Correct IPv6 Address Range parsing

Previously, such ranges were required to be of the form [<addr1>-<addr2>]
rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
(and in nat actions), the latter form was actually flagged as an error
while in other contexts, it resulted in a less obvious error being raised.

With this change, both forms are accepted.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.common

@@ -411,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

Shorewall-core/manpages/shorewall.xml

@@ -1141,7 +1141,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>When no <replaceable>verbosity</replaceable> is specified,
           each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1162,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>Each instance of this option causes 1 to be subtracted from
           the effective verbosity.</para>
@@ -1199,7 +1199,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
           A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are host or network addresses.<caution>
               <para>The <command>add</command> command is not very robust. If
@@ -1214,7 +1214,7 @@
           <para>Beginning with Shorewall 4.5.9, the <emphasis
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5)) allows a single ipset to
           handle entries for multiple interfaces. When that option is
           specified for a zone, the <command>add</command> command has the
           alternative syntax in which the <replaceable>zone</replaceable> name
@@ -1332,7 +1332,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1440,7 +1440,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1458,7 +1458,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are a host or network address.</para>
 
@@ -1466,7 +1466,7 @@
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
           allows a single ipset to handle entries for multiple interfaces.
           When that option is specified for a zone, the
           <command>delete</command> command has the alternative syntax in
@@ -1493,7 +1493,7 @@
           command removes any routes added from <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
           any traffic shaping configuration for the interface.</para>
         </listitem>
       </varlistentry>
@@ -1554,7 +1554,7 @@
           adds any route specified in <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
           and installs the interface's traffic shaping configuration, if
           any.</para>
         </listitem>
@@ -1599,7 +1599,7 @@
           given then the file specified by RESTOREFILE in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -1684,7 +1684,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1700,7 +1700,7 @@
           <para>Monitors the log file specified by the LOGFILE option in
           <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
           and produces an audible alarm when new Shorewall messages are
           logged. The <emphasis role="bold">-m</emphasis> option causes the
           MAC address of each packet source to be displayed if that
@@ -1723,7 +1723,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1878,13 +1878,13 @@
                 INLINE_MATCHES is set to Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>
 
                 <para>The <option>-C</option> option was added in Shorewall
                 4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 If an existing firewall script is used and if that script was
                 the one that generated the current running configuration, then
                 the running netfilter configuration will be reloaded as is so
@@ -2006,7 +2006,7 @@
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2071,8 +2071,8 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2104,7 +2104,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -2144,8 +2144,8 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2177,7 +2177,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2304,7 +2304,7 @@
           restored from the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <caution>
             <para>If your iptables ruleset depends on variables that are
@@ -2460,7 +2460,7 @@
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>The <option>-C</option> option, added in Shorewall 4.6.5,
           causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2477,7 @@
           the SAVE_IPSETS option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command may be used to proactively save your ipset contents in
           the event that a system failure occurs prior to issuing a
           <command>stop</command> command.</para>
@@ -2645,7 +2645,7 @@
                 accounting counters (<ulink
                 url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                 (5), <ulink
-                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
+                url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -2669,7 +2669,7 @@
                 file specified by the LOGFILE option in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 The <emphasis role="bold">-m</emphasis> option causes the MAC
                 address of each packet source to be displayed if that
                 information is available.</para>
@@ -2851,7 +2851,7 @@
                   in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
                   will be restored if that saved configuration exists and has
                   been modified more recently than the files in
                   /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@@ -2862,7 +2862,7 @@
                   option was added to <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When LEGACY_FASTSTART=No, the modification times of files in
                   /etc/shorewall are compared with that of
                   /var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2881,7 @@
                   overriding the AUTOMAKE setting in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When both <option>-f</option> and <option>-c</option>are
                   present, the result is determined by the option that appears
                   last.</para>
@@ -2897,7 +2897,7 @@
                   INLINE_MATCHES is set to Yes in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
                   <para>The <option>-C</option> option was added in Shorewall
                   4.6.5 and is only meaningful when the <option>-f</option>

Shorewall-lite/install.sh

@@ -426,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
     install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi
 
 if [ -f helpers ]; then
@@ -433,11 +438,6 @@ if [ -f helpers ]; then
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #

Shorewall/Macros/macro.Bitcoin

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333

Shorewall/Macros/macro.BitcoinRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332

Shorewall/Macros/macro.BitcoinZMQ

@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332

Shorewall/Macros/macro.ONCRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111

Shorewall/Macros/macro.Tor

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	

Shorewall/Macros/macro.TorBrowserBundle

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150

Shorewall/Macros/macro.TorControl

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	

Shorewall/Macros/macro.TorDirectory

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030

Shorewall/Macros/macro.TorSocks

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	

Shorewall/Macros/macro.WUDO

@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
+	} elsif ( $action ne 'INLINE' ) {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -430,13 +430,14 @@ our $VERSION = 'MODULEVERSION';
 #      Untracked       - =<z1-z2>
 #
 our %chain_table;
-our $raw_table;
-our $nat_table;
-our $mangle_table;
-our $filter_table;
-our $export;
-our %renamed;
-our %nfobjects;
+our $raw_table;         # Reference to $chain_table{raw}
+our $nat_table;         # Reference to $chain_table{nat}
+our $mangle_table;      # Reference to $chain_table{mangle}
+our $filter_table;      # Reference to $chain_table{filter}
+
+our $export;            # True if we are compiling for export
+our %renamed;           # Maps chain renaming during optimization
+our %nfobjects;         # Records nfacct objects
 
 #
 # Target Types
@@ -464,10 +465,10 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	       TARPIT       => 0x200000,       #TARPIT
 
-	       FILTER_TABLE =>  0x1000000,
-	       MANGLE_TABLE =>  0x2000000,
-	       RAW_TABLE    =>  0x4000000,
-	       NAT_TABLE    =>  0x8000000,
+	       FILTER_TABLE =>  0x1000000,     #Target allowed in the filter table
+	       MANGLE_TABLE =>  0x2000000,     #Target allowed in the mangle table
+	       RAW_TABLE    =>  0x4000000,     #Target allowed in the raw table
+	       NAT_TABLE    =>  0x8000000,     #Target allowed in the nat table
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -535,6 +536,9 @@ our $ipset_rules;
 #
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
+#
+# Chain optimization flags
+#
 use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
 
 our %dscpmap = ( CS0  => 0x00,
@@ -686,15 +690,15 @@ our %ipset_exists;
 #
 # The following constants and hash are used to classify keys in a rule hash
 #
-use constant { UNIQUE      => 1,
-	       TARGET      => 2,
-	       EXCLUSIVE   => 4,
-	       MATCH       => 8,
-	       CONTROL     => 16,
-	       COMPLEX     => 32,
-	       NFACCT      => 64,
-	       EXPENSIVE   => 128,
-	       RECENT      => 256,
+use constant { UNIQUE      => 1,       # Simple header matches - only allowed once per rule
+	       TARGET      => 2,       # Rule target or its options
+	       EXCLUSIVE   => 4,       # 'state' or 'conntrack --ctstate'
+	       MATCH       => 8,       # Currently means 'policy ...'
+	       CONTROL     => 16,      # Unsed internally by the compiler - does not contribute to the iptables rule
+	       COMPLEX     => 32,      # Currently means 'contrack --cstate'
+	       NFACCT      => 64,      # nfacct match
+	       EXPENSIVE   => 128,     # Has high rule-processing cost in the kernel
+	       RECENT      => 256,     # recent match
 	   };
 
 our %opttype = ( rule          => CONTROL,
@@ -740,6 +744,9 @@ our %opttype = ( rule          => CONTROL,
 		 targetopts    => TARGET,
 	       );
 
+#
+# These allow the user to specify long option names in raw ip[6]tables input
+#
 our %aliases = ( protocol        => 'p',
 		 source          => 's',
 		 destination     => 'd',
@@ -759,7 +766,7 @@ our %isocodes;
 
 use constant { ISODIR => '/usr/share/xt_geoip/LE' };
 
-our %switches;
+our %switches;   # Recoreds switches (conditions)
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -785,7 +792,9 @@ sub initialize( $$$ ) {
     $filter_table  = $chain_table{filter};
     %renamed       = ();
     #
-    # Used to sequence chain names in each table.
+    # Used to sequence chain names in each table. $hard is true on the initial call to this function and
+    # false, when this function is called a second time to re-initialize before generating stopped ip[6]tables-
+    # restore input
     #
     %chainseq = () if $hard;
     #
@@ -1416,7 +1425,7 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies
+    # Don't combine rules where each specifies
     #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
@@ -1745,6 +1754,10 @@ sub add_rule($$;$) {
 #
 # New add_rule implementation
 #
+
+#
+# Push a set of matches into an irule (a rule using the new hash representation)
+#
 sub push_matches {
 
     my $ruleref = shift;
@@ -1911,6 +1924,9 @@ sub compare_values( $$ ) {
     }
 }
 
+#
+# Add an irule with matches but no target
+#
 sub add_irule( $;@ ) {
     my ( $chainref, @matches ) = @_;
 
@@ -2712,6 +2728,12 @@ sub add_expanded_jump( $$$$ ) {
     add_reference( $chainref, $toref ) while --$splitcount > 0;
 }
 
+#
+# Utility function used by add_ijump() and add_ijump_extended().
+# Returns a reference to the added rule. Return may be reference
+# to the dummy rule if the chain was already complete (last rule
+# is a simple jump to a terminating target).
+#
 sub add_ijump_internal( $$$$$;@ ) {
     my ( $fromref, $jump, $to, $expandports, $origin, @matches ) = @_;
 
@@ -2759,16 +2781,26 @@ sub add_ijump_internal( $$$$$;@ ) {
     $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
 }
 
+#
+# Add an jump to the end of a chain
+#
 sub add_ijump( $$$;@ ) {
     my ( $fromref, $jump, $to, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, '', @matches );
 }
 
+#
+# Like add_ijump() but also accepts an origin of the jump (the config file and line number
+# that caused the jump to be generated).
+#
 sub add_ijump_extended( $$$$;@ ) {
     my ( $fromref, $jump, $to, $origin, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, $origin, @matches );
 }
 
+#
+# Insert a jump at a zero-relative index into a chain.
+#
 sub insert_ijump( $$$$;@ ) {
     my ( $fromref, $jump, $to, $index, @matches ) = @_;
 
@@ -2840,6 +2872,9 @@ sub delete_jumps ( $$ ) {
     }
 }
 
+#
+# Reset the passed flag(s) in the passed chain
+#
 sub reset_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -2852,6 +2887,9 @@ sub reset_optflags( $$ ) {
     $chainref;
 }
 
+#
+# Set the passed flag(s) in the passed chain
+#
 sub set_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -2966,6 +3004,10 @@ sub accounting_chainrefs() {
     grep $_->{accounting} , values %$filter_table;
 }
 
+#
+# Ensure the existance of a chain in the mangle table and return
+# a reference to its chain table entry
+#
 sub ensure_mangle_chain($;$$) {
     my ( $chain, $number, $restriction ) = @_;
 
@@ -2976,6 +3018,10 @@ sub ensure_mangle_chain($;$$) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the nat table and return
+# a reference to its chain table entry
+
 sub ensure_nat_chain($) {
     my $chain = $_[0];
 
@@ -2984,6 +3030,10 @@ sub ensure_nat_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the raw table and return
+# a reference to its chain table entry
+#
 sub ensure_raw_chain($) {
     my $chain = $_[0];
 
