62 +121,12 @@ else
     exit 1
 fi
 
-# Initialize the firewall
-shorewall_start () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
-    return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" ]; then
-	mkdir -p $(dirname "$SAVE_IPSETS")
-	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
-	fi
-    fi
-
-    return 0
-}
-
 case "$1" in
     start)
-	shorewall_start
+	shorewall_init_start
 	;;
     stop)
-	shorewall_stop
+	shorewall_init_stop
 	;;
     *)
 	echo "Usage: $0 {start|stop}"

Shorewall-lite/Shorewall-lite-targetname

@@ -0,0 +1 @@
+5.2.4.1

Shorewall-lite/init.alt.sh

@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall-Lite init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall-Lite firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG -l"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
+
+LOCKFILE="/var/lock/subsys/${PROG}-lite"
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL

Shorewall-lite/init.openwrt.sh

@@ -1,13 +1,13 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.sh

@@ -1,13 +1,13 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -190,6 +190,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -198,6 +201,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -266,6 +271,9 @@ case "$HOST" in
     openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
     linux)
 	;;
     *)
@@ -418,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
     install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi
 
 if [ -f helpers ]; then
@@ -425,11 +438,6 @@ if [ -f helpers ]; then
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #

Shorewall-lite/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -183,7 +183,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    url="https://shorewall.org/Documentation_Index.html">https://shorewall.org/Documentation_Index.html</ulink></para>
 
     <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),

Shorewall-lite/shorewall-lite.conf

@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  https://shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall-lite/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable

Shorewall/Actions/action.A_REJECT

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.A_REJECT!

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Broadcast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.DNSAmp

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Established

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.FIN

@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.IfEvent

@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
@@ -114,8 +114,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
 
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
-
-    print "Resetting....\n";
     
     my $mark = $globals{EVENT_MARK};
     #

Shorewall/Actions/action.Invalid

@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Limit

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Multicast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.New

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.NotSyn

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.RST

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Related

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.ResetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.SetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 
 DEFAULTS -,ACCEPT,src

Shorewall/Actions/action.Untracked

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowInvalid

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowinUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcasts

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropInvalid

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.forwardUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.mangletemplate

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.

Shorewall/Actions/action.rejNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.template

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.net/MultiISP.html#swping.
+#  For information about this script, see  https://shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall/Macros/IPFS-swarm

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001

Shorewall/Macros/macro.Bitcoin

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333

Shorewall/Macros/macro.BitcoinRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332

Shorewall/Macros/macro.BitcoinRegtest

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRegtest
+#
+# Macro for handling Bitcoin P2P traffic (Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18444

Shorewall/Macros/macro.BitcoinTestnet

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnet
+#
+# Macro for handling Bitcoin P2P traffic (Testnet mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18333

Shorewall/Macros/macro.BitcoinTestnetRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnetRPC
+#
+# Macro for handling Bitcoin RPC traffic (Testnet and Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18332

Shorewall/Macros/macro.BitcoinZMQ

@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332

Shorewall/Macros/macro.Cockpit

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Cockpit
+#
+# This macro handles Time protocol (RFC868).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this.  NTP is a superior alternative.
+#
+#		By Eric Teeter
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	9090

Shorewall/Macros/macro.NFS

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.NFS
+#
+# This macro handles NFS v4.1+ traffic with default ports.
+# You should only allow NFS traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	111		# portmapper, rpcbind
+PARAM	-	-	tcp	2049		# nfs
+PARAM	-	-	tcp	20048		# mountd

Shorewall/Macros/macro.ONCRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111

Shorewall/Macros/macro.Tor

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	

Shorewall/Macros/macro.TorBrowserBundle

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150

Shorewall/Macros/macro.TorControl

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	

Shorewall/Macros/macro.TorDirectory

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030

Shorewall/Macros/macro.TorSocks

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	

Shorewall/Macros/macro.WUDO

@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680

Shorewall/Perl/Shorewall/ARP.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
+	} elsif ( $action ne 'INLINE' ) {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -1,12 +1,12 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -47,19 +47,17 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-our $export;
+our $export;          # True when compiling for export
 
-our $test;
+our $family;          # IP address family (4 or 6)
 
