Don't run the 'up' command twice when an dual-stack interface comes up

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall-core/Shorewall-core-targetname

@@ -0,0 +1 @@
+5.2.4.1

Shorewall-core/configure

@@ -4,7 +4,7 @@
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/configure.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.cli

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -4120,9 +4120,9 @@ start_command() {
 
 	if [ -x $g_firewall ]; then
 	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+		run_it ${VARDIR}/${RESTOREFILE} restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it $g_firewall start
 	    fi
 	    rc=$?
 	else
@@ -4256,7 +4256,7 @@ restart_command() {
     [ -n "$g_nolock" ] || mutex_on
 
     if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it $g_firewall $COMMAND
 	rc=$?
     else
 	error_message "$g_firewall is missing or is not executable"
@@ -4270,7 +4270,7 @@ restart_command() {
 
 run_command() {
     if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it $g_firewall $@
     else
 	fatal_error "$g_firewall does not exist or is not executable"
     fi
@@ -4287,7 +4287,13 @@ ecko() {
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "   -T : Direct the generated script to produce a shell trace to standard error"
+    echo "   -D : Debug iptables commands"
+    echo "   -N : Don't take the master shorewall lock"
+    echo "   -q : Standard Shorewall verbosity control"
+    echo "   -v : Standard Shorewall verbosity control"
+    echo "   -t : Timestamp all messages"
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
@@ -4317,7 +4323,6 @@ usage() # $1 = exit status
 	echo "   iptrace <ip6tables match expression>"
     fi
 
-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
@@ -4415,20 +4420,16 @@ usage() # $1 = exit status
 # here if that lib is loaded below.
 #
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
     g_nolock=
-
+    #
+    # We'll keep this around for a while so we don't break people's started scripts
+    #
     if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 	g_nolock=nolock
 	shift
     fi
 
+    g_debugging=
     g_noroutes=
     g_purge=
     g_ipt_options="-nv"
@@ -4456,6 +4457,7 @@ shorewall_cli() {
     g_blacklistipset=
     g_disconnect=
     g_havemutex=
+    g_trace=
 
     VERBOSE=
     VERBOSITY=1
@@ -4587,6 +4589,17 @@ shorewall_cli() {
 			    finished=1
 			    option=
 			    ;;
+			T*)
+			    g_debugging=trace
+			    option=${option#T}
+			    ;;
+			D*)
+			    g_debugging=debug
+			    option=${option#D}
+			    ;;
+			N*)
+			    g_nolock=nolock
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -4639,7 +4652,7 @@ shorewall_cli() {
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
-	    run_it $g_firewall $g_debugging $COMMAND
+	    run_it $g_firewall $COMMAND
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
@@ -4648,7 +4661,7 @@ shorewall_cli() {
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
-	    run_it $g_firewall $g_debugging reset $@
+	    run_it $g_firewall reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
@@ -4661,7 +4674,7 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it $g_firewall $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
@@ -4816,7 +4829,7 @@ shorewall_cli() {
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
-		    run_it $g_firewall $g_debugging call $@
+		    run_it $g_firewall call $@
 		fi
 	    else
 		missing_argument

Shorewall-core/lib.common

@@ -3,7 +3,7 @@
 #
 #     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message
 #
 run_it() {
     local script
-    local options
+    local options='-'
 
     export VARDIR
 
     script=$1
     shift
 
-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	options="$1 -"
-	shift;
+
+    if [ "$g_debugging" = debug ]; then
+	options='-D'
+    elif [ "$g_debugging" = trace ]; then
+	options='-T'
     else
-	options='-'
+	options='-';
     fi
 
     [ -n "$g_noroutes" ]   && options=${options}n
@@ -411,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -736,8 +738,8 @@ truncate() # $1 = length
 
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
+# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
+# the first argument. Example "shorewall -N refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the

Shorewall-core/lib.core

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.installer

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.uninstaller

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/manpages/shorewall.xml

@@ -21,9 +21,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg rep="norepeat">options</arg>
 
       <arg choice="plain"><option>add {</option></arg>
@@ -39,9 +36,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>allow</option></arg>
@@ -52,9 +46,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>blacklist</option></arg>
@@ -67,9 +58,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>call</option></arg>
@@ -106,9 +94,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -118,9 +103,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>close</option><arg choice="req">
@@ -159,9 +141,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg rep="norepeat">options</arg>
 
       <arg choice="plain"><option>delete {</option></arg>
@@ -177,9 +156,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>disable</option></arg>
@@ -191,9 +167,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>drop</option></arg>
@@ -204,8 +177,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>dump</option></arg>
@@ -222,9 +193,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>enable</option></arg>
@@ -236,9 +204,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>export</option></arg>
@@ -252,9 +217,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>forget</option></arg>
@@ -265,8 +227,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>help</option></arg>
@@ -275,8 +235,6 @@
     <cmdsynopsis>
       <command>shorewall[-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg
@@ -286,8 +244,6 @@
     <cmdsynopsis>
       <command>shorewall[-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>ipcalc</option></arg>
@@ -304,8 +260,6 @@
     <cmdsynopsis>
       <command>shorewall[-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>iprange</option></arg>
@@ -317,8 +271,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>iptrace</option></arg>
@@ -330,9 +282,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>logdrop</option></arg>
@@ -343,8 +292,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>logwatch</option></arg>
@@ -357,9 +304,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>logreject</option></arg>
@@ -370,8 +314,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>noiptrace</option></arg>
@@ -394,9 +336,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>reenable</option></arg>
@@ -408,9 +347,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>reject</option></arg>
@@ -421,9 +357,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>reload</option></arg>
@@ -448,10 +381,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
       <arg choice="plain"><option>remote-getcaps</option></arg>
 
       <arg><option>-s</option></arg>
@@ -472,8 +401,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-getrc</option></arg>
@@ -496,8 +423,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-start</option></arg>
@@ -520,8 +445,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-reload</option></arg>
@@ -544,8 +467,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-restart</option></arg>
@@ -568,9 +489,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -581,9 +499,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>restart</option></arg>
@@ -608,9 +523,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -622,9 +534,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>run</option></arg>
@@ -637,9 +546,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>safe-restart</option></arg>
@@ -656,8 +562,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>safe-start</option></arg>
@@ -674,9 +578,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -688,9 +589,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>savesets</option></arg>
@@ -699,8 +597,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -713,8 +609,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -735,8 +629,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -761,8 +653,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -774,8 +664,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -787,8 +675,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -800,8 +686,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -814,8 +698,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -827,8 +709,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -841,8 +721,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -853,8 +731,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -867,8 +743,7 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
 
       <arg>options</arg>
 
@@ -892,9 +767,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -904,8 +776,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><arg
@@ -915,9 +785,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>try</option></arg>
@@ -930,8 +797,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>update</option></arg>
@@ -956,8 +821,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg
@@ -1025,16 +888,7 @@
   <refsect1>
     <title>Options</title>
 
-    <para>The <option>trace</option> and <option>debug</option> options are
-    used for debugging. See <ulink
-    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-
-    <para>The <option>nolock</option> option prevents the command from
-    attempting to acquire the Shorewall lockfile. It is useful if you need to
-    include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
-
-    <para>Other <replaceable>options</replaceable> are:</para>
+    <para>The <replaceable>options</replaceable> are:</para>
 
     <variablelist>
       <varlistentry>
@@ -1141,7 +995,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>When no <replaceable>verbosity</replaceable> is specified,
           each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1016,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>Each instance of this option causes 1 to be subtracted from
           the effective verbosity.</para>
@@ -1176,7 +1030,66 @@
           <para>Causes all progress messages to be timestamped.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>-T</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier
+          <command>trace</command> keyword.. If the command invokes the
+          generated firewall script, the script's execution will be traced to
+          standard error.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier debug keyword.
+          If the command invokes the generated firewall script, individual
+          invocations of the ip[6]tables utility will be used to configure the
+          ruleset rather than ip[6]tables-restore. This is useful for
+          diagnosing ip[6]tables-restore failures on a *COMMIT command.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
+
+    <note>
+      <para>Prior to Shorewall 5.2.4, the general syntax for a CLI command
+      was:</para>
+
+      <cmdsynopsis>
+        <arg><option>trace|debug</option></arg>
+
+        <arg><option>nolock</option></arg>
+
+        <arg><replaceable>options</replaceable></arg>
+
+        <arg choice="plain"><replaceable>command</replaceable></arg>
+
+        <arg><replaceable>command-options</replaceable></arg>
+
+        <arg><replaceable>command-arguments</replaceable></arg>
+      </cmdsynopsis>
+
+      <para>Examples:</para>
+
+      <programlisting>    shorewall debug -tv2 reload
+    shorewall trace check
+    shorewall nolock enable eth0</programlisting>
+
+      <para>In Shorewall 5.2.4 and later, those commands would be:</para>
+
+      <programlisting>    shorewall -Dtv2 reload
+    shorewall check -D
+    shorewall -N enable eth0</programlisting>
+
+      <para>While not shown in the command synopses at the top of this page,
+      the <option>nolock</option> keyword is still supported in Shorewall
+      5.2.4 and later, but is deprecated in favor of the -<option>N
+      </option>option.</para>
+    </note>
   </refsect1>
 
   <refsect1>
@@ -1199,7 +1112,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
           A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are host or network addresses.<caution>
               <para>The <command>add</command> command is not very robust. If
@@ -1214,11 +1127,12 @@
           <para>Beginning with Shorewall 4.5.9, the <emphasis
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
-          handle entries for multiple interfaces. When that option is
-          specified for a zone, the <command>add</command> command has the
-          alternative syntax in which the <replaceable>zone</replaceable> name
-          precedes the <replaceable>host-list</replaceable>.</para>
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
+          allows a single ipset to handle entries for multiple interfaces.
+          When that option is specified for a zone, the <command>add</command>
+          command has the alternative syntax in which the
+          <replaceable>zone</replaceable> name precedes the
+          <replaceable>host-list</replaceable>.</para>
         </listitem>
       </varlistentry>
 
@@ -1294,7 +1208,7 @@
         <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
         [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
         [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        [-D][<replaceable>directory</replaceable>]</term>
 
         <listitem>
           <para>Not available with Shorewall[6]-lite.</para>
@@ -1332,7 +1246,11 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -1383,8 +1301,9 @@
       <varlistentry>
         <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
         [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>] [<replaceable> directory
-        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-D] [<replaceable>
+        directory </replaceable>] [<replaceable> pathname</replaceable>
+        ]</term>
 
         <listitem>
           <para>Not available with shorewall[6]-lite.</para>
@@ -1440,7 +1359,11 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -1458,7 +1381,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are a host or network address.</para>
 
