Revert "Allow leading 's' & 'd' to be omitted when specifying two rates"

This reverts commit 23bc6f1ab5.

Shorewall-core/lib.cli

@@ -3775,7 +3775,7 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
     else
 	too_many_arguments $4
@@ -3864,7 +3864,7 @@ noiptrace_command() {
 verify_firewall_script() {
     if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
 # Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -419,7 +419,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
     elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +501,7 @@ ip_network() {
 
 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+# the popular light-weight Bourne shell derivatives do not support XOR ("^").
 #
 ip_broadcast() {
     local x
@@ -751,6 +751,8 @@ mutex_on()
     lockf=${LOCKFILE:=${VARDIR}/lock}
     local lockpid
     local lockd
+    local lockbin
+    local openwrt
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
@@ -760,29 +762,33 @@ mutex_on()
 
 	[ -d "$lockd" ] || mkdir -p "$lockd"
 
+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+	    elif [ -z "$openwrt" ]; then
+		if [ $lockpid -eq $$ ]; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
 		    rm -f ${lockf}
 		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 		fi
 	    fi
+	fi
 
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	if [ -n "$openwrt" ]; then
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall-core/lib.uninstaller

@@ -60,7 +60,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
     if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
+        if [ -f $1 -o -h $1 ] ; then
             rm -f $1
             echo "$1 Removed"
         fi
@@ -84,7 +84,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
             if [ -d $f ] ; then
                 rm -rf $f
                 echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
+            elif [ -f $f -o -h $f ] ; then
                 rm -f $f
                 echo "$f Removed"
             fi

Shorewall-lite/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable

Shorewall/Macros/macro.Cockpit

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Cockpit
+#
+# This macro handles Time protocol (RFC868).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this.  NTP is a superior alternative.
+#
+#		By Eric Teeter
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	9090

Shorewall/Perl/Shorewall/Chains.pm

@@ -186,13 +186,12 @@ our %EXPORT_TAGS = (
 				       input_chain
 				       input_option_chain
 				       zone_input_chain
-				       use_input_chain
+				       use_interface_chain
 				       output_chain
 				       output_option_chain
 				       prerouting_chain
 				       postrouting_chain
 				       zone_output_chain
-				       use_output_chain
 				       masq_chain
 				       syn_flood_chain
 				       mac_chain
@@ -428,7 +427,7 @@ our $VERSION = 'MODULEVERSION';
 #      Established     - ^<z1-z2>
 #      Related         - +<z1-z2>
 #      Invalid         - _<z1-z2>
-#      Untracked       - &<z1-z2>
+#      Untracked       - =<z1-z2>
 #
 our %chain_table;
 our $raw_table;
@@ -2275,7 +2274,7 @@ sub invalid_chain($$) {
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_chain($$) {
-    '&' . &rules_chain(@_);
+    '=' . &rules_chain(@_);
 }
 
 #
@@ -2325,7 +2324,7 @@ sub invalid_log($$) {
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_log($$) {
-    '&' . &rules_log(@_);
+    '=' . &rules_log(@_);
 }
 
 #
@@ -2431,10 +2430,11 @@ sub zone_input_chain($) {
 }
 
 #
-# Returns true if we're to use the interface's input chain
+# Returns true if we're to use the interface's input or chain, depending on the second argument
+# (use_input_chain or use_output_chain).
 #
-sub use_input_chain($$) {
-    my ( $interface, $chainref ) = @_;
+sub use_interface_chain($$) {
+    my ( $interface, $which ) = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
@@ -2462,17 +2462,11 @@ sub use_input_chain($$) {
     #                                            the zone has  multiple interfaces
     #                                            and this interface has option rules
     #
-    return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
+    return 1 if $interfaceref->{options}{$which} && keys %{ zone_interfaces( $zone ) } > 1;
     #
     # Interface associated with a single zone -- use the zone's input chain if it has one
     #
-    return 0 if $chainref;
-    #
-    # Use the <zone>->fw rules chain if it is referenced.
-    #
-    $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
-
-    ! ( $chainref->{referenced} || $chainref->{is_policy} )
+    return 0;
 }
 