@@ -3007,12 +3057,18 @@ sub new_builtin_chain($$$)
     $chainref;
 }
 
+#
+# Create a chain in the filter table, returning a reference to its chain table entry
+#
 sub new_standard_chain($) {
     my $chainref = new_chain 'filter' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new action chain, returning a reference to its chain table entry
+#
 sub new_action_chain($$) {
     my $chainref = &new_chain( @_ );
     $chainref->{referenced} = 1;
@@ -3020,12 +3076,18 @@ sub new_action_chain($$) {
     $chainref;
 }
 
+#
+# Create a chain in the nat table, returning a reference to its chain table entry
+#
 sub new_nat_chain($) {
     my $chainref = new_chain 'nat' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new manual chain, returning a reference to its chain table entry
+#
 sub new_manual_chain($) {
     my $chain = $_[0];
     fatal_error "Chain name ($chain) too long" if length $chain > 29;
@@ -3036,6 +3098,9 @@ sub new_manual_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a manual chain and return a reference to its chain table entry
+#
 sub ensure_manual_chain($) {
     my $chain = $_[0];
     my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
@@ -3045,6 +3110,9 @@ sub ensure_manual_chain($) {
 
 sub log_irule_limit( $$$$$$$$@ );
 
+#
+# Ensure the existance of the blacklist logging chain (blacklog)
+#
 sub ensure_blacklog_chain( $$$$$ ) {
     my ( $target, $disposition, $level, $tag, $audit ) = @_;
 
@@ -3063,6 +3131,9 @@ sub ensure_blacklog_chain( $$$$$ ) {
     'blacklog';
 }
 
+#
+# Ensure the existance of the audited blacklist logging chain (A_blacklog)
+#
 sub ensure_audit_blacklog_chain( $$$ ) {
     my ( $target, $disposition, $level ) = @_;
 
@@ -3084,7 +3155,6 @@ sub ensure_audit_blacklog_chain( $$$ ) {
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
-
 sub ensure_audit_chain( $;$$$ ) {
     my ( $target, $action, $tgt, $table ) = @_;
 
@@ -3121,7 +3191,6 @@ sub ensure_audit_chain( $;$$$ ) {
 #
 # Return the appropriate target based on whether the second argument is 'audit'
 #
-
 sub require_audit($$;$) {
     my ($action, $audit, $tgt ) = @_;
 
@@ -4925,10 +4994,10 @@ sub do_proto( $$$;$ )
 
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
+			if ( $sports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
-			    $output .= get_set_flags( $ports, 'src' );
+			    $output .= get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5037,7 +5106,9 @@ sub do_proto( $$$;$ )
     $output;
 }
 
-
+#
+# Generate a mac address match
+#
 sub do_mac( $ ) {
     my $mac = $_[0];
 
@@ -5050,6 +5121,9 @@ sub do_mac( $ ) {
     "-m mac ${invert}--mac-source $mac ";
 }
 
+#
+# Version of do_proto() that generates an irule match rather than an iptables text match
+#
 sub do_iproto( $$$ )
 {
     my ($proto, $ports, $sports ) = @_;
@@ -5136,8 +5210,8 @@ sub do_iproto( $$$ )
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
-			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			if ( $sports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5245,6 +5319,9 @@ sub do_iproto( $$$ )
     @output;
 }
 
+#
+# Generate a mac address match in irule format.
+#
 sub do_imac( $ ) {
     my $mac = $_[0];
 
@@ -5307,7 +5384,6 @@ sub verify_small_mark( $ ) {
 #
 # Generate an appropriate -m [conn]mark match string for the contents of a MARK column
 #
-
 sub do_test ( $$ )
 {
     my ($testval, $mask) = @_;
@@ -5462,6 +5538,9 @@ sub do_connlimit( $ ) {
     }
 }
 
+#
+# Create a calendar match
+#
 sub do_time( $ ) {
     my ( $time ) = @_;
 
@@ -5500,6 +5579,11 @@ sub do_time( $ ) {
     $result;
 }
 
+#
+# Resolve a user/group name to the appropriate numeric id. Only do the resolution
+# if we are not compiling for export, since remote name->id mapping is likely to
+# be different.
+#
 sub resolve_id( $$ ) {
     my ( $id, $type ) = @_;
 
@@ -5563,8 +5647,6 @@ sub do_user( $ ) {
 #
 # Create a "-m tos" match for the passed TOS
 #
-# This helper is also used during tos file processing
-#
 sub decode_tos( $$ ) {
     my ( $tos, $set ) = @_;
 
@@ -6101,6 +6183,9 @@ sub get_interface_address( $;$ );
 
 sub get_interface_gateway ( $;$$ );
 
+#
+# Verify and record a runtime address variable
+#
 sub record_runtime_address( $$;$$ ) {
     my ( $addrtype, $interface, $protect, $provider ) = @_;
 
@@ -6591,6 +6676,9 @@ sub match_ipsec_in( $$ ) {
     @match;
 }
 
+#
+# Match Dest IPSEC
+#
 sub match_ipsec_out( $$ ) {
     my ( $zone , $hostref ) = @_;
     my @match;
@@ -6615,7 +6703,7 @@ sub match_ipsec_out( $$ ) {
 }
 
 #
-# Handle a unidirectional IPSEC Options
+# Handle unidirectional IPSEC Options
 #
 sub do_ipsec_options($$$)
 {
@@ -6692,7 +6780,7 @@ sub do_ipsec($$) {
 }
 
 #
-# Generate a log message
+# Generate a logging rule
 #
 sub log_rule_limit( $$$$$$$$;$ ) {
     my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
@@ -6888,6 +6976,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
     }
 }
 
+#
+# Wrappers for the above that use the global default log limit
+#
 sub log_rule( $$$$ ) {
     my ( $level, $chainref, $disposition, $matches ) = @_;
 
@@ -7564,11 +7655,13 @@ sub isolate_source_interface( $ ) {
 		) {
 	    $iiface = $1;
 	    $inets  = $2;
+	    $inets =~ s/\]-\[/-/;
 	} elsif ( $source =~ /:/ ) {
 	    if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){
 		$inets = $source;
 	    } elsif ( $source =~ /^\[(.+)\]$/ ) {
 		$inets = $1;
+		$inets =~ s/\]-\[/-/;
 	    } else {
 		$inets = $source;
 	    }
@@ -7686,6 +7779,7 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
+	    $dnets =~ s/\]-\[/-/;
 	} elsif (  $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
 		   $dest =~ /^(.+?):(!?\+.+)$/    ||
 		   $dest =~ /^(.+?):(!?[&%].+)$/  ||
@@ -7698,6 +7792,7 @@ sub isolate_dest_interface( $$$$ ) {
 		$dnets = $dest;
 	    } elsif ( $dest =~ /^\[(.+)\]$/ ) {
 		$dnets = $1;
+	        $dnets =~ s/\]-\[/-/;
 	    } else {
 		$dnets = $dest;
 	    }
@@ -8475,7 +8570,7 @@ sub add_interface_options( $ ) {
 # We may have to generate part of the input at run-time. The rules array in each chain
 # table entry may contain both rules or shell source, determined by the contents of the 'mode'
 # member. We alternate between writing the rules into the temporary file to be passed to
-# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
+# iptables-restore (CAT_MODE) and writing shell source into the generated script (CMD_MODE).
 #
 # The following two functions are responsible for the mode transitions.
 #
@@ -9055,7 +9150,7 @@ sub create_nfobjects() {
 }
 #
 #
-# Generate the netfilter input
+# Generate the input to ip[6]tables-restore or to 'ip[6]tables -R'
 #
 sub create_netfilter_load( $ ) {
     my $test = shift;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,13 +47,13 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-our $export;
+our $export;          # True when compiling for export
 
-our $test;
+our $test;            # True when running regression tests
 
-our $family;
+our $family;          # IP address family (4 or 6)
 
-our $have_arptables;
+our $have_arptables;  # True if we have arptables rules
 
 #
 # Initilize the package-globals in the other modules
@@ -384,7 +384,7 @@ sub generate_script_3() {
     save_progress_message 'Initializing...';
 
     if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file( 'helpers' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
 	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -396,7 +396,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -523,13 +523,17 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
-
+#
+# Keeps track of which capabilities were used or required - Key is capability name
+#
 our %used;
 
 use constant {
                USED     => 1,
 	       REQUIRED => 2 };
-
+#
+# Common Protocols
+#
 use constant {
 	       ICMP                => 1,
 	       TCP                 => 6,
@@ -541,7 +545,7 @@ use constant {
 	       UDPLITE             => 136,
 	     };
 #
-# Optimization masks
+# Optimization masks (OPTIMIZE option)
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
@@ -550,7 +554,9 @@ use constant {
                OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
 	     };
-
+#
+# Map helpers to protocols
+#
 our %helpers = ( amanda          => UDP,
 		 ftp             => TCP,
 		 irc             => TCP,
@@ -625,7 +631,7 @@ our %config_files = ( #accounting      => 1,
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
-# Directories to search for configuration files
+# Directories to search for configuration files (CONFIG_PATH option)
 #
 our @config_path;
 #
@@ -648,10 +654,12 @@ our %compiler_params;
 # Action parameters
 #
 our %actparams;
-our $parmsmodified;
-our $usedcaller;
-our $inline_matches;
-
+our $parmsmodified;          # True of the current action has modified its parameters
+our $usedcaller;             # True if $CALLER has been acceseed in the current action
+our $inline_matches;         # Inline matches from the current rule
+#
+# File handling
+#
 our $currentline;            # Current config file line image
 our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
@@ -669,6 +677,7 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $ulogcount;              # Used to suppress duplicate warnings about ULOG support
 our $directive_callback;     # Function to call in compiler_directive
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -734,6 +743,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    MODULE_SUFFIX     => 1,
 		    MAPOLDACTIONS     => 1,
 		    INLINE_MATCHES    => 1,
+		    LOAD_HELPERS_ONLY => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -747,10 +757,11 @@ our $ifstack;
 #    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
 #    [1] - True if the outermost IF evaluated to false
 #    [2] - True if the the last unterminated IF evaluated to false
+#    [3] = The line number of the directive
 #
 # From .shorewallrc
 #
-our ( %shorewallrc, %shorewallrc1 );
+our ( %shorewallrc, %shorewallrc1 ); # Shorewallrc setting from local system and from remote firewall respectively
 #
 # read_a_line options
 #
@@ -828,6 +839,7 @@ sub initialize( $;$$$) {
     $comment       = '';
     $sr_comment    = '';
     $warningcount  = 0;
+    $ulogcount     = 0;
     #
     # Misc Globals
     #
@@ -969,7 +981,6 @@ sub initialize( $;$$$) {
 	  OPTIMIZE_ACCOUNTING => undef,
 	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
-	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
 	  FORWARD_CLEAR_MARK => undef,
 	  COMPLETE => undef,
@@ -1291,7 +1302,7 @@ sub initialize( $;$$$) {
     $compiletime =~ s/ +/ /g;
 }
 
-my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
+my @moabbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 
 sub add_ipset( $ ) {
     $ipsets{$_[0]} = 1;
@@ -1391,7 +1402,7 @@ sub info_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1419,7 +1430,7 @@ sub warning_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1544,7 +1555,7 @@ sub fatal_error	{
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $confess ) {
 	    print $log longmess( "   ERROR: @_$currentlineinfo\n" );
@@ -1567,6 +1578,9 @@ sub fatal_error	{
     }
 }
 
+#
+# This one is used for reporting syntax errors in embedded Perl code
+#
 sub fatal_error1 {
     handle_first_entry if $first_entry;
 