@@ -1466,7 +1389,7 @@
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
           allows a single ipset to handle entries for multiple interfaces.
           When that option is specified for a zone, the
           <command>delete</command> command has the alternative syntax in
@@ -1493,7 +1416,7 @@
           command removes any routes added from <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
           any traffic shaping configuration for the interface.</para>
         </listitem>
       </varlistentry>
@@ -1554,7 +1477,7 @@
           adds any route specified in <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
           and installs the interface's traffic shaping configuration, if
           any.</para>
         </listitem>
@@ -1599,7 +1522,7 @@
           given then the file specified by RESTOREFILE in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -1684,7 +1607,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1700,16 +1623,16 @@
           <para>Monitors the log file specified by the LOGFILE option in
           <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
-          and produces an audible alarm when new Shorewall messages are
-          logged. The <emphasis role="bold">-m</emphasis> option causes the
-          MAC address of each packet source to be displayed if that
-          information is available. The
-          <replaceable>refresh-interval</replaceable> specifies the time in
-          seconds between screen refreshes. You can enter a negative number by
-          preceding the number with "--" (e.g., <command>shorewall logwatch --
-          -30</command>). In this case, when a packet count changes, you will
-          be prompted to hit any key to resume screen refreshes.</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) and
+          produces an audible alarm when new Shorewall messages are logged.
+          The <emphasis role="bold">-m</emphasis> option causes the MAC
+          address of each packet source to be displayed if that information is
+          available. The <replaceable>refresh-interval</replaceable> specifies
+          the time in seconds between screen refreshes. You can enter a
+          negative number by preceding the number with "--" (e.g.,
+          <command>shorewall logwatch -- -30</command>). In this case, when a
+          packet count changes, you will be prompted to hit any key to resume
+          screen refreshes.</para>
         </listitem>
       </varlistentry>
 
@@ -1723,7 +1646,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1824,7 +1747,8 @@
         <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
         [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
         [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>
 
         <listitem>
           <para>This command was re-implemented in Shorewall 5.0.0. The
@@ -1878,17 +1802,21 @@
                 INLINE_MATCHES is set to Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>
 
                 <para>The <option>-C</option> option was added in Shorewall
                 4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 If an existing firewall script is used and if that script was
                 the one that generated the current running configuration, then
                 the running netfilter configuration will be reloaded as is so
                 as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
               </listitem>
             </varlistentry>
 
@@ -2006,7 +1934,7 @@
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2071,8 +1999,9 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2104,7 +2033,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -2144,8 +2073,9 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2177,7 +2107,11 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -2204,7 +2138,8 @@
         <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
         [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
         [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>
 
         <listitem>
           <para>Beginning with Shorewall 5.0.0, this command performs a true
@@ -2264,6 +2199,10 @@
                 the one that generated the current running configuration, then
                 the running netfilter configuration will be reloaded as is so
                 as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
               </listitem>
             </varlistentry>
 
@@ -2304,7 +2243,7 @@
           restored from the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <caution>
             <para>If your iptables ruleset depends on variables that are
@@ -2460,7 +2399,7 @@
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>The <option>-C</option> option, added in Shorewall 4.6.5,
           causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2416,7 @@
           the SAVE_IPSETS option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command may be used to proactively save your ipset contents in
           the event that a system failure occurs prior to issuing a
           <command>stop</command> command.</para>
@@ -2645,7 +2584,7 @@
                 accounting counters (<ulink
                 url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                 (5), <ulink
-                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
+                url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -2669,7 +2608,7 @@
                 file specified by the LOGFILE option in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 The <emphasis role="bold">-m</emphasis> option causes the MAC
                 address of each packet source to be displayed if that
                 information is available.</para>
@@ -2831,8 +2770,8 @@
         <term><emphasis role="bold">start </emphasis><emphasis role="bold">
         </emphasis>[-<option>n</option>] [-<option>p</option>]
         [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [-D]
+        [ <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para><variablelist>
@@ -2851,7 +2790,7 @@
                   in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
                   will be restored if that saved configuration exists and has
                   been modified more recently than the files in
                   /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@@ -2862,7 +2801,7 @@
                   option was added to <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When LEGACY_FASTSTART=No, the modification times of files in
                   /etc/shorewall are compared with that of
                   /var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2820,7 @@
                   overriding the AUTOMAKE setting in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When both <option>-f</option> and <option>-c</option>are
                   present, the result is determined by the option that appears
                   last.</para>
@@ -2897,7 +2836,7 @@
                   INLINE_MATCHES is set to Yes in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
                   <para>The <option>-C</option> option was added in Shorewall
                   4.6.5 and is only meaningful when the <option>-f</option>
@@ -2906,6 +2845,11 @@
                   option was also specified in the <emphasis
                   role="bold">save</emphasis> command, then the packet and
                   byte counters will be restored.</para>
+
+                  <para>The <emphasis role="bold">-D </emphasis>option was
+                  added in Shoewall 5.2.4 and causes the compiler to write a
+                  large amount of debugging information to standard
+                  output.</para>
                 </listitem>
               </varlistentry>
 
@@ -3226,7 +3170,7 @@
 
     <simplelist>
       <member><ulink
-      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink>
+      url="/starting_and_stopping_shorewall.htm">https://shorewall.org/starting_and_stopping_shorewall.htm</ulink>
       - Describes operational aspects of Shorewall.</member>
 
       <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -

Shorewall-core/shorewall

@@ -5,7 +5,7 @@
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/wait4ifup

@@ -6,7 +6,7 @@
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/ifupdown.debian.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -110,7 +110,7 @@ case $0 in
 	;;
     *)
         #
-        # Debian ifupdown system
+        # Debian ifupdown system - MODE and INTERFACE inherited from the environment
         #
 	INTERFACE="$IFACE"
 
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then

Shorewall-init/ifupdown.fedora.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -90,7 +90,14 @@ case $0 in
 		COMMAND=down
 		;;
 	    *dispatcher.d*)
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *)
 		exit 0

Shorewall-init/ifupdown.suse.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -120,7 +120,14 @@ case $0 in
 	case $0 in
 	    *dispatcher.d*)
 		INTERFACE="$1"
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *if-up.d*)
 		COMMAND=up

Shorewall-init/init.debian.sh

@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/init.suse.sh

@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/install.sh

@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/shorewall-init

@@ -6,7 +6,7 @@
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is part of Shorewall.
 #
@@ -93,7 +93,14 @@ shorewall_stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    #
+	    # Run in sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} clear
+		fi
+	    )
 	fi
     done
 

Shorewall-lite/Shorewall-lite-targetname

@@ -0,0 +1 @@
+5.2.4.1

Shorewall-lite/init.openwrt.sh

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.sh

@@ -7,7 +7,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.suse.sh

@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -426,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
     install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi
 
 if [ -f helpers ]; then
@@ -433,11 +438,6 @@ if [ -f helpers ]; then
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #

Shorewall-lite/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -183,7 +183,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    url="https://shorewall.org/Documentation_Index.html">https://shorewall.org/Documentation_Index.html</ulink></para>
 
     <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),

Shorewall-lite/shorewall-lite.conf

@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  https://shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall/Actions/action.A_REJECT

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.A_REJECT!

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Broadcast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.DNSAmp

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Established

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.FIN

@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.IfEvent

@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
@@ -115,8 +115,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
     
-    print "Resetting....\n";
-    
     my $mark = $globals{EVENT_MARK};
     #
     # The event mark bit must be within 32 bits

Shorewall/Actions/action.Invalid

@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Limit

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Multicast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.New

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.NotSyn

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.RST

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Related

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.ResetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.SetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 
 DEFAULTS -,ACCEPT,src

Shorewall/Actions/action.Untracked

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowInvalid

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowinUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcasts

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropInvalid

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.forwardUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.mangletemplate

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.

Shorewall/Actions/action.rejNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.template

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.

Shorewall/Contrib/swping

@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.net/MultiISP.html#swping.
+#  For information about this script, see  https://shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #

Shorewall/Contrib/swping.init

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall/Macros/macro.Bitcoin

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333

Shorewall/Macros/macro.BitcoinRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332

Shorewall/Macros/macro.BitcoinRegtest

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRegtest
+#
+# Macro for handling Bitcoin P2P traffic (Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18444

Shorewall/Macros/macro.BitcoinTestnet

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnet
+#
+# Macro for handling Bitcoin P2P traffic (Testnet mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18333

Shorewall/Macros/macro.BitcoinTestnetRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnetRPC
+#
+# Macro for handling Bitcoin RPC traffic (Testnet and Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18332

Shorewall/Macros/macro.BitcoinZMQ

@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332

Shorewall/Macros/macro.ONCRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111

Shorewall/Macros/macro.Tor

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	

Shorewall/Macros/macro.TorBrowserBundle

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150

Shorewall/Macros/macro.TorControl

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	

Shorewall/Macros/macro.TorDirectory

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030

Shorewall/Macros/macro.TorSocks

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	

Shorewall/Macros/macro.WUDO

@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680

Shorewall/Perl/Shorewall/ARP.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
+	} elsif ( $action ne 'INLINE' ) {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -37,6 +37,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
 use strict;
+use sort 'stable';
 
 our @ISA = qw(Exporter);
 our @EXPORT = ( qw(
@@ -430,13 +431,14 @@ our $VERSION = 'MODULEVERSION';
 #      Untracked       - =<z1-z2>
 #
 our %chain_table;
-our $raw_table;
-our $nat_table;
-our $mangle_table;
-our $filter_table;
-our $export;
-our %renamed;
-our %nfobjects;
+our $raw_table;         # Reference to $chain_table{raw}
+our $nat_table;         # Reference to $chain_table{nat}
+our $mangle_table;      # Reference to $chain_table{mangle}
+our $filter_table;      # Reference to $chain_table{filter}
+
+our $export;            # True if we are compiling for export
+our %renamed;           # Maps chain renaming during optimization
+our %nfobjects;         # Records nfacct objects
 
 #
 # Target Types
@@ -464,10 +466,10 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	       TARPIT       => 0x200000,       #TARPIT
 
-	       FILTER_TABLE =>  0x1000000,
-	       MANGLE_TABLE =>  0x2000000,
-	       RAW_TABLE    =>  0x4000000,
-	       NAT_TABLE    =>  0x8000000,
+	       FILTER_TABLE =>  0x1000000,     #Target allowed in the filter table
+	       MANGLE_TABLE =>  0x2000000,     #Target allowed in the mangle table
+	       RAW_TABLE    =>  0x4000000,     #Target allowed in the raw table
+	       NAT_TABLE    =>  0x8000000,     #Target allowed in the nat table
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -535,6 +537,9 @@ our $ipset_rules;
 #
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
+#
+# Chain optimization flags
+#
 use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
 
 our %dscpmap = ( CS0  => 0x00,
@@ -686,15 +691,15 @@ our %ipset_exists;
 #
 # The following constants and hash are used to classify keys in a rule hash
 #
-use constant { UNIQUE      => 1,
-	       TARGET      => 2,
-	       EXCLUSIVE   => 4,
-	       MATCH       => 8,
-	       CONTROL     => 16,
-	       COMPLEX     => 32,
-	       NFACCT      => 64,
-	       EXPENSIVE   => 128,
-	       RECENT      => 256,
+use constant { UNIQUE      => 1,       # Simple header matches - only allowed once per rule
+	       TARGET      => 2,       # Rule target or its options
+	       EXCLUSIVE   => 4,       # 'state' or 'conntrack --ctstate'
+	       MATCH       => 8,       # Currently means 'policy ...'
+	       CONTROL     => 16,      # Unsed internally by the compiler - does not contribute to the iptables rule
+	       COMPLEX     => 32,      # Currently means 'contrack --cstate'
+	       NFACCT      => 64,      # nfacct match
+	       EXPENSIVE   => 128,     # Has high match-processing cost in the kernel
+	       RECENT      => 256,     # recent match
 	   };
 
 our %opttype = ( rule          => CONTROL,
@@ -740,6 +745,9 @@ our %opttype = ( rule          => CONTROL,
 		 targetopts    => TARGET,
 	       );
 
