Update lib.runtime copyright

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/configure.pl

@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.cli

@@ -2766,7 +2766,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)
 
 	if [ -z "$g_tool" ]; then
-	    fatal-error "No executable $tool binary can be found on your PATH"
+	    fatal_error "No executable $tool binary can be found on your PATH"
 	fi
     fi
 
@@ -3775,7 +3775,7 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
     else
 	too_many_arguments $4
@@ -3864,7 +3864,7 @@ noiptrace_command() {
 verify_firewall_script() {
     if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
 # Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -419,7 +419,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
     elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +501,7 @@ ip_network() {
 
 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+# the popular light-weight Bourne shell derivatives do not support XOR ("^").
 #
 ip_broadcast() {
     local x
@@ -751,6 +751,8 @@ mutex_on()
     lockf=${LOCKFILE:=${VARDIR}/lock}
     local lockpid
     local lockd
+    local lockbin
+    local openwrt
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
@@ -760,29 +762,33 @@ mutex_on()
 
 	[ -d "$lockd" ] || mkdir -p "$lockd"
 
+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    elif [ -z "$openwrt" ]; then
+		if [ $lockpid -eq $$ ]; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
+		    rm -f ${lockf}
+		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+		fi
 	    fi
 	fi
 
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	if [ -n "$openwrt" ]; then
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall-core/lib.uninstaller

@@ -60,7 +60,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
     if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
+        if [ -f $1 -o -h $1 ] ; then
             rm -f $1
             echo "$1 Removed"
         fi
@@ -84,7 +84,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
             if [ -d $f ] ; then
                 rm -rf $f
                 echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
+            elif [ -f $f -o -h $f ] ; then
                 rm -f $f
                 echo "$f Removed"
             fi

Shorewall-core/shorewall

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)

Shorewall-core/wait4ifup

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V4.2
+#     Shorewall interface helper utility - V5.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-init/init.debian.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall-init/init.openwrt.sh

@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)

Shorewall-init/init.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-init/init.suse.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall-init/shorewall-init

@@ -1,5 +1,5 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/init.openwrt.sh

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)

Shorewall-lite/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall-lite/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Macros/macro.Bitcoin

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333

Shorewall/Macros/macro.BitcoinRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332

Shorewall/Macros/macro.BitcoinZMQ

@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332

Shorewall/Macros/macro.Cockpit

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Cockpit
+#
+# This macro handles Time protocol (RFC868).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this.  NTP is a superior alternative.
+#
+#		By Eric Teeter
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	9090

Shorewall/Macros/macro.ONCRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111

Shorewall/Macros/macro.Tor

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	

Shorewall/Macros/macro.TorBrowserBundle

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150

Shorewall/Macros/macro.TorControl

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	

Shorewall/Macros/macro.TorDirectory

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030

Shorewall/Macros/macro.TorSocks

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	

Shorewall/Macros/macro.WUDO

@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
+	} elsif ( $action ne 'INLINE' ) {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -186,13 +186,12 @@ our %EXPORT_TAGS = (
 				       input_chain
 				       input_option_chain
 				       zone_input_chain
-				       use_input_chain
+				       use_interface_chain
 				       output_chain
 				       output_option_chain
 				       prerouting_chain
 				       postrouting_chain
 				       zone_output_chain
-				       use_output_chain
 				       masq_chain
 				       syn_flood_chain
 				       mac_chain
@@ -428,16 +427,17 @@ our $VERSION = 'MODULEVERSION';
 #      Established     - ^<z1-z2>
 #      Related         - +<z1-z2>
 #      Invalid         - _<z1-z2>
-#      Untracked       - &<z1-z2>
+#      Untracked       - =<z1-z2>
 #
 our %chain_table;
-our $raw_table;
-our $nat_table;
-our $mangle_table;
-our $filter_table;
-our $export;
-our %renamed;
-our %nfobjects;
+our $raw_table;         # Reference to $chain_table{raw}
+our $nat_table;         # Reference to $chain_table{nat}
+our $mangle_table;      # Reference to $chain_table{mangle}
+our $filter_table;      # Reference to $chain_table{filter}
+
+our $export;            # True if we are compiling for export
+our %renamed;           # Maps chain renaming during optimization
+our %nfobjects;         # Records nfacct objects
 
 #
 # Target Types
@@ -465,10 +465,10 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	       TARPIT       => 0x200000,       #TARPIT
 
-	       FILTER_TABLE =>  0x1000000,
-	       MANGLE_TABLE =>  0x2000000,
-	       RAW_TABLE    =>  0x4000000,
-	       NAT_TABLE    =>  0x8000000,
+	       FILTER_TABLE =>  0x1000000,     #Target allowed in the filter table
+	       MANGLE_TABLE =>  0x2000000,     #Target allowed in the mangle table
+	       RAW_TABLE    =>  0x4000000,     #Target allowed in the raw table
+	       NAT_TABLE    =>  0x8000000,     #Target allowed in the nat table
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -687,15 +687,15 @@ our %ipset_exists;
 #
 # The following constants and hash are used to classify keys in a rule hash
 #
-use constant { UNIQUE      => 1,
-	       TARGET      => 2,
-	       EXCLUSIVE   => 4,
-	       MATCH       => 8,
-	       CONTROL     => 16,
-	       COMPLEX     => 32,
-	       NFACCT      => 64,
-	       EXPENSIVE   => 128,
-	       RECENT      => 256,
+use constant { UNIQUE      => 1,       # Simple header matches - only allowed once per rule
+	       TARGET      => 2,       # Rule target or its options
+	       EXCLUSIVE   => 4,       # 'state' or 'conntrack --ctstate'
+	       MATCH       => 8,       # Currently means 'policy ...'
+	       CONTROL     => 16,      # Unsed internally by the compiler - does not contribute to the iptables rule
+	       COMPLEX     => 32,      # Currently means 'contrack --cstate'
+	       NFACCT      => 64,      # nfacct match
+	       EXPENSIVE   => 128,     # Has high rule-processing cost in the kernel
+	       RECENT      => 256,     # recent match
 	   };
 
 our %opttype = ( rule          => CONTROL,
@@ -741,6 +741,9 @@ our %opttype = ( rule          => CONTROL,
 		 targetopts    => TARGET,
 	       );
 
+#
+# These allow the user to specify long option names in raw ip[6]tables input
+#
 our %aliases = ( protocol        => 'p',
 		 source          => 's',
 		 destination     => 'd',
@@ -760,7 +763,7 @@ our %isocodes;
 
 use constant { ISODIR => '/usr/share/xt_geoip/LE' };
 
-our %switches;
+our %switches;   # Recoreds switches (conditions)
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -786,7 +789,9 @@ sub initialize( $$$ ) {
     $filter_table  = $chain_table{filter};
     %renamed       = ();
     #
-    # Used to sequence chain names in each table.
+    # Used to sequence chain names in each table. $hard is true on the initial call to this function and
+    # false, when this function is called a second time to re-initialize before generating stopped ip[6]tables-
+    # restore input
     #
     %chainseq = () if $hard;
     #
@@ -1746,6 +1751,10 @@ sub add_rule($$;$) {
 #
 # New add_rule implementation
 #
+
+#
+# Push a set of matches into an irule (a rule using the new hash representation)
+#
 sub push_matches {
 
     my $ruleref = shift;
@@ -1912,6 +1921,9 @@ sub compare_values( $$ ) {
     }
 }
 
+#
+# Add an irule with matches but no target
+#
 sub add_irule( $;@ ) {
     my ( $chainref, @matches ) = @_;
 
@@ -2275,7 +2287,7 @@ sub invalid_chain($$) {
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_chain($$) {
-    '&' . &rules_chain(@_);
+    '=' . &rules_chain(@_);
 }
 
 #
@@ -2325,7 +2337,7 @@ sub invalid_log($$) {
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_log($$) {
-    '&' . &rules_log(@_);
+    '=' . &rules_log(@_);
 }
 
 #
@@ -2431,10 +2443,11 @@ sub zone_input_chain($) {
 }
 
 #
-# Returns true if we're to use the interface's input chain
+# Returns true if we're to use the interface's input or chain, depending on the second argument
+# (use_input_chain or use_output_chain).
 #
-sub use_input_chain($$) {
-    my ( $interface, $chainref ) = @_;
+sub use_interface_chain($$) {
+    my ( $interface, $which ) = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
@@ -2462,17 +2475,11 @@ sub use_input_chain($$) {
     #                                            the zone has  multiple interfaces
     #                                            and this interface has option rules
     #
-    return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
+    return 1 if $interfaceref->{options}{$which} && keys %{ zone_interfaces( $zone ) } > 1;
     #
     # Interface associated with a single zone -- use the zone's input chain if it has one
     #
-    return 0 if $chainref;
-    #
-    # Use the <zone>->fw rules chain if it is referenced.
-    #
-    $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
-
-    ! ( $chainref->{referenced} || $chainref->{is_policy} )
+    return 0;
 }
 
 #
@@ -2509,41 +2516,6 @@ sub zone_output_chain($) {
     $_[0] . '_output';
 }
 
-#
-# Returns true if we're to use the interface's output chain
-#
-sub use_output_chain($$) {
-    my ( $interface, $chainref)  = @_;
-    my $interfaceref = find_interface($interface);
-    my $nets = $interfaceref->{nets};
-    #
-    # We must use the interfaces's chain if the interface is associated with multiple Zones
-    #
-    return 1 if ( keys %{interface_zones $interface} ) > 1;
-    #
-    # Use interface's chain if there are multiple nets on the interface
-    #
-    return 1 if $nets > 1;
-    #
-    # Use interface's chain if it is a bridge with ports
-    #
-    return 1 if $interfaceref->{ports};
-    #
-    # Don't need it if it isn't associated with any zone
-    #
-    return 0 unless $nets;
-    #
-    # Interface associated with a single zone -- use the zone's output chain if it has one
-    #
-    return 0 if $chainref;
-    #
-    # Use the fw-><zone> rules chain if it is referenced.
-    #
-    $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
-
-    ! ( $chainref->{referenced} || $chainref->{is_policy} )
-}
-
 #
 # Masquerade Chain for an interface
 #
@@ -2753,6 +2725,12 @@ sub add_expanded_jump( $$$$ ) {
     add_reference( $chainref, $toref ) while --$splitcount > 0;
 }
 