 #
@@ -2509,41 +2503,6 @@ sub zone_output_chain($) {
     $_[0] . '_output';
 }
 
-#
-# Returns true if we're to use the interface's output chain
-#
-sub use_output_chain($$) {
-    my ( $interface, $chainref)  = @_;
-    my $interfaceref = find_interface($interface);
-    my $nets = $interfaceref->{nets};
-    #
-    # We must use the interfaces's chain if the interface is associated with multiple Zones
-    #
-    return 1 if ( keys %{interface_zones $interface} ) > 1;
-    #
-    # Use interface's chain if there are multiple nets on the interface
-    #
-    return 1 if $nets > 1;
-    #
-    # Use interface's chain if it is a bridge with ports
-    #
-    return 1 if $interfaceref->{ports};
-    #
-    # Don't need it if it isn't associated with any zone
-    #
-    return 0 unless $nets;
-    #
-    # Interface associated with a single zone -- use the zone's output chain if it has one
-    #
-    return 0 if $chainref;
-    #
-    # Use the fw-><zone> rules chain if it is referenced.
-    #
-    $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
-
-    ! ( $chainref->{referenced} || $chainref->{is_policy} )
-}
-
 #
 # Masquerade Chain for an interface
 #
@@ -3340,10 +3299,20 @@ sub initialize_chain_table($) {
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
-	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS           ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
+	$chainref = new_standard_chain( 'DOCKER-USER'   );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER              ] && cat ${VARDIR}/.filter_DOCKER-USER      >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION         ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-2' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 >&3' );
     }
 
     my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -5381,8 +5350,8 @@ sub do_ratelimit( $$ ) {
     my @rates = split_list3 $rates, 'rate';
 
     if ( @rates == 2 ) {
-	$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s:/;
-	$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d:/;
+	$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s(?:\/\d+)?:/;
+	$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d(?:\/\d+)?:/;
     } elsif ( @rates > 2 ) {
 	fatal error "Only two rates may be specified";
     }
@@ -5444,8 +5413,10 @@ sub do_ratelimit( $$ ) {
 		$limit .= " --hashlimit-htable-size $htsize --hashlimit-htable-max $max";
 	    }
 
-	    $limit .= " --hashlimit-mode $mode" if $mode;
+	    if ( $mode ) {
+		$limit .= " --hashlimit-mode $mode";
 		$units = $10;
+	    }
 	} else {
 	    fatal_error "Invalid rate ($rate)";
 	}
@@ -5845,7 +5816,7 @@ sub do_condition( $$ ) {
 
     $chain =~ s/[^\w-]//g;
     #                          $1    $2      -     $3
-    while ( $condition =~ m( ^(.*?) @({)?(?:0|chain)(?(2)}) (.*)$ )x ) {
+    while ( $condition =~ m( ^(.*?) @(\{)?(?:0|chain)(?(2)}) (.*)$ )x ) {
 	$condition = join( '', $1, $chain, $3 );
     }
 
@@ -5895,7 +5866,7 @@ sub do_nfacct( $ ) {
 #
 sub match_source_dev( $;$ ) {
     my ( $interface, $nodev ) = @_;
-    my $invert       =  ( $interface =~ s/^!// ) ? '!' : '';
+    my $invert       =  ( $interface =~ s/^!// ) ? '! ' : '';
     my $interfaceref =  known_interface( $interface );
     $interface = $interfaceref->{physical} if $interfaceref;
 
@@ -8519,6 +8490,18 @@ sub enter_cmd_mode() {
     $mode = CMD_MODE;
 }
 
+#
+# These two assure that we're in a particular mode
+#
+
+sub ensure_cat_mode() {
+    enter_cat_mode unless $mode == CAT_MODE;
+}
+
+sub ensure_cmd_mode() {
+    enter_cmd_mode unless $mode == CMD_MODE;
+}
+
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
@@ -8534,7 +8517,7 @@ sub emitr( $$ ) {
 	    #
 	    # A rule
 	    #
-	    enter_cat_mode unless $mode == CAT_MODE;
+	    ensure_cat_mode;
 
 	    if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
 		emit_unindented '# ' . $origin;
@@ -8545,7 +8528,7 @@ sub emitr( $$ ) {
 	    #
 	    # A command
 	    #
-	    enter_cmd_mode unless $mode == CMD_MODE;
+	    ensure_cmd_mode;
 
 	    if ( exists $ruleref->{cmd} ) {
 		emit join( '', '    ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
@@ -8578,6 +8561,14 @@ sub enter_cmd_mode1() {
     $mode = CMD_MODE;
 }
 