+#
+# These allow the user to specify long option names in raw ip[6]tables input
+#
 our %aliases = ( protocol        => 'p',
 		 source          => 's',
 		 destination     => 'd',
@@ -759,7 +767,7 @@ our %isocodes;
 
 use constant { ISODIR => '/usr/share/xt_geoip/LE' };
 
-our %switches;
+our %switches;   # Recoreds switches (conditions)
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -785,7 +793,9 @@ sub initialize( $$$ ) {
     $filter_table  = $chain_table{filter};
     %renamed       = ();
     #
-    # Used to sequence chain names in each table.
+    # Used to sequence chain names in each table. $hard is true on the initial call to this function and
+    # false, when this function is called a second time to re-initialize before generating stopped ip[6]tables-
+    # restore input
     #
     %chainseq = () if $hard;
     #
@@ -1134,16 +1144,30 @@ sub set_rule_option( $$$ ) {
 	#
 	# Consider each subtype as a separate type
 	#
-	my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+	if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
+	    my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
 
-	if ( $invert eq '!' ) {
-	    assert( ! supplied $rest );
-	    $option = join( ' ', $option, $invert, $subtype );
-	    $value  = $val;
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $subtype );
+		$value  = join( ' ', $invert, $val );
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $invert , $option );
+		$value   = $invert;
+	    }
 	} else {
-	    assert( ! supplied $val );
-	    $option  = join( ' ', $option, $invert );
-	    $value   = $subtype;
+	    my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $invert, $subtype );
+		$value  = $val;
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $option, $invert );
+		$value   = $subtype;
+	    }
 	}
 
 	$opttype = EXCLUSIVE;
@@ -1216,8 +1240,8 @@ sub transform_rule( $;\$ ) {
 	    $option = $2;
 	} elsif ( $input =~ s/^(!\s+)?--([^\s]+)\s*// ) {
 	    $invert = '!' if $1;
-	    my $opt = $option = $2;
-	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};
+	    my $opt = $2;
+	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$opt};
 	} else {
 	    fatal_error "Unrecognized iptables option string ($input)";
 	}
@@ -1416,7 +1440,7 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies
+    # Don't combine rules where each specifies
     #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
@@ -1745,6 +1769,10 @@ sub add_rule($$;$) {
 #
 # New add_rule implementation
 #
+
+#
+# Push a set of matches into an irule (a rule using the new hash representation)
+#
 sub push_matches {
 
     my $ruleref = shift;
@@ -1911,6 +1939,9 @@ sub compare_values( $$ ) {
     }
 }
 
+#
+# Add an irule with matches but no target
+#
 sub add_irule( $;@ ) {
     my ( $chainref, @matches ) = @_;
 
@@ -2712,6 +2743,12 @@ sub add_expanded_jump( $$$$ ) {
     add_reference( $chainref, $toref ) while --$splitcount > 0;
 }
 
+#
+# Utility function used by add_ijump() and add_ijump_extended().
+# Returns a reference to the added rule. Return may be reference
+# to the dummy rule if the chain was already complete (last rule
+# is a simple jump to a terminating target).
+#
 sub add_ijump_internal( $$$$$;@ ) {
     my ( $fromref, $jump, $to, $expandports, $origin, @matches ) = @_;
 
@@ -2759,16 +2796,26 @@ sub add_ijump_internal( $$$$$;@ ) {
     $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
 }
 
+#
+# Add an jump to the end of a chain
+#
 sub add_ijump( $$$;@ ) {
     my ( $fromref, $jump, $to, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, '', @matches );
 }
 
+#
+# Like add_ijump() but also accepts an origin of the jump (the config file and line number
+# that caused the jump to be generated).
+#
 sub add_ijump_extended( $$$$;@ ) {
     my ( $fromref, $jump, $to, $origin, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, $origin, @matches );
 }
 
+#
+# Insert a jump at a zero-relative index into a chain.
+#
 sub insert_ijump( $$$$;@ ) {
     my ( $fromref, $jump, $to, $index, @matches ) = @_;
 
@@ -2840,6 +2887,9 @@ sub delete_jumps ( $$ ) {
     }
 }
 
+#
+# Reset the passed flag(s) in the passed chain
+#
 sub reset_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -2852,6 +2902,9 @@ sub reset_optflags( $$ ) {
     $chainref;
 }
 
+#
+# Set the passed flag(s) in the passed chain
+#
 sub set_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -2966,6 +3019,10 @@ sub accounting_chainrefs() {
     grep $_->{accounting} , values %$filter_table;
 }
 
+#
+# Ensure the existance of a chain in the mangle table and return
+# a reference to its chain table entry
+#
 sub ensure_mangle_chain($;$$) {
     my ( $chain, $number, $restriction ) = @_;
 
@@ -2976,6 +3033,10 @@ sub ensure_mangle_chain($;$$) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the nat table and return
+# a reference to its chain table entry
+
 sub ensure_nat_chain($) {
     my $chain = $_[0];
 
@@ -2984,6 +3045,10 @@ sub ensure_nat_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the raw table and return
+# a reference to its chain table entry
+#
 sub ensure_raw_chain($) {
     my $chain = $_[0];
 
@@ -3007,12 +3072,18 @@ sub new_builtin_chain($$$)
     $chainref;
 }
 
+#
+# Create a chain in the filter table, returning a reference to its chain table entry
+#
 sub new_standard_chain($) {
     my $chainref = new_chain 'filter' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new action chain, returning a reference to its chain table entry
+#
 sub new_action_chain($$) {
     my $chainref = &new_chain( @_ );
     $chainref->{referenced} = 1;
@@ -3020,12 +3091,18 @@ sub new_action_chain($$) {
     $chainref;
 }
 
+#
+# Create a chain in the nat table, returning a reference to its chain table entry
+#
 sub new_nat_chain($) {
     my $chainref = new_chain 'nat' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new manual chain, returning a reference to its chain table entry
+#
 sub new_manual_chain($) {
     my $chain = $_[0];
     fatal_error "Chain name ($chain) too long" if length $chain > 29;
@@ -3036,6 +3113,9 @@ sub new_manual_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a manual chain and return a reference to its chain table entry
+#
 sub ensure_manual_chain($) {
     my $chain = $_[0];
     my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
@@ -3045,6 +3125,9 @@ sub ensure_manual_chain($) {
 
 sub log_irule_limit( $$$$$$$$@ );
 
+#
+# Ensure the existance of the blacklist logging chain (blacklog)
+#
 sub ensure_blacklog_chain( $$$$$ ) {
     my ( $target, $disposition, $level, $tag, $audit ) = @_;
 
@@ -3063,6 +3146,9 @@ sub ensure_blacklog_chain( $$$$$ ) {
     'blacklog';
 }
 
+#
+# Ensure the existance of the audited blacklist logging chain (A_blacklog)
+#
 sub ensure_audit_blacklog_chain( $$$ ) {
     my ( $target, $disposition, $level ) = @_;
 
@@ -3084,7 +3170,6 @@ sub ensure_audit_blacklog_chain( $$$ ) {
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
-
 sub ensure_audit_chain( $;$$$ ) {
     my ( $target, $action, $tgt, $table ) = @_;
 
@@ -3121,7 +3206,6 @@ sub ensure_audit_chain( $;$$$ ) {
 #
 # Return the appropriate target based on whether the second argument is 'audit'
 #
-
 sub require_audit($$;$) {
     my ($action, $audit, $tgt ) = @_;
 
@@ -3300,13 +3384,13 @@ sub initialize_chain_table($) {
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS           ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
-	$chainref = new_standard_chain( 'DOCKER-USER'   );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+	$chainref = new_standard_chain( 'DOCKER-USER'      );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER              ] && cat ${VARDIR}/.filter_DOCKER-USER      >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION         ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@@ -3623,6 +3707,16 @@ sub optimize_level0() {
     }
 }
 
+#
+# Conditionally sort a list of chain table entry references by name, if -t was specified
+#
+sub sortchainsiftest(\%) {
+    my $hashref = shift;
+
+    return sort { $a->{name} cmp $b->{name} } values %$hashref if $test;
+    return values %$hashref;
+}
+
 sub optimize_level4( $$ ) {
     my ( $table, $tableref ) = @_;
     my $progress = 1;
@@ -3844,7 +3938,7 @@ sub optimize_level4( $$ ) {
     my @chains  = grep ( $_->{referenced}   &&
 			 ! $_->{optflags}   &&
 			 @{$_->{rules}} < 4 &&
-			 keys %{$_->{references}} == 1 , values %$tableref );
+			 keys %{$_->{references}} == 1 , sortchainsiftest %$tableref );
 
     if ( my $chains  = @chains ) {
 	$passes++;
@@ -3853,7 +3947,7 @@ sub optimize_level4( $$ ) {
 
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
-	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+	    for my $sourceref ( map $tableref->{$_}, sortkeysiftest %{$chainref->{references}} ) {
 		my $name1 = $sourceref->{name};
 
 		if ( $chainref->{references}{$name1} == 1 ) {
@@ -3983,7 +4077,7 @@ sub optimize_level8( $$$ ) {
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
-	    for my $oldname ( @rename ) {
+	    for my $oldname ( sortiftest @rename ) {
 		my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
 
 		trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
@@ -4496,7 +4590,7 @@ sub combine_states {
 
 sub optimize_level16( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
-    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
+    my @chains   = ( grep $_->{referenced}, sortchainsiftest %{$tableref} );
     my @chains1  = @chains;
     my $chains   = @chains;
 
@@ -4613,7 +4707,7 @@ sub setup_zone_mss() {
 
 	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
 
-	for my $hostref ( @$hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$hosts : @$hosts ) {
 	    my $mss         = $hostref->[4];
 	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 	    my @sourcedev   = imatch_source_dev $hostref->[0];
@@ -4925,10 +5019,10 @@ sub do_proto( $$$;$ )
 
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
+			if ( $sports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
-			    $output .= get_set_flags( $ports, 'src' );
+			    $output .= get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5037,7 +5131,9 @@ sub do_proto( $$$;$ )
     $output;
 }
 
-
+#
+# Generate a mac address match
+#
 sub do_mac( $ ) {
     my $mac = $_[0];
 
@@ -5050,6 +5146,9 @@ sub do_mac( $ ) {
     "-m mac ${invert}--mac-source $mac ";
 }
 
+#
+# Version of do_proto() that generates an irule match rather than an iptables text match
+#
 sub do_iproto( $$$ )
 {
     my ($proto, $ports, $sports ) = @_;
@@ -5136,8 +5235,8 @@ sub do_iproto( $$$ )
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
-			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			if ( $sports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5245,6 +5344,9 @@ sub do_iproto( $$$ )
     @output;
 }
 
+#
+# Generate a mac address match in irule format.
+#
 sub do_imac( $ ) {
     my $mac = $_[0];
 
@@ -5307,7 +5409,6 @@ sub verify_small_mark( $ ) {
 #
 # Generate an appropriate -m [conn]mark match string for the contents of a MARK column
 #
-
 sub do_test ( $$ )
 {
     my ($testval, $mask) = @_;
@@ -5462,6 +5563,9 @@ sub do_connlimit( $ ) {
     }
 }
 
+#
+# Create a calendar match
+#
 sub do_time( $ ) {
     my ( $time ) = @_;
 
@@ -5500,6 +5604,11 @@ sub do_time( $ ) {
     $result;
 }
 
+#
+# Resolve a user/group name to the appropriate numeric id. Only do the resolution
+# if we are not compiling for export, since remote name->id mapping is likely to
+# be different.
+#
 sub resolve_id( $$ ) {
     my ( $id, $type ) = @_;
 