+#
+# Utility function used by add_ijump() and add_ijump_extended().
+# Returns a reference to the added rule. Return may be reference
+# to the dummy rule if the chain was already complete (last rule
+# is a simple jump to a terminating target).
+#
 sub add_ijump_internal( $$$$$;@ ) {
     my ( $fromref, $jump, $to, $expandports, $origin, @matches ) = @_;
 
@@ -2800,16 +2778,26 @@ sub add_ijump_internal( $$$$$;@ ) {
     $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
 }
 
+#
+# Add an jump to the end of a chain
+#
 sub add_ijump( $$$;@ ) {
     my ( $fromref, $jump, $to, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, '', @matches );
 }
 
+#
+# Like add_ijump() but also accepts an origin of the jump (the config file and line number
+# that caused the jump to be generated).
+#
 sub add_ijump_extended( $$$$;@ ) {
     my ( $fromref, $jump, $to, $origin, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, $origin, @matches );
 }
 
+#
+# Insert a jump at a zero-relative index into a chain.
+#
 sub insert_ijump( $$$$;@ ) {
     my ( $fromref, $jump, $to, $index, @matches ) = @_;
 
@@ -2881,6 +2869,9 @@ sub delete_jumps ( $$ ) {
     }
 }
 
+#
+# Reset the passed flag(s) in the passed chain
+#
 sub reset_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -2893,6 +2884,9 @@ sub reset_optflags( $$ ) {
     $chainref;
 }
 
+#
+# Set the passed flag(s) in the passed chain
+#
 sub set_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -3007,6 +3001,10 @@ sub accounting_chainrefs() {
     grep $_->{accounting} , values %$filter_table;
 }
 
+#
+# Ensure the existance of a chain in the mangle table and return
+# a reference to its chain table entry
+#
 sub ensure_mangle_chain($;$$) {
     my ( $chain, $number, $restriction ) = @_;
 
@@ -3017,6 +3015,10 @@ sub ensure_mangle_chain($;$$) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the nat table and return
+# a reference to its chain table entry
+
 sub ensure_nat_chain($) {
     my $chain = $_[0];
 
@@ -3025,6 +3027,10 @@ sub ensure_nat_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the raw table and return
+# a reference to its chain table entry
+#
 sub ensure_raw_chain($) {
     my $chain = $_[0];
 
@@ -3048,12 +3054,18 @@ sub new_builtin_chain($$$)
     $chainref;
 }
 
+#
+# Create a chain in the filter table, returning a reference to its chain table entry
+#
 sub new_standard_chain($) {
     my $chainref = new_chain 'filter' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new action chain, returning a reference to its chain table entry
+#
 sub new_action_chain($$) {
     my $chainref = &new_chain( @_ );
     $chainref->{referenced} = 1;
@@ -3061,12 +3073,18 @@ sub new_action_chain($$) {
     $chainref;
 }
 
+#
+# Create a chain in the nat table, returning a reference to its chain table entry
+#
 sub new_nat_chain($) {
     my $chainref = new_chain 'nat' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new manual chain, returning a reference to its chain table entry
+#
 sub new_manual_chain($) {
     my $chain = $_[0];
     fatal_error "Chain name ($chain) too long" if length $chain > 29;
@@ -3077,6 +3095,9 @@ sub new_manual_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a manual chain and return a reference to its chain table entry
+#
 sub ensure_manual_chain($) {
     my $chain = $_[0];
     my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
@@ -3086,6 +3107,9 @@ sub ensure_manual_chain($) {
 
 sub log_irule_limit( $$$$$$$$@ );
 
+#
+# Ensure the existance of the blacklist logging chain (blacklog)
+#
 sub ensure_blacklog_chain( $$$$$ ) {
     my ( $target, $disposition, $level, $tag, $audit ) = @_;
 
@@ -3104,6 +3128,9 @@ sub ensure_blacklog_chain( $$$$$ ) {
     'blacklog';
 }
 
+#
+# Ensure the existance of the audited blacklist logging chain (A_blacklog)
+#
 sub ensure_audit_blacklog_chain( $$$ ) {
     my ( $target, $disposition, $level ) = @_;
 
@@ -3125,7 +3152,6 @@ sub ensure_audit_blacklog_chain( $$$ ) {
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
-
 sub ensure_audit_chain( $;$$$ ) {
     my ( $target, $action, $tgt, $table ) = @_;
 
@@ -3162,7 +3188,6 @@ sub ensure_audit_chain( $;$$$ ) {
 #
 # Return the appropriate target based on whether the second argument is 'audit'
 #
-
 sub require_audit($$;$) {
     my ($action, $audit, $tgt ) = @_;
 
@@ -3340,10 +3365,20 @@ sub initialize_chain_table($) {
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS           ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
+	$chainref = new_standard_chain( 'DOCKER-USER'   );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER              ] && cat ${VARDIR}/.filter_DOCKER-USER      >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION         ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-2' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 >&3' );
     }
 
     my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -5068,7 +5103,9 @@ sub do_proto( $$$;$ )
     $output;
 }
 
-
+#
+# Generate a mac address match
+#
 sub do_mac( $ ) {
     my $mac = $_[0];
 
@@ -5081,6 +5118,9 @@ sub do_mac( $ ) {
     "-m mac ${invert}--mac-source $mac ";
 }
 
+#
+# Version of do_proto() that generates an irule match rather than an iptables text match
+#
 sub do_iproto( $$$ )
 {
     my ($proto, $ports, $sports ) = @_;
@@ -5276,6 +5316,9 @@ sub do_iproto( $$$ )
     @output;
 }
 
+#
+# Generate a mac address match in irule format.
+#
 sub do_imac( $ ) {
     my $mac = $_[0];
 
@@ -5338,7 +5381,6 @@ sub verify_small_mark( $ ) {
 #
 # Generate an appropriate -m [conn]mark match string for the contents of a MARK column
 #
-
 sub do_test ( $$ )
 {
     my ($testval, $mask) = @_;
@@ -5378,69 +5420,91 @@ sub do_ratelimit( $$ ) {
 
     fatal_error "Rate Limiting not available with $action" if $norate{$action};
 
-    my @rates = split_list $rates, 'rate';
+    my @rates = split_list3 $rates, 'rate';
 
     if ( @rates == 2 ) {
-	$rates[0] = 's:' . $rates[0];
-	$rates[1] = 'd:' . $rates[1];
+	$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s(?:\/\d+)?:/;
+	$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d(?:\/\d+)?:/;
     } elsif ( @rates > 2 ) {
 	fatal error "Only two rates may be specified";
     }
-
     my $limit = '';
 
     for my $rate ( @rates ) {
 	#
 	# "-m hashlimit" match for the passed LIMIT/BURST
 	#
-	if ( $rate =~ /^([sd]):{1,2}/ ) {
-	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
+	my $mode;
+	my $match;
+	my $units;
 
-	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-	    my $units;
+	#                  1          2            34                  5     6              78    9  10                       11
+	if ( $rate =~ /^(?:([sd])(?:\/(\d+))?:)?(?:(([A-Za-z]\w*)?(?:\((\d+),(\d+)\))?:)|:)?((\d+)(\/(sec|min|hour|day))?)(?::(\d+))?$/ ) {
+	    fatal_error "Invalid Rate ($8)" unless $8;
 
-	    $limit .= "-m hashlimit ";
-	    
-	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
-		fatal_error "Invalid Rate ($3)" unless $4;
-		fatal_error "Invalid Burst ($7)" unless $7;
-		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
-		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
-		$limit .= ' --hashlimit-mode ';
-		$units = $6;
-	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
-		fatal_error "Invalid Rate ($3)" unless $4;
-		$limit .= "--$match $3 --hashlimit-name ";
-		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
-		$limit .= ' --hashlimit-mode ';
-		$units = $6;
-	    } else {
-		fatal_error "Invalid rate ($rate)";
+	    if ( $1 ) {
+		require_capability( 'HASHLIMIT_MATCH' , 'Per-ip rate limiting', 's' );
+		$mode = $1 eq 's' ? 'srcip' : 'dstip';
 	    }
 
-	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+	    if ( $mode || $2 || $4 || $5 ) {
+		$limit .= '-m hashlimit ';
+		$match  = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	    } else {
+		$limit .= '-m limit ';
+		$match  = 'limit';
+	    }
 
-	    if ( $units && $units ne 'sec' ) {
-		my $expire = 60000; # 1 minute in milliseconds
+	    $limit .= "--$match $7 ";
 
-		if ( $units ne 'min' ) {
-		    $expire *= 60; #At least an hour
-		    $expire *= 24 if $units eq 'day';
-		}
+	    if ( supplied $11 ) {
+		fatal_error "Invalid Burst ($11)" unless $11;
+		$limit .= $match eq 'limit' ? "--limit-burst $11 " : "--hashlimit-burst $11 ";
+	    }
 