+sub ensure_cat_mode1() {
+    enter_cat_mode1 unless $mode == CAT_MODE;
+}
+
+sub ensure_cmd_mode1() {
+    enter_cmd_mode1 unless $mode == CMD_MODE;
+}
+
 sub emitr1( $$ ) {
     my ( $chainref, $ruleref ) = @_;
 
@@ -8586,14 +8577,14 @@ sub emitr1( $$ ) {
 	    #
 	    # A rule
 	    #
-	    enter_cat_mode1 unless $mode == CAT_MODE;
+	    ensure_cat_mode1;
 
 	    print format_rule( $chainref, $ruleref ) . "\n";
 	} else {
 	    #
 	    # A command
 	    #
-	    enter_cmd_mode1 unless $mode == CMD_MODE;
+	    ensure_cmd_mode1;
 
 	    if ( exists $ruleref->{cmd} ) {
 		emitstd $ruleref->{cmd};
@@ -8618,7 +8609,20 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
-	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
+	  qq(    [ -n "\$g_dockeruser" ]    && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(),
+	  qq(    case "\$g_dockernetwork" in),
+	  qq(        One\)),
+	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+	  qq(            $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
+	  qq(            ;;),
+	  qq(        Two\)),
+	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+	  qq(            ;;),
+	  qq(    esac),
+	  qq(),
 	);
 
     if ( known_interface( 'docker0' ) ) {
@@ -8634,7 +8638,8 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
-	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-USER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
 	)
@@ -9133,21 +9138,26 @@ sub create_netfilter_load( $ ) {
 
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
+			ensure_cmd_mode;
+			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			ensure_cmd_mode;
+			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-USER' ) {
+			ensure_cmd_mode;
+			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
 		    } else {		    
+			ensure_cat_mode;
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
+		    ensure_cat_mode;
 		    emit_unindented ":$name - [0:0]";
 		}
 
@@ -9165,17 +9175,19 @@ sub create_netfilter_load( $ ) {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode;
+
 	for my $chainref ( @chains ) {
 	    emitr( $chainref, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
 	#
-	enter_cat_mode unless $mode == CAT_MODE;
+	ensure_cat_mode;
 	emit_unindented 'COMMIT';
     }
 
-    enter_cmd_mode;
+    ensure_cmd_mode;
 
     pop_indent, emit "fi\n";
     #
@@ -9191,7 +9203,7 @@ sub create_netfilter_load( $ ) {
 	  '',
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
-	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  qq(    fatal_error "$utility Failed. Input is in \${VARDIR}/.${utility}-input"),
 	  'fi'
 	);
 
@@ -9240,24 +9252,31 @@ sub preview_netfilter_load() {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode1;
+			ensure_cmd_mode1;
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
-			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			ensure_cmd_mode1;
+			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print "\n";
+		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			ensure_cmd_mode1;
+			print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 			print "\n";
-			enter_cat_mode1;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			ensure_cmd_mode1;
 			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			print "\n";
-			enter_cat_mode1;
+		    } elsif ( $name eq 'DOCKER-USER' ) {
+			ensure_cmd_mode1;
+			print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
+			print "\n";
 		    } else {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			ensure_cmd_mode1;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {
+		    ensure_cat_mode1;
 		    print( ":$name - [0:0]\n" );
 		}
 
@@ -9267,13 +9286,15 @@ sub preview_netfilter_load() {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode1;
+
 	for my $chainref ( @chains ) {
 	    emitr1($chainref, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
 	#
-	enter_cat_mode1 unless $mode == CAT_MODE;
+	ensure_cat_mode1;
 	print "COMMIT\n";
     }
 
@@ -9333,21 +9354,26 @@ sub create_stop_load( $ ) {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
+		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			ensure_cmd_mode;
+			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-USER' ) {
+			ensure_cmd_mode;
+			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
 		    } else {		    
+			ensure_cat_mode;
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
+		    ensure_cat_mode;
 		    emit_unindented ":$name - [0:0]";
 		}
 
@@ -9357,6 +9383,8 @@ sub create_stop_load( $ ) {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode;
+
 	for my $chainref ( @chains ) {
 	    emitr( $chainref, $_ ) for @{$chainref->{rules}};
 	}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,7 +269,12 @@ sub generate_script_2() {
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
+	emit( 'if chain_exists DOCKER-ISOLATION; then',
+	      '    g_dockernetwork=One',
+	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
+	      '    g_dockernetwork=Two',
+	      'fi' );
     }
 
     pop_indent;
@@ -382,7 +387,7 @@ sub generate_script_3() {
 	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
-	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
+	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
 

Shorewall/Perl/Shorewall/Config.pm

@@ -2833,7 +2833,7 @@ sub evaluate_expression( $$$$ ) {
     }
 
     #                         $1      $2   $3                     -     $4
-    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
 	if ( $var =~ /^\d+$/ ) {
@@ -2850,7 +2850,7 @@ sub evaluate_expression( $$$$ ) {
 
     if ( $chain ) {
 	#                         $1      $2   $3                     -     $4
-	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $expression =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
@@ -2861,7 +2861,7 @@ sub evaluate_expression( $$$$ ) {
     }
 
     #                         $1      $2   $3      -     $4
-    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) __(\{)? (\w+) (?(2)}) (.*)$ )x ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);
 
 	if ( exists $capdesc{$cap} ) {
@@ -3791,7 +3791,7 @@ sub expand_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     my $chain = $actparams{chain};
     #                         $1      $2   $3                   -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
@@ -3830,7 +3830,7 @@ sub expand_variables( \$ ) {
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
-	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $$lineref =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
@@ -3846,7 +3846,7 @@ sub expand_variables( \$ ) {
 sub expand_shorewallrc_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     #                         $1      $2   $3                  -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
@@ -5925,7 +5925,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' || $_ eq 'SW_CONFDIR' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}

Shorewall/Perl/Shorewall/Misc.pm

@@ -668,7 +668,17 @@ sub create_docker_rules() {
     my $chainref = $filter_table->{FORWARD};
 
     add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
-    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
+    add_commands( $chainref ,
+		  '',
+		  'case "$g_dockernetwork" in',
+		  '    One)',
+		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
+		  '        ;;',
+		  '    Two)',
+		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
+		  '        ;;',
+		  'esac' );
 
     if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
@@ -1714,9 +1724,9 @@ sub add_interface_jumps {
 	    add_ijump( $filter_table->{input_chain $bridge },
 		       j => $inputref ,
 		       imatch_source_dev( $interface, 1 )
-		    ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+		) unless $input_jump_added{$interface}   || ! use_interface_chain( $interface, 'use_input_chain' );
 
-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
 		add_ijump( $filter_table->{output_chain $bridge} ,
 			   j => $outputref ,
 			   imatch_dest_dev( $interface, 1 ) )
@@ -1726,9 +1736,9 @@ sub add_interface_jumps {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
 	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref )         && ! $forward_jump_added{$interface}++;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
 
-	    if ( use_output_chain $interface, $outputref ) {
+	    if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
 		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
@@ -1917,7 +1927,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
     my @zone_interfaces   = keys %{zone_interfaces( $zone )};
 
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
@@ -2051,7 +2061,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
     my @source            = imatch_source_net $net;
     my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
 
-    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or

Shorewall/Perl/Shorewall/Providers.pm

@@ -60,7 +60,7 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_interfaces;
+our @load_providers;
 
 our $balancing;
 our $fallback;
@@ -99,7 +99,7 @@ sub initialize( $ ) {
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_interfaces        = ();
+    @load_providers         = ();
     $balancing              = 0;
     $balanced_providers     = 0;
     $fallback_providers     = 0;
@@ -163,8 +163,8 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 
 		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    if ( have_capability( 'MARK_ANYWHERE' ) && ( my $chainref = $filter_table->{forward_chain($interface)} ) ) {
+			add_ijump_extended $chainref, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
@@ -185,16 +185,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
     }
 