@@ -5563,8 +5672,6 @@ sub do_user( $ ) {
 #
 # Create a "-m tos" match for the passed TOS
 #
-# This helper is also used during tos file processing
-#
 sub decode_tos( $$ ) {
     my ( $tos, $set ) = @_;
 
@@ -5668,10 +5775,25 @@ sub validate_helper( $;$ ) {
 
 	    my $protonum = -1;
 
-	    fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );
+	    fatal_error "Unknown PROTO ($proto)" unless $proto eq '-' || defined ( $protonum = resolve_proto( $proto ) );
 
-	    unless ( $protonum == $helper_proto ) {
-		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
+	    if ( reftype( $helper_proto ) ) {
+		#
+		# More than one protocol allowed with this helper, so $helper_proto is an array reference
+		#
+		my $found;
+		my $names = '';
+
+		for ( @$helper_proto ) {
+		    $names = $names ? join( ',', $names, proto_name( $_ ) ) : proto_name( $_ );
+		    $found = 1 if $protonum == $_;
+		}
+
+		fatal_error "The $helper_base helper requires PROTO to be one of '$names'" unless $found;
+	    } else {
+		unless ( $protonum == $helper_proto ) {
+		    fatal_error "The $helper_base helper requires PROTO=" . (proto_name( $helper_proto ) );
+		}
 	    }
 	}
     } else {
@@ -6101,6 +6223,9 @@ sub get_interface_address( $;$ );
 
 sub get_interface_gateway ( $;$$ );
 
+#
+# Verify and record a runtime address variable
+#
 sub record_runtime_address( $$;$$ ) {
     my ( $addrtype, $interface, $protect, $provider ) = @_;
 
@@ -6591,6 +6716,9 @@ sub match_ipsec_in( $$ ) {
     @match;
 }
 
+#
+# Match Dest IPSEC
+#
 sub match_ipsec_out( $$ ) {
     my ( $zone , $hostref ) = @_;
     my @match;
@@ -6615,7 +6743,7 @@ sub match_ipsec_out( $$ ) {
 }
 
 #
-# Handle a unidirectional IPSEC Options
+# Handle unidirectional IPSEC Options
 #
 sub do_ipsec_options($$$)
 {
@@ -6692,7 +6820,7 @@ sub do_ipsec($$) {
 }
 
 #
-# Generate a log message
+# Generate a logging rule
 #
 sub log_rule_limit( $$$$$$$$;$ ) {
     my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
@@ -6888,6 +7016,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
     }
 }
 
+#
+# Wrappers for the above that use the global default log limit
+#
 sub log_rule( $$$$ ) {
     my ( $level, $chainref, $disposition, $matches ) = @_;
 
@@ -7335,13 +7466,13 @@ sub set_global_variables( $$ ) {
     if ( $conditional ) {
 	my ( $interface, @interfaces );
 
-	@interfaces = keys %interfaceaddr;
+	@interfaces = sortkeysiftest %interfaceaddr;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	@interfaces = keys %interfacegateways;
+	@interfaces = sortkeysiftest %interfacegateways;
 
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7351,29 +7482,29 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
 
-	@interfaces = keys %interfacemacs;
+	@interfaces = sortkeysiftest %interfacemacs;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	emit "$interfacegateways{$_}\n" for sortkeysiftest %interfacegateways;
+	emit $interfacemacs{$_}         for sortkeysiftest %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}
     }
@@ -7564,11 +7695,13 @@ sub isolate_source_interface( $ ) {
 		) {
 	    $iiface = $1;
 	    $inets  = $2;
+	    $inets =~ s/\]-\[/-/;
 	} elsif ( $source =~ /:/ ) {
 	    if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){
 		$inets = $source;
 	    } elsif ( $source =~ /^\[(.+)\]$/ ) {
 		$inets = $1;
+		$inets =~ s/\]-\[/-/;
 	    } else {
 		$inets = $source;
 	    }
@@ -7686,6 +7819,7 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
+	    $dnets =~ s/\]-\[/-/;
 	} elsif (  $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
 		   $dest =~ /^(.+?):(!?\+.+)$/    ||
 		   $dest =~ /^(.+?):(!?[&%].+)$/  ||
@@ -7698,6 +7832,7 @@ sub isolate_dest_interface( $$$$ ) {
 		$dnets = $dest;
 	    } elsif ( $dest =~ /^\[(.+)\]$/ ) {
 		$dnets = $1;
+	        $dnets =~ s/\]-\[/-/;
 	    } else {
 		$dnets = $dest;
 	    }
@@ -8333,7 +8468,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sortkeysiftest %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -8419,7 +8554,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sortkeysiftest %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8475,7 +8610,7 @@ sub add_interface_options( $ ) {
 # We may have to generate part of the input at run-time. The rules array in each chain
 # table entry may contain both rules or shell source, determined by the contents of the 'mode'
 # member. We alternate between writing the rules into the temporary file to be passed to
-# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
+# iptables-restore (CAT_MODE) and writing shell source into the generated script (CMD_MODE).
 #
 # The following two functions are responsible for the mode transitions.
 #
@@ -8603,32 +8738,29 @@ sub emitr1( $$ ) {
 sub save_docker_rules($) {
     my $tool = $_[0];
 
+    my $bridge = $config{DOCKER_BRIDGE};
+
     emit( qq(if [ -n "\$g_docker" ]; then),
 	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
-	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
-	  qq(    [ -n "\$g_dockeruser" ]    && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(    rm -f \${VARDIR}/.filter_DOCKER-*),
+	  qq(    [ -n "\$g_dockeringress"  ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+	  qq(    [ -n "\$g_dockeruser"     ] && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(    [ -n "\$g_dockeriso"      ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
 	  qq(),
-	  qq(    case "\$g_dockernetwork" in),
-	  qq(        One\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
-	  qq(            ;;),
-	  qq(        Two\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
-	  qq(            ;;),
-	  qq(    esac),
+	  qq(    if [ -n "\$g_dockerisostage" ]; then),
+	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+	  qq(    fi),
 	  qq(),
 	);
 
-    if ( known_interface( 'docker0' ) ) {
+    if ( known_interface( $bridge ) ) {
 	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
     } else {
-	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
     }
 
     emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
@@ -8863,7 +8995,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 
-	    my @sets = keys %ipsets;
+	    my @sets = sortkeysiftest %ipsets;
 
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -9032,7 +9164,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sortkeysiftest %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -9047,7 +9179,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( @objects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -9055,7 +9187,7 @@ sub create_nfobjects() {
 }
 #
 #
-# Generate the netfilter input
+# Generate the input to ip[6]tables-restore or to 'ip[6]tables -R'
 #
 sub create_netfilter_load( $ ) {
     my $test = shift;
@@ -9142,10 +9274,10 @@ sub create_netfilter_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9257,11 +9389,11 @@ sub preview_netfilter_load() {
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode1;
-			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode1;
-			print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode1;
@@ -9358,10 +9490,10 @@ sub create_stop_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9420,7 +9552,7 @@ sub create_stop_load( $ ) {
 }
 
 sub initialize_switches() {
-    if ( keys %switches ) {
+    if ( sortkeysiftest %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
 	for my $switch ( keys %switches ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,9 +4,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -47,19 +47,17 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-our $export;
+our $export;          # True when compiling for export
 
-our $test;
+our $family;          # IP address family (4 or 6)
 
-our $family;
-
-our $have_arptables;
+our $have_arptables;  # True if we have arptables rules
 
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+sub initialize_package_globals( $$$$ ) {
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2], $_[3]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -268,13 +266,10 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
-	emit( 'if chain_exists DOCKER-ISOLATION; then',
-	      '    g_dockernetwork=One',
-	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
-	      '    g_dockernetwork=Two',
-	      'fi' );
+	emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
     }
 
     pop_indent;
@@ -384,7 +379,7 @@ sub generate_script_3() {
     save_progress_message 'Initializing...';
 
     if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file( 'helpers' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
 	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
@@ -591,7 +586,7 @@ sub compiler {
        ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
-    $test           = 0;
+    my $test        = 0;
     $have_arptables = 0;
 
     sub validate_boolean( $ ) {
@@ -644,18 +639,19 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
-
+    initialize_package_globals( $update, $test, $shorewallrc, $shorewallrc1 );
+    #
+    # Rather than continuing to extend the argument list of Config::initialize(),
+    # we use a set of small functions to export settings to the Config module.
+    #
     set_config_path( $config_path ) if $config_path;
-
     set_shorewall_dir( $directory ) if $directory ne '';
-
     $verbosity = 1 if $debug && $verbosity < 1;
-
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
+    set_command( 'compile', 'Compiling', 'Compiled' );
     #
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
@@ -673,12 +669,7 @@ sub compiler {
     #
     # Create a temp file to hold the script
     #
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
+    create_temp_script( $scriptfilename , $export ) if $scriptfilename;
     #
     #                                     Z O N E   D E F I N I T I O N
     #                              (Produces no output to the compiled script)
@@ -916,7 +907,7 @@ sub compiler {
 	#
 	# Close, rename and secure the script
 	#
-	finalize_script ( $export );
+	finalize_script ( $export, $test );
 	#
 	# And generate the auxilary config file
 	#
@@ -981,11 +972,7 @@ sub compiler {
 	#
 	report_used_capabilities;
 
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
+	progress_message3 "$Product configuration verified";
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -162,10 +162,15 @@ our @EXPORT = qw(
 
 		 have_capability
 		 require_capability
+		 require_mangle_capability
 		 report_used_capabilities
 		 kernel_version
 
-                 compiletime
+		 compiletime
+
+		 sortkeysiftest
+		 sortvaluesiftest
+		 sortiftest
 				       
 		 F_IPV4
 		 F_IPV6
@@ -263,6 +268,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $debug
 				       $file_format
 				       $comment
+				       $test
 