-		$limit .= "--hashlimit-htable-expire $expire ";
+
+	    if ( $mode || $4 ) {
+		require_capability( 'HASHLIMIT_MATCH', 'Specifying a table name', 's' );
+		$limit .= "--hashlimit-name ";
+		$limit .= $4 ? $4 : 'shorewall' . $hashlimitset++;
+	    }
+
+	    if ( supplied $2 ) {
+		my $vlsm = numeric_value($2);
+		fatal_error "Invalid VLSM ($2)" unless $vlsm and $vlsm <= ( $family == F_IPV4 ? VLSMv4 : VLSMv6 );
+		$limit .= $mode eq 'srcip' ? " --hashlimit-srcmask $vlsm" : " --hashlimit-dstmask $vlsm";
+	    }
+
+	    if ( supplied $5 ) {
+		require_capability( 'HASHLIMIT_MATCH', 'Specifying hash table size', 's' );
+		my ( $htsize, $max ) = ( numeric_value($5), numeric_value($6) );
+
+		fatal_error "Invalid hash table buckets ($5)"               unless $htsize;
+		fatal_error "Invalid hash max entries($6)"                  unless $max;
+		fatal_error "Hash max entries must be > hash table buckets" unless $max > $htsize;
+
+		$limit .= " --hashlimit-htable-size $htsize --hashlimit-htable-max $max";
+	    }
+
+	    if ( $mode ) {
+		$limit .= " --hashlimit-mode $mode";
+		$units = $10;
 	    }
 	} else {
-	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
-		fatal_error "Invalid Rate ($1)" unless $2;
-		fatal_error "Invalid Burst ($5)" unless $5;
-		$limit = "-m limit --limit $1 --limit-burst $5 ";
-	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
-		fatal_error "Invalid Rate (${1}${2})" unless $1;
-		$limit = "-m limit --limit $rate ";
-	    } else {
-		fatal_error "Invalid rate ($rate)";
+	    fatal_error "Invalid rate ($rate)";
+	}
+
+	if ( $units && $units ne 'sec' ) {
+	    my $expire = 60000; # 1 minute in milliseconds
+
+	    if ( $units ne 'min' ) {
+		$expire *= 60; #At least an hour
+		$expire *= 24 if $units eq 'day';
 	    }
+
+	    $limit .= " --hashlimit-htable-expire $expire ";
+	} else {
+	    $limit .= ' ';
 	}
     }
 
@@ -5471,6 +5535,9 @@ sub do_connlimit( $ ) {
     }
 }
 
+#
+# Create a calendar match
+#
 sub do_time( $ ) {
     my ( $time ) = @_;
 
@@ -5509,6 +5576,11 @@ sub do_time( $ ) {
     $result;
 }
 
+#
+# Resolve a user/group name to the appropriate numeric id. Only do the resolution
+# if we are not compiling for export, since remote name->id mapping is likely to
+# be different.
+#
 sub resolve_id( $$ ) {
     my ( $id, $type ) = @_;
 
@@ -5572,8 +5644,6 @@ sub do_user( $ ) {
 #
 # Create a "-m tos" match for the passed TOS
 #
-# This helper is also used during tos file processing
-#
 sub decode_tos( $$ ) {
     my ( $tos, $set ) = @_;
 
@@ -5825,7 +5895,7 @@ sub do_condition( $$ ) {
 
     $chain =~ s/[^\w-]//g;
     #                          $1    $2      -     $3
-    while ( $condition =~ m( ^(.*?) @({)?(?:0|chain)(?(2)}) (.*)$ )x ) {
+    while ( $condition =~ m( ^(.*?) @(\{)?(?:0|chain)(?(2)}) (.*)$ )x ) {
 	$condition = join( '', $1, $chain, $3 );
     }
 
@@ -5875,7 +5945,7 @@ sub do_nfacct( $ ) {
 #
 sub match_source_dev( $;$ ) {
     my ( $interface, $nodev ) = @_;
-    my $invert       =  ( $interface =~ s/^!// ) ? '!' : '';
+    my $invert       =  ( $interface =~ s/^!// ) ? '! ' : '';
     my $interfaceref =  known_interface( $interface );
     $interface = $interfaceref->{physical} if $interfaceref;
 
@@ -6110,6 +6180,9 @@ sub get_interface_address( $;$ );
 
 sub get_interface_gateway ( $;$$ );
 
+#
+# Verify and record a runtime address variable
+#
 sub record_runtime_address( $$;$$ ) {
     my ( $addrtype, $interface, $protect, $provider ) = @_;
 
@@ -6600,6 +6673,9 @@ sub match_ipsec_in( $$ ) {
     @match;
 }
 
+#
+# Match Dest IPSEC
+#
 sub match_ipsec_out( $$ ) {
     my ( $zone , $hostref ) = @_;
     my @match;
@@ -6624,7 +6700,7 @@ sub match_ipsec_out( $$ ) {
 }
 
 #
-# Handle a unidirectional IPSEC Options
+# Handle unidirectional IPSEC Options
 #
 sub do_ipsec_options($$$)
 {
@@ -6701,7 +6777,7 @@ sub do_ipsec($$) {
 }
 
 #
-# Generate a log message
+# Generate a logging rule
 #
 sub log_rule_limit( $$$$$$$$;$ ) {
     my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
@@ -6897,6 +6973,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
     }
 }
 
+#
+# Wrappers for the above that use the global default log limit
+#
 sub log_rule( $$$$ ) {
     my ( $level, $chainref, $disposition, $matches ) = @_;
 
@@ -8484,7 +8563,7 @@ sub add_interface_options( $ ) {
 # We may have to generate part of the input at run-time. The rules array in each chain
 # table entry may contain both rules or shell source, determined by the contents of the 'mode'
 # member. We alternate between writing the rules into the temporary file to be passed to
-# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
+# iptables-restore (CAT_MODE) and writing shell source into the generated script (CMD_MODE).
 #
 # The following two functions are responsible for the mode transitions.
 #
@@ -8499,6 +8578,18 @@ sub enter_cmd_mode() {
     $mode = CMD_MODE;
 }
 
+#
+# These two assure that we're in a particular mode
+#
+
+sub ensure_cat_mode() {
+    enter_cat_mode unless $mode == CAT_MODE;
+}
+
+sub ensure_cmd_mode() {
+    enter_cmd_mode unless $mode == CMD_MODE;
+}
+
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
@@ -8514,7 +8605,7 @@ sub emitr( $$ ) {
 	    #
 	    # A rule
 	    #
-	    enter_cat_mode unless $mode == CAT_MODE;
+	    ensure_cat_mode;
 
 	    if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
 		emit_unindented '# ' . $origin;
@@ -8525,7 +8616,7 @@ sub emitr( $$ ) {
 	    #
 	    # A command
 	    #
-	    enter_cmd_mode unless $mode == CMD_MODE;
+	    ensure_cmd_mode;
 
 	    if ( exists $ruleref->{cmd} ) {
 		emit join( '', '    ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
@@ -8558,6 +8649,14 @@ sub enter_cmd_mode1() {
     $mode = CMD_MODE;
 }
 
+sub ensure_cat_mode1() {
+    enter_cat_mode1 unless $mode == CAT_MODE;
+}
+
+sub ensure_cmd_mode1() {
+    enter_cmd_mode1 unless $mode == CMD_MODE;
+}
+
 sub emitr1( $$ ) {
     my ( $chainref, $ruleref ) = @_;
 
@@ -8566,14 +8665,14 @@ sub emitr1( $$ ) {
 	    #
 	    # A rule
 	    #
-	    enter_cat_mode1 unless $mode == CAT_MODE;
+	    ensure_cat_mode1;
 
 	    print format_rule( $chainref, $ruleref ) . "\n";
 	} else {
 	    #
 	    # A command
 	    #
-	    enter_cmd_mode1 unless $mode == CMD_MODE;
+	    ensure_cmd_mode1;
 
 	    if ( exists $ruleref->{cmd} ) {
 		emitstd $ruleref->{cmd};
@@ -8598,7 +8697,20 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
-	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
+	  qq(    [ -n "\$g_dockeruser" ]    && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(),
+	  qq(    case "\$g_dockernetwork" in),
+	  qq(        One\)),
+	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+	  qq(            $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
+	  qq(            ;;),
+	  qq(        Two\)),
+	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+	  qq(            ;;),
+	  qq(    esac),
+	  qq(),
 	);
 
     if ( known_interface( 'docker0' ) ) {
@@ -8614,7 +8726,8 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
-	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-USER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
 	)
@@ -9030,7 +9143,7 @@ sub create_nfobjects() {
 }
 #
 #
-# Generate the netfilter input
+# Generate the input to ip[6]tables-restore or to 'ip[6]tables -R'
 #
 sub create_netfilter_load( $ ) {
     my $test = shift;
@@ -9113,21 +9226,26 @@ sub create_netfilter_load( $ ) {
 
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
+			ensure_cmd_mode;
+			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			ensure_cmd_mode;
+			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-USER' ) {
+			ensure_cmd_mode;
+			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
 		    } else {		    
+			ensure_cat_mode;
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
+		    ensure_cat_mode;
 		    emit_unindented ":$name - [0:0]";
 		}
 
@@ -9145,17 +9263,19 @@ sub create_netfilter_load( $ ) {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode;
+
 	for my $chainref ( @chains ) {
 	    emitr( $chainref, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
 	#
-	enter_cat_mode unless $mode == CAT_MODE;
+	ensure_cat_mode;
 	emit_unindented 'COMMIT';
     }
 
-    enter_cmd_mode;
+    ensure_cmd_mode;
 
     pop_indent, emit "fi\n";
     #
@@ -9171,7 +9291,7 @@ sub create_netfilter_load( $ ) {
 	  '',
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
-	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  qq(    fatal_error "$utility Failed. Input is in \${VARDIR}/.${utility}-input"),
 	  'fi'
 	);
 