-our $family;
-
-our $have_arptables;
+our $have_arptables;  # True if we have arptables rules
 
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+sub initialize_package_globals( $$$$ ) {
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2], $_[3]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -268,20 +266,28 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
     }
 
     pop_indent;
 
     emit "}\n"; # End of initialize()
 
+    #
+    # Conditionally emit the 'generate_all_acasts() function
+    #
+    my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
+
     emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
-	  '{' );
+	  '{'
+	);
 
     my $global_variables    = have_global_variables;
     my $optional_interfaces = find_interfaces_by_option( 'optional' );
@@ -312,7 +318,7 @@ sub generate_script_2() {
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 		verify_required_interfaces(0);
-		set_global_variables(0, 0);
+		set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
 		handle_optional_interfaces;
 	    }
 
@@ -326,7 +332,7 @@ sub generate_script_2() {
 	}
 
 	verify_required_interfaces(1);
-	set_global_variables(1,1);
+	set_global_variables(1, 1, $call_generate_all_acasts );
 	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
@@ -379,10 +385,10 @@ sub generate_script_3() {
     save_progress_message 'Initializing...';
 
     if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file( 'helpers' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
-	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
+	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
 
@@ -543,13 +549,13 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
         ;;
     reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
         ;;
     restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
         ;;
 esac
 EOF
@@ -586,7 +592,7 @@ sub compiler {
        ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
-    $test           = 0;
+    my $test        = 0;
     $have_arptables = 0;
 
     sub validate_boolean( $ ) {
@@ -639,18 +645,19 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
-
+    initialize_package_globals( $update, $test, $shorewallrc, $shorewallrc1 );
+    #
+    # Rather than continuing to extend the argument list of Config::initialize(),
+    # we use a set of small functions to export settings to the Config module.
+    #
     set_config_path( $config_path ) if $config_path;
-
     set_shorewall_dir( $directory ) if $directory ne '';
-
     $verbosity = 1 if $debug && $verbosity < 1;
-
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
+    set_command( 'compile', 'Compiling', 'Compiled' );
     #
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
@@ -668,12 +675,7 @@ sub compiler {
     #
     # Create a temp file to hold the script
     #
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
+    create_temp_script( $scriptfilename , $export ) if $scriptfilename;
     #
     #                                     Z O N E   D E F I N I T I O N
     #                              (Produces no output to the compiled script)
@@ -862,13 +864,13 @@ sub compiler {
 	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
+	    # Optimize the ruleet
+	    #
+	    optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+	    optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	}
 
 	enable_script;
@@ -911,7 +913,7 @@ sub compiler {
 	#
 	# Close, rename and secure the script
 	#
-	finalize_script ( $export );
+	finalize_script ( $export, $test );
 	#
 	# And generate the auxilary config file
 	#
@@ -932,16 +934,16 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    }
 
 	    enable_script if $debug;
@@ -976,11 +978,7 @@ sub compiler {
 	#
 	report_used_capabilities;
 
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
+	progress_message3 "$Product configuration verified";
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Rules;
 use Shorewall::Proc;
+use sort 'stable';
 
 use strict;
 
@@ -66,6 +67,9 @@ sub initialize( $ ) {
     $family = shift;
 }
 
+#
+# Warn that the tos file is no longer supported
+#
 sub process_tos() {
 
    if ( my $fn = open_file 'tos' ) {
@@ -94,7 +98,7 @@ sub setup_ecn()
     if ( my $fn = open_file 'ecn' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
 
@@ -127,7 +131,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sortkeysiftest %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -145,6 +149,9 @@ sub setup_ecn()
     }
 }
 
+#
+# Add a logging rule followed by a jump
+#
 sub add_rule_pair( $$$$$ ) {
     my ($chainref , $predicate , $target , $level, $tag ) = @_;
 
@@ -329,7 +336,7 @@ sub convert_blacklist() {
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
-# Please see http://shorewall.net/blacklisting_support.htm for additional
+# Please see https://shorewall.org/blacklisting_support.htm for additional
 # information.
 #
 ###################################################################################################################################################################################################
@@ -402,6 +409,9 @@ EOF
     }
 }
 