 				       %config
 				       %origin
@@ -396,7 +402,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -523,13 +529,17 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
-
+#
+# Keeps track of which capabilities were used or required - Key is capability name
+#
 our %used;
 
 use constant {
                USED     => 1,
 	       REQUIRED => 2 };
-
+#
+# Common Protocols
+#
 use constant {
 	       ICMP                => 1,
 	       TCP                 => 6,
@@ -541,7 +551,7 @@ use constant {
 	       UDPLITE             => 136,
 	     };
 #
-# Optimization masks
+# Optimization masks (OPTIMIZE option)
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
@@ -550,7 +560,9 @@ use constant {
                OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
 	     };
-
+#
+# Map helpers to protocols
+#
 our %helpers = ( amanda          => UDP,
 		 ftp             => TCP,
 		 irc             => TCP,
@@ -625,7 +637,7 @@ our %config_files = ( #accounting      => 1,
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
-# Directories to search for configuration files
+# Directories to search for configuration files (CONFIG_PATH option)
 #
 our @config_path;
 #
@@ -648,10 +660,12 @@ our %compiler_params;
 # Action parameters
 #
 our %actparams;
-our $parmsmodified;
-our $usedcaller;
-our $inline_matches;
-
+our $parmsmodified;          # True of the current action has modified its parameters
+our $usedcaller;             # True if $CALLER has been acceseed in the current action
+our $inline_matches;         # Inline matches from the current rule
+#
+# File handling
+#
 our $currentline;            # Current config file line image
 our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
@@ -669,6 +683,7 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $ulogcount;              # Used to suppress duplicate warnings about ULOG support
 our $directive_callback;     # Function to call in compiler_directive
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -722,18 +737,19 @@ our %converted = (
 #
 # Eliminated options
 #
-our %eliminated = ( LOGRATE          => 1,
-		    LOGBURST         => 1,
-		    EXPORTPARAMS     => 1,
-		    LEGACY_FASTSTART => 1,
-		    IPSECFILE        => 1,
-		    WIDE_TC_MARKS    => 1,
-		    HIGH_ROUTE_MARKS => 1,
-		    BLACKLISTNEWONLY => 1,
-		    CHAIN_SCRIPTS    => 1,
-                    MODULE_SUFFIX    => 1,
-                    MAPOLDACTIONS    => 1,
-		    INLINE_MATCHES   => 1,
+our %eliminated = ( LOGRATE	      => 1,
+		    LOGBURST	      => 1,
+		    EXPORTPARAMS      => 1,
+		    LEGACY_FASTSTART  => 1,
+		    IPSECFILE	      => 1,
+		    WIDE_TC_MARKS     => 1,
+		    HIGH_ROUTE_MARKS  => 1,
+		    BLACKLISTNEWONLY  => 1,
+		    CHAIN_SCRIPTS     => 1,
+		    MODULE_SUFFIX     => 1,
+		    MAPOLDACTIONS     => 1,
+		    INLINE_MATCHES    => 1,
+		    LOAD_HELPERS_ONLY => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -747,10 +763,11 @@ our $ifstack;
 #    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
 #    [1] - True if the outermost IF evaluated to false
 #    [2] - True if the the last unterminated IF evaluated to false
+#    [3] = The line number of the directive
 #
 # From .shorewallrc
 #
-our ( %shorewallrc, %shorewallrc1 );
+our ( %shorewallrc, %shorewallrc1 ); # Shorewallrc setting from local system and from remote firewall respectively
 #
 # read_a_line options
 #
@@ -781,6 +798,8 @@ our %filecache;
 
 our $compiletime;
 
+our $test;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -792,9 +811,12 @@ sub add_variables( \% );
 #
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
-#
-sub initialize( $;$$$) {
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+####################################################################################################
+# Do not change the required part of this prototype unless you want to take on a lot of additional
+# work (This function is called from build).
+####################################################################################################
+sub initialize($;$$$$) {
+    ( $family, $export, $test, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -828,6 +850,7 @@ sub initialize( $;$$$) {
     $comment       = '';
     $sr_comment    = '';
     $warningcount  = 0;
+    $ulogcount     = 0;
     #
     # Misc Globals
     #
@@ -838,7 +861,7 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.0-Beta1',
+		    VERSION                 => '5.2.4.1',
 		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -969,7 +992,6 @@ sub initialize( $;$$$) {
 	  OPTIMIZE_ACCOUNTING => undef,
 	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
-	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
 	  FORWARD_CLEAR_MARK => undef,
 	  COMPLETE => undef,
@@ -998,6 +1020,7 @@ sub initialize( $;$$$) {
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
 	  RENAME_COMBINED => undef ,
+	  DOCKER_BRIDGE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1291,7 +1314,7 @@ sub initialize( $;$$$) {
     $compiletime =~ s/ +/ /g;
 }
 
-my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
+my @moabbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 
 sub add_ipset( $ ) {
     $ipsets{$_[0]} = 1;
@@ -1391,7 +1414,7 @@ sub info_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1419,7 +1442,7 @@ sub warning_message
 
     if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
     }
 
     if ( $confess ) {
@@ -1544,7 +1567,7 @@ sub fatal_error	{
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $confess ) {
 	    print $log longmess( "   ERROR: @_$currentlineinfo\n" );
@@ -1567,6 +1590,9 @@ sub fatal_error	{
     }
 }
 
+#
+# This one is used for reporting syntax errors in embedded Perl code
+#
 sub fatal_error1 {
     handle_first_entry if $first_entry;
 
@@ -1574,7 +1600,7 @@ sub fatal_error1 {
 
     if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 
 	if ( $debug ) {
 	    print $log longmess( "   ERROR: @_\n" );
@@ -1684,7 +1710,7 @@ sub emit {
 
     if ( $script || $debug ) {
 	#
-	# 'compile' as opposed to 'check'
+	# 'compile' (as opposed to 'check') or debugging (CLI 'trace' command)
 	#
 	for ( @_ ) {
 	    unless ( /^\s*$/ ) {
@@ -1812,6 +1838,30 @@ sub set_command( $$$ ) {
     ($command, $doing, $done) = @_;
 }
 
+#
+# Return the keys or values of the passed hash. If $test, the keys/values will be sorted by their own values
+#
+sub sortkeysiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort keys %$hashref if $test;
+    return keys %$hashref;
+}
+
+sub sortvaluesiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort values %$hashref if $test;
+    return keys %$hashref;
+}
+
+#
+# Sort a list by the list elements if $test
+#
+sub sortiftest(@) {
+    return $test ? sort @_ : @_;
+}
+
 #
 # Print the current TOD to STDOUT.
 #
@@ -1845,12 +1895,15 @@ sub progress_message {
 
 	    @localtime = localtime unless $havelocaltime;
 
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
     }
 }
 
+#
+# This one doesn't compress out superfluous white space
+#
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
@@ -1864,7 +1917,7 @@ sub progress_message_nocompress {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1885,7 +1938,7 @@ sub progress_message2 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1906,7 +1959,7 @@ sub progress_message3 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1996,28 +2049,30 @@ sub generate_sha1() {
 #
 # Finalize the script file
 #
-sub finalize_script( $ ) {
-    my $export = $_[0];
+sub finalize_script( $$ ) {
+    my ( $export, $test ) = @_;
     close $script;
     $script = 0;
 
     if ( $file ne '-' ) {
-	my $sha1sum  = generate_sha1;
-	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
-	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
+	unless ( $test ) {
+	    my $sha1sum  = generate_sha1;
+	    my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	    my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 
-	@ARGV = ( $tempfile );
-	$^I = '';
+	    @ARGV = ( $tempfile );
+	    $^I = '';
 
-	while ( <> ) {
-	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
-	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
-	    print;
+	    while ( <> ) {
+		s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+		s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+		print;
+	    }
 	}
 
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
-	progress_message3 "Shorewall configuration compiled to $file" unless $export;
+	progress_message3 "$Product configuration compiled to $file" unless $export;
     }
 }
 
@@ -2039,7 +2094,7 @@ sub finalize_aux_config() {
     close $script;
     $script = 0;
     rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
-    progress_message3 "Shorewall configuration compiled to $file";
+    progress_message3 "$Product configuration compiled to $file";
 }
 
 #
@@ -2077,7 +2132,7 @@ sub set_debug( $$ ) {
 #
 sub find_file($)
 {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2094,8 +2149,12 @@ sub find_file($)
     "$config_path[0]$filename";
 }
 
+#
+# Search the CONFIG_PATH for a file that is writable. Ignore directories where sample/default files are installed,
+# because users have a bad habit of including those in the CONFIG_PATH
+#
 sub find_writable_file($) {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -2117,6 +2176,9 @@ sub supplied( $ ) {
     defined $val && $val ne '';
 }
 
+#
+# This one is used for determining if an action argument has been passed (excludes '-')
+#
 sub passed( $ ) {
     my $val = shift;
 
@@ -2135,7 +2197,7 @@ sub split_list( $$;$ ) {
 }
 
 #
-# This version handles parenthetical list elements with embedded commas. It removes the parentheses
+# This version handles parenthetical list elements containing embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
     my ($list, $type, $keepparens ) = @_;
@@ -2519,7 +2581,7 @@ sub split_line2( $$;$$$ ) {
 }
 
 #
-# Same as above, only it splits the raw current line
+# Same as above, only it splits the raw current line (line prior to variable expansion)
 #
 sub split_rawline2( $$;$$$ ) {
     my $savecurrentline = $currentline;
@@ -2627,6 +2689,7 @@ sub do_open_file( $ ) {
 # - Maximum value allowed in ?FORMAT directives
 # - ?COMMENT allowed in this file
 # - Ignore ?COMMENT in ths file
+# - Default file format
 #
 sub open_file( $;$$$$ ) {
     my ( $fname, $mf, $ca, $nc, $cf ) = @_;
@@ -2719,7 +2782,7 @@ sub clear_currentfilename() {
 }
 
 #
-# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
+# Utility functions for processing compiler directives
 #
 
 #
@@ -2746,7 +2809,7 @@ sub directive_warning( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 
@@ -2771,7 +2834,7 @@ sub directive_info( $$$$ ) {
 
 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 
@@ -3523,7 +3586,7 @@ sub shorewall {
 # We do this processing in read_a_line() rather than in the higher-level routines because
 # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
 # until we get back to the caller of read_a_line(), we could issue error messages about parsing and
-# running scripts in the file before we'd even indicated that we are processing it.
+# running scripts in the file before we'd even reported that we are processing it.
 #
 sub first_entry( $ ) {
     $first_entry = shift;
@@ -3700,6 +3763,7 @@ sub push_action_params( $$$$$$ ) {
 # Return:
 #   1 if the popped parameters were modified
 #   2 if the action used @CALLER
+#   3 if both
 #
 sub pop_action_params( $ ) {
     my $oldparms       = shift;
@@ -3710,6 +3774,10 @@ sub pop_action_params( $ ) {
     $return;
 }
 
+#
+# This is called when a DEFAULTS line is found in an action body. It supplies default values
+# for those paramaters that were not passed, or that were passed as '-'.
+#
 sub default_action_params {
     my $action = shift;
     my ( $val, $i );
@@ -3723,6 +3791,9 @@ sub default_action_params {
     fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }
 
+#
+# This function allows embedded Perl in actions to retreive the action paramaters
+#
 sub get_action_params( $ ) {
     my $num = shift;
 
@@ -3738,6 +3809,9 @@ sub get_action_params( $ ) {
     @return;
 }
 
+#
+# Helper for A_* actions
+#
 sub setup_audit_action( $ ) {
     my ( $action ) = @_;
 
@@ -3757,26 +3831,44 @@ sub get_action_logging() {
     @actparams{ 'loglevel', 'logtag' };
 }
 
+#
+# Allow embedded Perl in Actions to get the name of the action chain
+#
 sub get_action_chain() {
     $actparams{0};
 }
 
+#
+# Get the action name from an action file
+#
 sub get_action_chain_name() {
     $actparams{chain};
 }
-
+#
+# This allows an action to make subsequent log messages refer to the invoker of the action rather than the 
+# action itself
+#
 sub set_action_name_to_caller() {
     $actparams{chain} = $actparams{caller};
 }
 
+#
+# Get the current action's disposition
+#
 sub get_action_disposition() {
     $actparams{disposition};
 }
 
+#
+# Set the current action disposition for subsequent logging
+#
 sub set_action_disposition($) {
     $actparams{disposition} = $_[0];
 }
 
+#
+# Alter the value of one of the current actions parameters
+#
 sub set_action_param( $$ ) {
     my $i = shift;
 
@@ -3843,6 +3935,9 @@ sub expand_variables( \$ ) {
     }
 }
 
+#
+# Expand variables from shorewallrc in the current passed line
+#
 sub expand_shorewallrc_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     #                         $1      $2   $3                  -     $4
@@ -3886,7 +3981,7 @@ sub handle_first_entry() {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
-#   - Handle ?IF, ?ELSE, ?ENDIF
+#   - Handle ?SECTION
 #
 
 sub read_a_line($) {
@@ -4009,18 +4104,23 @@ sub read_a_line($) {
     }
 }
 
+#
+# Process the passed shorewallrc file, populating %shorewallrc
+#
 sub process_shorewallrc( $$ ) {
     my ( $shorewallrc , $product ) = @_;
 