@@ -9220,24 +9340,31 @@ sub preview_netfilter_load() {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode1;
+			ensure_cmd_mode1;
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
-			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			ensure_cmd_mode1;
+			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print "\n";
+		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			ensure_cmd_mode1;
+			print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 			print "\n";
-			enter_cat_mode1;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			ensure_cmd_mode1;
 			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			print "\n";
-			enter_cat_mode1;
-		    } else {		    
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+		    } elsif ( $name eq 'DOCKER-USER' ) {
+			ensure_cmd_mode1;
+			print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
+			print "\n";
+		    } else {
+			ensure_cmd_mode1;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {
+		    ensure_cat_mode1;
 		    print( ":$name - [0:0]\n" );
 		}
 
@@ -9247,13 +9374,15 @@ sub preview_netfilter_load() {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode1;
+
 	for my $chainref ( @chains ) {
 	    emitr1($chainref, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
 	#
-	enter_cat_mode1 unless $mode == CAT_MODE;
+	ensure_cat_mode1;
 	print "COMMIT\n";
     }
 
@@ -9313,21 +9442,26 @@ sub create_stop_load( $ ) {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
+		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			ensure_cmd_mode;
+			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-USER' ) {
+			ensure_cmd_mode;
+			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
 		    } else {		    
+			ensure_cat_mode;
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
+		    ensure_cat_mode;
 		    emit_unindented ":$name - [0:0]";
 		}
 
@@ -9337,6 +9471,8 @@ sub create_stop_load( $ ) {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode;
+
 	for my $chainref ( @chains ) {
 	    emitr( $chainref, $_ ) for @{$chainref->{rules}};
 	}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,7 +269,12 @@ sub generate_script_2() {
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
+	emit( 'if chain_exists DOCKER-ISOLATION; then',
+	      '    g_dockernetwork=One',
+	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
+	      '    g_dockernetwork=Two',
+	      'fi' );
     }
 
     pop_indent;
@@ -382,7 +387,7 @@ sub generate_script_3() {
 	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
-	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
+	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
 

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -523,13 +523,17 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
-
+#
+# Keeps track of which capabilities were used or required - Key is capability name
+#
 our %used;
 
 use constant {
                USED     => 1,
 	       REQUIRED => 2 };
-
+#
+# Common Protocols
+#
 use constant {
 	       ICMP                => 1,
 	       TCP                 => 6,
@@ -541,7 +545,7 @@ use constant {
 	       UDPLITE             => 136,
 	     };
 #
-# Optimization masks
+# Optimization masks (OPTIMIZE option)
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
@@ -550,7 +554,9 @@ use constant {
                OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
 	     };
-
+#
+# Map helpers to protocols
+#
 our %helpers = ( amanda          => UDP,
 		 ftp             => TCP,
 		 irc             => TCP,
@@ -625,7 +631,7 @@ our %config_files = ( #accounting      => 1,
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
-# Directories to search for configuration files
+# Directories to search for configuration files (CONFIG_PATH option)
 #
 our @config_path;
 #
@@ -648,10 +654,12 @@ our %compiler_params;
 # Action parameters
 #
 our %actparams;
-our $parmsmodified;
-our $usedcaller;
-our $inline_matches;
-
+our $parmsmodified;          # True of the current action has modified its parameters
+our $usedcaller;             # True if $CALLER has been acceseed in the current action
+our $inline_matches;         # Inline matches from the current rule
+#
+# File handling
+#
 our $currentline;            # Current config file line image
 our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
@@ -669,6 +677,7 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $ulogcount;              # Used to suppress duplicate warnings about ULOG support
 our $directive_callback;     # Function to call in compiler_directive
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -747,10 +756,11 @@ our $ifstack;
 #    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
 #    [1] - True if the outermost IF evaluated to false
 #    [2] - True if the the last unterminated IF evaluated to false
+#    [3] = The line number of the directive
 #
 # From .shorewallrc
 #
-our ( %shorewallrc, %shorewallrc1 );
+our ( %shorewallrc, %shorewallrc1 ); # Shorewallrc setting from local system and from remote firewall respectively
 #
 # read_a_line options
 #
@@ -828,6 +838,7 @@ sub initialize( $;$$$) {
     $comment       = '';
     $sr_comment    = '';
     $warningcount  = 0;
+    $ulogcount     = 0;
     #
     # Misc Globals
     #
@@ -1291,7 +1302,7 @@ sub initialize( $;$$$) {
     $compiletime =~ s/ +/ /g;
 }
 
-my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
+my @moabbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 
 sub add_ipset( $ ) {
     $ipsets{$_[0]} = 1;
@@ -1391,7 +1402,7 @@ sub info_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1419,7 +1430,7 @@ sub warning_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1544,7 +1555,7 @@ sub fatal_error	{
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $confess ) {
 	    print $log longmess( "   ERROR: @_$currentlineinfo\n" );
@@ -1567,6 +1578,9 @@ sub fatal_error	{
     }
 }
 
+#
+# This one is used for reporting syntax errors in embedded Perl code
+#
 sub fatal_error1 {
     handle_first_entry if $first_entry;
 
@@ -1574,7 +1588,7 @@ sub fatal_error1 {
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $debug ) {
 	    print $log longmess( "   ERROR: @_\n" );
@@ -1684,7 +1698,7 @@ sub emit {
 
     if ( $script || $debug ) {
 	#
-	# 'compile' as opposed to 'check'
+	# 'compile' (as opposed to 'check') or debugging (CLI 'trace' command)
 	#
 	for ( @_ ) {
 	    unless ( /^\s*$/ ) {
@@ -1845,12 +1859,15 @@ sub progress_message {
 
 	    @localtime = localtime unless $havelocaltime;
 
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
     }
 }
 
+#
+# This one doesn't compress out superfluous white space
+#
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
@@ -1864,7 +1881,7 @@ sub progress_message_nocompress {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1885,7 +1902,7 @@ sub progress_message2 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1906,7 +1923,7 @@ sub progress_message3 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -2077,7 +2094,7 @@ sub set_debug( $$ ) {
 #
 sub find_file($)
 {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2094,8 +2111,12 @@ sub find_file($)
     "$config_path[0]$filename";
 }
 
+#
+# Search the CONFIG_PATH for a file that is writable. Ignore directories where sample/default files are installed,
+# because users have a bad habit of including those in the CONFIG_PATH
+#
 sub find_writable_file($) {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2117,6 +2138,9 @@ sub supplied( $ ) {
     defined $val && $val ne '';
 }
 
+#
+# This one is used for determining if an action argument has been passed (excludes '-')
+#
 sub passed( $ ) {
     my $val = shift;
 
@@ -2135,7 +2159,7 @@ sub split_list( $$;$ ) {
 }
 
 #
-# This version handles parenthetical list elements with embedded commas. It removes the parentheses
+# This version handles parenthetical list elements containing embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
     my ($list, $type, $keepparens ) = @_;
@@ -2519,7 +2543,7 @@ sub split_line2( $$;$$$ ) {
 }
 
 #
-# Same as above, only it splits the raw current line
+# Same as above, only it splits the raw current line (line prior to variable expansion)
 #
 sub split_rawline2( $$;$$$ ) {
     my $savecurrentline = $currentline;
@@ -2627,6 +2651,7 @@ sub do_open_file( $ ) {
 # - Maximum value allowed in ?FORMAT directives
 # - ?COMMENT allowed in this file
 # - Ignore ?COMMENT in ths file
+# - Default file format
 #
 sub open_file( $;$$$$ ) {
     my ( $fname, $mf, $ca, $nc, $cf ) = @_;
@@ -2719,7 +2744,7 @@ sub clear_currentfilename() {
 }
 
 #
-# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
+# Utility functions for processing compiler directives
 #
 
 #
@@ -2746,7 +2771,7 @@ sub directive_warning( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 
@@ -2771,7 +2796,7 @@ sub directive_info( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 
@@ -2833,7 +2858,7 @@ sub evaluate_expression( $$$$ ) {
     }
 
     #                         $1      $2   $3                     -     $4
-    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
 	if ( $var =~ /^\d+$/ ) {
@@ -2850,7 +2875,7 @@ sub evaluate_expression( $$$$ ) {
 
     if ( $chain ) {
 	#                         $1      $2   $3                     -     $4
-	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $expression =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
@@ -2861,7 +2886,7 @@ sub evaluate_expression( $$$$ ) {
     }
 
     #                         $1      $2   $3      -     $4
-    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) __(\{)? (\w+) (?(2)}) (.*)$ )x ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);
 
 	if ( exists $capdesc{$cap} ) {
@@ -3523,7 +3548,7 @@ sub shorewall {
 # We do this processing in read_a_line() rather than in the higher-level routines because
 # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
 # until we get back to the caller of read_a_line(), we could issue error messages about parsing and
-# running scripts in the file before we'd even indicated that we are processing it.
+# running scripts in the file before we'd even reported that we are processing it.
 #
 sub first_entry( $ ) {
     $first_entry = shift;
@@ -3700,6 +3725,7 @@ sub push_action_params( $$$$$$ ) {
 # Return:
 #   1 if the popped parameters were modified
 #   2 if the action used @CALLER
+#   3 if both
 #
 sub pop_action_params( $ ) {
     my $oldparms       = shift;
@@ -3710,6 +3736,10 @@ sub pop_action_params( $ ) {
     $return;
 }
 
+#
+# This is called when a DEFAULTS line is found in an action body. It supplies default values
+# for those paramaters that were not passed, or that were passed as '-'.
+#
 sub default_action_params {
     my $action = shift;
     my ( $val, $i );
@@ -3723,6 +3753,9 @@ sub default_action_params {
     fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }
 
+#
+# This function allows embedded Perl in actions to retreive the action paramaters
+#
 sub get_action_params( $ ) {
     my $num = shift;
 
@@ -3738,6 +3771,9 @@ sub get_action_params( $ ) {
     @return;
 }
 
+#
+# Helper for A_* actions
+#
 sub setup_audit_action( $ ) {
     my ( $action ) = @_;
 