-    if ( @load_interfaces ) {
+    if ( @load_providers ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;
 
 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
 
-	for my $physical ( @load_interfaces ) {
+	for my $provider ( @load_providers ) {
 
-	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );
 
 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 
@@ -446,7 +446,7 @@ sub process_a_provider( $ ) {
     fatal_error 'NAME must be specified' if $table eq '-';
 
     unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;
 
 	my $num = numeric_value $number;
 
@@ -636,6 +636,7 @@ sub process_a_provider( $ ) {
     }
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
+    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;
 
     unless ( $pseudo ) {
 	if ( $local ) {
@@ -779,7 +780,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
     }
 
-    push @load_interfaces, $physical if $load;
+    push @load_providers, $table if $load;
 
     push @providers, $table;
 
@@ -941,8 +942,9 @@ sub add_a_provider( $$ ) {
 	}
     }
 
-    emit( "echo $load > \${VARDIR}/${physical}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
+    emit( "echo $load > \${VARDIR}/${table}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
+	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;
 
     emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -1097,7 +1099,7 @@ CEOF
 	    $weight = 1;
 	}
 
-	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+	emit ( "distribute_load $maxload @load_providers" ) if $load;
 
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
@@ -1244,7 +1246,7 @@ CEOF
 	}
 
 	emit ( '',
-	       "distribute_load $maxload @load_interfaces" ) if $load;
+	       "distribute_load $maxload @load_providers" ) if $load;
 
 	if ( $persistent ) {
 	    emit ( '',
@@ -1615,7 +1617,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
     } else {
-	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1909,24 +1911,24 @@ sub setup_providers() {
 	pop_indent;
 	emit 'fi';
 
-	setup_route_marking if @routemarked_interfaces || @load_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_providers;
     } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
 
+	emit "undo_routing";
+	emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
 
 	if ( $config{NULL_ROUTE_RFC1918} ) {
+	    emit '';
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache" unless $standard_routes;
 	}
@@ -2485,7 +2487,7 @@ sub handle_stickiness( $ ) {
 	}
     }
 
-    if ( @routemarked_providers || @load_interfaces ) {
+    if ( @routemarked_providers || @load_providers ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
@@ -2493,9 +2495,9 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_providers" ,
 	   ''
-	 ) if @load_interfaces;
+	 ) if @load_providers;
 }
 
 1;

Shorewall/Perl/Shorewall/Rules.pm

@@ -2781,7 +2781,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 
 	      HELPER => sub { 
-		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+		  fatal_error "HELPER requires that a helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 		  $action = ''; } ,
 
@@ -3137,13 +3137,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
 	#
 	# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
-	# don't apply rate limiting twice
 	#
 	$rule .= join( '',
 		       do_proto($proto, $ports, $sports),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_user( $user ) ,
 		       do_test( $mark , $globals{TC_MASK} ) ,
 		       do_connlimit( $connlimit ),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
@@ -3239,12 +3240,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
+	#   - don't apply rate limiting twice
 	#
 	unless ( $actiontype & NATONLY ) {
 	    $rule = join( '',
 			  $matches,
 			  do_proto( $proto, $ports, $sports ),
-			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
 			  do_condition( $condition , $chain ),
@@ -5573,6 +5574,15 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
 	}
 
+	if ( $chainref->{complete} ) {
+	    if ( $interface ) {
+		warning_message( "Interface $interface entry generated no $toolname rule" );
+	    } else {
+		warning_message( "Entry generated no $toolname rule" );
+	    }
+	    next;
+	}
+
 	$baserule .= do_condition( $condition , $chainref->{name} );
 	#
 	# Handle IPSEC options, if any

Shorewall/Perl/lib.runtime

@@ -601,26 +601,29 @@ interface_enabled() {
 }
 
 distribute_load() {
+    local provider
     local interface
-    local currentload # Total load of enabled interfaces
-    local load        # Specified load of an enabled interface
-    local mark        # Mark of an enabled interface
-    local totalload   # Total load of all interfaces - usually 1.000000
-    local nload       # Normalized load of an enabled interface
-    local var         # Interface name to embed in a variable name
+    local currentload # Total load of enabled providers
+    local load        # Specified load of an enabled provider
+    local mark        # Mark of an enabled provider
+    local totalload   # Total load of all providers - usually 1.000000
+    local nload       # Normalized load of an enabled provider
 
     totalload=$1
     shift
 
     currentload=0
 
-    for interface in $@; do
+    for provider in $@; do
+
+	interface=$(cat ${VARDIR}/${provider}_interface)
+	eval ${provider}_interface=$interface
+
 	if interface_enabled $interface; then
-	    var=$(echo $interface | sed 's/[.-]/_/g')
-	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${var}_load=$load
-	    mark=$(cat ${VARDIR}/${interface}_mark)
-	    eval ${var}_mark=$mark
+	    load=$(cat ${VARDIR}/${provider}_load)
+	    eval ${provider}_load=$load
+	    mark=$(cat ${VARDIR}/${provider}_mark)
+	    eval ${provider}_mark=$mark
 	    currentload=$( bc <<EOF
 scale=8
 $currentload + $load
@@ -630,12 +633,13 @@ EOF
     done
 
     if [ $currentload ]; then
-	for interface in $@; do
-	    qt $g_tool -t mangle -F ~$interface
+	for provider in $@; do
+	    eval interface=\$${provider}_interface
 
-	    var=$(echo $interface | sed 's/[.-]/_/g')
-	    eval load=\$${var}_load
-	    eval mark=\$${var}_mark
+	    qt $g_tool -t mangle -F ~$provider
+
+	    eval load=\$${provider}_load
+	    eval mark=\$${provider}_mark
 
 	    if [ -n "$load" ]; then
 		nload=$(bc <<EOF
@@ -651,10 +655,10 @@ EOF
 
 		case $nload in
 		    .*|0.*)
-			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -m statistic --mode random --probability $nload -j MARK --set-mark $mark
 			;;
 		    *)
-			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -j MARK --set-mark $mark
 			;;
 		esac
 	    fi
@@ -959,7 +963,7 @@ add_gateway() # $1 = Delta $2 = Table Number
     local delta
     local dev
 
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/linkdown//g; s/[\]//g'`
 
     if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
@@ -993,7 +997,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
     local gateway
     local dev
 
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/linkdown//g; s/[\]//g'`
     gateway=$1
 
     if [ -n "$route" ]; then

Shorewall/helpers

@@ -67,5 +67,4 @@ loadmodule ipt_LOG
 loadmodule nf_log_ipv4
 loadmodule xt_LOG
 loadmodule xt_NFLOG
-loadmodule ipt_ULOG
 loadmodule nfnetlink_log

Shorewall/lib.cli-std

@@ -456,6 +456,16 @@ compiler() {
 
     ensure_root
     #
+    # Let params and the compiler know the base configuration directory
+    #
+    if [ -n "$g_shorewalldir" ]; then
+	SW_CONFDIR="$g_shorewalldir"
+    else
+	SW_CONFDIR="$g_confdir"
+    fi
+
+    export SW_CONFDIR
+    #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
     [ -n "$g_haveconfig" ] || ensure_config_path

Shorewall/manpages/shorewall-addresses.xml

@@ -36,7 +36,7 @@
 
           <para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
           where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
-          of 1 to 4 hexidecimal digits (leading zeros may be omitted). a
+          of 1 to 4 hexadecimal digits (leading zeros may be omitted). a
           single series of 0 addresses may be omitted. For example
           2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
         </listitem>

Shorewall/manpages/shorewall-blrules.xml

@@ -280,9 +280,9 @@
         <term>IPv4 Example 1:</term>
 
         <listitem>
-          <para>Drop Teredo packets from the net.</para>
+          <para>Drop 6to4 packets from the net.</para>
 