     $shorewallrc{PRODUCT} = $product;
+    $variables{PRODUCT}   = $product;
 
     if ( open_file $shorewallrc ) {
-	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK | EXPAND_VARIABLES ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
 		expand_shorewallrc_variables($val) if supplied $val;
 		$shorewallrc{$var} = $val;
+		$variables{$var}   = $val;
 	    } else {
 		fatal_error "Unrecognized shorewallrc entry";
 	    }
@@ -4029,6 +4129,12 @@ sub process_shorewallrc( $$ ) {
 	fatal_error "Failed to open $shorewallrc: $!";
     }
 
+    #
+    # Older files may contain VARDIR= rather than VARLIB= to specify the directory
+    # where each product maintains its own state directory. This was confusing,
+    # because in the shell context, VARDIR points to the current product's state
+    # directory.
+    #
     if ( supplied $shorewallrc{VARDIR} ) {
 	if ( ! supplied $shorewallrc{VARLIB} ) {
 	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
@@ -4091,12 +4197,19 @@ sub default_yes_no ( $$;$ ) {
     $result;
 }
 
+#
+# This one is used for options that are supported by IPv4 but not IPv6. It issues a
+# warning message if the option is specified in shorewall6.conf.
+#
 sub default_yes_no_ipv4 ( $$ ) {
     my ( $var, $val ) = @_;
     default_yes_no( $var, $val );
     warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }
 
+#
+# This function handles options that have a numeric value.
+#
 sub numeric_option( $$$ ) {
     my ( $option, $default, $min ) = @_;
 
@@ -4114,6 +4227,9 @@ sub numeric_option( $$$ ) {
     $config{$option} = $val;
 }
 
+#
+# Returns a 32-bit value with the low order n bits set, where n is the passed argument.
+#
 sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
@@ -4214,6 +4330,10 @@ sub validate_level( $;$ ) {
 	if ( $value =~ /^(NFLOG|ULOG)$/ ) {
 	    my $olevel  = $value;
 
+	    if ( $value eq 'ULOG' ) {
+		warning_message "ULOG is deprecated in favor of NFLOG. Support for ULOG will be removed in a future release" unless $ulogcount++;
+	    }
+
 	    if ( $qualifier =~ /^[(](.*)[)]$/ ) {
 		my @options = split /,/, $1;
 		my $prefix  = lc $olevel;
@@ -4289,7 +4409,7 @@ sub default_log_level( $$ ) {
 }
 
 #
-# Check a tri-valued variable
+# Check a tri-valued option ("on", "of" and "keep")
 #
 sub check_trivalue( $$ ) {
     my ( $var, $default) = @_;
@@ -4371,7 +4491,7 @@ sub load_kernel_modules( ) {
 	push @moduledirectories, $_ if -d $_;
     }
 
-    if ( $moduleloader &&  @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
+    if ( $moduleloader &&  @moduledirectories && open_file( 'helpers' ) ) {
 	my %loadedmodules;
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -4425,7 +4545,8 @@ sub determine_kernelversion() {
 }
 
 #
-# Capability Reporting and detection.
+# Capability Reporting and detection. Each of the following functions detect the
+# availability of the related capability.
 #
 sub Nat_Enabled() {
     qt1( "$iptables $iptablesw -t nat -L -n" );
@@ -4520,7 +4641,11 @@ sub New_Conntrack_Match() {
 }
 
 sub Old_Conntrack_Match() {
-    ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    if ( $family == F_IPV4 ) {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    } else {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
+    }
 }
 
 sub Multiport() {
@@ -5140,7 +5265,7 @@ sub have_capability( $;$ ) {
 
     $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting;
 
-    $used{$capability} = $required ? 2 : 1 if $setting;
+    $used{$capability} = $required ? REQUIRED : USED if $setting;
 
     $setting;
 }
@@ -5169,111 +5294,6 @@ sub determine_capabilities() {
 	    qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
-
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
-	#
-	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
-	# functions but it ensures that %detect_capability is initialized properly.
-	#
-	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
-	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
-	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-
-	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
-	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
-	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
-	} else {
-	    $capabilities{NEW_CONNTRACK_MATCH} = '';
-	    $capabilities{OLD_CONNTRACK_MATCH} = '';
-	}
-
-	$capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' );
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
-	$capabilities{EMULTIPORT}   = detect_capability( 'EMULTIPORT' );
-	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
-
-	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
-	    $capabilities{PHYSDEV_BRIDGE} = detect_capability( 'PHYSDEV_BRIDGE' );
-	} else {
-	    $capabilities{PHYSDEV_BRIDGE} = '';
-	}
-
-	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
-	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
-	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
-	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
-	$capabilities{OWNER_NAME_MATCH}
-                                       = detect_capability( 'OWNER_NAME_MATCH' );
-	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
-	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
-	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
-	$capabilities{OLD_IPP2P_MATCH} = detect_capability( 'OLD_IPP2P_MATCH' );
-	$capabilities{LENGTH_MATCH}    = detect_capability( 'LENGTH_MATCH' );
-	$capabilities{ENHANCED_REJECT} = detect_capability( 'ENHANCED_REJECT' );
-	$capabilities{COMMENTS}        = detect_capability( 'COMMENTS' );
-	$capabilities{OLD_HL_MATCH}    = detect_capability( 'OLD_HL_MATCH' );
-	$capabilities{HASHLIMIT_MATCH} = detect_capability( 'HASHLIMIT_MATCH' );
-	$capabilities{MARK}            = detect_capability( 'MARK' );
-	$capabilities{XMARK}           = detect_capability( 'XMARK' );
-	$capabilities{EXMARK}          = detect_capability( 'EXMARK' );
-	$capabilities{CONNMARK}        = detect_capability( 'CONNMARK' );
-	$capabilities{XCONNMARK}       = detect_capability( 'XCONNMARK' );
-	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
-	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
-	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
-	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
-	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
-	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
-	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
-	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
-	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
-	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
-	$capabilities{ULOG_TARGET}     = detect_capability( 'ULOG_TARGET' );
-	$capabilities{NFLOG_TARGET}    = detect_capability( 'NFLOG_TARGET' );
-	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
-	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
-	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
-	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
-	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
-	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
-	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
-	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
-	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
-	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
-	$capabilities{BASIC_EMATCH}    = detect_capability( 'BASIC_EMATCH' );
-	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
-	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
-	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
-	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
-	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
-	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
-	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
-	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
-	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
-	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
-	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
-	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
-	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
-	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
-	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );
-
-	unless ( have_capability 'CT_TARGET' ) {
-	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
-	}
-
-    }
 }
 
 #
@@ -5285,6 +5305,16 @@ sub require_capability( $$$ ) {
     fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
 }
 
+sub require_mangle_capability( $$$ ) {
+    my ( $capability, $description, $singular ) = @_;
+
+    if ( $config{MANGLE_ENABLED} ) {
+	&require_capability( @_ );
+    } else {
+	fatal_error "$description " . ( $singular ?  'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
+    }
+}
+
 #
 # Return Kernel Version
 #
@@ -5337,6 +5367,9 @@ sub ensure_config_path() {
     }
 
     if ( $shorewall_dir ) {
+	#
+	# A directory has been specified -- place it at the front of the CONFIG_PATH
+	#
 	$shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|;
 	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
@@ -5371,7 +5404,8 @@ sub conditional_quote( $ ) {
 }
 
 #
-# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+# 'update' default values are sometimes different from the normal defaut value, to provide
+# backward compatibility.
 #
 sub update_default($$) {
     my ( $var, $val ) = @_;
@@ -5392,6 +5426,9 @@ sub transfer_permissions( $$ ) {
     }
 }
 
+#
+# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+#
 sub update_config_file( $ ) {
     my ( $annotate ) = @_;
 
@@ -5456,6 +5493,7 @@ sub update_config_file( $ ) {
     update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',              '' );
+    update_default( 'AUTOMAKE',              'No' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5790,7 +5828,7 @@ sub unsupported_yes_no_warning( $ ) {
 }
 
 #
-# Process the params file
+# Process the params file. Actually processing is done by the 'getparams' program in $LIBEXECDIR/shorewall/.
 #
 sub get_params( $ ) {
     my $export = $_[0];
@@ -6260,11 +6298,6 @@ sub get_configuration( $$$ ) {
 
     unshift @INC, @config_path;
 
-    #
-    # get_capabilities requires that the true settings of these options be established
-    #
-    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
-
     if ( ! $export && $> == 0 ) {
 	get_capabilities($have_capabilities);
     }
@@ -6317,8 +6350,6 @@ sub get_configuration( $$$ ) {
 	$capabilities{$_}    = 0 for grep /_HELPER/ , keys %capabilities;
     }
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
     #
     # Now initialize the used capabilities hash
     #
@@ -6575,6 +6606,9 @@ sub get_configuration( $$$ ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
 	require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
 	require_capability( 'ADDRTYPE', '  DOCKER=Yes', 's' );
+	default( 'DOCKER_BRIDGE' , 'docker0' );
+    } elsif ( $family == F_IPV6 ) {
+	warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} );
     }
 
     if ( supplied( $val = $config{RESTART} ) ) {
@@ -6628,6 +6662,7 @@ sub get_configuration( $$$ ) {
     if ( supplied $config{ACCOUNTING_TABLE} ) {
 	my $value = $config{ACCOUNTING_TABLE};
 	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+	fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};
     } else {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
@@ -6703,7 +6738,7 @@ sub get_configuration( $$$ ) {
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
-    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
+    require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
     numeric_option 'TC_BITS'         , 8, 0;
     numeric_option 'MASK_BITS'       , 8, 0;
@@ -6947,7 +6982,7 @@ sub get_configuration( $$$ ) {
 
     if ( $config{TC_ENABLED} ) {
 	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
-	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+	require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
     }
 
     if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
@@ -6964,9 +6999,7 @@ sub get_configuration( $$$ ) {
     }
 
     default 'RESTOREFILE'           , 'restore';
-
     default 'DROP_DEFAULT'          , 'none';
-
     default 'REJECT_DEFAULT'        , 'none';
     default 'BLACKLIST_DEFAULT'     , 'none';
     default 'QUEUE_DEFAULT'         , 'none';
@@ -7030,9 +7063,9 @@ sub get_configuration( $$$ ) {
     }
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's'                 ) if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's'        ) if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'             ) if $config{TC_ENABLED};
 
     if ( $config{WARNOLDCAPVERSION} ) {
 	if ( $capabilities{CAPVERSION} ) {
@@ -7056,8 +7089,6 @@ sub get_configuration( $$$ ) {
     }
 
     convert_to_version_5_2 if $update;
-
-    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
 
 #
@@ -7196,6 +7227,9 @@ sub generate_aux_config() {
     finalize_aux_config;
 }
 
+#
+# Generate a report of the fwmark layout
+#
 sub dump_mark_layout() {
     sub dumpout( $$$$$ ) {
 	my ( $name, $bits, $min, $max, $mask ) = @_;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Rules;
 use Shorewall::Proc;
+use sort 'stable';
 
 use strict;
 