@@ -3757,26 +3793,44 @@ sub get_action_logging() {
     @actparams{ 'loglevel', 'logtag' };
 }
 
+#
+# Allow embedded Perl in Actions to get the name of the action chain
+#
 sub get_action_chain() {
     $actparams{0};
 }
 
+#
+# Get the action name from an action file
+#
 sub get_action_chain_name() {
     $actparams{chain};
 }
-
+#
+# This allows an action to make subsequent log messages refer to the invoker of the action rather than the 
+# action itself
+#
 sub set_action_name_to_caller() {
     $actparams{chain} = $actparams{caller};
 }
 
+#
+# Get the current action's disposition
+#
 sub get_action_disposition() {
     $actparams{disposition};
 }
 
+#
+# Set the current action disposition for subsequent logging
+#
 sub set_action_disposition($) {
     $actparams{disposition} = $_[0];
 }
 
+#
+# Alter the value of one of the current actions parameters
+#
 sub set_action_param( $$ ) {
     my $i = shift;
 
@@ -3791,7 +3845,7 @@ sub expand_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     my $chain = $actparams{chain};
     #                         $1      $2   $3                   -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
@@ -3830,7 +3884,7 @@ sub expand_variables( \$ ) {
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
-	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $$lineref =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
@@ -3843,10 +3897,13 @@ sub expand_variables( \$ ) {
     }
 }
 
+#
+# Expand variables from shorewallrc in the current passed line
+#
 sub expand_shorewallrc_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     #                         $1      $2   $3                  -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
@@ -3886,7 +3943,7 @@ sub handle_first_entry() {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
-#   - Handle ?IF, ?ELSE, ?ENDIF
+#   - Handle ?SECTION
 #
 
 sub read_a_line($) {
@@ -4009,6 +4066,9 @@ sub read_a_line($) {
     }
 }
 
+#
+# Process the passed shorewallrc file, populating %shorewallrc
+#
 sub process_shorewallrc( $$ ) {
     my ( $shorewallrc , $product ) = @_;
 
@@ -4029,6 +4089,12 @@ sub process_shorewallrc( $$ ) {
 	fatal_error "Failed to open $shorewallrc: $!";
     }
 
+    #
+    # Older files may contain VARDIR= rather than VARLIB= to specify the directory
+    # where each product maintains its own state directory. This was confusing,
+    # because in the shell context, VARDIR points to the current product's state
+    # directory.
+    #
     if ( supplied $shorewallrc{VARDIR} ) {
 	if ( ! supplied $shorewallrc{VARLIB} ) {
 	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
@@ -4091,12 +4157,19 @@ sub default_yes_no ( $$;$ ) {
     $result;
 }
 
+#
+# This one is used for options that are supported by IPv4 but not IPv6. It issues a
+# warning message if the option is specified in shorewall6.conf.
+#
 sub default_yes_no_ipv4 ( $$ ) {
     my ( $var, $val ) = @_;
     default_yes_no( $var, $val );
     warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }
 
+#
+# This function handles options that have a numeric value.
+#
 sub numeric_option( $$$ ) {
     my ( $option, $default, $min ) = @_;
 
@@ -4114,6 +4187,9 @@ sub numeric_option( $$$ ) {
     $config{$option} = $val;
 }
 
+#
+# Returns a 32-bit value with the low order n bits set, where n is the passed argument.
+#
 sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
@@ -4214,6 +4290,10 @@ sub validate_level( $;$ ) {
 	if ( $value =~ /^(NFLOG|ULOG)$/ ) {
 	    my $olevel  = $value;
 
+	    if ( $value eq 'ULOG' ) {
+		warning_message "ULOG is deprecated in favor of NFLOG. Support for ULOG will be removed in a future release" unless $ulogcount++;
+	    }
+
 	    if ( $qualifier =~ /^[(](.*)[)]$/ ) {
 		my @options = split /,/, $1;
 		my $prefix  = lc $olevel;
@@ -4289,7 +4369,7 @@ sub default_log_level( $$ ) {
 }
 
 #
-# Check a tri-valued variable
+# Check a tri-valued option ("on", "of" and "keep")
 #
 sub check_trivalue( $$ ) {
     my ( $var, $default) = @_;
@@ -4425,7 +4505,8 @@ sub determine_kernelversion() {
 }
 
 #
-# Capability Reporting and detection.
+# Capability Reporting and detection. Each of the following functions detect the
+# availability of the related capability.
 #
 sub Nat_Enabled() {
     qt1( "$iptables $iptablesw -t nat -L -n" );
@@ -5140,7 +5221,7 @@ sub have_capability( $;$ ) {
 
     $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting;
 
-    $used{$capability} = $required ? 2 : 1 if $setting;
+    $used{$capability} = $required ? REQUIRED : USED if $setting;
 
     $setting;
 }
@@ -5337,6 +5418,9 @@ sub ensure_config_path() {
     }
 
     if ( $shorewall_dir ) {
+	#
+	# A directory has been specified -- place it at the front of the CONFIG_PATH
+	#
 	$shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|;
 	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
@@ -5371,7 +5455,8 @@ sub conditional_quote( $ ) {
 }
 
 #
-# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+# 'update' default values are sometimes different from the normal defaut value, to provide
+# backward compatibility.
 #
 sub update_default($$) {
     my ( $var, $val ) = @_;
@@ -5392,6 +5477,9 @@ sub transfer_permissions( $$ ) {
     }
 }
 
+#
+# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+#
 sub update_config_file( $ ) {
     my ( $annotate ) = @_;
 
@@ -5790,7 +5878,7 @@ sub unsupported_yes_no_warning( $ ) {
 }
 
 #
-# Process the params file
+# Process the params file. Actually processing is done by the 'getparams' program in $LIBEXECDIR/shorewall/.
 #
 sub get_params( $ ) {
     my $export = $_[0];
@@ -5925,7 +6013,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' || $_ eq 'SW_CONFDIR' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}
@@ -7196,6 +7284,9 @@ sub generate_aux_config() {
     finalize_aux_config;
 }
 
+#
+# Generate a report of the fwmark layout
+#
 sub dump_mark_layout() {
     sub dumpout( $$$$$ ) {
 	my ( $name, $bits, $min, $max, $mask ) = @_;

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -66,6 +66,9 @@ sub initialize( $ ) {
     $family = shift;
 }
 
+#
+# Warn that the tos file is no longer supported
+#
 sub process_tos() {
 
    if ( my $fn = open_file 'tos' ) {
@@ -145,6 +148,9 @@ sub setup_ecn()
     }
 }
 
+#
+# Add a logging rule followed by a jump
+#
 sub add_rule_pair( $$$$$ ) {
     my ($chainref , $predicate , $target , $level, $tag ) = @_;
 
@@ -402,6 +408,9 @@ EOF
     }
 }
 
+#
+# Convert a routestopped file into an equivalent stoppedrules file
+#
 sub convert_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -662,13 +671,26 @@ sub process_stoppedrules() {
     $result;
 }
 
+#
+# Generate the rules required when DOCKER=Yes
+#
 sub create_docker_rules() {
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
-    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
+    add_commands( $chainref ,
+		  '',
+		  'case "$g_dockernetwork" in',
+		  '    One)',
+		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
+		  '        ;;',
+		  '    Two)',
+		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
+		  '        ;;',
+		  'esac' );
 
     if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
@@ -693,6 +715,9 @@ sub create_docker_rules() {
 
 sub setup_mss();
 
+#
+# Add rules generated by .conf options and interface options
+#
 sub add_common_rules ( $ ) {
     my ( $upgrade ) = @_;
     my $interface;
@@ -1273,6 +1298,13 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );
 
+#
+# Create rules generated by the 'maclist' option and by entries in the maclist file.
+#
+# The function is called twice. The first call passes '1' and causes the maclist file
+# to be processed. The second call passes '2' and generates the jumps for 'maclist'
+# interfaces.
+#
 sub setup_mac_lists( $ ) {
 
     my $phase = $_[0];
@@ -1714,9 +1746,9 @@ sub add_interface_jumps {
 	    add_ijump( $filter_table->{input_chain $bridge },
 		       j => $inputref ,
 		       imatch_source_dev( $interface, 1 )
-		    ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+		) unless $input_jump_added{$interface}   || ! use_interface_chain( $interface, 'use_input_chain' );
 
-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
 		add_ijump( $filter_table->{output_chain $bridge} ,
 			   j => $outputref ,
 			   imatch_dest_dev( $interface, 1 ) )
@@ -1725,10 +1757,10 @@ sub add_interface_jumps {
 	} else {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
-	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
+	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref )         && ! $forward_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
 
-	    if ( use_output_chain $interface, $outputref ) {
+	    if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
 		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
@@ -1917,7 +1949,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
     my @zone_interfaces   = keys %{zone_interfaces( $zone )};
 
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
@@ -2051,7 +2083,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
     my @source            = imatch_source_net $net;
     my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
 
-    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or
@@ -2444,6 +2476,9 @@ sub generate_matrix() {
     }
 }
 
+#
+# Generate MSS rules
+#
 sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,25 +60,63 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_interfaces;
+our @load_providers;
 
-our $balancing;
-our $fallback;
-our $balanced_providers;
-our $fallback_providers;
-our $metrics;
-our $first_default_route;
-our $first_fallback_route;
-our $maxload;
-our $tproxies;
+our $balancing;               # True, if there are balanced providers
+our $fallback;                # True, if there are fallback providers
+our $balanced_providers;      # Count of balanced providers
+our $fallback_providers;      # Count of fallback providers
+our $metrics;                 # True, if using statistical balancing
+our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
+our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
+our $maxload;                 # Sum of 'load' values
+our $tproxies;                # Count of tproxy providers
 