-          <programlisting>DROP          net:[2001::/32]            all</programlisting>
+          <programlisting>DROP          net:192.88.99.1            all</programlisting>
         </listitem>
       </varlistentry>
 
@@ -290,10 +290,10 @@
         <term>IPv4 Example 2:</term>
 
         <listitem>
-          <para>Don't subject packets from 2001:DB8::/64 to the remaining
+          <para>Don't subject packets from 70.90.191.120/29 to the remaining
           rules in the file.</para>
 
-          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
+          <programlisting>WHITELIST     net:70.90.191.120/29       all</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-files.xml

@@ -199,7 +199,7 @@
       <listitem>
         <para><ulink url="shorewall-ecn.html">/etc/shorewall/ecn</ulink> -
         disable Explicit Congestion Notification (ECN - RFC 3168) to remote
-        hosts or networks. Superceded by ECN entries in
+        hosts or networks. Superseded by ECN entries in
         <filename>/etc/shorewall/mangle</filename> in Shorewall 5.0.6.</para>
       </listitem>
 
@@ -376,7 +376,7 @@ br0                -                    routeback</programlisting></para>
   </refsect1>
 
   <refsect1>
-    <title>Line Continuation</title>
+    <title id="Continuation">Line Continuation</title>
 
     <para>Lines may be continued using the usual backslash (<quote>\</quote>)
     followed immediately by a new line character (Enter key).</para>
@@ -720,7 +720,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
   <refsect1>
     <title>Time Columns</title>
 
-    <para>Several of the files include a TIME colum that allows you to specify
+    <para>Several of the files include a TIME column that allows you to specify
     times when the rule is to be applied. Contents of this column is a list of
     <replaceable>timeelement</replaceable>s separated by apersands
     (&amp;).</para>

Shorewall/manpages/shorewall-names.xml

@@ -243,7 +243,7 @@ POP(ACCEPT)    loc                  net:pop.gmail.com</programlisting>
   </refsect1>
 
   <refsect1>
-    <title>Logical Interface Names</title>
+    <title id="Logical">Logical Interface Names</title>
 
     <para>When dealing with a complex configuration, it is often awkward to
     use physical interface names in the Shorewall configuration.</para>

Shorewall/manpages/shorewall-rules.xml

@@ -1900,19 +1900,21 @@
           <simplelist>
             <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
             role="bold">s</emphasis>|<emphasis
-            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[[<replaceable>name</replaceable>][(<replaceable>ht-buckets</replaceable>,<replaceable>ht-max</replaceable>)]:]<emphasis>rate</emphasis><emphasis
+            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[<replaceable>name</replaceable>[(<replaceable>ht-buckets</replaceable>,<replaceable>ht-max</replaceable>)]:]<emphasis>rate</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
             role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
 
-            <member>[<replaceable>name</replaceable>1:]<emphasis>rate1</emphasis><emphasis
+            <member>[<emphasis
+            role="bold">s</emphasis>[/<replaceable>vlsm1</replaceable>]:][<replaceable>name</replaceable>1[(<replaceable>ht-buckets1</replaceable>,<replaceable>ht-max1</replaceable>)]:]<emphasis>rate1</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2:]<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<emphasis
+            role="bold">d</emphasis>[/<replaceable>vlsm2</replaceable>:][<replaceable>name</replaceable>2[(<replaceable>ht-buckets2</replaceable>,<replaceable>ht-max2</replaceable>)]:]<emphasis>rate2</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis

Shorewall/manpages/shorewall.conf.xml

@@ -500,7 +500,7 @@
           each listed directory is to be searched. AUTOMAKE=1 only searches
           each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
           will search each directory and its immediate sub-directories;
-          AUTOMAKE=3 will search each diretory, each of its immediate
+          AUTOMAKE=3 will search each directory, each of its immediate
           sub-directories, and each of their immediate sub-directories,
           etc.</para>
         </listitem>