@@ -1574,7 +1588,7 @@ sub fatal_error1 {
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $debug ) {
 	    print $log longmess( "   ERROR: @_\n" );
@@ -1684,7 +1698,7 @@ sub emit {
 
     if ( $script || $debug ) {
 	#
-	# 'compile' as opposed to 'check'
+	# 'compile' (as opposed to 'check') or debugging (CLI 'trace' command)
 	#
 	for ( @_ ) {
 	    unless ( /^\s*$/ ) {
@@ -1845,12 +1859,15 @@ sub progress_message {
 
 	    @localtime = localtime unless $havelocaltime;
 
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
     }
 }
 
+#
+# This one doesn't compress out superfluous white space
+#
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
@@ -1864,7 +1881,7 @@ sub progress_message_nocompress {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1885,7 +1902,7 @@ sub progress_message2 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1906,7 +1923,7 @@ sub progress_message3 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -2077,7 +2094,7 @@ sub set_debug( $$ ) {
 #
 sub find_file($)
 {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2094,8 +2111,12 @@ sub find_file($)
     "$config_path[0]$filename";
 }
 
+#
+# Search the CONFIG_PATH for a file that is writable. Ignore directories where sample/default files are installed,
+# because users have a bad habit of including those in the CONFIG_PATH
+#
 sub find_writable_file($) {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2117,6 +2138,9 @@ sub supplied( $ ) {
     defined $val && $val ne '';
 }
 
+#
+# This one is used for determining if an action argument has been passed (excludes '-')
+#
 sub passed( $ ) {
     my $val = shift;
 
@@ -2135,7 +2159,7 @@ sub split_list( $$;$ ) {
 }
 
 #
-# This version handles parenthetical list elements with embedded commas. It removes the parentheses
+# This version handles parenthetical list elements containing embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
     my ($list, $type, $keepparens ) = @_;
@@ -2519,7 +2543,7 @@ sub split_line2( $$;$$$ ) {
 }
 
 #
-# Same as above, only it splits the raw current line
+# Same as above, only it splits the raw current line (line prior to variable expansion)
 #
 sub split_rawline2( $$;$$$ ) {
     my $savecurrentline = $currentline;
@@ -2627,6 +2651,7 @@ sub do_open_file( $ ) {
 # - Maximum value allowed in ?FORMAT directives
 # - ?COMMENT allowed in this file
 # - Ignore ?COMMENT in ths file
+# - Default file format
 #
 sub open_file( $;$$$$ ) {
     my ( $fname, $mf, $ca, $nc, $cf ) = @_;
@@ -2719,7 +2744,7 @@ sub clear_currentfilename() {
 }
 
 #
-# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
+# Utility functions for processing compiler directives
 #
 
 #
@@ -2746,7 +2771,7 @@ sub directive_warning( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 
@@ -2771,7 +2796,7 @@ sub directive_info( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 
@@ -3523,7 +3548,7 @@ sub shorewall {
 # We do this processing in read_a_line() rather than in the higher-level routines because
 # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
 # until we get back to the caller of read_a_line(), we could issue error messages about parsing and
-# running scripts in the file before we'd even indicated that we are processing it.
+# running scripts in the file before we'd even reported that we are processing it.
 #
 sub first_entry( $ ) {
     $first_entry = shift;
@@ -3700,6 +3725,7 @@ sub push_action_params( $$$$$$ ) {
 # Return:
 #   1 if the popped parameters were modified
 #   2 if the action used @CALLER
+#   3 if both
 #
 sub pop_action_params( $ ) {
     my $oldparms       = shift;
@@ -3710,6 +3736,10 @@ sub pop_action_params( $ ) {
     $return;
 }
 
+#
+# This is called when a DEFAULTS line is found in an action body. It supplies default values
+# for those paramaters that were not passed, or that were passed as '-'.
+#
 sub default_action_params {
     my $action = shift;
     my ( $val, $i );
@@ -3723,6 +3753,9 @@ sub default_action_params {
     fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }
 
+#
+# This function allows embedded Perl in actions to retreive the action paramaters
+#
 sub get_action_params( $ ) {
     my $num = shift;
 
@@ -3738,6 +3771,9 @@ sub get_action_params( $ ) {
     @return;
 }
 
+#
+# Helper for A_* actions
+#
 sub setup_audit_action( $ ) {
     my ( $action ) = @_;
 
@@ -3757,26 +3793,44 @@ sub get_action_logging() {
     @actparams{ 'loglevel', 'logtag' };
 }
 
+#
+# Allow embedded Perl in Actions to get the name of the action chain
+#
 sub get_action_chain() {
     $actparams{0};
 }
 
+#
+# Get the action name from an action file
+#
 sub get_action_chain_name() {
     $actparams{chain};
 }
-
+#
+# This allows an action to make subsequent log messages refer to the invoker of the action rather than the 
+# action itself
+#
 sub set_action_name_to_caller() {
     $actparams{chain} = $actparams{caller};
 }
 
+#
+# Get the current action's disposition
+#
 sub get_action_disposition() {
     $actparams{disposition};
 }
 
+#
+# Set the current action disposition for subsequent logging
+#
 sub set_action_disposition($) {
     $actparams{disposition} = $_[0];
 }
 
+#
+# Alter the value of one of the current actions parameters
+#
 sub set_action_param( $$ ) {
     my $i = shift;
 
@@ -3843,6 +3897,9 @@ sub expand_variables( \$ ) {
     }
 }
 
+#
+# Expand variables from shorewallrc in the current passed line
+#
 sub expand_shorewallrc_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     #                         $1      $2   $3                  -     $4
@@ -3886,7 +3943,7 @@ sub handle_first_entry() {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
-#   - Handle ?IF, ?ELSE, ?ENDIF
+#   - Handle ?SECTION
 #
 
 sub read_a_line($) {
@@ -4009,18 +4066,23 @@ sub read_a_line($) {
     }
 }
 
+#
+# Process the passed shorewallrc file, populating %shorewallrc
+#
 sub process_shorewallrc( $$ ) {
     my ( $shorewallrc , $product ) = @_;
 
     $shorewallrc{PRODUCT} = $product;
+    $variables{PRODUCT}   = $product;
 
     if ( open_file $shorewallrc ) {
-	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK | EXPAND_VARIABLES ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
 		expand_shorewallrc_variables($val) if supplied $val;
 		$shorewallrc{$var} = $val;
+		$variables{$var}   = $val;
 	    } else {
 		fatal_error "Unrecognized shorewallrc entry";
 	    }
@@ -4029,6 +4091,12 @@ sub process_shorewallrc( $$ ) {
 	fatal_error "Failed to open $shorewallrc: $!";
     }
 
+    #
+    # Older files may contain VARDIR= rather than VARLIB= to specify the directory
+    # where each product maintains its own state directory. This was confusing,
+    # because in the shell context, VARDIR points to the current product's state
+    # directory.
+    #
     if ( supplied $shorewallrc{VARDIR} ) {
 	if ( ! supplied $shorewallrc{VARLIB} ) {
 	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
@@ -4091,12 +4159,19 @@ sub default_yes_no ( $$;$ ) {
     $result;
 }
 
+#
+# This one is used for options that are supported by IPv4 but not IPv6. It issues a
+# warning message if the option is specified in shorewall6.conf.
+#
 sub default_yes_no_ipv4 ( $$ ) {
     my ( $var, $val ) = @_;
     default_yes_no( $var, $val );
     warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }
 
+#
+# This function handles options that have a numeric value.
+#
 sub numeric_option( $$$ ) {
     my ( $option, $default, $min ) = @_;
 
@@ -4114,6 +4189,9 @@ sub numeric_option( $$$ ) {
     $config{$option} = $val;
 }
 
+#
+# Returns a 32-bit value with the low order n bits set, where n is the passed argument.
+#
 sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
@@ -4214,6 +4292,10 @@ sub validate_level( $;$ ) {
 	if ( $value =~ /^(NFLOG|ULOG)$/ ) {
 	    my $olevel  = $value;
 
+	    if ( $value eq 'ULOG' ) {
+		warning_message "ULOG is deprecated in favor of NFLOG. Support for ULOG will be removed in a future release" unless $ulogcount++;
+	    }
+
 	    if ( $qualifier =~ /^[(](.*)[)]$/ ) {
 		my @options = split /,/, $1;
 		my $prefix  = lc $olevel;
@@ -4289,7 +4371,7 @@ sub default_log_level( $$ ) {
 }
 
 #
-# Check a tri-valued variable
+# Check a tri-valued option ("on", "of" and "keep")
 #
 sub check_trivalue( $$ ) {
     my ( $var, $default) = @_;
@@ -4371,7 +4453,7 @@ sub load_kernel_modules( ) {
 	push @moduledirectories, $_ if -d $_;
     }
 
-    if ( $moduleloader &&  @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
+    if ( $moduleloader &&  @moduledirectories && open_file( 'helpers' ) ) {
 	my %loadedmodules;
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -4425,7 +4507,8 @@ sub determine_kernelversion() {
 }
 
 #
-# Capability Reporting and detection.
+# Capability Reporting and detection. Each of the following functions detect the
+# availability of the related capability.
 #
 sub Nat_Enabled() {
     qt1( "$iptables $iptablesw -t nat -L -n" );
@@ -5140,7 +5223,7 @@ sub have_capability( $;$ ) {
 
     $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting;
 
-    $used{$capability} = $required ? 2 : 1 if $setting;
+    $used{$capability} = $required ? REQUIRED : USED if $setting;
 
     $setting;
 }
@@ -5169,111 +5252,6 @@ sub determine_capabilities() {
 	    qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
-
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
-	#
-	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
-	# functions but it ensures that %detect_capability is initialized properly.
-	#
-	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
-	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
-	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-
-	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
-	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
-	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
-	} else {
-	    $capabilities{NEW_CONNTRACK_MATCH} = '';
-	    $capabilities{OLD_CONNTRACK_MATCH} = '';
-	}
-
-	$capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' );
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
-	$capabilities{EMULTIPORT}   = detect_capability( 'EMULTIPORT' );
-	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
-
-	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
-	    $capabilities{PHYSDEV_BRIDGE} = detect_capability( 'PHYSDEV_BRIDGE' );
-	} else {
-	    $capabilities{PHYSDEV_BRIDGE} = '';
-	}
-
-	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
-	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
-	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
-	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
-	$capabilities{OWNER_NAME_MATCH}
-                                       = detect_capability( 'OWNER_NAME_MATCH' );
-	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
-	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
-	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
-	$capabilities{OLD_IPP2P_MATCH} = detect_capability( 'OLD_IPP2P_MATCH' );
-	$capabilities{LENGTH_MATCH}    = detect_capability( 'LENGTH_MATCH' );
-	$capabilities{ENHANCED_REJECT} = detect_capability( 'ENHANCED_REJECT' );
-	$capabilities{COMMENTS}        = detect_capability( 'COMMENTS' );
-	$capabilities{OLD_HL_MATCH}    = detect_capability( 'OLD_HL_MATCH' );
-	$capabilities{HASHLIMIT_MATCH} = detect_capability( 'HASHLIMIT_MATCH' );
-	$capabilities{MARK}            = detect_capability( 'MARK' );
-	$capabilities{XMARK}           = detect_capability( 'XMARK' );
-	$capabilities{EXMARK}          = detect_capability( 'EXMARK' );
-	$capabilities{CONNMARK}        = detect_capability( 'CONNMARK' );
-	$capabilities{XCONNMARK}       = detect_capability( 'XCONNMARK' );
-	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
-	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
-	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
-	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
-	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
-	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
-	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
-	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
-	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
-	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
-	$capabilities{ULOG_TARGET}     = detect_capability( 'ULOG_TARGET' );
-	$capabilities{NFLOG_TARGET}    = detect_capability( 'NFLOG_TARGET' );
-	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
-	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
-	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
-	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
-	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
-	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
-	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
-	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
-	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
-	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
-	$capabilities{BASIC_EMATCH}    = detect_capability( 'BASIC_EMATCH' );
-	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
-	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
-	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
-	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
-	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
-	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
-	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
-	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
-	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
-	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
-	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
-	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
-	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
-	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
-	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );
-
-	unless ( have_capability 'CT_TARGET' ) {
-	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
-	}
-
-    }
 }
 