-our %providers;
+our %providers;               # Provider table
+#
+# %provider_table { <provider> => { provider	      => <provider name>,
+#				    number	      => <provider number>,
+#				    id		      => <name> or <number> depending on USE_RT_NAMES,
+#				    rawmark	      => <specified mark value>,
+#				    mark	      => <mark, in hex>,
+#				    interface	      => <logical interface>,
+#				    physical	      => <physical interface>,
+#				    optional	      => {0|1},
+#				    wildcard	      => <from interface>,
+#				    gateway	      => <gateway>,
+#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
+#				    shared	      => <true, if multiple providers through this interface>,
+#				    copy	      => <contents of the COPY column>,
+#				    balance	      => <balance count>,
+#				    pref	      => <route rules preference (priority) value>,
+#				    mtu		      => <mtu>,
+#				    noautosrc	      => {0|1} based on [no]autosrc setting,
+#				    track	      => {0|1} based on 'track' setting,
+#				    loose	      => {0|1} based on 'loose' setting,
+#				    duplicate	      => <contents of the DUPLICATE column>,
+#				    address	      => If {shared} above, then the local IP address.
+#							 Otherwise, the value of the 'src' option,
+#				    mac		      => Mac address of gateway, if {shared} above,
+#				    tproxy	      => {0|1},
+#				    load	      => <load % for statistical balancing>,
+#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
+#							 a real provider,
+#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
+#				    hostroute	      => {0|1} based on [no]hostroute setting,
+#				    rules	      => ( <routing rules> ),
+#				    persistent_rules  => ( <persistent routing rules> ),
+#				    routes	      => ( <routes> ),
+#				    persistent_routes => ( <persistent routes> ),
+#				    persistent	      => {0|1} depending on 'persistent' setting,
+#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
+#				    origin	      => <filename and linenumber where provider/interface defined>
+#		   }
 
-our @providers;
+our @providers;    # Provider names. Only declared names are included in this array. 
 
-our $family;
+our $family;       # Address family
 
-our $lastmark;
+our $lastmark;     # Highest assigned mark
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -99,7 +137,7 @@ sub initialize( $ ) {
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_interfaces        = ();
+    @load_providers         = ();
     $balancing              = 0;
     $balanced_providers     = 0;
     $fallback_providers     = 0;
@@ -163,8 +201,8 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 
 		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    if ( have_capability( 'MARK_ANYWHERE' ) && ( my $chainref = $filter_table->{forward_chain($interface)} ) ) {
+			add_ijump_extended $chainref, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
@@ -185,16 +223,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
     }
 
-    if ( @load_interfaces ) {
+    if ( @load_providers ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;
 
 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
 
-	for my $physical ( @load_interfaces ) {
+	for my $provider ( @load_providers ) {
 
-	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );
 
 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 
@@ -446,7 +484,7 @@ sub process_a_provider( $ ) {
     fatal_error 'NAME must be specified' if $table eq '-';
 
     unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;
 
 	my $num = numeric_value $number;
 
@@ -636,6 +674,7 @@ sub process_a_provider( $ ) {
     }
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
+    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;
 
     unless ( $pseudo ) {
 	if ( $local ) {
@@ -779,7 +818,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
     }
 
-    push @load_interfaces, $physical if $load;
+    push @load_providers, $table if $load;
 
     push @providers, $table;
 
@@ -941,8 +980,9 @@ sub add_a_provider( $$ ) {
 	}
     }
 
-    emit( "echo $load > \${VARDIR}/${physical}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
+    emit( "echo $load > \${VARDIR}/${table}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
+	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;
 
     emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -1097,7 +1137,7 @@ CEOF
 	    $weight = 1;
 	}
 
-	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+	emit ( "distribute_load $maxload @load_providers" ) if $load;
 
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
@@ -1244,7 +1284,7 @@ CEOF
 	}
 
 	emit ( '',
-	       "distribute_load $maxload @load_interfaces" ) if $load;
+	       "distribute_load $maxload @load_providers" ) if $load;
 
 	if ( $persistent ) {
 	    emit ( '',
@@ -1615,7 +1655,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
     } else {
-	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1909,24 +1949,24 @@ sub setup_providers() {
 	pop_indent;
 	emit 'fi';
 
-	setup_route_marking if @routemarked_interfaces || @load_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_providers;
     } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
 
+	emit "undo_routing";
+	emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
 
 	if ( $config{NULL_ROUTE_RFC1918} ) {
+	    emit '';
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache" unless $standard_routes;
 	}
@@ -2485,7 +2525,7 @@ sub handle_stickiness( $ ) {
 	}
     }
 
-    if ( @routemarked_providers || @load_interfaces ) {
+    if ( @routemarked_providers || @load_providers ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
@@ -2493,9 +2533,9 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_providers" ,
 	   ''
-	 ) if @load_interfaces;
+	 ) if @load_providers;
 }
 
 1;

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -2609,7 +2609,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -2781,7 +2781,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 
 	      HELPER => sub { 
-		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+		  fatal_error "HELPER requires that a helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 		  $action = ''; } ,
 
@@ -3137,13 +3137,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
 	#
 	# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
-	# don't apply rate limiting twice
 	#
 	$rule .= join( '',
 		       do_proto($proto, $ports, $sports),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_user( $user ) ,
 		       do_test( $mark , $globals{TC_MASK} ) ,
 		       do_connlimit( $connlimit ),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
@@ -3239,12 +3240,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
+	#   - don't apply rate limiting twice
 	#
 	unless ( $actiontype & NATONLY ) {
 	    $rule = join( '',
 			  $matches,
 			  do_proto( $proto, $ports, $sports ),
-			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
 			  do_condition( $condition , $chain ),
@@ -4888,7 +4889,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -5573,6 +5574,15 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
 	}
 
+	if ( $chainref->{complete} ) {
+	    if ( $interface ) {
+		warning_message( "Interface $interface entry generated no $toolname rule" );
+	    } else {
+		warning_message( "Entry generated no $toolname rule" );
+	    }
+	    next;
+	}
+
 	$baserule .= do_condition( $condition , $chainref->{name} );
 	#
 	# Handle IPSEC options, if any

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -222,6 +222,9 @@ use constant { IN_OUT     => 1,
 	       IN         => 2,
 	       OUT        => 3 };
 
+#
+# Zone types
+#
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -231,6 +234,9 @@ use constant { FIREWALL => 1,
 	       LOCAL    => 64,
 	   };
 
+#
+# Interface option classification
+#
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
 	       ENUM_IF_OPTION     => 3,
@@ -247,11 +253,17 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 
+#
+# 'ignore' option flags
+#
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
 our %validinterfaceoptions;
 
+#
+# Interface options that are implemented in /proc
+#
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
@@ -263,6 +275,9 @@ our %procinterfaceoptions=( accept_ra   => 1,
 			    sourceroute => 1,
 			  );
 
+#
+# Options that are not allowed with unmanaged interfaces
+#
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -281,10 +296,15 @@ our %prohibitunmanaged = (
 			  upnp           => 1,
 			  upnpclient     => 1,
 			 );
-
+#
+# Default values for options that admit an optional value
+#
 our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3, routeback => 1 );
 
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
+#
+# Maximum value for options that accept a range of values
+#
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 300 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
 
 our %validhostoptions;
 
@@ -701,7 +721,7 @@ sub determine_zones()
 }
 
 #
-# Return true of we have any ipsec zones
+# Return true If we have any ipsec zones
 #
 sub haveipseczones() {
     for my $zoneref ( values %zones ) {
@@ -872,6 +892,9 @@ sub single_interface( $ ) {
     @keys == 1 ? $keys[0] : '';
 }
 
+#
+# This function adds an interface:network pair to a zone
+#
 sub add_group_to_zone($$$$$$)
 {
     my ($zone, $type, $interface, $networks, $options, $inherit_options) = @_;
@@ -976,6 +999,9 @@ sub find_zone( $ ) {
     $zoneref;
 }
 
+#
+# Access functions for zone members
+#
 sub zone_type( $ ) {
     find_zone( $_[0] )->{type};
 }
@@ -990,26 +1016,44 @@ sub zone_mark( $ ) {
     $zoneref->{mark};
 }
 
+#
+# Returns the zone table entry for the passed zone name
+#
 sub defined_zone( $ ) {
     $zones{$_[0]};
 }
 
+#
+# Returns a list of all defined zones
+#
 sub all_zones() {
     @zones;
 }
 
+#
+# Returns a list of zones in the firewall itself (the firewall zone and vserver zones)
+#
 sub on_firewall_zones() {
    grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall and vserver zones
+#
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall zones
+#
 sub non_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }
 
+#
+# Returns the list of zones that don't contain sub-zones
+#
 sub all_parent_zones() {
     #
     # Although the firewall zone is technically a parent zone, we let the caller decide
@@ -1018,22 +1062,37 @@ sub all_parent_zones() {
     grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }
 
+#
+# Returns a list of complex zones (ipsec or with multiple interface:subnets)
+#
 sub complex_zones() {
     grep( $zones{$_}{complex} , @zones );
 }
 
+#
+# Returns a list of vserver zones
+#
 sub vserver_zones() {
     grep ( $zones{$_}{type} & VSERVER, @zones );
 }
 
+#
+# Returns the name of the firewall zone
+#
 sub firewall_zone() {
     $firewall_zone;
 }
 
+#
+# Returns a list of loopback zones
+#
 sub loopback_zones() {
     @loopback_zones;
 }
 
+#
+# Returns a list of local zones
+#
 sub local_zones() {
     @local_zones;
 }