Shorewall/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}

docs/Anti-Spoofing.xml

@@ -85,7 +85,7 @@
     server. It then sends a packet addressed to itself and from the server.
     Such packets are sent back out the same interface that received them
     (<firstterm>hairpin</firstterm>). In cases where the
-    <option>routerfilter</option> option can't be used, Shorewall 4.4.20 and
+    <option>routefilter</option> option can't be used, Shorewall 4.4.20 and
     later will set up hairpinning traps (see the SFILTER_DISPOSITION and
     SFILTER_LOG_LEVEL options in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>

docs/FAQ.xml

@@ -244,9 +244,25 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
         work</title>
 
         <para><emphasis role="bold">Answer:</emphasis> That is usually the
-        result of one of four things:</para>
+        result of one of five things:</para>
 
         <itemizedlist>
+          <listitem>
+            <para>You are trying to redirect a UDP port and there is already a
+            conntrack table entry for the flow, created via an ACCEPT
+            rule.</para>
+
+            <para>Example:</para>
+
+            <programlisting>        DNAT    loc:192.168.0.2 dmz:192.168.1.3 udp 53</programlisting>
+
+            <para>Assuming that you have installed the
+            <emphasis>conntrack</emphasis> package, you can delete all such
+            conntrack table entries using:</para>
+
+            <programlisting>        conntrack -D -s 192.168.0.2 -p udp --dport 53</programlisting>
+          </listitem>
+
           <listitem>
             <para>You are trying to test from inside your firewall (no, that
             won't work -- see <xref linkend="faq2"/>).</para>

docs/IPSEC-2.6.xml

@@ -323,7 +323,7 @@ vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ips
 
     <blockquote>
       <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:0.0.0.0/o                       <emphasis role="bold">ipsec</emphasis></programlisting>
+vpn               eth0:0.0.0.0/0                       <emphasis role="bold">ipsec</emphasis></programlisting>
     </blockquote>
 
     <para>Assuming that you want to give each local network free access to the

docs/MultiISP.xml

@@ -18,21 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2005</year>
-
-      <year>2006</year>
-
-      <year>2007</year>
-
-      <year>2008</year>
-
-      <year>2009</year>
-
-      <year>2010</year>
-
-      <year>2011</year>
-
-      <year>2012 2013</year>
+      <year>2005-2018</year>
 
       <holder>Thomas M. Eastep,</holder>
 
@@ -67,7 +53,7 @@
     <itemizedlist>
       <listitem>
         <para>The LARTC HOWTO: <ulink
-        url="http://www.lartc.org">http://www.lartc.org</ulink></para>
+        url="http://comparitech.net/lartc">http://comparitech.net/lartc</ulink></para>
       </listitem>
 
       <listitem>
@@ -2568,6 +2554,15 @@ exit 0
           of<filename> /etc/shorewall/providers</filename>; <emphasis
           role="bold">detect</emphasis> is not permitted.</para>
         </listitem>
+
+        <listitem>
+          <para>The <emphasis role="bold">optional</emphasis>
+          provider/interface option doesn't work (and is disallowed beginning
+          with Shorewall 5.2.1). If you need failover, you will need to
+          front-end your firewall with a configurable switch and create a
+          separate VLAN for each of your providers, thus providing a separate
+          network interface for each provider.</para>
+        </listitem>
       </orderedlist>
 
       <para>Taken together, b. and h. effectively preclude using this

docs/Shorewall_Doesnt.xml

@@ -65,9 +65,10 @@
         <itemizedlist>
           <listitem>
             <para>HTTP - better to use <ulink
-            url="Shorewall_Squid_Usage.html">Squid</ulink> and <ulink
-            url="http://dansguardian.org/">Dansguardian</ulink> for
-            that.</para>
+            url="Shorewall_Squid_Usage.html">Squid</ulink>, <ulink
+            url="http://www.e2guardian.org/">E2guardian</ulink>, or <ulink
+            url="http://comparitech.net/parental-control">Parental
+            Control</ulink> for that.</para>
           </listitem>
 
           <listitem>

docs/configuration_file_basics.xml

@@ -1302,7 +1302,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 
       <member><filename>macro</filename>.* files</member>
 
-      <member><filename>masq</filename></member>
+      <member><filename>snat</filename></member>
 
       <member><filename>nat</filename></member>