 #
@@ -5337,6 +5315,9 @@ sub ensure_config_path() {
     }
 
     if ( $shorewall_dir ) {
+	#
+	# A directory has been specified -- place it at the front of the CONFIG_PATH
+	#
 	$shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|;
 	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
@@ -5371,7 +5352,8 @@ sub conditional_quote( $ ) {
 }
 
 #
-# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+# 'update' default values are sometimes different from the normal defaut value, to provide
+# backward compatibility.
 #
 sub update_default($$) {
     my ( $var, $val ) = @_;
@@ -5392,6 +5374,9 @@ sub transfer_permissions( $$ ) {
     }
 }
 
+#
+# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+#
 sub update_config_file( $ ) {
     my ( $annotate ) = @_;
 
@@ -5456,6 +5441,7 @@ sub update_config_file( $ ) {
     update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',              '' );
+    update_default( 'AUTOMAKE',              'No' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5790,7 +5776,7 @@ sub unsupported_yes_no_warning( $ ) {
 }
 
 #
-# Process the params file
+# Process the params file. Actually processing is done by the 'getparams' program in $LIBEXECDIR/shorewall/.
 #
 sub get_params( $ ) {
     my $export = $_[0];
@@ -6260,11 +6246,6 @@ sub get_configuration( $$$ ) {
 
     unshift @INC, @config_path;
 
-    #
-    # get_capabilities requires that the true settings of these options be established
-    #
-    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
-
     if ( ! $export && $> == 0 ) {
 	get_capabilities($have_capabilities);
     }
@@ -6317,8 +6298,6 @@ sub get_configuration( $$$ ) {
 	$capabilities{$_}    = 0 for grep /_HELPER/ , keys %capabilities;
     }
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
     #
     # Now initialize the used capabilities hash
     #
@@ -7056,8 +7035,6 @@ sub get_configuration( $$$ ) {
     }
 
     convert_to_version_5_2 if $update;
-
-    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
 
 #
@@ -7196,6 +7173,9 @@ sub generate_aux_config() {
     finalize_aux_config;
 }
 
+#
+# Generate a report of the fwmark layout
+#
 sub dump_mark_layout() {
     sub dumpout( $$$$$ ) {
 	my ( $name, $bits, $min, $max, $mask ) = @_;

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -66,6 +66,9 @@ sub initialize( $ ) {
     $family = shift;
 }
 
+#
+# Warn that the tos file is no longer supported
+#
 sub process_tos() {
 
    if ( my $fn = open_file 'tos' ) {
@@ -145,6 +148,9 @@ sub setup_ecn()
     }
 }
 
+#
+# Add a logging rule followed by a jump
+#
 sub add_rule_pair( $$$$$ ) {
     my ($chainref , $predicate , $target , $level, $tag ) = @_;
 
@@ -402,6 +408,9 @@ EOF
     }
 }
 
+#
+# Convert a routestopped file into an equivalent stoppedrules file
+#
 sub convert_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -662,6 +671,9 @@ sub process_stoppedrules() {
     $result;
 }
 
+#
+# Generate the rules required when DOCKER=Yes
+#
 sub create_docker_rules() {
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
@@ -703,6 +715,9 @@ sub create_docker_rules() {
 
 sub setup_mss();
 
+#
+# Add rules generated by .conf options and interface options
+#
 sub add_common_rules ( $ ) {
     my ( $upgrade ) = @_;
     my $interface;
@@ -1283,6 +1298,13 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );
 
+#
+# Create rules generated by the 'maclist' option and by entries in the maclist file.
+#
+# The function is called twice. The first call passes '1' and causes the maclist file
+# to be processed. The second call passes '2' and generates the jumps for 'maclist'
+# interfaces.
+#
 sub setup_mac_lists( $ ) {
 
     my $phase = $_[0];
@@ -2454,6 +2476,9 @@ sub generate_matrix() {
     }
 }
 
+#
+# Generate MSS rules
+#
 sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 				$addr = $1;
+				$addr =~ s/\]-\[/-/;
 
 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 
 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -62,23 +62,61 @@ our @routemarked_interfaces;
 our %provider_interfaces;
 our @load_providers;
 
-our $balancing;
-our $fallback;
-our $balanced_providers;
-our $fallback_providers;
-our $metrics;
-our $first_default_route;
-our $first_fallback_route;
-our $maxload;
-our $tproxies;
+our $balancing;               # True, if there are balanced providers
+our $fallback;                # True, if there are fallback providers
+our $balanced_providers;      # Count of balanced providers
+our $fallback_providers;      # Count of fallback providers
+our $metrics;                 # True, if using statistical balancing
+our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
+our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
+our $maxload;                 # Sum of 'load' values
+our $tproxies;                # Count of tproxy providers
 
-our %providers;
+our %providers;               # Provider table
+#
+# %provider_table { <provider> => { provider	      => <provider name>,
+#				    number	      => <provider number>,
+#				    id		      => <name> or <number> depending on USE_RT_NAMES,
+#				    rawmark	      => <specified mark value>,
+#				    mark	      => <mark, in hex>,
+#				    interface	      => <logical interface>,
+#				    physical	      => <physical interface>,
+#				    optional	      => {0|1},
+#				    wildcard	      => <from interface>,
+#				    gateway	      => <gateway>,
+#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
+#				    shared	      => <true, if multiple providers through this interface>,
+#				    copy	      => <contents of the COPY column>,
+#				    balance	      => <balance count>,
+#				    pref	      => <route rules preference (priority) value>,
+#				    mtu		      => <mtu>,
+#				    noautosrc	      => {0|1} based on [no]autosrc setting,
+#				    track	      => {0|1} based on 'track' setting,
+#				    loose	      => {0|1} based on 'loose' setting,
+#				    duplicate	      => <contents of the DUPLICATE column>,
+#				    address	      => If {shared} above, then the local IP address.
+#							 Otherwise, the value of the 'src' option,
+#				    mac		      => Mac address of gateway, if {shared} above,
+#				    tproxy	      => {0|1},
+#				    load	      => <load % for statistical balancing>,
+#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
+#							 a real provider,
+#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
+#				    hostroute	      => {0|1} based on [no]hostroute setting,
+#				    rules	      => ( <routing rules> ),
+#				    persistent_rules  => ( <persistent routing rules> ),
+#				    routes	      => ( <routes> ),
+#				    persistent_routes => ( <persistent routes> ),
+#				    persistent	      => {0|1} depending on 'persistent' setting,
+#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
+#				    origin	      => <filename and linenumber where provider/interface defined>
+#		   }
 
-our @providers;
+our @providers;    # Provider names. Only declared names are included in this array. 
 
-our $family;
+our $family;       # Address family
 
-our $lastmark;
+our $lastmark;     # Highest assigned mark
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -132,7 +170,6 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-
     if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
     }
@@ -677,7 +714,6 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-
 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -292,6 +292,8 @@ our $mangle;
 
 our $sticky;
 
+our $excludefw;
+
 our $divertref; # DIVERT chain
 
 our %validstates = ( NEW                => 0,
@@ -365,6 +367,10 @@ sub initialize( $ ) {
     #
     %actions           = ();
     #
+    # Count of 'all[+]=' encountered
+    #
+    $excludefw         = 0;
+    #
     # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
@@ -605,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
-    my ($params, $allow_bypass ) = @_;
+sub handle_nfqueue( $ ) {
+    my ($params) = @_;
     my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
@@ -619,7 +625,6 @@ sub handle_nfqueue( $$ ) {
 
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -647,7 +652,6 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 
 	$bypass =' --queue-bypass';
     } else {
@@ -672,14 +676,42 @@ sub process_a_policy1($$$$$$$) {
 
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
-    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+    my $clientwild = ( "\L$client" =~ /^all(\+)?(?:!(.+))?$/ );
+    my $clientexclude;
+    my %clientexcluded;
 
-    $intrazone  ||= $clientwild && $1;
+    if ( $clientwild ) {
+	$intrazone ||= $1;
+
+	if ( $clientexclude = $2 ) {
+	    for my $client ( split_list( $clientexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($client)" unless defined_zone( $client );
+		$clientexcluded{$client} = 1;
+	    }
+
+	    $client = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
-    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone   ||= ( $serverwild && $1 );
+    my $serverwild = ( "\L$server" =~ /^all(\+)?(?:!(.+))?/ );
+    my $serverexclude;
+    my %serverexcluded;
+
+
+    if ( $serverwild ) {
+	$intrazone ||= $1;
+
+	if ( $serverexclude = $2 ) {
+	    for my $server ( split_list( $serverexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($server)" unless defined_zone( $server );
+		$serverexcluded{$server} = 1;
+	    }
+
+	    $server = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
@@ -687,7 +719,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -702,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
     my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
-				  0 # Don't allow 'bypass'
-	    );
+	$policy = handle_nfqueue( $queue );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -762,20 +798,20 @@ sub process_a_policy1($$$$$$$) {
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
-	    for my $zone ( @zonelist ) {
-		for my $zone1 ( @zonelist ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, @zonelist ) ) {
+		for my $zone1 ( grep( ! $serverexcluded{zone}, @zonelist ) ) {
 		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
-	    for my $zone ( all_zones ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, all_zones ) ) {
 		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
-	for my $zone ( @zonelist ) {
+	for my $zone ( grep( ! $serverexcluded{$_}, @zonelist ) ) {
 	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
@@ -802,11 +838,15 @@ sub process_a_policy() {
 
     my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $clientlist = ( $clients =~ /,/ ) ) {
+    if ( $clients =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $clientlist = ( $clients =~ /,/ ) ) {
 	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $serverlist = ( $servers =~ /,/ ) ) {
+    if ( $servers =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $serverlist = ( $servers =~ /,/ ) ) {
 	$intrazone ||= ( $servers =~ s/\+$// );
     }	
 
@@ -816,12 +856,14 @@ sub process_a_policy() {
 
     if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
+	    fatal_error "'all' is not allowed in a source zone list" if $clientlist && $client =~ /^all\b/;
 	    for my $server ( split_list( $servers, 'zone' ) ) {
+		fatal_error "'all' is not allowed in a destination zone list" if $serverlist && $server =~ /^all\b/;
 		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
     } else {
-	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone );
     }
 }
 
@@ -1564,8 +1606,8 @@ sub merge_levels ($$) {
 
     return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
 
-    my @supparts = split /:/, $superior;
-    my @subparts = split /:/, $subordinate;
+    my @supparts = split_list2( $superior ,    'Action' );
+    my @subparts = split_list2( $subordinate , 'Action' );
 
     my $subparts = @subparts;
 