+#
+# Convert a routestopped file into an equivalent stoppedrules file
+#
 sub convert_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -425,9 +435,9 @@ sub convert_routestopped() {
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+# https://shorewall.org/manpages/shorewall-stoppedrules.html
 #
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# See https://shorewall.org/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
@@ -662,21 +672,28 @@ sub process_stoppedrules() {
     $result;
 }
 
+#
+# Generate the rules required when DOCKER=Yes
+#
 sub create_docker_rules() {
+    my $bridge = $config{DOCKER_BRIDGE};
+
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
-    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ]  && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]     && echo "-A FORWARD -j DOCKER-USER" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeriso" ]      && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
 
-    if ( my $dockerref = known_interface('docker0') ) {
+    if ( my $dockerref = known_interface( $bridge ) ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
-	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $chainref, j => 'DOCKER', o => $bridge );
+	add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 
@@ -693,6 +710,9 @@ sub create_docker_rules() {
 
 sub setup_mss();
 
+#
+# Add rules generated by .conf options and interface options
+#
 sub add_common_rules ( $ ) {
     my ( $upgrade ) = @_;
     my $interface;
@@ -715,6 +735,7 @@ sub add_common_rules ( $ ) {
     my $dbl_tag;
     my $dbl_src_target;
     my $dbl_dst_target;
+    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -776,9 +797,10 @@ sub add_common_rules ( $ ) {
 
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -789,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -810,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -1273,6 +1295,13 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );
 
+#
+# Create rules generated by the 'maclist' option and by entries in the maclist file.
+#
+# The function is called twice. The first call passes '1' and causes the maclist file
+# to be processed. The second call passes '2' and generates the jumps for 'maclist'
+# interfaces.
+#
 sub setup_mac_lists( $ ) {
 
     my $phase = $_[0];
@@ -1296,7 +1325,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sortkeysiftest %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1382,7 +1411,7 @@ sub setup_mac_lists( $ ) {
 	#
 	# Generate jumps from the input and forward chains
 	#
-	for my $hostref ( @$maclist_hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$maclist_hosts : @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
@@ -1714,9 +1743,9 @@ sub add_interface_jumps {
 	    add_ijump( $filter_table->{input_chain $bridge },
 		       j => $inputref ,
 		       imatch_source_dev( $interface, 1 )
-		    ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+		) unless $input_jump_added{$interface}   || ! use_interface_chain( $interface, 'use_input_chain' );
 
-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
 		add_ijump( $filter_table->{output_chain $bridge} ,
 			   j => $outputref ,
 			   imatch_dest_dev( $interface, 1 ) )
@@ -1725,10 +1754,10 @@ sub add_interface_jumps {
 	} else {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
-	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
+	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref )         && ! $forward_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
 
-	    if ( use_output_chain $interface, $outputref ) {
+	    if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
 		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
@@ -1775,7 +1804,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sortkeysiftest %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -1915,9 +1944,9 @@ sub add_output_jumps( $$$$$$$$ ) {
     my $use_output        = 0;
     my @dest              = imatch_dest_net $net;
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
+    my @zone_interfaces   = sortkeysiftest %{zone_interfaces( $zone )};
 
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
@@ -2051,7 +2080,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
     my @source            = imatch_source_net $net;
     my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
 
-    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or
@@ -2259,10 +2288,13 @@ sub generate_matrix() {
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	if ( @zones > 2 || $zoneref->{complex} ) {
-	    handle_complex_zone( $zone, $zoneref );
-	} else {
-	    new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
+
+	unless ( $zoneref->{type} == LOCAL ) {
+	    if ( @zones > 2 || $zoneref->{complex} ) {
+		handle_complex_zone( $zone, $zoneref );
+	    } else {
+		new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
+	    }
 	}
     }
     #
@@ -2287,9 +2319,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sortkeysiftest %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sortkeysiftest %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2374,9 +2406,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sortkeysiftest %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sortkeysiftest %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2444,6 +2476,9 @@ sub generate_matrix() {
     }
 }
 
+#
+# Generate MSS rules
+#
 sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
@@ -2505,6 +2540,7 @@ sub compile_stop_firewall( $$$$ ) {
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
     my $forward = $filter_table->{FORWARD};
+    my $absentminded = $config{ ADMINISABSENTMINDED };
 
     emit <<'EOF';
 #
@@ -2512,7 +2548,7 @@ sub compile_stop_firewall( $$$$ ) {
 #
 stop_firewall() {
 EOF
-    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
+    $output->{policy} = 'ACCEPT' if $absentminded;
 
     if ( $family == F_IPV4 ) {
 	emit <<'EOF';
@@ -2549,13 +2585,13 @@ EOF
     emit <<'EOF';
             case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            mylogger daemon.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            mylogger daemon.err "ERROR:$g_product reload failed"
 	            ;;
                 enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
             esac
 
@@ -2671,7 +2707,7 @@ EOF
     #
     create_docker_rules if $config{DOCKER};
 
-    if ( $config{ADMINISABSENTMINDED} ) {
+    if ( $absentminded ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
     }
 
@@ -2680,7 +2716,7 @@ EOF
 	add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;
 
-	unless ( $config{ADMINISABSENTMINDED} ) {
+	unless ( $absentminded ) {
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
 	}
@@ -2694,12 +2730,25 @@ EOF
     
     process_stoppedrules;
 
+    if ( $family == F_IPV6 ) {
+	my $chain = new_action_chain( 'filter', 'AllowICMPs' );
+
+	for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
+	    add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
+	}
+
+	for $chain ( $input, $output, $forward ) {
+	    next if $chain eq $output && $absentminded;
+	    add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
+	}
+    }
+
     if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
-	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
     } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
-	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
     }
 
     my $interfaces = find_interfaces_by_option 'dhcp';
@@ -2709,7 +2758,7 @@ EOF
 
 	for my $interface ( @$interfaces ) {
 	    add_ijump $input,  j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
-	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED};
+	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
 	    #
 	    # This might be a bridge
 	    #
@@ -2765,7 +2814,7 @@ EOF
     emit '
 
     set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"
 
     case $COMMAND in
     stop|clear)

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 				$addr = $1;
+				$addr =~ s/\]-\[/-/;
 
 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -561,7 +561,7 @@ sub open_snat_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
@@ -570,7 +570,7 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	}
 
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 
 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}

Shorewall/Perl/Shorewall/Proc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -60,25 +60,63 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_interfaces;
+our @load_providers;
 
-our $balancing;
-our $fallback;
-our $balanced_providers;
-our $fallback_providers;
-our $metrics;
-our $first_default_route;
-our $first_fallback_route;
-our $maxload;
-our $tproxies;
+our $balancing;               # True, if there are balanced providers
+our $fallback;                # True, if there are fallback providers
+our $balanced_providers;      # Count of balanced providers
+our $fallback_providers;      # Count of fallback providers
+our $metrics;                 # True, if using statistical balancing
+our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
+our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
+our $maxload;                 # Sum of 'load' values
+our $tproxies;                # Count of tproxy providers
 
-our %providers;
+our %providers;               # Provider table
+#
+# %provider_table { <provider> => { provider	      => <provider name>,
+#				    number	      => <provider number>,
+#				    id		      => <name> or <number> depending on USE_RT_NAMES,
+#				    rawmark	      => <specified mark value>,
+#				    mark	      => <mark, in hex>,
+#				    interface	      => <logical interface>,
+#				    physical	      => <physical interface>,
+#				    optional	      => {0|1},
+#				    wildcard	      => <from interface>,
+#				    gateway	      => <gateway>,
+#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
+#				    shared	      => <true, if multiple providers through this interface>,
+#				    copy	      => <contents of the COPY column>,
+#				    balance	      => <balance count>,
+#				    pref	      => <route rules preference (priority) value>,
+#				    mtu		      => <mtu>,
+#				    noautosrc	      => {0|1} based on [no]autosrc setting,
+#				    track	      => {0|1} based on 'track' setting,
+#				    loose	      => {0|1} based on 'loose' setting,
+#				    duplicate	      => <contents of the DUPLICATE column>,
+#				    address	      => If {shared} above, then the local IP address.
+#							 Otherwise, the value of the 'src' option,
+#				    mac		      => Mac address of gateway, if {shared} above,
+#				    tproxy	      => {0|1},
+#				    load	      => <load % for statistical balancing>,
+#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
+#							 a real provider,
+#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
+#				    hostroute	      => {0|1} based on [no]hostroute setting,
+#				    rules	      => ( <routing rules> ),
+#				    persistent_rules  => ( <persistent routing rules> ),
+#				    routes	      => ( <routes> ),
+#				    persistent_routes => ( <persistent routes> ),
+#				    persistent	      => {0|1} depending on 'persistent' setting,
+#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
+#				    origin	      => <filename and linenumber where provider/interface defined>
+#		   }
 
-our @providers;
+our @providers;    # Provider names. Only declared names are included in this array. 
 
-our $family;
+our $family;       # Address family
 
-our $lastmark;
+our $lastmark;     # Highest assigned mark
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -99,7 +137,7 @@ sub initialize( $ ) {
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_interfaces        = ();
+    @load_providers         = ();
     $balancing              = 0;
     $balanced_providers     = 0;
     $fallback_providers     = 0;
@@ -132,7 +170,6 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-
     if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
     }
@@ -163,8 +200,8 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 
 		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    if ( have_capability( 'MARK_ANYWHERE' ) && ( my $chainref = $filter_table->{forward_chain($interface)} ) ) {
+			add_ijump_extended $chainref, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
@@ -185,16 +222,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
     }
 
-    if ( @load_interfaces ) {
+    if ( @load_providers ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;
 
 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
 
-	for my $physical ( @load_interfaces ) {
+	for my $provider ( @load_providers ) {
 
-	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );
 
 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 
@@ -446,7 +483,7 @@ sub process_a_provider( $ ) {
     fatal_error 'NAME must be specified' if $table eq '-';
 
     unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;
 
 	my $num = numeric_value $number;
 
@@ -557,7 +594,7 @@ sub process_a_provider( $ ) {
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
-		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+		require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -636,6 +673,7 @@ sub process_a_provider( $ ) {
     }
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
+    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;
 
     unless ( $pseudo ) {
 	if ( $local ) {
@@ -676,8 +714,7 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-
-	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+	require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
@@ -779,7 +816,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
     }
 
-    push @load_interfaces, $physical if $load;
+    push @load_providers, $table if $load;
 
     push @providers, $table;
 
@@ -941,8 +978,9 @@ sub add_a_provider( $$ ) {
 	}
     }
 
-    emit( "echo $load > \${VARDIR}/${physical}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
+    emit( "echo $load > \${VARDIR}/${table}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
+	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;
 
     emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -1097,7 +1135,7 @@ CEOF
 	    $weight = 1;
 	}
 
-	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+	emit ( "distribute_load $maxload @load_providers" ) if $load;
 
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
@@ -1142,14 +1180,14 @@ CEOF
 	emit "fi\n";
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
+	    my $variable = get_interface_address( $interface );
 
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	    emit( "echo $variable > \${VARDIR}/${physical}.address" );
 	}
 
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	    my $variable = get_interface_gateway( $interface );
+	    emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
     } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -1244,7 +1282,7 @@ CEOF
 	}
 
 	emit ( '',
-	       "distribute_load $maxload @load_interfaces" ) if $load;
+	       "distribute_load $maxload @load_providers" ) if $load;
 
 	if ( $persistent ) {
 	    emit ( '',
@@ -1615,7 +1653,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
     } else {
-	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1854,8 +1892,8 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
-	if ( $providerref->{optional} ) {
+    for my $provider ( @providers ) {
+	if ( ( my $providerref=$providers{$provider} )->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
 		      '    case $interface in' );
@@ -1909,24 +1947,24 @@ sub setup_providers() {
 	pop_indent;
 	emit 'fi';
 
-	setup_route_marking if @routemarked_interfaces || @load_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_providers;
     } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
 
+	emit "undo_routing";
+	emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
 
 	if ( $config{NULL_ROUTE_RFC1918} ) {
+	    emit '';
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache" unless $standard_routes;
 	}
@@ -2016,8 +2054,7 @@ sub compile_updown() {
 	    );
     }
 
-    my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+    my @nonshared = ( grep $providers{$_}->{optional}, sortvaluesiftest %provider_interfaces );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2027,12 +2064,12 @@ sub compile_updown() {
 	push_indent;
 
 	emit( q(if [ "$state" = started ]; then) ,
-	      q(    if [ "$COMMAND" = up ]; then) , 
+	      q(    if [ "$COMMAND" = up ]; then) ,
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    else),
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2073,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	      '    else' ,
 	    );
 
 	push_indent;
@@ -2208,9 +2245,11 @@ sub handle_optional_interfaces() {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
-	push @interfaces, $providerref->{interface};
-	$wildcards ||= $providerref->{wildcard};
+    for my $provider ( @providers ) {
+	if ( ( my $providerref = $providers{$provider} )->{optional} ) {
+	    push @interfaces, $providerref->{interface};
+	    $wildcards ||= $providerref->{wildcard};
+	}
     }
 
     #
@@ -2258,17 +2297,7 @@ sub handle_optional_interfaces() {
 
 		emit( "$physical)" ), push_indent if $wildcards;
 
-		if ( $provider eq $physical ) {
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 
 		push_indent;
 
@@ -2285,22 +2314,22 @@ sub handle_optional_interfaces() {
 		emit( 'fi' );
 
 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
+		    my $variable = get_interface_address( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
+		    my $variable = get_interface_gateway( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
@@ -2485,7 +2514,7 @@ sub handle_stickiness( $ ) {
 	}
     }
 
-    if ( @routemarked_providers || @load_interfaces ) {
+    if ( @routemarked_providers || @load_providers ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
@@ -2493,9 +2522,9 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_providers" ,
 	   ''
-	 ) if @load_interfaces;
+	 ) if @load_providers;
 }
 
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -155,7 +155,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sortkeysiftest %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -164,7 +164,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sortkeysiftest %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Tc.pm

@@ -10,7 +10,7 @@
 #     Modified by Tom Eastep for integration into the Shorewall distribution
 #     published under GPL Version 2#
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -72,6 +72,9 @@ our %flow_keys = ( 'src'            => 1,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
+#                              flow          => Comma-separated flow tupple
+#                              classify      => 0|1
+#                              pfifo         => 0|1
 #                              tablenumber   => <next u32 table to be allocated for this device>
 #                              default       => <default class mark value>
 #                              redirected    => [ <dev1>, <dev2>, ... ]
@@ -80,6 +83,13 @@ our %flow_keys = ( 'src'            => 1,
 #                              qdisc         => htb|hfsc
 #                              guarantee     => <total RATE of classes seen so far>
 #                              name          => <interface>
+#                              filters       => [ filter, ... ]
+#                              linklayer     => <type> (optional)
+#                              overhead      => <number>
+#                              mtu           => <number>
+#                              tsize         => <number>
+#                              filterpri     => <number> (initially 0)
+#                              connmark      => 0|1
 #                                               }
 #
 our @tcdevices;
@@ -365,9 +375,7 @@ sub process_simple_device() {
 
     emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
 	  "\\\n    match ip6 protocol 6 0xff" .
-	  "\\\n    match u8 0x05 0x0f at 0" .
-	  "\\\n    match u16 0x0000 0xffc0 at 2" .
-	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
+	  "\\\n    match u8 0x10 0xff at 53 flowid $number:1\n" );
 
     save_progress_message_short qq("   TC Device $physical defined.");
 
@@ -422,8 +430,8 @@ sub validate_tc_device( ) {
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
 
-    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
-	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize, $connmark ) = 
+	(0,         0,      '',    'htb',  '',         0,         0,    0,    0,      0);
 
     if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -458,6 +466,9 @@ sub validate_tc_device( ) {
 		$tsize = numeric_value( $1 );
 		fatal_error "Invalid tsize ($1)" unless defined $tsize;
 		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option eq 'connmark' ) {
+		require_capability( 'CONNMARK_ACTION', q(The 'connmark' option), 's' );
+		$connmark = 1;
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -470,7 +481,7 @@ sub validate_tc_device( ) {
 
     if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
-	$classify = 1;
+	$classify = 1 unless $connmark;
 
 	for my $rdevice ( @redirected ) {
 	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@@ -478,6 +489,8 @@ sub validate_tc_device( ) {
 	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
 	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} != 0;
 	}
+    } elsif ( $connmark ) {
+	fatal_error "Option connmark can only be used when setting up a IFB device";
     }
 
     $inband = process_in_bandwidth( $inband );
@@ -503,6 +516,7 @@ sub validate_tc_device( ) {
 			    mpu           => $mpu,
 			    tsize         => $tsize,
 			    filterpri     => 0,
+			    connmark      => $connmark,
 			  } ,
 
     push @tcdevices, $device;
@@ -661,6 +675,7 @@ sub validate_tc_class( ) {
 
     if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+	fatal_error "MARK may not be specified for an interface with the 'classify' option" if $devref->{classify};
 
 	( $mark, my $priority ) = split/:/, $mark, 2;
 
@@ -1639,8 +1654,8 @@ sub process_tcfilters() {
 #
 # Process a tcpri record
 #
-sub process_tc_priority1( $$$$$$ ) {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
+sub process_tc_priority1( $$$$$$$ ) {
+    my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;
 
     my $val = numeric_value $band;
 
@@ -1651,7 +1666,7 @@ sub process_tc_priority1( $$$$$$ ) {
     $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
 
     if ( $interface ne '-' ) {
-	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';
 
 	my $forwardref = $mangle_table->{tcfor};
 
@@ -1662,41 +1677,57 @@ sub process_tc_priority1( $$$$$$ ) {
 	my $postref = $mangle_table->{tcpost};
 
 	if ( $address ne '-' ) {
-	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
 	    add_rule( $postref ,
-		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
 		      1 );
 
-	    if ( $ports ne '-' ) {
+	    if ( $dports ne '-' ) {
 		my $protocol = resolve_proto $proto;
 
 		if ( $proto =~ /^ipp2p/ ) {
 		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
 		    $ipp2p = 1;
+		} elsif ( $file_format == 1 ) {
+		    add_rule( $postref ,
+			      join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
+			      1 )
+			unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 		}
-
-		add_rule( $postref ,
-			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
-			  1 )
-		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 	    }
 	}
     }
 }
 
 sub process_tc_priority() {
-    my ( $band, $protos, $ports , $address, $interface, $helper ) =
-	split_line1( 'tcpri',
-		     { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
+    my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
+
+    if ( $file_format == 1 ) {
+	( $band, $protos, $dports , $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
+			 {},
+			 6,
+			 1 );
+	$sports = '-';
+    } else {
+	( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
+			 {},
+			 7,
+			 1 );
+    };
 
     fatal_error 'BAND must be specified' if $band eq '-';
 
     fatal_error "Invalid tcpri entry" if ( $protos    eq '-' &&
-					   $ports     eq '-' &&
+					   $dports    eq '-' &&
+					   $sports    eq '-' &&
 					   $address   eq '-' &&
 					   $interface eq '-' &&
 					   $helper    eq '-' );
@@ -1706,7 +1737,7 @@ sub process_tc_priority() {
     fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
 
     for my $proto ( split_list $protos, 'Protocol' ) {
-	process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+	process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
     }
 }
 
@@ -1728,7 +1759,7 @@ sub process_tcinterfaces() {
 #
 sub process_tcpri() {
     my $fn  = find_file 'tcinterfaces';
-    my $fn1 = open_file 'tcpri', 1,1;
+    my $fn1 = open_file 'tcpri', 2,1,0,1;
 
     if ( $fn1 ) {
 	first_entry
@@ -1865,7 +1896,7 @@ sub process_traffic_shaping() {
 	    for my $rdev ( @{$devref->{redirected}} ) {
 		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
 	    }
 
 	    for my $class ( @tcclasses ) {
@@ -2284,11 +2315,11 @@ sub open_mangle_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##############################################################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
@@ -2300,11 +2331,11 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################
@@ -2371,7 +2402,6 @@ sub setup_tc( $ ) {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-
 	if ( $convert ) {
 	    my $have_tcrules;