@@ -66,6 +67,9 @@ sub initialize( $ ) {
     $family = shift;
 }
 
+#
+# Warn that the tos file is no longer supported
+#
 sub process_tos() {
 
    if ( my $fn = open_file 'tos' ) {
@@ -94,7 +98,7 @@ sub setup_ecn()
     if ( my $fn = open_file 'ecn' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
 
@@ -127,7 +131,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sortkeysiftest %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -145,6 +149,9 @@ sub setup_ecn()
     }
 }
 
+#
+# Add a logging rule followed by a jump
+#
 sub add_rule_pair( $$$$$ ) {
     my ($chainref , $predicate , $target , $level, $tag ) = @_;
 
@@ -329,7 +336,7 @@ sub convert_blacklist() {
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
-# Please see http://shorewall.net/blacklisting_support.htm for additional
+# Please see https://shorewall.org/blacklisting_support.htm for additional
 # information.
 #
 ###################################################################################################################################################################################################
@@ -402,6 +409,9 @@ EOF
     }
 }
 
+#
+# Convert a routestopped file into an equivalent stoppedrules file
+#
 sub convert_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -425,9 +435,9 @@ sub convert_routestopped() {
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+# https://shorewall.org/manpages/shorewall-stoppedrules.html
 #
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# See https://shorewall.org/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
@@ -662,31 +672,28 @@ sub process_stoppedrules() {
     $result;
 }
 
+#
+# Generate the rules required when DOCKER=Yes
+#
 sub create_docker_rules() {
+    my $bridge = $config{DOCKER_BRIDGE};
+
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
-    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
-    add_commands( $chainref ,
-		  '',
-		  'case "$g_dockernetwork" in',
-		  '    One)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
-		  '        ;;',
-		  '    Two)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
-		  '        ;;',
-		  'esac' );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ]  && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]     && echo "-A FORWARD -j DOCKER-USER" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeriso" ]      && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
 
-    if ( my $dockerref = known_interface('docker0') ) {
+    if ( my $dockerref = known_interface( $bridge ) ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
-	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $chainref, j => 'DOCKER', o => $bridge );
+	add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 
@@ -703,6 +710,9 @@ sub create_docker_rules() {
 
 sub setup_mss();
 
+#
+# Add rules generated by .conf options and interface options
+#
 sub add_common_rules ( $ ) {
     my ( $upgrade ) = @_;
     my $interface;
@@ -1283,6 +1293,13 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );
 
+#
+# Create rules generated by the 'maclist' option and by entries in the maclist file.
+#
+# The function is called twice. The first call passes '1' and causes the maclist file
+# to be processed. The second call passes '2' and generates the jumps for 'maclist'
+# interfaces.
+#
 sub setup_mac_lists( $ ) {
 
     my $phase = $_[0];
@@ -1306,7 +1323,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sortkeysiftest %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1392,7 +1409,7 @@ sub setup_mac_lists( $ ) {
 	#
 	# Generate jumps from the input and forward chains
 	#
-	for my $hostref ( @$maclist_hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$maclist_hosts : @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
@@ -1785,7 +1802,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sortkeysiftest %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -1925,7 +1942,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my $use_output        = 0;
     my @dest              = imatch_dest_net $net;
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
+    my @zone_interfaces   = sortkeysiftest %{zone_interfaces( $zone )};
 
     if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
@@ -2297,9 +2314,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sortkeysiftest %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sortkeysiftest %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2384,9 +2401,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sortkeysiftest %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sortkeysiftest %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2454,6 +2471,9 @@ sub generate_matrix() {
     }
 }
 
+#
+# Generate MSS rules
+#
 sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
@@ -2515,6 +2535,7 @@ sub compile_stop_firewall( $$$$ ) {
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
     my $forward = $filter_table->{FORWARD};
+    my $absentminded = $config{ ADMINISABSENTMINDED };
 
     emit <<'EOF';
 #
@@ -2522,7 +2543,7 @@ sub compile_stop_firewall( $$$$ ) {
 #
 stop_firewall() {
 EOF
-    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
+    $output->{policy} = 'ACCEPT' if $absentminded;
 
     if ( $family == F_IPV4 ) {
 	emit <<'EOF';
@@ -2681,7 +2702,7 @@ EOF
     #
     create_docker_rules if $config{DOCKER};
 
-    if ( $config{ADMINISABSENTMINDED} ) {
+    if ( $absentminded ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
     }
 
@@ -2690,7 +2711,7 @@ EOF
 	add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;
 
-	unless ( $config{ADMINISABSENTMINDED} ) {
+	unless ( $absentminded ) {
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
 	}
@@ -2704,12 +2725,25 @@ EOF
     
     process_stoppedrules;
 
+    if ( $family == F_IPV6 ) {
+	my $chain = new_action_chain( 'filter', 'AllowICMPs' );
+
+	for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
+	    add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
+	}
+
+	for $chain ( $input, $output, $forward ) {
+	    next if $chain eq $output && $absentminded;
+	    add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
+	}
+    }
+
     if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
-	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
     } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
-	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
     }
 
     my $interfaces = find_interfaces_by_option 'dhcp';
@@ -2719,7 +2753,7 @@ EOF
 
 	for my $interface ( @$interfaces ) {
 	    add_ijump $input,  j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
-	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED};
+	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
 	    #
 	    # This might be a bridge
 	    #

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 				$addr = $1;
+				$addr =~ s/\]-\[/-/;
 
 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -561,7 +561,7 @@ sub open_snat_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
@@ -570,7 +570,7 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	}
 
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 
 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}

Shorewall/Perl/Shorewall/Proc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -62,23 +62,61 @@ our @routemarked_interfaces;
 our %provider_interfaces;
 our @load_providers;
 
-our $balancing;
-our $fallback;
-our $balanced_providers;
-our $fallback_providers;
-our $metrics;
-our $first_default_route;
-our $first_fallback_route;
-our $maxload;
-our $tproxies;
+our $balancing;               # True, if there are balanced providers
+our $fallback;                # True, if there are fallback providers
+our $balanced_providers;      # Count of balanced providers
+our $fallback_providers;      # Count of fallback providers
+our $metrics;                 # True, if using statistical balancing
+our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
+our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
+our $maxload;                 # Sum of 'load' values
+our $tproxies;                # Count of tproxy providers
 
-our %providers;
+our %providers;               # Provider table
+#
+# %provider_table { <provider> => { provider	      => <provider name>,
+#				    number	      => <provider number>,
+#				    id		      => <name> or <number> depending on USE_RT_NAMES,
+#				    rawmark	      => <specified mark value>,
+#				    mark	      => <mark, in hex>,
+#				    interface	      => <logical interface>,
+#				    physical	      => <physical interface>,
+#				    optional	      => {0|1},
+#				    wildcard	      => <from interface>,
+#				    gateway	      => <gateway>,
+#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
+#				    shared	      => <true, if multiple providers through this interface>,
+#				    copy	      => <contents of the COPY column>,
+#				    balance	      => <balance count>,
+#				    pref	      => <route rules preference (priority) value>,
+#				    mtu		      => <mtu>,
+#				    noautosrc	      => {0|1} based on [no]autosrc setting,
+#				    track	      => {0|1} based on 'track' setting,
+#				    loose	      => {0|1} based on 'loose' setting,
+#				    duplicate	      => <contents of the DUPLICATE column>,
+#				    address	      => If {shared} above, then the local IP address.
+#							 Otherwise, the value of the 'src' option,
+#				    mac		      => Mac address of gateway, if {shared} above,
+#				    tproxy	      => {0|1},
+#				    load	      => <load % for statistical balancing>,
+#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
+#							 a real provider,
+#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
+#				    hostroute	      => {0|1} based on [no]hostroute setting,
+#				    rules	      => ( <routing rules> ),
+#				    persistent_rules  => ( <persistent routing rules> ),
+#				    routes	      => ( <routes> ),
+#				    persistent_routes => ( <persistent routes> ),
+#				    persistent	      => {0|1} depending on 'persistent' setting,
+#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
+#				    origin	      => <filename and linenumber where provider/interface defined>
+#		   }
 
-our @providers;
+our @providers;    # Provider names. Only declared names are included in this array. 
 
-our $family;
+our $family;       # Address family
 
-our $lastmark;
+our $lastmark;     # Highest assigned mark
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -132,7 +170,6 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-
     if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
     }
@@ -557,7 +594,7 @@ sub process_a_provider( $ ) {
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
-		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+		require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -677,8 +714,7 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-
-	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+	require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
@@ -1144,14 +1180,14 @@ CEOF
 	emit "fi\n";
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
+	    my $variable = get_interface_address( $interface );
 
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	    emit( "echo $variable > \${VARDIR}/${physical}.address" );
 	}
 
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	    my $variable = get_interface_gateway( $interface );
+	    emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
     } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -1856,8 +1892,8 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
-	if ( $providerref->{optional} ) {
+    for my $provider ( @providers ) {
+	if ( ( my $providerref=$providers{$provider} )->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
 		      '    case $interface in' );
@@ -2018,8 +2054,7 @@ sub compile_updown() {
 	    );
     }
 
-    my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+    my @nonshared = ( grep $providers{$_}->{optional}, sortvaluesiftest %provider_interfaces );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2034,7 +2069,7 @@ sub compile_updown() {
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    elif [ "$PHASE" != pre-down ]; then # post-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2210,9 +2245,11 @@ sub handle_optional_interfaces() {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
-	push @interfaces, $providerref->{interface};
-	$wildcards ||= $providerref->{wildcard};
+    for my $provider ( @providers ) {
+	if ( ( my $providerref = $providers{$provider} )->{optional} ) {
+	    push @interfaces, $providerref->{interface};
+	    $wildcards ||= $providerref->{wildcard};
+	}
     }
 
     #
@@ -2260,17 +2297,7 @@ sub handle_optional_interfaces() {
 
 		emit( "$physical)" ), push_indent if $wildcards;
 
-		if ( $provider eq $physical ) {
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 
 		push_indent;
 
@@ -2287,22 +2314,22 @@ sub handle_optional_interfaces() {
 		emit( 'fi' );
 
 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
+		    my $variable = get_interface_address( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
+		    my $variable = get_interface_gateway( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -155,7 +155,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sortkeysiftest %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -164,7 +164,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sortkeysiftest %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -292,6 +292,8 @@ our $mangle;
 
 our $sticky;
 
+our $excludefw;
+
 our $divertref; # DIVERT chain
 
 our %validstates = ( NEW                => 0,
@@ -365,6 +367,10 @@ sub initialize( $ ) {
     #
     %actions           = ();
     #
+    # Count of 'all[+]=' encountered
+    #
+    $excludefw         = 0;
+    #
     # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
@@ -605,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
-    my ($params, $allow_bypass ) = @_;
+sub handle_nfqueue( $ ) {
+    my ($params) = @_;
     my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
@@ -619,7 +625,6 @@ sub handle_nfqueue( $$ ) {
 
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -647,7 +652,6 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 
 	$bypass =' --queue-bypass';
     } else {
@@ -672,14 +676,42 @@ sub process_a_policy1($$$$$$$) {
 
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
-    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+    my $clientwild = ( "\L$client" =~ /^all(\+)?(?:!(.+))?$/ );
+    my $clientexclude;
+    my %clientexcluded;
 