Shorewall/Perl/getparams

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V5.2
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -601,26 +601,29 @@ interface_enabled() {
 }
 
 distribute_load() {
+    local provider
     local interface
-    local currentload # Total load of enabled interfaces
-    local load        # Specified load of an enabled interface
-    local mark        # Mark of an enabled interface
-    local totalload   # Total load of all interfaces - usually 1.000000
-    local nload       # Normalized load of an enabled interface
-    local var         # Interface name to embed in a variable name
+    local currentload # Total load of enabled providers
+    local load        # Specified load of an enabled provider
+    local mark        # Mark of an enabled provider
+    local totalload   # Total load of all providers - usually 1.000000
+    local nload       # Normalized load of an enabled provider
 
     totalload=$1
     shift
 
     currentload=0
 
-    for interface in $@; do
+    for provider in $@; do
+
+	interface=$(cat ${VARDIR}/${provider}_interface)
+	eval ${provider}_interface=$interface
+
 	if interface_enabled $interface; then
-	    var=$(echo $interface | sed 's/[.-]/_/g')
-	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${var}_load=$load
-	    mark=$(cat ${VARDIR}/${interface}_mark)
-	    eval ${var}_mark=$mark
+	    load=$(cat ${VARDIR}/${provider}_load)
+	    eval ${provider}_load=$load
+	    mark=$(cat ${VARDIR}/${provider}_mark)
+	    eval ${provider}_mark=$mark
 	    currentload=$( bc <<EOF
 scale=8
 $currentload + $load
@@ -630,12 +633,13 @@ EOF
     done
 
     if [ $currentload ]; then
-	for interface in $@; do
-	    qt $g_tool -t mangle -F ~$interface
+	for provider in $@; do
+	    eval interface=\$${provider}_interface
 
-	    var=$(echo $interface | sed 's/[.-]/_/g')
-	    eval load=\$${var}_load
-	    eval mark=\$${var}_mark
+	    qt $g_tool -t mangle -F ~$provider
+
+	    eval load=\$${provider}_load
+	    eval mark=\$${provider}_mark
 
 	    if [ -n "$load" ]; then
 		nload=$(bc <<EOF
@@ -651,10 +655,10 @@ EOF
 
 		case $nload in
 		    .*|0.*)
-			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -m statistic --mode random --probability $nload -j MARK --set-mark $mark
 			;;
 		    *)
-			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -j MARK --set-mark $mark
 			;;
 		esac
 	    fi
@@ -893,6 +897,14 @@ detect_dynamic_gateway() { # $1 = interface
 	fi
     done
 
+    if [ -z "$gateway" -a -n "$(mywhich nmcli)" ]; then
+	if [ $g_family = 4 ]; then
+	    gateway=$(nmcli --fields DHCP4.OPTION,IP4.GATEWAY device show ${1} 2> /dev/null | sed -rn '/( routers = |IP4.GATEWAY:.*[1-9])/{s/.* //;p;q}')
+	else
+	    gateway=$(nmcli --terse --fields IP6.GATEWAY device show ${1} 2> /dev/null | cut -f2- -d':')
+	fi
+    fi
+
     [ -n "$gateway" ] && echo $gateway
 }
 
@@ -959,7 +971,7 @@ add_gateway() # $1 = Delta $2 = Table Number
     local delta
     local dev
 
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/linkdown//g; s/[\]//g'`
 
     if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
@@ -993,7 +1005,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
     local gateway
     local dev
 
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/linkdown//g; s/[\]//g'`
     gateway=$1
 
     if [ -n "$route" ]; then

Shorewall/helpers

@@ -67,5 +67,4 @@ loadmodule ipt_LOG
 loadmodule nf_log_ipv4
 loadmodule xt_LOG
 loadmodule xt_NFLOG
-loadmodule ipt_ULOG
 loadmodule nfnetlink_log

Shorewall/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005, 2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/lib.cli-std

@@ -456,6 +456,16 @@ compiler() {
 
     ensure_root
     #
+    # Let params and the compiler know the base configuration directory
+    #
+    if [ -n "$g_shorewalldir" ]; then
+	SW_CONFDIR="$g_shorewalldir"
+    else
+	SW_CONFDIR="$g_confdir"
+    fi
+
+    export SW_CONFDIR
+    #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
     [ -n "$g_haveconfig" ] || ensure_config_path
@@ -1691,7 +1701,7 @@ remote_commands() # $* = original arguments less the command.
     #
     # Handle nonstandard remote VARDIR
     #
-    progress_message2 "Getting VARDIR on system $system..."
+    progress_message3 "Getting VARDIR on system $system..."
     temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
  
     [ -n "$temp" ] && litedir="$temp"

Shorewall/manpages/shorewall-addresses.xml

@@ -36,7 +36,7 @@
 
           <para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
           where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
-          of 1 to 4 hexidecimal digits (leading zeros may be omitted). a
+          of 1 to 4 hexadecimal digits (leading zeros may be omitted). a
           single series of 0 addresses may be omitted. For example
           2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
         </listitem>

Shorewall/manpages/shorewall-blrules.xml

@@ -280,9 +280,9 @@
         <term>IPv4 Example 1:</term>
 
         <listitem>
-          <para>Drop Teredo packets from the net.</para>
+          <para>Drop 6to4 packets from the net.</para>
 
-          <programlisting>DROP          net:[2001::/32]            all</programlisting>
+          <programlisting>DROP          net:192.88.99.1            all</programlisting>
         </listitem>
       </varlistentry>
 
@@ -290,10 +290,10 @@
         <term>IPv4 Example 2:</term>
 
         <listitem>
-          <para>Don't subject packets from 2001:DB8::/64 to the remaining
+          <para>Don't subject packets from 70.90.191.120/29 to the remaining
           rules in the file.</para>
 
-          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
+          <programlisting>WHITELIST     net:70.90.191.120/29       all</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-files.xml

@@ -199,7 +199,7 @@
       <listitem>
         <para><ulink url="shorewall-ecn.html">/etc/shorewall/ecn</ulink> -
         disable Explicit Congestion Notification (ECN - RFC 3168) to remote
-        hosts or networks. Superceded by ECN entries in
+        hosts or networks. Superseded by ECN entries in
         <filename>/etc/shorewall/mangle</filename> in Shorewall 5.0.6.</para>
       </listitem>
 
@@ -376,7 +376,7 @@ br0                -                    routeback</programlisting></para>
   </refsect1>
 
   <refsect1>
-    <title>Line Continuation</title>
+    <title id="Continuation">Line Continuation</title>
 
     <para>Lines may be continued using the usual backslash (<quote>\</quote>)
     followed immediately by a new line character (Enter key).</para>
@@ -720,7 +720,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
   <refsect1>
     <title>Time Columns</title>
 
-    <para>Several of the files include a TIME colum that allows you to specify
+    <para>Several of the files include a TIME column that allows you to specify
     times when the rule is to be applied. Contents of this column is a list of
     <replaceable>timeelement</replaceable>s separated by apersands
     (&amp;).</para>

Shorewall/manpages/shorewall-names.xml

@@ -243,7 +243,7 @@ POP(ACCEPT)    loc                  net:pop.gmail.com</programlisting>
   </refsect1>
 
   <refsect1>
-    <title>Logical Interface Names</title>
+    <title id="Logical">Logical Interface Names</title>
 
     <para>When dealing with a complex configuration, it is often awkward to
     use physical interface names in the Shorewall configuration.</para>

Shorewall/manpages/shorewall-policy.xml

@@ -295,21 +295,21 @@
           <para>where limit is one of:</para>
 
           <simplelist>
-            <member>[<emphasis
-            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
-            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
+            role="bold">s</emphasis>|<emphasis
+            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[[<replaceable>name</replaceable>][(ht-buckets,ht-max)]:]]]<emphasis>rate</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
             role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
 
-            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            <member>[<replaceable>name</replaceable>1:]<emphasis>rate1</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2:]<emphasis>rate2</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
@@ -331,7 +331,14 @@
           role="bold">shorewall</emphasis> is assumed. Where more than one
           POLICY or rule specifies the same name, the connections counts for
           the policies are aggregated and the individual rates apply to the
-          aggregated count.</para>
+          aggregated count. Beginning with Shorewall 5.2.1, the <emphasis
+          role="bold">s</emphasis> or <emphasis role="bold">d</emphasis> may
+          be followed by a slash ("/") and an integer
+          <replaceable>vlsm</replaceable>. When a
+          <replaceable>vlsm</replaceable> is specified, all source or
+          destination addresses encountered will be grouped according to the
+          given prefix length and the so-created subnet will be subject to the
+          rate limit.</para>
 
           <para>Beginning with Shorewall 4.6.5, two<replaceable>
           limit</replaceable>s may be specified, separated by a comma. In this
@@ -342,6 +349,17 @@
 
           <para>Example: <emphasis
           role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
+
+          <para>Beginning with Shorewall 5.2.1, the table name, if any, may be
+          followed by two integers separated by commas and enclosed in
+          parentheses. The first integer
+          (<replaceable>ht-buckets</replaceable>) specifies the number of
+          buckets in the generated hash table. The second integer
+          (<replaceable>ht-max</replaceable>) specifies the maximum number of
+          entries in the hash table.</para>
+
+          <para>Example: <emphasis
+          role="bold">s:client(1024,65536):10/sec</emphasis></para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-providers.xml

@@ -387,8 +387,10 @@
                 distributions but <emphasis role="bold">nohostroute</emphasis>
                 (below) is appropriate for recent distributions. <emphasis
                 role="bold">hostroute</emphasis> may interfere with Zebra's
-                ability to add routes on some distributions such as Debian
-                7.</para>
+                ability to add routes on some distributions such as Debian 7.
+                This option defaults to on when BALANCE_PROVIDERS=Yes, in
+                <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -404,7 +406,9 @@
                 older distributions but is appropriate for recent
                 distributions. <emphasis role="bold">nohostroute</emphasis>
                 allows Zebra's to correctly add routes on some distributions
-                such as Debian 7.</para>
+                such as Debian 7. This option defaults to off when
+                BALANCE_PROVIDERS=Yes, in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-rules.xml

@@ -1900,19 +1900,21 @@
           <simplelist>
             <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
             role="bold">s</emphasis>|<emphasis
-            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[<replaceable>name</replaceable>[(<replaceable>ht-buckets</replaceable>,<replaceable>ht-max</replaceable>)]:]<emphasis>rate</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
             role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
 
-            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            <member>[<emphasis
+            role="bold">s</emphasis>[/<replaceable>vlsm1</replaceable>]:][<replaceable>name</replaceable>1[(<replaceable>ht-buckets1</replaceable>,<replaceable>ht-max1</replaceable>)]:]<emphasis>rate1</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<emphasis
+            role="bold">d</emphasis>[/<replaceable>vlsm2</replaceable>:][<replaceable>name</replaceable>2[(<replaceable>ht-buckets2</replaceable>,<replaceable>ht-max2</replaceable>)]:]<emphasis>rate2</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
@@ -1940,7 +1942,16 @@
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,
           the connections counts for the rules are aggregated and the
-          individual rates apply to the aggregated count.</para>
+          individual rates apply to the aggregated count. Beginning with
+          Shorewall 5.2.1, the <emphasis role="bold">s</emphasis> or <emphasis
+          role="bold">d</emphasis> may be followed by a slash ("/") and an
+          integer <replaceable>vlsm</replaceable>. When a
+          <replaceable>vlsm</replaceable> is specified, all source or
+          destination addresses encountered will be grouped according to the
+          given prefix length and the so-created subnet will be subject to the
+          rate limit.</para>
+
+          <para>Example: <emphasis role="bold">s/24::10/sec</emphasis></para>
 
           <para>Beginning with Shorewall 4.6.5, two<replaceable>
           limit</replaceable>s may be specified, separated by a comma. In this
@@ -1957,6 +1968,17 @@
           name for the hash table that tracks the per-destination
           limit.</para>
 
+          <para>Beginning with Shorewall 5.2.1, the table name, if any, may be
+          followed by two integers separated by commas and enclosed in
+          parentheses. The first integer
+          (<replaceable>ht-buckets</replaceable>) specifies the number of
+          buckets in the generated hash table. The second integer
+          (<replaceable>ht-max</replaceable>) specifies the maximum number of
+          entries in the hash table.</para>
+
+          <para>Example: <emphasis
+          role="bold">s:netfw(1024,65536):10/sec</emphasis></para>
+
           <para>This column was formerly labelled RATE LIMIT.</para>
         </listitem>
       </varlistentry>

Shorewall/manpages/shorewall.conf.xml

@@ -500,7 +500,7 @@
           each listed directory is to be searched. AUTOMAKE=1 only searches
           each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
           will search each directory and its immediate sub-directories;
-          AUTOMAKE=3 will search each diretory, each of its immediate
+          AUTOMAKE=3 will search each directory, each of its immediate
           sub-directories, and each of their immediate sub-directories,
           etc.</para>
         </listitem>

Shorewall/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}

Shorewall6-lite/init.openwrt.sh

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)

Shorewall6-lite/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall6-lite/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall6/Samples6/three-interfaces/rules

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
+# Shorewall6 version 5.2 - Sample Rules File for three-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/Samples6/three-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4 - Sample Zones File for three-interface configuration.
+# Shorewall6 version 5.2 - Sample Zones File for three-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/Samples6/two-interfaces/rules

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
+# Shorewall6 version 5.2 - Sample Rules File for two-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/Samples6/two-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
+# Shorewall6 version 5.2 - Sample Zones File for two-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or

Shorewall6/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall6/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

docs/Anti-Spoofing.xml

@@ -85,7 +85,7 @@
     server. It then sends a packet addressed to itself and from the server.
     Such packets are sent back out the same interface that received them
     (<firstterm>hairpin</firstterm>). In cases where the
-    <option>routerfilter</option> option can't be used, Shorewall 4.4.20 and
+    <option>routefilter</option> option can't be used, Shorewall 4.4.20 and
     later will set up hairpinning traps (see the SFILTER_DISPOSITION and
     SFILTER_LOG_LEVEL options in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>

docs/FAQ.xml

@@ -244,9 +244,25 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
         work</title>
 
         <para><emphasis role="bold">Answer:</emphasis> That is usually the
-        result of one of four things:</para>
+        result of one of five things:</para>
 
         <itemizedlist>
+          <listitem>
+            <para>You are trying to redirect a UDP port and there is already a
+            conntrack table entry for the flow, created via an ACCEPT
+            rule.</para>
+
+            <para>Example:</para>
+
+            <programlisting>        DNAT    loc:192.168.0.2 dmz:192.168.1.3 udp 53</programlisting>
+
+            <para>Assuming that you have installed the
+            <emphasis>conntrack</emphasis> package, you can delete all such
+            conntrack table entries using:</para>
+
+            <programlisting>        conntrack -D -s 192.168.0.2 -p udp --dport 53</programlisting>
+          </listitem>
+
           <listitem>
             <para>You are trying to test from inside your firewall (no, that
             won't work -- see <xref linkend="faq2"/>).</para>

docs/IPSEC-2.6.xml

@@ -323,7 +323,7 @@ vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ips
 
     <blockquote>
       <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:0.0.0.0/o                       <emphasis role="bold">ipsec</emphasis></programlisting>
+vpn               eth0:0.0.0.0/0                       <emphasis role="bold">ipsec</emphasis></programlisting>
     </blockquote>
 
     <para>Assuming that you want to give each local network free access to the

docs/MultiISP.xml

@@ -18,21 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2005</year>
-
-      <year>2006</year>
-
-      <year>2007</year>
-
-      <year>2008</year>
-
-      <year>2009</year>
-
-      <year>2010</year>
-
-      <year>2011</year>
-
-      <year>2012 2013</year>
+      <year>2005-2018</year>
 
       <holder>Thomas M. Eastep,</holder>
 
@@ -67,7 +53,7 @@
     <itemizedlist>
       <listitem>
         <para>The LARTC HOWTO: <ulink
-        url="http://www.lartc.org">http://www.lartc.org</ulink></para>
+        url="http://comparitech.net/lartc">http://comparitech.net/lartc</ulink></para>
       </listitem>
 
       <listitem>
@@ -2568,6 +2554,15 @@ exit 0
           of<filename> /etc/shorewall/providers</filename>; <emphasis
           role="bold">detect</emphasis> is not permitted.</para>
         </listitem>
+
+        <listitem>
+          <para>The <emphasis role="bold">optional</emphasis>
+          provider/interface option doesn't work (and is disallowed beginning
+          with Shorewall 5.2.1). If you need failover, you will need to
+          front-end your firewall with a configurable switch and create a
+          separate VLAN for each of your providers, thus providing a separate
+          network interface for each provider.</para>
+        </listitem>
       </orderedlist>
 
       <para>Taken together, b. and h. effectively preclude using this

docs/Shorewall_Doesnt.xml

@@ -65,9 +65,10 @@
         <itemizedlist>
           <listitem>
             <para>HTTP - better to use <ulink
-            url="Shorewall_Squid_Usage.html">Squid</ulink> and <ulink
-            url="http://dansguardian.org/">Dansguardian</ulink> for
-            that.</para>
+            url="Shorewall_Squid_Usage.html">Squid</ulink>, <ulink
+            url="http://www.e2guardian.org/">E2guardian</ulink>, or <ulink
+            url="http://comparitech.net/parental-control">Parental
+            Control</ulink> for that.</para>
           </listitem>
 
           <listitem>

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2017</year>
+      <year>2001-2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -56,7 +56,7 @@
     Shorewall</ulink> is required reading for being able to use this article
     effectively. For information about setting up your first Shorewall-based
     firewall, see the <ulink url="GettingStarted.html">Quickstart
-    Guides</ulink>.</para>
+    Guides</ulink>.in</para>
   </section>
 
   <section id="Files">
@@ -817,11 +817,11 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
           <programlisting>#ACTION              SOURCE           DEST
 
 ?COMMENT Drop DNS Amplification Attack Packets
-INLINE(DROP):info    net              $FW ; udp     53      ; -m u32 --u32 "0&gt;&gt;22&amp;0x3C\@8&amp;0xffff=0x0100 &amp;&amp; 0&gt;&gt;22&amp;0x3C\@12&amp;0xffff0000=0x00010000"
+INLINE(DROP):info    net              $FW   udp     53   ;; -m u32 --u32 "0&gt;&gt;22&amp;0x3C\@8&amp;0xffff=0x0100 &amp;&amp; 0&gt;&gt;22&amp;0x3C\@12&amp;0xffff0000=0x00010000"
 ?COMMENT
 
 ?COMMENT Rule generated by the IfEvent action
-INLINE               net              $FW ; -m recent --rcheck 10 --hitcount 5 --name SSH -s 1.2.3.4 -j MARK --or-mark 0x4000
+INLINE               net              $FW ;; -m recent --rcheck 10 --hitcount 5 --name SSH -s 1.2.3.4 -j MARK --or-mark 0x4000
 ?COMMENT</programlisting>
         </listitem>
       </varlistentry>
@@ -852,7 +852,8 @@ INLINE               net              $FW ; -m recent --rcheck 10 --hitcount 5 -
           column=value specifications. In Shorewall 5.0.0 and later, inline
           matches are allowed in mangle, masq and rules following two adjacent
           semicolons (";;"). If alternate input is present, the adjacent
-          semicolons should follow that input.</para>
+          semicolons should follow that input. In Shorewall 5.2.2, this
+          support was extended to the conntrack file.</para>
 
           <caution>
             <para>INLINE_MATCHES=Yes is deprecated and will no longer be
@@ -1302,7 +1303,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 
       <member><filename>macro</filename>.* files</member>
 
-      <member><filename>masq</filename></member>
+      <member><filename>snat</filename></member>
 
       <member><filename>nat</filename></member>