@@ -2609,7 +2651,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -2658,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
-				  1 # Allow 'bypass'
-	    );
+	$action = handle_nfqueue( $param );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -3659,6 +3699,7 @@ sub next_section() {
 #
 sub build_zone_list( $$$\$\$ ) {
     my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
+    my $original_input = $input;
     my $any = ( $input =~ s/^any/all/ );
     my $exclude;
     my $rest;
@@ -3687,9 +3728,25 @@ sub build_zone_list( $$$\$\$ ) {
 	    if ( $input eq 'all+' ) {
 		$$intrazoneref = 1;
 	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "$original_input is deprecated in favor of 'any+!\$FW'";
+		    } else {
+			warning_message "$original_input is deprecated in favor of 'all+!\$FW'";
+		    }
+		}
+
 		$$intrazoneref = 1;
 		$exclude{$fw} = 1;
 	    } elsif ( $input eq 'all-' ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "any- is deprecated in favor of 'any!\$FW'";
+		    } else {
+			warning_message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
+		    }
+		}
+
 		$exclude{$fw} = 1;
 	    } else {
 		fatal_error "Invalid $which ($input)";
@@ -4889,7 +4946,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -5710,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 			    $addr = $1;
+			    $addr =~ s/\]-\[/-/;
 
 			    if ( $addr =~ /^(.+)-(.+)$/ ) {
-				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $addr, 0;

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -222,6 +222,9 @@ use constant { IN_OUT     => 1,
 	       IN         => 2,
 	       OUT        => 3 };
 
+#
+# Zone types
+#
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -231,6 +234,9 @@ use constant { FIREWALL => 1,
 	       LOCAL    => 64,
 	   };
 
+#
+# Interface option classification
+#
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
 	       ENUM_IF_OPTION     => 3,
@@ -247,11 +253,17 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 
+#
+# 'ignore' option flags
+#
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
 our %validinterfaceoptions;
 
+#
+# Interface options that are implemented in /proc
+#
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
@@ -263,6 +275,9 @@ our %procinterfaceoptions=( accept_ra   => 1,
 			    sourceroute => 1,
 			  );
 
+#
+# Options that are not allowed with unmanaged interfaces
+#
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -281,10 +296,15 @@ our %prohibitunmanaged = (
 			  upnp           => 1,
 			  upnpclient     => 1,
 			 );
-
+#
+# Default values for options that admit an optional value
+#
 our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3, routeback => 1 );
 
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
+#
+# Maximum value for options that accept a range of values
+#
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 300 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
 
 our %validhostoptions;
 
@@ -701,7 +721,7 @@ sub determine_zones()
 }
 
 #
-# Return true of we have any ipsec zones
+# Return true If we have any ipsec zones
 #
 sub haveipseczones() {
     for my $zoneref ( values %zones ) {
@@ -872,6 +892,9 @@ sub single_interface( $ ) {
     @keys == 1 ? $keys[0] : '';
 }
 
+#
+# This function adds an interface:network pair to a zone
+#
 sub add_group_to_zone($$$$$$)
 {
     my ($zone, $type, $interface, $networks, $options, $inherit_options) = @_;
@@ -976,6 +999,9 @@ sub find_zone( $ ) {
     $zoneref;
 }
 
+#
+# Access functions for zone members
+#
 sub zone_type( $ ) {
     find_zone( $_[0] )->{type};
 }
@@ -990,26 +1016,44 @@ sub zone_mark( $ ) {
     $zoneref->{mark};
 }
 
+#
+# Returns the zone table entry for the passed zone name
+#
 sub defined_zone( $ ) {
     $zones{$_[0]};
 }
 
+#
+# Returns a list of all defined zones
+#
 sub all_zones() {
     @zones;
 }
 
+#
+# Returns a list of zones in the firewall itself (the firewall zone and vserver zones)
+#
 sub on_firewall_zones() {
    grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall and vserver zones
+#
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall zones
+#
 sub non_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }
 
+#
+# Returns the list of zones that don't contain sub-zones
+#
 sub all_parent_zones() {
     #
     # Although the firewall zone is technically a parent zone, we let the caller decide
@@ -1018,22 +1062,37 @@ sub all_parent_zones() {
     grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }
 
+#
+# Returns a list of complex zones (ipsec or with multiple interface:subnets)
+#
 sub complex_zones() {
     grep( $zones{$_}{complex} , @zones );
 }
 
+#
+# Returns a list of vserver zones
+#
 sub vserver_zones() {
     grep ( $zones{$_}{type} & VSERVER, @zones );
 }
 
+#
+# Returns the name of the firewall zone
+#
 sub firewall_zone() {
     $firewall_zone;
 }
 
+#
+# Returns a list of loopback zones
+#
 sub loopback_zones() {
     @loopback_zones;
 }
 
+#
+# Returns a list of local zones
+#
 sub local_zones() {
     @local_zones;
 }

Shorewall/Perl/compiler.pl

@@ -34,6 +34,8 @@
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
+#         --test                      # Used by the regression library to omit versions and time/dates
+#                                     # from the generated script
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
 #         --shorewallrc=<path>        # Path to global shorewallrc file.

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -897,6 +897,14 @@ detect_dynamic_gateway() { # $1 = interface
 	fi
     done
 
+    if [ -z "$gateway" -a -n "$(mywhich nmcli)" ]; then
+	if [ $g_family = 4 ]; then
+	    gateway=$(nmcli --fields DHCP4.OPTION,IP4.GATEWAY device show ${1} 2> /dev/null | sed -rn '/( routers = |IP4.GATEWAY:.*[1-9])/{s/.* //;p;q}')
+	else
+	    gateway=$(nmcli --terse --fields IP6.GATEWAY device show ${1} 2> /dev/null | cut -f2- -d':')
+	fi
+    fi
+
     [ -n "$gateway" ] && echo $gateway
 }
 

Shorewall/Samples/Universal/shorewall.conf

@@ -191,8 +191,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/one-interface/shorewall.conf

@@ -202,8 +202,6 @@ IP_FORWARDING=Off
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -199,8 +199,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -202,8 +202,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/configfiles/shorewall.conf

@@ -191,8 +191,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/helpers

@@ -16,25 +16,6 @@
 
 # Helpers
 #
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-#
-# 2.6.20+ helpers
-#
 loadmodule nf_conntrack_ftp
 loadmodule nf_conntrack_h323
 loadmodule nf_conntrack_irc

Shorewall/install.sh

@@ -466,17 +466,6 @@ if [ -z "$first_install" ]; then
     fi
 fi
 
-#
-# Install the Modules file
-#
-run_install $OWNERSHIP -m 0644 modules ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules
-echo "Modules file installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules"
-
-for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f
-    echo "Modules file $f installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f"
-done
-
 #
 # Install the Module Helpers file
 #
@@ -1252,6 +1241,14 @@ if [ $PRODUCT = shorewall ]; then
     rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps
 fi
 
+#
+# Remove unneeded modules files
+#
+
+if [ -n "$first_install" ]; then
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules*
+fi
+
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
     if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then

Shorewall/lib.cli-std

@@ -300,19 +300,6 @@ get_config() {
 	    ;;
     esac
 
-    case $LOAD_HELPERS_ONLY in
-	Yes|yes)
-	    ;;
-	No|no)
-	    LOAD_HELPERS_ONLY=
-	    ;;
-	*)
-	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
-		fatal_error "Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)"
-	    fi
-	    ;;
-    esac
-
     if [ -n "$WORKAROUNDS" ]; then
 	case $WORKAROUNDS in
 	    [Yy]es)

Shorewall/manpages/shorewall-files.xml

@@ -901,7 +901,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
     reload</command> or <command>shorewall restart</command>. This may be
     accomplished using the SWITCH column in <ulink
     url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
-    url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Using
+    url="manpages/shorewall-rules.html">shorewall6-rules</ulink> (5). Using
     this column requires that your kernel and iptables include
     <firstterm>Condition Match Support</firstterm> and you must be running
     Shorewall 4.4.24 or later. See the output of <command>shorewall show

Shorewall/manpages/shorewall-init.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/init.d/shorewall-init</command>
+      <command>shorewall-init</command>
 
       <arg>start|stop</arg>
     </cmdsynopsis>
@@ -149,7 +149,7 @@
     want to make both interfaces optional and set the REQUIRE_INTERFACE option
     to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf
     </ulink>(5) or <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). This
+    url="/manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). This
     causes the firewall to remain stopped until at least one of the interfaces
     comes up.</para>
   </refsect1>

Shorewall/manpages/shorewall-interfaces.xml

@@ -155,7 +155,7 @@ loc     eth2            -</programlisting>
           <para>Beginning with Shorewall 4.5.17, if you specify a zone for the
           'lo' interface, then that zone must be defined as type
           <option>local</option> in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5).</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-logging.xml

@@ -276,7 +276,7 @@
 
     <para>By setting the LOGTAGONLY option to Yes in <ulink
     url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+    url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, the
     disposition ('DROP' in the above example) will be omitted. Consider the
     following rule:</para>
 
@@ -373,7 +373,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
     <para>Beginning with Shorewall 4.6.4, you can configure the backend using
     the LOG_BACKEND option in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>.</para>
   </refsect1>
 
   <refsect1>

Shorewall/manpages/shorewall-modules.xml

@@ -38,6 +38,12 @@
     <filename>helpers</filename> file is used when
     LOAD_HELPERS_ONLY=Yes</para>
 
+    <important>
+      <para>Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option has
+      been removed and the behavior is the same as if LOAD_HELPERS_ONLY=Yes
+      was specified.</para>
+    </important>
+
     <para>Each record in the files has the following format:</para>
 
     <cmdsynopsis>

Shorewall/manpages/shorewall-nat.xml

@@ -35,7 +35,7 @@
       in many cases, Proxy ARP (<ulink
       url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
       or Proxy-NDP(<ulink
-      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
+      url="/manpages/shorewall-proxyndp.html">shorewall6-proxyndp</ulink>(5))
       is a better solution that one-to-one NAT.</para>
     </warning>
 

Shorewall/manpages/shorewall-policy.xml

@@ -68,32 +68,35 @@
         <term><emphasis role="bold">SOURCE</emphasis> -
         <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
-        role="bold">all</emphasis>|<emphasis
-        role="bold">all+</emphasis></term>
+        role="bold">all[+][!<replaceable>ezone</replaceable>[,...]]</emphasis></term>
 
         <listitem>
           <para>Source zone. Must be the name of a zone defined in <ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           $FW, "all" or "all+".</para>
 
-          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
-          not override the implicit intra-zone ACCEPT policy while "all+"
-          does.</para>
+          <para>Support for <emphasis role="bold">all+</emphasis> was added in
+          Shorewall 4.5.17. <emphasis role="bold">all</emphasis> does not
+          override the implicit intra-zone ACCEPT policy while <emphasis
+          role="bold">all+</emphasis> does.</para>
 
           <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
           separated by commas. As above, if '+' is specified after two or more
           zone names, then the policy overrides the implicit intra-zone ACCEPT
           policy if the same <replaceable>zone</replaceable> appears in both
           the SOURCE and DEST columns.</para>
+
+          <para>Beginning with Shorewall 5.2.3, a comma-separated list of
+          excluded zones preceded by "!" may follow <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">all+.</emphasis></para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
         <emphasis>zone</emphasis>[,...[+]]|<emphasis
-        role="bold">$FW</emphasis>|<emphasis
-        role="bold">all</emphasis>|<emphasis
-        role="bold">all+</emphasis></term>
+        role="bold">$FW</emphasis>|all[+][!<replaceable>ezone</replaceable>[,...]]</term>
 
         <listitem>
           <para>Destination zone. Must be the name of a zone defined in <ulink
@@ -112,6 +115,11 @@
           zone names, then the policy overrides the implicit intra-zone ACCEPT
           policy if the same <replaceable>zone</replaceable> appears in both
           the SOURCE and DEST columns.</para>
+
+          <para>Beginning with Shorewall 5.2.3, a comma-separated list of
+          excluded zones preceded by "!" may follow <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">all+</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -123,7 +131,7 @@
         role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
         role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
         role="bold">None</emphasis>}]</term>
@@ -228,7 +236,18 @@
                 given queues. This is useful for multicore systems: start
                 multiple instances of the userspace program on queues x, x+1,
                 .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                connection are put into the same nfqueue. Beginning with
+                Shorewall 5.1.0, queuenumber2 may be followed by the letter
+                'c' to indicate that the CPU ID will be used as an index to
+                map packets to the queues. The idea is that you can improve
+                performance if there's a queue per CPU. Requires the NFQUEUE
+                CPU Fanout capability in your kernel and iptables.</para>
+
+                <para>Beginning with Shorewall 4.6.10, the keyword <emphasis
+                role="bold">bypass</emphasis> can be given. By default, if no
+                userspace program is listening on an NFQUEUE, then all packets
+                that are to be queued are dropped. When this option is used,
+                the NFQUEUE rule behaves like ACCEPT instead.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-providers.xml

@@ -387,8 +387,10 @@
                 distributions but <emphasis role="bold">nohostroute</emphasis>
                 (below) is appropriate for recent distributions. <emphasis
                 role="bold">hostroute</emphasis> may interfere with Zebra's
-                ability to add routes on some distributions such as Debian
-                7.</para>
+                ability to add routes on some distributions such as Debian 7.
+                This option defaults to on when BALANCE_PROVIDERS=Yes, in
+                <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -404,7 +406,9 @@
                 older distributions but is appropriate for recent
                 distributions. <emphasis role="bold">nohostroute</emphasis>
                 allows Zebra's to correctly add routes on some distributions
-                such as Debian 7.</para>
+                such as Debian 7. This option defaults to off when
+                BALANCE_PROVIDERS=Yes, in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
               </listitem>
             </varlistentry>
 
@@ -446,7 +450,7 @@
                 </note>
 
                 <important>
-                  <para>RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not
+                  <para>RESTORE_DEFAULT_ROUTE=Yes in shorewall[6].conf is not
                   recommended when the <option>persistent</option> option is
                   used, as restoring default routes to the main routing table
                   can prevent link status monitors such as foolsm from

Shorewall/manpages/shorewall-rules.xml

@@ -545,7 +545,7 @@
                 the<replaceable>
                 ip6tables-</replaceable><replaceable>target</replaceable> as a
                 builtin action in <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
 
                 <important>
                   <para>If you specify REJECT as the
@@ -674,15 +674,15 @@
                 the keyword <emphasis role="bold">bypass</emphasis> can be
                 given. By default, if no userspace program is listening on an
                 NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
-                bypassed instead. The packet will move on to the next rule.
-                Also beginning in Shorewall 4.6.10, a second queue number
-                (<replaceable>queuenumber2</replaceable>) may be specified.
-                This specifies a range of queues to use. Packets are then
-                balanced across the given queues. This is useful for multicore
-                systems: start multiple instances of the userspace program on
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
-                the same connection are put into the same nfqueue.</para>
+                When this option is used, the NFQUEUE rule behaves like ACCEPT
+                instead. Also beginning in Shorewall 4.6.10, a second queue
+                number (<replaceable>queuenumber2</replaceable>) may be
+                specified. This specifies a range of queues to use. Packets
+                are then balanced across the given queues. This is useful for
+                multicore systems: start multiple instances of the userspace
+                program on queues x, x+1, .. x+n and use "x:x+n". Packets
+                belonging to the same connection are put into the same
+                nfqueue.</para>
 
                 <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
                 followed by the letter 'c' to indicate that the CPU ID will be
@@ -993,19 +993,18 @@
 
                 <variablelist>
                   <varlistentry>
-                    <term>all[+][-]</term>
+                    <term>all[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
+                      "-" means "All Zones, including the firewall zone".
                       Normally all omits intra-zone traffic, but intra-zone
                       traffic can be included specifying "+".</para>
                     </listitem>
                   </varlistentry>
 
                   <varlistentry>
-                    <term>any[+][-]</term>
+                    <term>any[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">any</emphasis> is equivalent
@@ -1259,6 +1258,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>all+!$FW</term>
+
+              <listitem>
+                <para>All but the firewall zone and applies to intrazone
+                traffic.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>net:^CN</term>
 
@@ -1349,19 +1357,18 @@
 
                 <variablelist>
                   <varlistentry>
-                    <term>all[+][-]</term>
+                    <term>all[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
+                      "-" means "All Zones, including the firewall zone".
                       Normally all omits intra-zone traffic, but intra-zone
                       traffic can be included specifying "+".</para>
                     </listitem>
                   </varlistentry>
 
                   <varlistentry>
-                    <term>any[+][-]</term>
+                    <term>any[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">any</emphasis> is equivalent
@@ -1573,7 +1580,7 @@
           <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
           then either:<orderedlist numeration="loweralpha">
               <listitem>
-                <para>the SOURCE must be <option>all[+][-]</option>, or</para>
+                <para>the SOURCE must be <option>all[+]</option>, or</para>
               </listitem>
 
               <listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -1382,7 +1382,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           of modules loaded by shorewall to those listed in
           <filename>/var/lib/shorewall[6]/helpers</filename> and those that
           are actually used. When not set, or set to the empty value,
-          LOAD_HELPERS_ONLY=No is assumed.</para>
+          LOAD_HELPERS_ONLY=No is assumed in Shorewall versions 5.2.2 and
+          earlier. Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY
+          option is removed, and the behavior is as if LOAD_HELPERS_ONLY=Yes
+          had been specified.</para>
         </listitem>
       </varlistentry>
 

Shorewall/modules

@@ -1,39 +0,0 @@
-#
-# Shorewall version 5 - Modules File
-#
-# /usr/share/shorewall/modules
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-INCLUDE modules.essential
-#
-# Other xtables modules
-#
-INCLUDE modules.xtables
-#
-# Helpers
-#
-INCLUDE helpers
-#
-# Ipset
-#
-INCLUDE modules.ipset
-#
-# Traffic Shaping
-#
-INCLUDE modules.tc
-#
-# Extensions
-#
-INCLUDE modules.extensions

Shorewall/modules.essential

@@ -1,32 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.essential
-#
-# Essential Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip_tables
-loadmodule iptable_filter
-loadmodule iptable_mangle
-loadmodule ip_conntrack
-loadmodule nf_conntrack
-loadmodule nf_conntrack_ipv4
-loadmodule iptable_nat
-loadmodule nf_nat
-loadmodule nf_nat_ipv4
-loadmodule iptable_raw
-loadmodule xt_state
-loadmodule xt_tcpudp

Shorewall/modules.extensions

@@ -1,59 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.extensions
-#
-# Extensions Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule ipt_addrtype
-loadmodule ipt_ah
-loadmodule ipt_CLASSIFY
-loadmodule ipt_CLUSTERIP
-loadmodule ipt_comment
-loadmodule ipt_connmark
-loadmodule ipt_CONNMARK
-loadmodule ipt_conntrack
-loadmodule ipt_dscp
-loadmodule ipt_DSCP
-loadmodule ipt_ecn
-loadmodule ipt_ECN
-loadmodule ipt_esp
-loadmodule ipt_hashlimit
-loadmodule ipt_helper
-loadmodule ipt_ipp2p
-loadmodule ipt_iprange
-loadmodule ipt_length
-loadmodule ipt_limit
-loadmodule ipt_mac
-loadmodule ipt_mark
-loadmodule ipt_MARK
-loadmodule ipt_MASQUERADE
-loadmodule ipt_multiport
-loadmodule ipt_NETMAP
-loadmodule ipt_NOTRACK
-loadmodule ipt_owner
-loadmodule ipt_physdev
-loadmodule ipt_pkttype
-loadmodule ipt_policy
-loadmodule ipt_realm
-loadmodule ipt_recent
-loadmodule ipt_REDIRECT
-loadmodule ipt_REJECT
-loadmodule ipt_SAME
-loadmodule ipt_sctp
-loadmodule ipt_set
-loadmodule ipt_state
-loadmodule ipt_tcpmss
-loadmodule ipt_TCPMSS
-loadmodule ipt_tos
-loadmodule ipt_TOS
-loadmodule ipt_ttl
-loadmodule ipt_TTL

Shorewall/modules.ipset

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.ipset
-#
-# IP Set Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_set
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_ipporthash
-loadmodule ip_set_iptree
-loadmodule ip_set_iptreemap
-loadmodule ip_set_macipmap
-loadmodule ip_set_nethash
-loadmodule ip_set_portmap
-loadmodule ipt_SET
-loadmodule ipt_set

Shorewall/modules.tc

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.tc
-#
-# Traffic Shaping Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_hfsc
-loadmodule sch_htb
-loadmodule sch_prio
-loadmodule sch_tbf
-loadmodule sch_fq_codel
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule cls_flow
-loadmodule cls_basic
-loadmodule act_police

Shorewall/modules.xtables

@@ -1,53 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.xtables
-#
-# Xtables Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_AUDIT
-loadmodule xt_CLASSIFY
-loadmodule xt_connmark
-loadmodule xt_CONNMARK
-loadmodule xt_conntrack
-loadmodule xt_dccp
-loadmodule xt_dscp
-loadmodule xt_DSCP
-loadmodule xt_hashlimit
-loadmodule xt_helper
-loadmodule xt_ipp2p
-loadmodule xt_iprange
-loadmodule xt_length
-loadmodule xt_limit
-loadmodule xt_mac
-loadmodule xt_mark
-loadmodule xt_MARK
-loadmodule xt_multiport
-loadmodule xt_nat
-loadmodule xt_NFQUEUE
-loadmodule xt_owner
-loadmodule xt_physdev
-loadmodule xt_pkttype
-loadmodule xt_policy
-loadmodule xt_sctp
-loadmodule xt_tcpmss
-loadmodule xt_TCPMSS
-loadmodule xt_time
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
-#
-# From xtables-addons
-#
-loadmodule xt_condition
-loadmodule xt_geoip
-loadmodule xt_ipp2p
-loadmodule xt_LOGMARK
-loadmodule xt_RAWNAT

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -179,8 +179,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/configfiles/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/modules

@@ -1,39 +0,0 @@
-#
-# Shorewall6 version 5 - Modules File
-#
-# /usr/share/shorewall6/modules
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-INCLUDE modules.essential
-#
-# Other xtables modules
-#
-INCLUDE modules.xtables
-#
-# Helpers
-#
-INCLUDE helpers
-#
-# Ipset
-#
-INCLUDE modules.ipset
-#
-# Traffic Shaping
-#
-INCLUDE modules.tc
-#
-# Extensions
-#
-INCLUDE modules.extensions

Shorewall6/modules.essential

@@ -1,28 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.essential
-#
-# Essential Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip6_tables
-loadmodule ip6table_filter
-loadmodule ip6table_mangle
-loadmodule ip6table_raw
-loadmodule xt_conntrack
-loadmodule nf_conntrack_ipv6
-loadmodule nf_nat
-loadmodule nf_nat_ipv6
-loadmodule xt_state
-loadmodule xt_tcpudp
-loadmodule ip6t_REJECT

Shorewall6/modules.extensions

@@ -1,16 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.extension
-#
-# Extensions Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule ip6_queue

Shorewall6/modules.ipset

@@ -1,27 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.ipset
-#
-# IP Set Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall6 and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_set
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_ipporthash
-loadmodule ip_set_iptree
-loadmodule ip_set_iptreemap
-loadmodule ip_set_macipmap
-loadmodule ip_set_nethash
-loadmodule ip_set_portmap
-loadmodule ipt_SET
-loadmodule ipt_set

Shorewall6/modules.tc

@@ -1,27 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.tc
-#
-# Traffic Shaping Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_htb
-loadmodule sch_hfsc
-loadmodule sch_prio
-loadmodule sch_tbf
-loadmodule sch_fq_codel
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule cls_flow
-loadmodule cls_basic
-loadmodule act_police

Shorewall6/modules.xtables

@@ -1,51 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.xtables
-#
-# Xtables Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_AUDIT
-loadmodule xt_CLASSIFY
-loadmodule xt_connmark
-loadmodule xt_CONNMARK
-loadmodule xt_conntrack
-loadmodule xt_dccp
-loadmodule xt_dscp
-loadmodule xt_DSCP
-loadmodule xt_hashlimit
-loadmodule xt_helper
-loadmodule xt_iprange
-loadmodule xt_length
-loadmodule xt_limit
-loadmodule xt_mac
-loadmodule xt_mark
-loadmodule xt_MARK
-loadmodule xt_multiport
-loadmodule xt_NFQUEUE
-loadmodule xt_owner
-loadmodule xt_physdev
-loadmodule xt_pkttype
-loadmodule xt_policy
-loadmodule xt_sctp
-loadmodule xt_tcpmss
-loadmodule xt_TCPMSS
-loadmodule xt_time
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
-#
-# From xtables-addons
-#
-loadmodule xt_condition
-loadmodule xt_geoip
-loadmodule xt_ipp2p
-loadmodule xt_LOGMARK
-loadmodule xt_RAWNAT

docs/Accounting.xml

@@ -54,9 +54,7 @@
     <quote>tcpflags</quote> and <quote>maclist</quote>.</para>
 
     <para>The columns in the accounting file are described in <ulink
-    url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
-    and <ulink
-    url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
+    url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
     (5).</para>
 
     <para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,

docs/Actions.xml

@@ -499,16 +499,12 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
       <title>Mangle Actions</title>
 
       <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
-      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
-      <ulink
-      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
+      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>.
       Because the rules and mangle files have different column layouts,
       actions can be defined to be used in one file or the other but not in
       both. To designate an action to be used in the mangle file, specify the
       <option>mangle</option> option in the action's entry in <ulink
-      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
-      <ulink
-      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
+      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
 
       <para>To create a mangle action, follow the steps in the preceding
       section, but use the

docs/Documentation_Index.xml

@@ -45,11 +45,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Manpages.html">IPv4 Manpages</ulink></entry>
-          </row>
-
-          <row>
-            <entry><ulink url="Manpages6.html">IPv6 Manpages</ulink></entry>
+            <entry><ulink url="Manpages.html">Manpages</ulink></entry>
           </row>
 
           <row>

docs/FTP.xml

@@ -431,7 +431,7 @@ CT:helper:ftp           loc             -               tcp     21</programlisti
     <para><filename>/etc/shorewall/rules:</filename></para>
 
     <programlisting>#ACTION         SOURCE         DEST                 PROTO     DPORT
-DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
+DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }</programlisting>
 
     <para>That entry will accept ftp connections on port 12345 from the net
     and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>

docs/IPSEC-2.6.xml

@@ -364,6 +364,12 @@ ACCEPT     vpn:134.28.54.2  $FW</programlisting>
       <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
+      <para>Note that if you are using ipcomp, you should omit the mode
+      specification:</para>
+
+      <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
+vpn     ipsec   -                       <emphasis role="bold">mss=1400</emphasis></programlisting>
+
       <para>You should also set FASTACCEPT=No in shorewall.conf to ensure that
       both the SYN and SYN,ACK packets have their MSS field adjusted.</para>
 

docs/IPv6Support.xml

@@ -178,7 +178,7 @@
             <para>Set KEEP_RT_TABLES=No in <ulink
             url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
             set KEEP_RT_TABLES=Yes in <ulink
-            url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+            url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
           </listitem>
         </itemizedlist>
 
@@ -469,9 +469,9 @@ ACCEPT          net:wlan0:&lt;2002:ce7c:92b4::3&gt;   $FW             tcp     22
           <para>The Linux IPv6 stack does not support balancing (multi-hop)
           routes. Thehe <option>balance</option> and <option>fallback</option>
           options in <ulink
-          url="manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
+          url="manpages/shorewall-providers.html">shorewall6-providers</ulink>(5)
           and USE_DEFAULT_RT=Yes in <ulink
-          url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) are
+          url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5) are
           supported, but at most one provider can have the
           <option>balance</option> option and at most one provider can have
           the <option>fallback</option> option.</para>

docs/ISO-3661.xml

@@ -84,7 +84,7 @@
     any future ability to install the database at another location, Shorewall
     supports a GEOIPDIR option in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). The
+    url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
     default value of that option is
     <filename>/usr/share/xt_geoip/LE</filename>.</para>
 

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 5.0 Manpages</title>
+    <title>Shorewall 5.* Manpages</title>
 
     <authorgroup>
       <author>
@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2007-2017</year>
+      <year>2007-2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -53,6 +53,10 @@
         <member><ulink url="manpages/shorewall-actions.html">actions</ulink> -
         Declare user-defined actions.</member>
 
+        <member><ulink
+        url="/manpages/shorewall-addresses.html">addresses</ulink> - Describes
+        how IP address and ports are specified in Shorewall</member>
+
         <member><ulink url="manpages/shorewall-arprules.html">arprules</ulink>
         - (Added in Shorewall 4.5.12) Define arpfilter rules.</member>
 
@@ -71,6 +75,9 @@
         url="manpages/shorewall-exclusion.html">exclusion</ulink> - Excluding
         hosts from a network or zone</member>
 
+        <member><ulink url="/manpages/shorewall-files.html">files</ulink> -
+        Describes the shorewall configuration files</member>
+
         <member><ulink url="manpages/shorewall-hosts.html">hosts</ulink> -
         Define multiple zones accessed through a single interface</member>
 
@@ -96,7 +103,11 @@
         Define Masquerade/SNAT (deprecated)</member>
 
         <member><ulink url="manpages/shorewall-modules.html">modules</ulink> -
-        Specify which kernel modules to load.</member>
+        Specify which kernel modules to load (Removed in Shorewall
+        5.2.3)</member>
+
+        <member><ulink url="/manpages/shorewall-names.html">names</ulink> -
+        Describes object naming in Shorewall configuration files</member>
 
         <member><ulink url="manpages/shorewall-nat.html">nat</ulink> - Define
         one-to-one NAT.</member>
@@ -120,9 +131,8 @@
         <member><ulink url="manpages/shorewall-proxyarp.html">proxyarp</ulink>
         - Define Proxy ARP (IPv4)</member>
 
-        <member><ulink
-        url="manpages6/shorewall-proxyndp.html">proxyndp</ulink> - Define
-        Proxy NDP (IPv6)</member>
+        <member><ulink url="manpages/shorewall-proxyndp.html">proxyndp</ulink>
+        - Define Proxy NDP (IPv6)</member>
 
         <member><ulink url="manpages/shorewall-rtrules.html">rtrules</ulink> -
         Define routing rules.</member>
@@ -168,7 +178,7 @@
         values for global Shorewall options.</member>
 
         <member><ulink
-        url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
+        url="manpages/shorewall.conf.html">shorewall6.conf</ulink> - Specify
         values for global Shorewall6 options.</member>
 
         <member><ulink
@@ -201,7 +211,7 @@
       <simplelist>
         <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
         /sbin/shorewall, /sbin/shorewall6/, /sbin/shorewall-lite and
-        /sbin/shorewall6-line command syntax and semantics.</member>
+        /sbin/shorewall6-lite command syntax and semantics.</member>
       </simplelist>
     </blockquote>
   </section>

docs/Manpages6.xml

@@ -1,182 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<article>
-  <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
-
-  <articleinfo>
-    <title>Shorewall6 5.0 Manpages</title>
-
-    <authorgroup>
-      <author>
-        <firstname>Tom</firstname>
-
-        <surname>Eastep</surname>
-      </author>
-    </authorgroup>
-
-    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
-
-    <copyright>
-      <year>2007-2014</year>
-
-      <holder>Thomas M. Eastep</holder>
-    </copyright>
-
-    <legalnotice>
-      <para>Permission is granted to copy, distribute and/or modify this
-      document under the terms of the GNU Free Documentation License, Version
-      1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
-      License</ulink></quote>.</para>
-    </legalnotice>
-  </articleinfo>
-
-  <warning>
-    <para>These manpages are for Shorewall6 5.0 and later only. They describe
-    features and options not available on earlier releases.The manpages for
-    Shorewall 4.4-4.6 are available <ulink
-    url="/manpages4/Manpages.html">here</ulink>.</para>
-  </warning>
-
-  <section id="Section5">
-    <title>Section 5 — Files and Concepts</title>
-
-    <blockquote>
-      <simplelist>
-        <member><ulink
-        url="manpages6/shorewall6-accounting.html">accounting</ulink> - Define
-        IP accounting rules.</member>
-
-        <member><ulink url="manpages6/shorewall6-actions.html">actions</ulink>
-        - Declare user-defined actions.</member>
-
-        <member><ulink url="manpages6/shorewall6-blrules.html">blrules</ulink>
-        - shorewall6 Blacklist file.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-conntrack.html">conntrack</ulink> - Specify
-        helpers for connections or exempt certain traffic from netfilter
-        connection tracking.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-exclusion.html">exclusion</ulink> -
-        Excluding hosts from a network or zone</member>
-
-        <member><ulink url="manpages6/shorewall6-hosts.html">hosts</ulink> -
-        Define multiple zones accessed through a single interface</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-interfaces.html">interfaces</ulink> - Define
-        the interfaces on the system and optionally associate them with
-        zones.</member>
-
-        <member><ulink url="manpages6/shorewall6-maclist.html">maclist</ulink>
-        - Define MAC verification.</member>
-
-        <member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
-        Supersedes tcrules and describes packet/connection marking.</member>
-
-        <member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
-        Define Masquerade/SNAT</member>
-
-        <member><ulink url="manpages6/shorewall6-modules.html">modules</ulink>
-        - Specify which kernel modules to load.</member>
-
-        <member><ulink url="manpages6/shorewall6-nat.html">nat</ulink> -
-        (added in Shorewall 4.6.4) Specify 1:1 NAT</member>
-
-        <member><ulink url="manpages6/shorewall6-nesting.html">nesting</ulink>
-        - How to define nested zones.</member>
-
-        <member><ulink url="manpages6/shorewall6-params.html">params</ulink> -
-        Assign values to shell variables used in other files.</member>
-
-        <member><ulink url="manpages6/shorewall6-policy.html">policy</ulink> -
-        Define high-level policies for connections between zones.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-providers.html">providers</ulink> - Define
-        routing tables, usually for multiple Internet links.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-proxyndp.html">proxyndp</ulink> - Defines
-        Proxy NDP</member>
-
-        <member><ulink url="manpages6/shorewall6-rtrules.html">rtrules</ulink>
-        - Define routing rules.</member>
-
-        <member><ulink url="manpages6/shorewall6-routes.html">routes</ulink> -
-        (Added in Shorewall 4.4.15) Add additional routes to provider routing
-        tables.</member>
-
-        <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
-        Specify exceptions to policies, including DNAT and REDIRECT.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
-        an SELinux context to a packet.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-stoppedrules.html">stoppedrules</ulink> -
-        Specify connections to be permitted when Shorewall6 is in the stopped
-        state (Added in Shoreall 4.5.8).</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
-        htb classes for traffic shaping.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-tcdevices.html">tcdevices</ulink> - Specify
-        speed of devices for traffic shaping.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-tcinterfaces.html">tcinterfaces</ulink> -
-        Specify interfaces for simplified traffic shaping.</member>
-
-        <member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
-        Classify traffic for simplified traffic shaping.</member>
-
-        <member><ulink url="manpages6/shorewall6-tunnels.html">tunnels</ulink>
-        - Define VPN connections with endpoints on the firewall.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
-        values for global Shorewall6 options.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>
-        - Specify values for global Shorewall6 Lite options.</member>
-
-        <member><ulink url="manpages6/shorewall6-vardir.html">vardir</ulink> -
-        Redefine the directory where Shorewall6 keeps its state
-        information.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-lite-vardir.html">vardir-lite</ulink> -
-        Redefine the directory where Shorewall6 Lite keeps its state
-        information.</member>
-
-        <member><ulink url="manpages6/shorewall6-zones.html">zones</ulink> -
-        Declare Shorewall6 zones.</member>
-      </simplelist>
-    </blockquote>
-  </section>
-
-  <section id="Section8">
-    <title>Section 8 — Administrative Commands</title>
-
-    <blockquote>
-      <simplelist>
-        <member><ulink url="manpages6/shorewall6.html">shorewall6</ulink> -
-        /sbin/shorewall6 command syntax and semantics.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink> -
-        /sbin/shorewall6-lite command syntax and semantics.</member>
-      </simplelist>
-    </blockquote>
-  </section>
-</article>

docs/PacketMarking.xml

@@ -63,8 +63,7 @@
     <command>ethereal</command> or any other packet sniffing program. They can
     be seen in an iptables/ip6tables trace -- see the
     <command>iptrace</command> command in <ulink
-    url="manpages/shorewall.html">shorewall</ulink>(8) and <ulink
-    url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
+    url="manpages/shorewall.html">shorewall</ulink>(8).</para>
 
     <para>Example (output has been folded for display ):</para>
 

docs/ProxyARP.xml

@@ -311,7 +311,7 @@ shorewall start</programlisting>
     <itemizedlist>
       <listitem>
         <para>The configuration file is /etc/shorewall6/proxyndp (see <ulink
-        url="manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp
+        url="manpages/shorewall-proxyndp.html">shorewall6-proxyndp
         </ulink>(5)).</para>
       </listitem>
 

docs/SharedConfig.xml

@@ -348,7 +348,7 @@ ZONE_BITS=0
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#  http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

docs/Shorewall-Lite.xml

@@ -386,6 +386,10 @@
         <filename>modules</filename> or <filename>helpers</filename> file
         found on the CONFIG_PATH on the Administrative System during
         compilation will be used.</para>
+
+        <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed and
+        the behavior is that which was formerly obtained by setting
+        LOAD_HELPERS_ONLY=Yes.</para>
       </section>
 
       <section id="Converting">

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2017</year>
+      <year>2001-2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -56,7 +56,7 @@
     Shorewall</ulink> is required reading for being able to use this article
     effectively. For information about setting up your first Shorewall-based
     firewall, see the <ulink url="GettingStarted.html">Quickstart
-    Guides</ulink>.</para>
+    Guides</ulink>.in</para>
   </section>
 
   <section id="Files">
@@ -283,8 +283,8 @@
 
         <listitem>
           <para><filename>/usr/share/shorewall/modules</filename> — Specifies
-          the kernel modules to be loaded during shorewall
-          start/restart.</para>
+          the kernel modules to be loaded during shorewall start/restart
+          (removed in Shorewall 5.2.3).</para>
         </listitem>
 
         <listitem>
@@ -802,9 +802,9 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
         <term>INLINE</term>
 
         <listitem>
-          <para>INLINE, added in Shorewall 4. is available in the mangle, masq
-          and rules files and allows you to specify ip[6]table text following
-          a semicolon to the right of the column-oriented
+          <para>INLINE, added in Shorewall 4. is available in the mangle, snat
+          (masq) and rules files and allows you to specify ip[6]table text
+          following two semicolons to the right of the column-oriented
           specifications.</para>
 
           <para>INLINE takes one optional parameter which, if present, must be
@@ -852,12 +852,13 @@ INLINE               net              $FW ;; -m recent --rcheck 10 --hitcount 5
           column=value specifications. In Shorewall 5.0.0 and later, inline
           matches are allowed in mangle, masq and rules following two adjacent
           semicolons (";;"). If alternate input is present, the adjacent
-          semicolons should follow that input.</para>
+          semicolons should follow that input. In Shorewall 5.2.2, this
+          support was extended to the conntrack file.</para>
 
           <caution>
-            <para>INLINE_MATCHES=Yes is deprecated and will no longer be
-            supported in Shorewall 5.2 and beyond. Use two adjacent semicolons
-            to introduce inline matches.</para>
+            <para>INLINE_MATCHES=Yes is deprecated and is not supported in
+            Shorewall 5.2 and beyond. Use two adjacent semicolons to introduce
+            inline matches.</para>
           </caution>
 
           <para>Example from the masq file that spits outgoing SNAT between

docs/ipsets.xml

@@ -28,6 +28,8 @@
 
       <year>2017</year>
 
+      <year>2019</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -182,7 +184,7 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     together with the ipsets supporting dynamic zones are saved. Shorewall6
     support for the SAVE_IPSETS option was also added in 4.6.4. When
     SAVE_IPSETS=Yes in <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, only ipv6
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, only ipv6
     ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
     ipv4 ipsets are saved. Both features require ipset version 5 or
@@ -201,9 +203,9 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>
 
     <para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6-conf(5)</ulink>. When set
-    to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets
-    by setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
+    url="manpages/shorewall.conf.html">shorewall6-conf(5)</ulink>. When set to
+    Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by
+    setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
 
     <para>Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work
@@ -221,7 +223,7 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
 
     <para>If you configure SAVE_IPSETS in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> then do
-    not set SAVE_IPSETS in shorewall-init.</para>
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then do not
+    set SAVE_IPSETS in shorewall-init.</para>
   </section>
 </article>

docs/shorewall_logging.xml

@@ -431,7 +431,7 @@ sync=1</programlisting>
     <para>Beginning with Shorewall 4.6.4, you can configure the backend using
     the LOG_BACKEND option in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>.</para>
   </section>
 
   <section id="Syslog-ng">
@@ -477,7 +477,7 @@ sync=1</programlisting>
 
       <para>By setting the LOGTAGONLY option to Yes in <ulink
       url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
-      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+      url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, the
       disposition ('DROP' in the above example) will be omitted. Consider the
       following rule:</para>
 
@@ -511,7 +511,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
 
       <para><ulink
       url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
+      url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> have a
       number of options whose values are log levels. Beginning with Shorewall
       5.0.0, these specifcations may include a log tag as described <link
       linkend="LogTags">above</link>.</para>

docs/standalone.xml

@@ -486,6 +486,11 @@ root@lists:~# </programlisting>
     <filename>/usr/share/shorewall/modules</filename>. That file does not set
     <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
 
+    <important>
+      <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed and
+      the behavior is the same as if LOAD_HELPERS_ONLY=Yes.</para>
+    </important>
+
     <para>If you need to modify either
     <filename>/usr/share/shorewall/helpers</filename> or
     <filename>/usr/share/shorewall/modules</filename> then copy the file to

docs/three-interface.xml

@@ -799,6 +799,12 @@ root@lists:~# </programlisting>
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
+
+    <important>
+      <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed, and
+      the behavior is the same as if LOAD_HELPERS_ONLY=Yes was
+      specified.</para>
+    </important>
   </section>
 
   <section id="DNAT">

docs/traffic_shaping.xml

@@ -1049,7 +1049,7 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
 
         <listitem>
           <para>Set TC_ENABLED=Shared in <ulink
-          url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+          url="manpages/shorewall.conf.html">shorewall6.conf</ulink>
           (5).</para>
         </listitem>
 

docs/two-interface.xml

@@ -751,6 +751,12 @@ root@lists:~# </programlisting>
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
+
+    <important>
+      <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed, and
+      the behavior is the same as if LOAD_HELPERS_ONLY=Yes was
+      specified.</para>
+    </important>
   </section>
 
   <section id="DNAT">

docs/upgrade_issues.xml

@@ -771,7 +771,7 @@
         <para>If your <ulink
         url="manpages/shorewall-params.html">/etc/shorewall/params</ulink> (or
         <ulink
-        url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
+        url="manpages/shorewall-params.html">/etc/shorewall6/params</ulink>)
         file sends output to Standard Output, you need to be aware that the
         output will be redirected to Standard Error beginning with Shorewall
         4.4.16.</para>
@@ -782,7 +782,7 @@
         deprecated. With EXPORTPARAMS=No, the variables set by <ulink
         url="manpages/shorewall-params.html">/etc/shorewall/params</ulink>
         (<ulink
-        url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
+        url="manpages/shorewall-params.html">/etc/shorewall6/params</ulink>)
         at compile time are now available in the compiled firewall
         script.</para>
       </listitem>

docs/useful_links.xml

@@ -10,7 +10,9 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2003-2009</year>
+      <year>2003-2013</year>
+
+      <year>2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -79,7 +81,7 @@
 
         <row rowsep="0" valign="middle">
           <entry>Debian apt-get sources for Shorewall: <ulink
-          url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>
+          url="http://people.connexer.com/~roberto/debian/">http://people.connexer.com/~roberto/debian/</ulink></entry>
         </row>
 
         <row rowsep="0" valign="middle">
@@ -88,45 +90,51 @@
         </row>
 
         <row rowsep="0" valign="middle">
-          <entry>Tom's 2005 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2005 LinuxFest NW Presentation - "Shorewall and Native
+          IPsec" : <ulink
           url="http://www.shorewall.net/LinuxFest2005.pdf">http://www.shorewall.net/LinuxFest2005.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2006 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2006 LinuxFest NW Presentation - "OpenVPN" : <ulink
           url="http://www.shorewall.net/LinuxFest2006.pdf">http://www.shorewall.net/LinuxFest2006.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2007 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2007 LinuxFest NW Presentation - "Xen and the Art of
+          Consolidation" : <ulink
           url="http://www.shorewall.net/Linuxfest-2007.pdf">http://www.shorewall.net/Linuxfest-2007.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2008 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2008 LinuxFest NW Presentation - "Kernel-mode Virtual
+          Machine (KVM)" : <ulink
           url="http://www.shorewall.net/Linuxfest-2008.pdf">http://www.shorewall.net/Linuxfest-2008.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2009 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2009 LinuxFest NW Presentation - "Introduction to IPv6"
+          : <ulink
           url="http://www.shorewall.net/Linuxfest-2009.pdf">http://www.shorewall.net/LinuxFestNW-2009.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2010 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2010 LinuxFest NW Presentation - "Managing Multiple
+          Internet Connections with Shorewall" : <ulink
           url="http://www.shorewall.net/LinuxfestNW-2010.pdf">http://www.shorewall.net/LinuxFestNW-2010.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2011 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2011 LinuxFest NW Presentation - "LXC - Linux
+          Containers" : <ulink
           url="http://www.shorewall.net/Linuxfest2011.pdf">http://www.shorewall.net/LinuxFest2011.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2013 SeaGL Presentation: <ulink
+          <entry>Tom's 2013 SeaGL Presentation - "AN INTRODUCTION TO LINUX
+          POLICY ROUTING" : <ulink
           url="http://www.shorewall.net/SeaGL2013.pdf">http://www.shorewall.net/SeaGL2013.pdf</ulink></entry>
         </row>
-
       </tbody>
     </tgroup>
   </informaltable>