-    $intrazone  ||= $clientwild && $1;
+    if ( $clientwild ) {
+	$intrazone ||= $1;
+
+	if ( $clientexclude = $2 ) {
+	    for my $client ( split_list( $clientexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($client)" unless defined_zone( $client );
+		$clientexcluded{$client} = 1;
+	    }
+
+	    $client = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
-    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone   ||= ( $serverwild && $1 );
+    my $serverwild = ( "\L$server" =~ /^all(\+)?(?:!(.+))?/ );
+    my $serverexclude;
+    my %serverexcluded;
+
+
+    if ( $serverwild ) {
+	$intrazone ||= $1;
+
+	if ( $serverexclude = $2 ) {
+	    for my $server ( split_list( $serverexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($server)" unless defined_zone( $server );
+		$serverexcluded{$server} = 1;
+	    }
+
+	    $server = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
@@ -687,7 +719,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -702,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
     my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
-				  0 # Don't allow 'bypass'
-	    );
+	$policy = handle_nfqueue( $queue );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -762,20 +798,20 @@ sub process_a_policy1($$$$$$$) {
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
-	    for my $zone ( @zonelist ) {
-		for my $zone1 ( @zonelist ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, @zonelist ) ) {
+		for my $zone1 ( grep( ! $serverexcluded{zone}, @zonelist ) ) {
 		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
-	    for my $zone ( all_zones ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, all_zones ) ) {
 		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
-	for my $zone ( @zonelist ) {
+	for my $zone ( grep( ! $serverexcluded{$_}, @zonelist ) ) {
 	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
@@ -802,11 +838,15 @@ sub process_a_policy() {
 
     my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $clientlist = ( $clients =~ /,/ ) ) {
+    if ( $clients =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $clientlist = ( $clients =~ /,/ ) ) {
 	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $serverlist = ( $servers =~ /,/ ) ) {
+    if ( $servers =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $serverlist = ( $servers =~ /,/ ) ) {
 	$intrazone ||= ( $servers =~ s/\+$// );
     }	
 
@@ -816,12 +856,14 @@ sub process_a_policy() {
 
     if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
+	    fatal_error "'all' is not allowed in a source zone list" if $clientlist && $client =~ /^all\b/;
 	    for my $server ( split_list( $servers, 'zone' ) ) {
+		fatal_error "'all' is not allowed in a destination zone list" if $serverlist && $server =~ /^all\b/;
 		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
     } else {
-	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone );
     }
 }
 
@@ -1564,8 +1606,8 @@ sub merge_levels ($$) {
 
     return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
 
-    my @supparts = split /:/, $superior;
-    my @subparts = split /:/, $subordinate;
+    my @supparts = split_list2( $superior ,    'Action' );
+    my @subparts = split_list2( $subordinate , 'Action' );
 
     my $subparts = @subparts;
 
@@ -2609,7 +2651,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -2658,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
-				  1 # Allow 'bypass'
-	    );
+	$action = handle_nfqueue( $param );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -3659,6 +3699,7 @@ sub next_section() {
 #
 sub build_zone_list( $$$\$\$ ) {
     my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
+    my $original_input = $input;
     my $any = ( $input =~ s/^any/all/ );
     my $exclude;
     my $rest;
@@ -3687,9 +3728,25 @@ sub build_zone_list( $$$\$\$ ) {
 	    if ( $input eq 'all+' ) {
 		$$intrazoneref = 1;
 	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "$original_input is deprecated in favor of 'any+!\$FW'";
+		    } else {
+			warning_message "$original_input is deprecated in favor of 'all+!\$FW'";
+		    }
+		}
+
 		$$intrazoneref = 1;
 		$exclude{$fw} = 1;
 	    } elsif ( $input eq 'all-' ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "any- is deprecated in favor of 'any!\$FW'";
+		    } else {
+			warning_message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
+		    }
+		}
+
 		$exclude{$fw} = 1;
 	    } else {
 		fatal_error "Invalid $which ($input)";
@@ -4889,7 +4946,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -5710,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 			    $addr = $1;
+			    $addr =~ s/\]-\[/-/;
 
 			    if ( $addr =~ /^(.+)-(.+)$/ ) {
-				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $addr, 0;

Shorewall/Perl/Shorewall/Tc.pm

@@ -10,7 +10,7 @@
 #     Modified by Tom Eastep for integration into the Shorewall distribution
 #     published under GPL Version 2#
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -2284,11 +2284,11 @@ sub open_mangle_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##############################################################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
@@ -2300,11 +2300,11 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -4,7 +4,7 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -29,6 +29,7 @@ package Shorewall::Zones;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
+use sort 'stable';
 
 use strict;
 
@@ -222,6 +223,9 @@ use constant { IN_OUT     => 1,
 	       IN         => 2,
 	       OUT        => 3 };
 
+#
+# Zone types
+#
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -231,6 +235,9 @@ use constant { FIREWALL => 1,
 	       LOCAL    => 64,
 	   };
 
+#
+# Interface option classification
+#
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
 	       ENUM_IF_OPTION     => 3,
@@ -247,11 +254,17 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 
+#
+# 'ignore' option flags
+#
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
 our %validinterfaceoptions;
 
+#
+# Interface options that are implemented in /proc
+#
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
@@ -263,6 +276,9 @@ our %procinterfaceoptions=( accept_ra   => 1,
 			    sourceroute => 1,
 			  );
 
+#
+# Options that are not allowed with unmanaged interfaces
+#
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -281,10 +297,15 @@ our %prohibitunmanaged = (
 			  upnp           => 1,
 			  upnpclient     => 1,
 			 );
-
+#
+# Default values for options that admit an optional value
+#
 our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3, routeback => 1 );
 
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
+#
+# Maximum value for options that accept a range of values
+#
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 300 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
 
 our %validhostoptions;
 
@@ -701,7 +722,7 @@ sub determine_zones()
 }
 
 #
-# Return true of we have any ipsec zones
+# Return true If we have any ipsec zones
 #
 sub haveipseczones() {
     for my $zoneref ( values %zones ) {
@@ -827,10 +848,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sortkeysiftest %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sortkeysiftest %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -872,6 +893,9 @@ sub single_interface( $ ) {
     @keys == 1 ? $keys[0] : '';
 }
 
+#
+# This function adds an interface:network pair to a zone
+#
 sub add_group_to_zone($$$$$$)
 {
     my ($zone, $type, $interface, $networks, $options, $inherit_options) = @_;
@@ -976,6 +1000,9 @@ sub find_zone( $ ) {
     $zoneref;
 }
 
+#
+# Access functions for zone members
+#
 sub zone_type( $ ) {
     find_zone( $_[0] )->{type};
 }
@@ -990,26 +1017,44 @@ sub zone_mark( $ ) {
     $zoneref->{mark};
 }
 
+#
+# Returns the zone table entry for the passed zone name
+#
 sub defined_zone( $ ) {
     $zones{$_[0]};
 }
 
+#
+# Returns a list of all defined zones
+#
 sub all_zones() {
     @zones;
 }
 
+#
+# Returns a list of zones in the firewall itself (the firewall zone and vserver zones)
+#
 sub on_firewall_zones() {
    grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall and vserver zones
+#
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
+#
+# Returns a list of zones excluding the firewall zones
+#
 sub non_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }
 
+#
+# Returns the list of zones that don't contain sub-zones
+#
 sub all_parent_zones() {
     #
     # Although the firewall zone is technically a parent zone, we let the caller decide
@@ -1018,22 +1063,37 @@ sub all_parent_zones() {
     grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }
 
+#
+# Returns a list of complex zones (ipsec or with multiple interface:subnets)
+#
 sub complex_zones() {
     grep( $zones{$_}{complex} , @zones );
 }
 
+#
+# Returns a list of vserver zones
+#
 sub vserver_zones() {
     grep ( $zones{$_}{type} & VSERVER, @zones );
 }
 
+#
+# Returns the name of the firewall zone
+#
 sub firewall_zone() {
     $firewall_zone;
 }
 
+#
+# Returns a list of loopback zones
+#
 sub loopback_zones() {
     @loopback_zones;
 }
 
+#
+# Returns a list of local zones
+#
 sub local_zones() {
     @local_zones;
 }
@@ -1182,7 +1242,7 @@ sub process_interface( $$ ) {
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
     if ( supplied $port ) {
-	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
+	fatal_error qq("Virtual" interfaces are not supported -- see https://shorewall.org/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};
 
@@ -2261,9 +2321,9 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2291,9 +2351,9 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {

Shorewall/Perl/compiler.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -34,6 +34,8 @@
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
+#         --test                      # Used by the regression library to omit versions and time/dates
+#                                     # from the generated script
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
 #         --shorewallrc=<path>        # Path to global shorewallrc file.

Shorewall/Perl/getparams

@@ -4,7 +4,7 @@
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -897,6 +897,14 @@ detect_dynamic_gateway() { # $1 = interface
 	fi
     done
 
+    if [ -z "$gateway" -a -n "$(mywhich nmcli)" ]; then
+	if [ $g_family = 4 ]; then
+	    gateway=$(nmcli --fields DHCP4.OPTION,IP4.GATEWAY device show ${1} 2> /dev/null | sed -rn '/( routers = |IP4.GATEWAY:.*[1-9])/{s/.* //;p;q}')
+	else
+	    gateway=$(nmcli --terse --fields IP6.GATEWAY device show ${1} 2> /dev/null | cut -f2- -d':')
+	fi
+    fi
+
     [ -n "$gateway" ] && echo $gateway
 }
 

Shorewall/Perl/prog.footer

@@ -42,6 +42,7 @@ usage() {
     echo "   up <interface>"
     echo "   savesets <file>"
     echo "   call <function> [ <parameter> ... ]"
+    echo "   help"
     echo "   version"
     echo "   info"
     echo
@@ -54,6 +55,8 @@ usage() {
     echo "   -c               Save/restore iptables counters"
     echo "   -V <verbosity>   Set verbosity explicitly"
     echo "   -R <file>        Override RESTOREFILE setting"
+    echo "   -T               Trace execution"
+    echo "   -D               Debug iptables"
     exit $1
 }
 
@@ -109,20 +112,6 @@ reload_command() {
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 #
-# Start trace if first arg is "debug" or "trace"
-#
-g_debug_iptables=
-
-if [ $# -gt 1 ]; then
-    if [ "x$1" = "xtrace" ]; then
-	set -x
-	shift
-    elif [ "x$1" = "xdebug" ]; then
-	g_debug_iptables=Yes
-	shift
-    fi
-fi
-#
 # Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
@@ -148,9 +137,11 @@ g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
-g_dockernetwork=
+g_dockeriso=
+g_dockerisostage=
 g_forcereload=
 g_fallback=
+g_debug_iptables=
 
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 
@@ -257,6 +248,14 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			RESTOREFILE=$option
 			option=
 			;;
+		    T*)
+			set -x;
+			option=${option#T}
+			;;
+		    D*)
+			g_debug_iptables=Yes
+			option=${option#D}
+			;;
 		    *)
 			usage 1
 			;;

Shorewall/Samples/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.net/shorewall_quickstart_guide.htm
+https://shorewall.org/shorewall_quickstart_guide.htm
 
     Shorewall Samples
     Copyright (C) 2006 by the following authors:

Shorewall/Samples/Universal/interfaces

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
+# https://shorewall.org/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 ?FORMAT 2

Shorewall/Samples/Universal/policy

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
+# https://shorewall.org/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT

Shorewall/Samples/Universal/rules

@@ -4,7 +4,7 @@
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
+# https://shorewall.org/manpages/shorewall-rules.html
 #
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER