Merge branch 'busybox-shell-fixes/v1' into 'master'

lib.cli-std: fix two shell errors when AUTOMAKE is false

See merge request shorewall/code!14

.gitattributes

@@ -0,0 +1 @@
+*targetname export-ignore

Shorewall-core/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall-core/Shorewall-core-targetname

@@ -0,0 +1 @@
+5.2.8-RC1

Shorewall-core/configure

@@ -4,7 +4,7 @@
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/configure.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
 
 echo
 echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
+#
+# Install stop_service
+#
+if [ -n "${STOPSERVICEFILE}" ]; then
+    install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
+
+    echo
+    echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
+fi
 
 #
 # Install the libraries

Shorewall-core/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.cli

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50207
 
 if [ -z "$g_basedir" ]; then
     #
@@ -247,10 +247,39 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc1() {
+show_one_classifier() {
+    local class
 
+    qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'
+    tc filter show dev $1
+    tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+	if [ -n "$class" ]; then
+	    echo
+	    echo Node $class
+	    tc filter show dev $device parent $class
+	fi
+    done
+    echo
+}
+
+show_classifier1() {
+    local device
+    local qdisc
+
+    device=${1%@*}
+    qdisc=$(tc qdisc list dev $device)
+    if [ -n "$qdisc" ]; then
+	echo Device $device:
+	show_one_classifier $device
+    fi
+}
+
+show_tc1() {
     show_one_tc() {
 	local device
+	local qdisc
+	local ingress
+
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)
 
@@ -260,6 +289,7 @@ show_tc1() {
 	    echo
 	    tc -s -d class show dev $device
 	    echo
+	    show_one_classifier $device "$qdisc"
 	fi
     }
 
@@ -270,7 +300,6 @@ show_tc1() {
 	    show_one_tc ${interface%:}
 	done
     fi
-
 }
 
 show_tc() {
@@ -291,28 +320,8 @@ show_tc() {
 #
 show_classifiers() {
 
-    show_one_classifier() {
-	local device
-	device=${1%@*}
-	qdisc=$(tc qdisc list dev $device)
-
-	if [ -n "$qdisc" ]; then
-	    echo Device $device:
-	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
-	    tc filter show dev $device
-	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
-		if [ -n "$class" ]; then
-		    echo
-		    echo Node $class
-		    tc filter show dev $device parent $class
-		fi
-	    done
-	    echo
-	fi
-    }
-
     ip -o link list | while read inx interface details; do
-	show_one_classifier ${interface%:}
+	show_classifier1 ${interface%:}
     done
 
 }
@@ -937,11 +946,28 @@ show_events() {
     fi
 }
 
+sort_actions() {
+    local sep #separates sort keys from the action[.std] record
+    sep="##"
+
+    awk -v sep="$sep" \
+         'BEGIN		  { action = ""; ifrec = ""; nr = 0; };\
+	  /^#/	  	  { next; };\
+	  /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
+	  /^( |\t|\?)/	  { if ( action != "" ) print action, NR, sep $0; next; };\
+			  { action = $1; };\
+	  nr != 0	  { print action , nr, sep ifrec; nr = 0; };\
+			  { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
+}
+
 show_actions() {
-    if [ -f ${g_confdir}/actions ]; then
+    local actions
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+    actions=$(find_file actions)
+
+    if [ -f ${actions} ]; then
+	cat ${actions} ${g_sharedir}/actions.std | sort_actions
     else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+        sort_actions < ${g_sharedir}/actions.std
     fi
 }
 
@@ -1000,6 +1026,8 @@ show_mangle() {
 show_classifiers_command() {
     echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
     echo
+    echo "Warning: This command is deprecated in favor of the 'show tc' command"
+    echo
     show_classifiers
 }
 
@@ -1108,10 +1136,6 @@ show_blacklists() {
     show_bl;
 }
 
-show_actions_sorted() {
-    show_actions | sort
-}
-
 show_macros() {
     for directory in $(split $CONFIG_PATH); do
 	temp=
@@ -1543,7 +1567,7 @@ show_command() {
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
-			    eval show_actions_sorted $g_pager
+			    eval show_actions $g_pager
 			    return
 			    ;;
 			macro)
@@ -1891,8 +1915,6 @@ do_dump_command() {
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
 	show_tc1
-	heading "TC Filters"
-	show_classifiers
 	fi
 }
 
@@ -2651,6 +2673,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
 
@@ -2667,6 +2690,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -2863,6 +2887,7 @@ determine_capabilities() {
     NETMAP_TARGET=
     NFLOG_SIZE=
     RESTORE_WAIT_OPTION=
+    CONNMARK_ACTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -3230,6 +3255,10 @@ determine_capabilities() {
 	    BASIC_FILTER=Yes
 	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 	fi
+
+	if $TC action add connmark help 2>&1 | grep -q ^Usage; then
+	    CONNMARK_ACTION=Yes
+	fi
     fi
 
     [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
@@ -3373,6 +3402,7 @@ report_capabilities_unsorted() {
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
     report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
     report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
+    report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3479,6 +3509,7 @@ report_capabilities_unsorted1() {
     report_capability1 NFLOG_SIZE
     report_capability1 RESTORE_WAIT_OPTION
     report_capability1 NAT_INPUT_CHAIN
+    report_capability1 CONNMARK_ACTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3574,7 +3605,7 @@ status_command() {
 
     [ $# -eq 0 ] || missing_argument
 
-    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
     [ -n "$interfaces" ] && show_interfaces
     exit $status
@@ -3622,6 +3653,7 @@ reject_command() {
 
 blacklist_command() {
     local family
+    local timeout
 
     [ $# -gt 0 ] || fatal_error "Missing address"
 
@@ -3639,10 +3671,17 @@ blacklist_command() {
 	    ;;
     esac
 
-    if $IPSET -A $g_blacklistipset $@ -exist; then
+    if [ $COMMAND = 'blacklist!' ]; then
+	timeout='timeout 0'
+    else
+	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    fi
+
+    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 
 	progress_message2 "$1 Blacklisted"
+	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3897,7 +3936,7 @@ setup_dbl() {
     case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
 
@@ -3905,11 +3944,49 @@ setup_dbl() {
 	    ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+	ipset*,log*)
+	    #
+	    # Capture 'log'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+	    g_dbllog=Yes
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,noupdate*)
+	    #
+	    # This utility doesn't use this option
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+	    ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
+	    # Capture timeout
 	    #
+	    local ifs
+	    local f
+
+	    ifs=$IFS
+	    IFS=','
+
+	    for f in $DYNAMIC_BLACKLIST; do
+		case $f in
+		    timeout=*)
+			g_dbltimeout=${f#timeout=}
+			g_dbltimeout=${g_dbltimeout%%:*}
+			break
+			;;
+		esac
+	    done
+
+	    IFS=$ifs
+
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
     esac
@@ -3942,9 +4019,15 @@ setup_dbl() {
 # the Standard CLI by loading lib.cli-std
 ################################################################################
 #
-# Set the configuration variables from shorewall[6]-lite.conf.
+# Set the configuration variables from shorewall[6]-lite.conf. This function
+# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
+# Shorewall6 is being run.
 #
-get_config() {
+#     $1 = Yes: read the params file
+#     $2 = Yes: check for STARTUP_ENABLED
+#     $3 = Yes: Check for LOGFILE
+#
+lite_get_config() {
     local config
     local lib
 
@@ -3964,7 +4047,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4093,7 +4176,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -4106,10 +4189,22 @@ get_config() {
     [ -f $lib ] && . $lib
 
 }
+
+#
+# get_config() -- calls the appropriate xxx_get_config()
+#
+get_config() {
+    if [ -z "$g_lite" ]; then
+	std_get_config $@
+    else
+	lite_get_config $@
+    fi
+}
+
 #
 # Start Command Executor
 #
-start_command() {
+lite_start_command() {
     local finished
     finished=0
 
@@ -4120,14 +4215,14 @@ start_command() {
 
 	if [ -x $g_firewall ]; then
 	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+		run_it ${VARDIR}/${RESTOREFILE} restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it $g_firewall start
 	    fi
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger kern.err "ERROR:$g_product start failed"
+	    mylogger daemon.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
 
@@ -4196,10 +4291,21 @@ start_command() {
     do_it
 }
 
+#
+# start_command() -- calls the appropriate xxx_start_command()
+#
+start_command() {
+    if [ -z "$g_lite" ]; then
+	std_start_command $@
+    else
+	lite_start_command $@
+    fi
+}
+
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+lite_restart_command() {
     local finished
     finished=0
     local rc
@@ -4256,11 +4362,11 @@ restart_command() {
     [ -n "$g_nolock" ] || mutex_on
 
     if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it $g_firewall $COMMAND
 	rc=$?
     else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
 
@@ -4268,9 +4374,20 @@ restart_command() {
     return $rc
 }
 
+#
+# restart_command() -- calls the appropriate xxx_restart_command()
+#
+restart_command() {
+    if [ -z "$g_lite" ]; then
+	std_restart_command $@
+    else
+	lite_restart_command $@
+    fi
+}
+
 run_command() {
     if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it $g_firewall $@
     else
 	fatal_error "$g_firewall does not exist or is not executable"
     fi
@@ -4287,14 +4404,20 @@ ecko() {
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "   -T : Direct the generated script to produce a shell trace to standard error"
+    echo "   -D : Debug iptables commands"
+    echo "   -N : Don't take the master shorewall lock"
+    echo "   -q : Standard Shorewall verbosity control"
+    echo "   -v : Standard Shorewall verbosity control"
+    echo "   -t : Timestamp all messages"
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   blacklist <address> [ <option> ... ]"
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]"
     echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]"
     echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
@@ -4317,7 +4440,6 @@ usage() # $1 = exit status
 	echo "   iptrace <ip6tables match expression>"
     fi
 
-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
@@ -4335,7 +4457,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     if [ -z "$g_lite" ]; then
@@ -4351,7 +4473,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
@@ -4366,12 +4488,11 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
-    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] {classifiers|filters)"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
     echo "   [ show | list | ls ] event [ <event> ...]"
     echo "   [ show | list | ls ] events"
-    echo "   [ show | list | ls ] filters"
     echo "   [ show | list | ls ] ip"
 
     if [ $g_family -eq 4 ]; then
@@ -4415,20 +4536,16 @@ usage() # $1 = exit status
 # here if that lib is loaded below.
 #
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
     g_nolock=
-
+    #
+    # We'll keep this around for a while so we don't break people's started scripts
+    #
     if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 	g_nolock=nolock
 	shift
     fi
 
+    g_debugging=
     g_noroutes=
     g_purge=
     g_ipt_options="-nv"
@@ -4456,6 +4573,9 @@ shorewall_cli() {
     g_blacklistipset=
     g_disconnect=
     g_havemutex=
+    g_trace=
+    g_dbltimeout=
+    g_dbllog=
 
     VERBOSE=
     VERBOSITY=1
@@ -4587,6 +4707,17 @@ shorewall_cli() {
 			    finished=1
 			    option=
 			    ;;
+			T*)
+			    g_debugging=trace
+			    option=${option#T}
+			    ;;
+			D*)
+			    g_debugging=debug
+			    option=${option#D}
+			    ;;
+			N*)
+			    g_nolock=nolock
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -4622,7 +4753,7 @@ shorewall_cli() {
 	exit 1
     fi
 
-    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
+    banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"
 
     COMMAND=$1
 
@@ -4639,7 +4770,7 @@ shorewall_cli() {
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
-	    run_it $g_firewall $g_debugging $COMMAND
+	    run_it $g_firewall $COMMAND
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
@@ -4648,7 +4779,7 @@ shorewall_cli() {
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
-	    run_it $g_firewall $g_debugging reset $@
+	    run_it $g_firewall reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
@@ -4661,12 +4792,12 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it $g_firewall $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4712,7 +4843,7 @@ shorewall_cli() {
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
-	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
+	    banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
@@ -4744,7 +4875,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)
@@ -4816,7 +4947,7 @@ shorewall_cli() {
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
-		    run_it $g_firewall $g_debugging call $@
+		    run_it $g_firewall call $@
 		fi
 	    else
 		missing_argument

Shorewall-core/lib.common

@@ -3,7 +3,7 @@
 #
 #     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -55,13 +55,13 @@ startup_error() # $* = Error Message
 
     case $COMMAND in
         start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
     esac
 
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message
 #
 run_it() {
     local script
-    local options
+    local options='-'
 
     export VARDIR
 
     script=$1
     shift
 
-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
+
-	options="$1 -"
+    if [ "$g_debugging" = debug ]; then
-	shift;
+	options='-D'
+    elif [ "$g_debugging" = trace ]; then
+	options='-T'
     else
-	options='-'
+	options='-';
     fi
 
     [ -n "$g_noroutes" ]   && options=${options}n
@@ -411,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -736,8 +738,8 @@ truncate() # $1 = length
 
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
+# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
-# the first argument. Example "shorewall nolock refresh"
+# the first argument. Example "shorewall -N refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the

Shorewall-core/lib.core

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -337,8 +337,15 @@ ensure_config_path() {
 	. $F
     fi
 
-    if [ -n "$g_shorewalldir" ]; then
+    if [ -n "$g_shorewalldir" ] && [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ];then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+	case $CONFIG_PATH in
+	    :*)
+		CONFIG_PATH=${g_shorewalldir}${CONFIG_PATH}
+		;;
+	    *)
+		CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+		;;
+	esac
     fi
 }
 

Shorewall-core/lib.installer

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.uninstaller

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/shorewall

@@ -5,7 +5,7 @@
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/shorewallrc.debian.systemd

@@ -22,3 +22,4 @@ SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
+STOPSERVICEFILE=stop_service.debian	#Name of script to stop systemd service that honours `SAFESTOP`.

Shorewall-core/stop_service.debian

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+PRODUCT=$1
+
+. /etc/default/${PRODUCT}
+
+if [ "$SAFESTOP" = 1 ]; then
+  COMMAND=stop
+else
+  COMMAND=clear
+fi
+
+if [ "${PRODUCT}" = shorewall6 ]; then
+  EXEC="/sbin/shorewall -6"
+else
+  EXEC="/sbin/${PRODUCT}"
+fi
+
+exec ${EXEC} ${OPTIONS} ${COMMAND}

Shorewall-core/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -134,6 +134,7 @@ fi
 
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
+remove_file ${SBINDIR}/shorewall
 
 #
 # Report Success

Shorewall-core/wait4ifup

@@ -6,7 +6,7 @@
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/ifupdown.debian.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -110,7 +110,7 @@ case $0 in
 	;;
     *)
         #
-        # Debian ifupdown system
+        # Debian ifupdown system - MODE and INTERFACE inherited from the environment
         #
 	INTERFACE="$IFACE"
 
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then

Shorewall-init/ifupdown.fedora.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -90,6 +90,8 @@ case $0 in
 		COMMAND=down
 		;;
 	    *dispatcher.d*)
+		case "$2" in
+		    up|down)
 			COMMAND="$2"
 			;;
 		    *)
@@ -97,6 +99,11 @@ case $0 in
 			;;
 		esac
 		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
 esac
 
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null

Shorewall-init/ifupdown.suse.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -120,8 +120,15 @@ case $0 in
 	case $0 in
 	    *dispatcher.d*)
 		INTERFACE="$1"
+		case "$2" in
+		    up|down)
 			COMMAND="$2"
 			;;
+		    *)
+			exit 0
+			;;
+		esac
+		;;
 	    *if-up.d*)
 		COMMAND=up
 		;;

Shorewall-init/init.debian.sh

@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/init.suse.sh

@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/install.sh

@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID=)
+		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
 
 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -357,12 +357,11 @@ fi
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
     elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	rm -f ${CONFDIR}/network/if-down.d/shorewall
     fi
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -388,7 +387,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    else
+	    elif [ "$HOST" != debian ]; then
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -417,19 +416,22 @@ if [ $HOST != openwrt ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
+    if [ "$HOST" = debian ]; then
+	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
+    else
 	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
 	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi
 
 case $HOST in
     debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;

Shorewall-init/shorewall-init

@@ -6,7 +6,7 @@
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is part of Shorewall.
 #
@@ -25,6 +25,7 @@
 #
 ###############################################################################
 # set the STATEDIR variable
+
 setstatedir() {
     local statedir
     if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -42,6 +43,67 @@ setstatedir() {
     fi
 }
 
+# Initialize the firewalls
+
+shorewall_init_start () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Initializing \"Shorewall-based firewalls\": "
+
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in a sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} stop
+		fi
+	    )
+	fi
+    done
+
+    return 0
+}
+
+# Clear the firewalls
+
+shorewall_init_stop () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Clearing \"Shorewall-based firewalls\": "
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} clear
+		fi
+	    )
+	fi
+    done
+
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
+	fi
+    fi
+
+    return 0
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -59,62 +121,12 @@ else
     exit 1
 fi
 
-# Initialize the firewall
-shorewall_start () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
-    return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" ]; then
-	mkdir -p $(dirname "$SAVE_IPSETS")
-	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
-	fi
-    fi
-
-    return 0
-}
-
 case "$1" in
     start)
-	shorewall_start
+	shorewall_init_start
 	;;
     stop)
-	shorewall_stop
+	shorewall_init_stop
 	;;
     *)
 	echo "Usage: $0 {start|stop}"

Shorewall-init/shorewall-init.service

@@ -12,7 +12,7 @@ Wants=network-pre.target
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
+StandardOutput=journal
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 

Shorewall-init/shorewall-init.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
+Documentation=man:shorewall-init(8)
 Before=network.target
 
 [Service]

Shorewall-lite/Shorewall-lite-targetname

@@ -0,0 +1 @@
+5.2.4.1

Shorewall-lite/init.debian.sh

@@ -13,8 +13,8 @@
 
 . /lib/lsb/init-functions
 
-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall
-SRWL_OPTS="-tvv"
+SRWL_OPTS="-ltvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
 [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

Shorewall-lite/init.openwrt.sh

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.sh

@@ -7,7 +7,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.suse.sh

@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -426,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
     install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi
 
 if [ -f helpers ]; then
@@ -433,11 +438,6 @@ if [ -f helpers ]; then
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #

Shorewall-lite/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -183,7 +183,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    url="https://shorewall.org/Documentation_Index.html">https://shorewall.org/Documentation_Index.html</ulink></para>
 
     <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),

Shorewall-lite/shorewall-lite.conf

@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  https://shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall-lite/shorewall-lite.service

@@ -13,7 +13,7 @@ Conflicts=iptables.service firewalld.service
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
+StandardOutput=journal
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 

Shorewall-lite/shorewall-lite.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
+Documentation=man:shorewall-lite(8)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
@@ -16,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall-lite
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall/Actions/action.A_REJECT

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.A_REJECT!

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.AllowICMPs

@@ -20,22 +20,23 @@ DEFAULTS ACCEPT
 
 # The following should have a ttl of 255 and must be allowed to transit a bridge
     @1	-		-	ipv6-icmp	router-solicitation
-    @1	-		-	ipv6-icmp	router-advertisement
     @1	-		-	ipv6-icmp	neighbour-solicitation
     @1	-		-	ipv6-icmp	neighbour-advertisement
-    @1	-		-	ipv6-icmp	137	# Redirect
     @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
     @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
 
-# The following should have a link local source address and must be allowed to transit a bridge
+# The following must have a link local source address and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	130	# Listener query
     @1	fe80::/10	-	ipv6-icmp	131	# Listener report
     @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	router-advertisement
+    @1	::		-	ipv6-icmp	143	# Listener report v2
     @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
 
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
-    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	::		-	ipv6-icmp	148	# Certificate path solicitation
-    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+    @1	fe80::/10	-	ipv6-icmp	148	# Certificate path solicitation
+    @1	fe80::/10	-	ipv6-icmp	149	# Certificate path advertisement
 
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement

Shorewall/Actions/action.Broadcast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.DNSAmp

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Established

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.FIN

@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.IfEvent

@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
@@ -115,8 +115,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
     
-    print "Resetting....\n";
-    
     my $mark = $globals{EVENT_MARK};
     #
     # The event mark bit must be within 32 bits

Shorewall/Actions/action.Invalid

@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Limit

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Multicast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.New

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.NotSyn

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.RST

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Related

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.ResetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.SetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 
 DEFAULTS -,ACCEPT,src

Shorewall/Actions/action.Untracked

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowInvalid

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowinUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcasts

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropInvalid

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.forwardUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.mangletemplate

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.

Shorewall/Actions/action.rejNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.template

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.

Shorewall/Contrib/swping

@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.net/MultiISP.html#swping.
+#  For information about this script, see  https://shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #

Shorewall/Contrib/swping.init

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall/Macros/macro.Bitcoin

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333

Shorewall/Macros/macro.BitcoinRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332

Shorewall/Macros/macro.BitcoinRegtest

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRegtest
+#
+# Macro for handling Bitcoin P2P traffic (Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18444

Shorewall/Macros/macro.BitcoinTestnet

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnet
+#
+# Macro for handling Bitcoin P2P traffic (Testnet mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18333

Shorewall/Macros/macro.BitcoinTestnetRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnetRPC
+#
+# Macro for handling Bitcoin RPC traffic (Testnet and Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18332

Shorewall/Macros/macro.BitcoinZMQ

@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332

Shorewall/Macros/macro.NFS

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.NFS
+#
+# This macro handles NFS v4.1+ traffic with default ports.
+# You should only allow NFS traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	111		# portmapper, rpcbind
+PARAM	-	-	tcp	2049		# nfs
+PARAM	-	-	tcp	20048		# mountd

Shorewall/Macros/macro.ONCRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111

Shorewall/Macros/macro.Tor

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	

Shorewall/Macros/macro.TorBrowserBundle

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150

Shorewall/Macros/macro.TorControl

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	

Shorewall/Macros/macro.TorDirectory

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030

Shorewall/Macros/macro.TorMetrics

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorMetrics
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9035	

Shorewall/Macros/macro.TorSocks

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	

Shorewall/Macros/macro.WUDO

@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680

Shorewall/Perl/Shorewall/ARP.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
+	} elsif ( $action ne 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -37,6 +37,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
 use strict;
+use sort 'stable';
 
 our @ISA = qw(Exporter);
 our @EXPORT = ( qw(
@@ -319,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
+#                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -430,13 +432,14 @@ our $VERSION = 'MODULEVERSION';
 #      Untracked       - =<z1-z2>
 #
 our %chain_table;
-our $raw_table;
+our $raw_table;         # Reference to $chain_table{raw}
-our $nat_table;
+our $nat_table;         # Reference to $chain_table{nat}
-our $mangle_table;
+our $mangle_table;      # Reference to $chain_table{mangle}
-our $filter_table;
+our $filter_table;      # Reference to $chain_table{filter}
-our $export;
+
-our %renamed;
+our $export;            # True if we are compiling for export
-our %nfobjects;
+our %renamed;           # Maps chain renaming during optimization
+our %nfobjects;         # Records nfacct objects
 
 #
 # Target Types
@@ -464,10 +467,10 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	       TARPIT       => 0x200000,       #TARPIT
 
-	       FILTER_TABLE =>  0x1000000,
+	       FILTER_TABLE =>  0x1000000,     #Target allowed in the filter table
-	       MANGLE_TABLE =>  0x2000000,
+	       MANGLE_TABLE =>  0x2000000,     #Target allowed in the mangle table
-	       RAW_TABLE    =>  0x4000000,
+	       RAW_TABLE    =>  0x4000000,     #Target allowed in the raw table
-	       NAT_TABLE    =>  0x8000000,
+	       NAT_TABLE    =>  0x8000000,     #Target allowed in the nat table
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -535,6 +538,9 @@ our $ipset_rules;
 #
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
+#
+# Chain optimization flags
+#
 use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
 
 our %dscpmap = ( CS0  => 0x00,
@@ -686,15 +692,15 @@ our %ipset_exists;
 #
 # The following constants and hash are used to classify keys in a rule hash
 #
-use constant { UNIQUE      => 1,
+use constant { UNIQUE      => 1,       # Simple header matches - only allowed once per rule
-	       TARGET      => 2,
+	       TARGET      => 2,       # Rule target or its options
-	       EXCLUSIVE   => 4,
+	       EXCLUSIVE   => 4,       # 'state' or 'conntrack --ctstate'
-	       MATCH       => 8,
+	       MATCH       => 8,       # Currently means 'policy ...'
-	       CONTROL     => 16,
+	       CONTROL     => 16,      # Unsed internally by the compiler - does not contribute to the iptables rule
-	       COMPLEX     => 32,
+	       COMPLEX     => 32,      # Currently means 'contrack --cstate'
-	       NFACCT      => 64,
+	       NFACCT      => 64,      # nfacct match
-	       EXPENSIVE   => 128,
+	       EXPENSIVE   => 128,     # Has high match-processing cost in the kernel
-	       RECENT      => 256,
+	       RECENT      => 256,     # recent match
 	   };
 
 our %opttype = ( rule          => CONTROL,
@@ -721,6 +727,7 @@ our %opttype = ( rule          => CONTROL,
 		 'icmpv6-type' => UNIQUE,
 
 		 comment       => CONTROL,
+		 digest        => CONTROL,
 
 		 policy        => MATCH,
 		 state         => EXCLUSIVE,
@@ -740,6 +747,9 @@ our %opttype = ( rule          => CONTROL,
 		 targetopts    => TARGET,
 	       );
 
+#
+# These allow the user to specify long option names in raw ip[6]tables input
+#
 our %aliases = ( protocol        => 'p',
 		 source          => 's',
 		 destination     => 'd',
@@ -759,7 +769,7 @@ our %isocodes;
 
 use constant { ISODIR => '/usr/share/xt_geoip/LE' };
 
-our %switches;
+our %switches;   # Recoreds switches (conditions)
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -785,7 +795,9 @@ sub initialize( $$$ ) {
     $filter_table  = $chain_table{filter};
     %renamed       = ();
     #
-    # Used to sequence chain names in each table.
+    # Used to sequence chain names in each table. $hard is true on the initial call to this function and
+    # false, when this function is called a second time to re-initialize before generating stopped ip[6]tables-
+    # restore input
     #
     %chainseq = () if $hard;
     #
@@ -882,7 +894,7 @@ sub validate_port( $$ ) {
 
     fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
 
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])";
 }
 
 #
@@ -1134,6 +1146,19 @@ sub set_rule_option( $$$ ) {
 	#
 	# Consider each subtype as a separate type
 	#
+	if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
+	    my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
+
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $subtype );
+		$value  = join( ' ', $invert, $val );
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $invert , $option );
+		$value   = $invert;
+	    }
+	} else {
 	    my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
 
 	    if ( $invert eq '!' ) {
@@ -1145,6 +1170,7 @@ sub set_rule_option( $$$ ) {
 		$option  = join( ' ', $option, $invert );
 		$value   = $subtype;
 	    }
+	}
 
 	$opttype = EXCLUSIVE;
     }
@@ -1216,8 +1242,8 @@ sub transform_rule( $;\$ ) {
 	    $option = $2;
 	} elsif ( $input =~ s/^(!\s+)?--([^\s]+)\s*// ) {
 	    $invert = '!' if $1;
-	    my $opt = $option = $2;
+	    my $opt = $2;
-	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};
+	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$opt};
 	} else {
 	    fatal_error "Unrecognized iptables option string ($input)";
 	}
@@ -1416,7 +1442,7 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies
+    # Don't combine rules where each specifies
     #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
@@ -1745,6 +1771,10 @@ sub add_rule($$;$) {
 #
 # New add_rule implementation
 #
+
+#
+# Push a set of matches into an irule (a rule using the new hash representation)
+#
 sub push_matches {
 
     my $ruleref = shift;
@@ -1911,6 +1941,9 @@ sub compare_values( $$ ) {
     }
 }
 
+#
+# Add an irule with matches but no target
+#
 sub add_irule( $;@ ) {
     my ( $chainref, @matches ) = @_;
 
@@ -2712,6 +2745,12 @@ sub add_expanded_jump( $$$$ ) {
     add_reference( $chainref, $toref ) while --$splitcount > 0;
 }
 
+#
+# Utility function used by add_ijump() and add_ijump_extended().
+# Returns a reference to the added rule. Return may be reference
+# to the dummy rule if the chain was already complete (last rule
+# is a simple jump to a terminating target).
+#
 sub add_ijump_internal( $$$$$;@ ) {
     my ( $fromref, $jump, $to, $expandports, $origin, @matches ) = @_;
 
@@ -2759,16 +2798,26 @@ sub add_ijump_internal( $$$$$;@ ) {
     $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
 }
 
+#
+# Add an jump to the end of a chain
+#
 sub add_ijump( $$$;@ ) {
     my ( $fromref, $jump, $to, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, '', @matches );
 }
 
+#
+# Like add_ijump() but also accepts an origin of the jump (the config file and line number
+# that caused the jump to be generated).
+#
 sub add_ijump_extended( $$$$;@ ) {
     my ( $fromref, $jump, $to, $origin, @matches ) = @_;
     add_ijump_internal( $fromref, $jump, $to, 0, $origin, @matches );
 }
 
+#
+# Insert a jump at a zero-relative index into a chain.
+#
 sub insert_ijump( $$$$;@ ) {
     my ( $fromref, $jump, $to, $index, @matches ) = @_;
 
@@ -2840,6 +2889,9 @@ sub delete_jumps ( $$ ) {
     }
 }
 
+#
+# Reset the passed flag(s) in the passed chain
+#
 sub reset_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -2852,6 +2904,9 @@ sub reset_optflags( $$ ) {
     $chainref;
 }
 
+#
+# Set the passed flag(s) in the passed chain
+#
 sub set_optflags( $$ ) {
     my ( $chain, $flags ) = @_;
 
@@ -2966,6 +3021,10 @@ sub accounting_chainrefs() {
     grep $_->{accounting} , values %$filter_table;
 }
 
+#
+# Ensure the existance of a chain in the mangle table and return
+# a reference to its chain table entry
+#
 sub ensure_mangle_chain($;$$) {
     my ( $chain, $number, $restriction ) = @_;
 
@@ -2976,6 +3035,10 @@ sub ensure_mangle_chain($;$$) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the nat table and return
+# a reference to its chain table entry
+
 sub ensure_nat_chain($) {
     my $chain = $_[0];
 
@@ -2984,6 +3047,10 @@ sub ensure_nat_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a chain in the raw table and return
+# a reference to its chain table entry
+#
 sub ensure_raw_chain($) {
     my $chain = $_[0];
 
@@ -3007,12 +3074,18 @@ sub new_builtin_chain($$$)
     $chainref;
 }
 
+#
+# Create a chain in the filter table, returning a reference to its chain table entry
+#
 sub new_standard_chain($) {
     my $chainref = new_chain 'filter' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new action chain, returning a reference to its chain table entry
+#
 sub new_action_chain($$) {
     my $chainref = &new_chain( @_ );
     $chainref->{referenced} = 1;
@@ -3020,12 +3093,18 @@ sub new_action_chain($$) {
     $chainref;
 }
 
+#
+# Create a chain in the nat table, returning a reference to its chain table entry
+#
 sub new_nat_chain($) {
     my $chainref = new_chain 'nat' ,$_[0];
     $chainref->{referenced} = 1;
     $chainref;
 }
 
+#
+# Create a new manual chain, returning a reference to its chain table entry
+#
 sub new_manual_chain($) {
     my $chain = $_[0];
     fatal_error "Chain name ($chain) too long" if length $chain > 29;
@@ -3036,6 +3115,9 @@ sub new_manual_chain($) {
     $chainref;
 }
 
+#
+# Ensure the existance of a manual chain and return a reference to its chain table entry
+#
 sub ensure_manual_chain($) {
     my $chain = $_[0];
     my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
@@ -3045,6 +3127,9 @@ sub ensure_manual_chain($) {
 
 sub log_irule_limit( $$$$$$$$@ );
 
+#
+# Ensure the existance of the blacklist logging chain (blacklog)
+#
 sub ensure_blacklog_chain( $$$$$ ) {
     my ( $target, $disposition, $level, $tag, $audit ) = @_;
 
@@ -3063,6 +3148,9 @@ sub ensure_blacklog_chain( $$$$$ ) {
     'blacklog';
 }
 
+#
+# Ensure the existance of the audited blacklist logging chain (A_blacklog)
+#
 sub ensure_audit_blacklog_chain( $$$ ) {
     my ( $target, $disposition, $level ) = @_;
 
@@ -3084,7 +3172,6 @@ sub ensure_audit_blacklog_chain( $$$ ) {
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
-
 sub ensure_audit_chain( $;$$$ ) {
     my ( $target, $action, $tgt, $table ) = @_;
 
@@ -3121,7 +3208,6 @@ sub ensure_audit_chain( $;$$$ ) {
 #
 # Return the appropriate target based on whether the second argument is 'audit'
 #
-
 sub require_audit($$;$) {
     my ($action, $audit, $tgt ) = @_;
 
@@ -3437,6 +3523,33 @@ sub irule_to_string( $ ) {
     $string;
 }
 
+#
+# This one omits the comment
+#
+sub irule_to_string1( $ ) {
+    my ( $ruleref ) = @_;
+
+    return $ruleref->{cmd} if exists $ruleref->{cmd};
+
+    my $string = '';
+
+    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
+	my $value = $ruleref->{$_};
+	if ( reftype $value ) {
+	    $string .= "$_=" . join( ',', @$value ) . ' ';
+	} else {
+	    $string .= "$_=$value ";
+	}
+    }
+
+    if ( $ruleref->{target} ) {
+	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
+	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
+    }
+
+    $string;
+}
+
 sub calculate_digest( $ ) {
     my $chainref = shift;
     my $rules = '';
@@ -3623,6 +3736,16 @@ sub optimize_level0() {
     }
 }
 
+#
+# Conditionally sort a list of chain table entry references by name, if -t was specified
+#
+sub sortchainsiftest(\%) {
+    my $hashref = shift;
+
+    return sort { $a->{name} cmp $b->{name} } values %$hashref if $test;
+    return values %$hashref;
+}
+
 sub optimize_level4( $$ ) {
     my ( $table, $tableref ) = @_;
     my $progress = 1;
@@ -3844,7 +3967,7 @@ sub optimize_level4( $$ ) {
     my @chains  = grep ( $_->{referenced}   &&
 			 ! $_->{optflags}   &&
 			 @{$_->{rules}} < 4 &&
-			 keys %{$_->{references}} == 1 , values %$tableref );
+			 keys %{$_->{references}} == 1 , sortchainsiftest %$tableref );
 
     if ( my $chains  = @chains ) {
 	$passes++;
@@ -3853,7 +3976,7 @@ sub optimize_level4( $$ ) {
 
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
-	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+	    for my $sourceref ( map $tableref->{$_}, sortkeysiftest %{$chainref->{references}} ) {
 		my $name1 = $sourceref->{name};
 
 		if ( $chainref->{references}{$name1} == 1 ) {
@@ -3957,7 +4080,7 @@ sub optimize_level8( $$$ ) {
 
 		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
-			# For simple use of the BLACKLIST section, we can end up with many identical
+			# For simple use of the blrules file, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
 			# these chains via the 'blacklistsection' member.
 			#
@@ -3983,7 +4106,7 @@ sub optimize_level8( $$$ ) {
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
-	    for my $oldname ( @rename ) {
+	    for my $oldname ( sortiftest @rename ) {
 		my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
 
 		trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
@@ -4096,10 +4219,10 @@ sub get_multi_sports( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
+# Return an array of keys for the passed rule. 'dport', 'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys( $ ) {
-    my %skip = ( dport => 1, comment => 1, origin => 1 );
+    my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4280,51 +4403,42 @@ sub delete_duplicates {
     my @rules;
     my $chainref  = shift;
     my $lastrule  = @_;
-    my $baseref   = pop;
     my $ruleref;
     my %skip = ( comment => 1, origin => 1 );
 
+    for ( @_ ) {
+	$_->{digest} = sha1_hex irule_to_string1( $_ );
+    }
+
+    my $baseref   = pop;
+
     while ( @_ ) {
 	my $docheck;
 	my $duplicate = 0;
 
 	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
-	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
+	    my $bad_key;
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
+	    my $digest   = $baseref->{digest};
 
-	    {
+	    for ( grep ! $skip{$_}, keys( %$baseref ) ) {
-	      RULE:
+		$bad_key = 1, last if $bad_match{$_};
+	    }
 
 	    while ( --$rulenum >= 0 ) {
 		$ruleref = $_[$rulenum];
 
 		last unless $ruleref->{mode} == CAT_MODE;
 
-		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
+		next unless $digest eq $ruleref->{digest};
 
-		    next unless @keys1 == @keys2 ;
+		unless ( $adjacent > 0 ) {
-
-		    my $keynum = 0;
-
-		    if ( $adjacent > 0 ) {
-			#
-			# There are no non-duplicate rules between this rule and the base rule
-			#
-			for my $key (  @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			}
-		    } else {
 		    #
 		    # There are non-duplicate rules between this rule and the base rule
 		    #
-			for my $key ( @keys1 ) {
+		    last if $bad_key;
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			    last RULE if $bad_match{$key};
-			}
 		}
 		#
 		# This rule is a duplicate
@@ -4339,7 +4453,6 @@ sub delete_duplicates {
 		$adjacent--;
 	    }
 	}
-	}
 
 	if ( $duplicate ) {
 	    trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
@@ -4374,10 +4487,10 @@ sub get_conntrack( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys1( $ ) {
-    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
+    my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4496,7 +4609,7 @@ sub combine_states {
 
 sub optimize_level16( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
-    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
+    my @chains   = ( grep $_->{referenced}, sortchainsiftest %{$tableref} );
     my @chains1  = @chains;
     my $chains   = @chains;
 
@@ -4613,7 +4726,7 @@ sub setup_zone_mss() {
 
 	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
 
-	for my $hostref ( @$hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$hosts : @$hosts ) {
 	    my $mss         = $hostref->[4];
 	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 	    my @sourcedev   = imatch_source_dev $hostref->[0];
@@ -4925,10 +5038,10 @@ sub do_proto( $$$;$ )
 
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
+			if ( $sports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
-			    $output .= get_set_flags( $ports, 'src' );
+			    $output .= get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5037,7 +5150,9 @@ sub do_proto( $$$;$ )
     $output;
 }
 
-
+#
+# Generate a mac address match
+#
 sub do_mac( $ ) {
     my $mac = $_[0];
 
@@ -5050,6 +5165,9 @@ sub do_mac( $ ) {
     "-m mac ${invert}--mac-source $mac ";
 }
 
+#
+# Version of do_proto() that generates an irule match rather than an iptables text match
+#
 sub do_iproto( $$$ )
 {
     my ($proto, $ports, $sports ) = @_;
@@ -5136,8 +5254,8 @@ sub do_iproto( $$$ )
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
+			if ( $sports =~ /^\+/ ) {
-			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			    push @output, set => ${invert} . get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5245,6 +5363,9 @@ sub do_iproto( $$$ )
     @output;
 }
 
+#
+# Generate a mac address match in irule format.
+#
 sub do_imac( $ ) {
     my $mac = $_[0];
 
@@ -5307,7 +5428,6 @@ sub verify_small_mark( $ ) {
 #
 # Generate an appropriate -m [conn]mark match string for the contents of a MARK column
 #
-
 sub do_test ( $$ )
 {
     my ($testval, $mask) = @_;
@@ -5462,6 +5582,9 @@ sub do_connlimit( $ ) {
     }
 }
 
+#
+# Create a calendar match
+#
 sub do_time( $ ) {
     my ( $time ) = @_;
 
@@ -5500,6 +5623,11 @@ sub do_time( $ ) {
     $result;
 }
 
+#
+# Resolve a user/group name to the appropriate numeric id. Only do the resolution
+# if we are not compiling for export, since remote name->id mapping is likely to
+# be different.
+#
 sub resolve_id( $$ ) {
     my ( $id, $type ) = @_;
 
@@ -5563,8 +5691,6 @@ sub do_user( $ ) {
 #
 # Create a "-m tos" match for the passed TOS
 #
-# This helper is also used during tos file processing
-#
 sub decode_tos( $$ ) {
     my ( $tos, $set ) = @_;
 
@@ -5668,10 +5794,25 @@ sub validate_helper( $;$ ) {
 
 	    my $protonum = -1;
 
-	    fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );
+	    fatal_error "Unknown PROTO ($proto)" unless $proto eq '-' || defined ( $protonum = resolve_proto( $proto ) );
 
+	    if ( reftype( $helper_proto ) ) {
+		#
+		# More than one protocol allowed with this helper, so $helper_proto is an array reference
+		#
+		my $found;
+		my $names = '';
+
+		for ( @$helper_proto ) {
+		    $names = $names ? join( ',', $names, proto_name( $_ ) ) : proto_name( $_ );
+		    $found = 1 if $protonum == $_;
+		}
+
+		fatal_error "The $helper_base helper requires PROTO to be one of '$names'" unless $found;
+	    } else {
 		unless ( $protonum == $helper_proto ) {
-		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
+		    fatal_error "The $helper_base helper requires PROTO=" . (proto_name( $helper_proto ) );
+		}
 	    }
 	}
     } else {
@@ -6101,6 +6242,9 @@ sub get_interface_address( $;$ );
 
 sub get_interface_gateway ( $;$$ );
 
+#
+# Verify and record a runtime address variable
+#
 sub record_runtime_address( $$;$$ ) {
     my ( $addrtype, $interface, $protect, $provider ) = @_;
 
@@ -6591,6 +6735,9 @@ sub match_ipsec_in( $$ ) {
     @match;
 }
 
+#
+# Match Dest IPSEC
+#
 sub match_ipsec_out( $$ ) {
     my ( $zone , $hostref ) = @_;
     my @match;
@@ -6615,7 +6762,7 @@ sub match_ipsec_out( $$ ) {
 }
 
 #
-# Handle a unidirectional IPSEC Options
+# Handle unidirectional IPSEC Options
 #
 sub do_ipsec_options($$$)
 {
@@ -6692,7 +6839,7 @@ sub do_ipsec($$) {
 }
 
 #
-# Generate a log message
+# Generate a logging rule
 #
 sub log_rule_limit( $$$$$$$$;$ ) {
     my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
@@ -6888,6 +7035,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
     }
 }
 
+#
+# Wrappers for the above that use the global default log limit
+#
 sub log_rule( $$$$ ) {
     my ( $level, $chainref, $disposition, $matches ) = @_;
 
@@ -7328,20 +7478,20 @@ sub have_address_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $$$ ) {
 
-    my ( $setall, $conditional ) = @_;
+    my ( $setall, $conditional, $call_generate_all_acasts ) = @_;
 
     if ( $conditional ) {
 	my ( $interface, @interfaces );
 
-	@interfaces = keys %interfaceaddr;
+	@interfaces = sortkeysiftest %interfaceaddr;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	@interfaces = keys %interfacegateways;
+	@interfaces = sortkeysiftest %interfacegateways;
 
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7351,29 +7501,30 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
 
-	@interfaces = keys %interfacemacs;
+	@interfaces = sortkeysiftest %interfacemacs;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
+	emit "$interfacegateways{$_}\n" for sortkeysiftest %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $interfacemacs{$_}         for sortkeysiftest %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
+	if ( $conditional ) {
-	emit $_ for values %interfacenets;
+	    emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	    emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	}
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
-
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
-		emit 'ALL_ACASTS="$(get_all_acasts)"';
+		emit $call_generate_all_acasts;
-		emit $_ for values %interfaceacasts;
+		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}
     }
@@ -7564,11 +7715,13 @@ sub isolate_source_interface( $ ) {
 		) {
 	    $iiface = $1;
 	    $inets  = $2;
+	    $inets =~ s/\]-\[/-/;
 	} elsif ( $source =~ /:/ ) {
 	    if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){
 		$inets = $source;
 	    } elsif ( $source =~ /^\[(.+)\]$/ ) {
 		$inets = $1;
+		$inets =~ s/\]-\[/-/;
 	    } else {
 		$inets = $source;
 	    }
@@ -7686,6 +7839,7 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
+	    $dnets =~ s/\]-\[/-/;
 	} elsif (  $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
 		   $dest =~ /^(.+?):(!?\+.+)$/    ||
 		   $dest =~ /^(.+?):(!?[&%].+)$/  ||
@@ -7698,6 +7852,7 @@ sub isolate_dest_interface( $$$$ ) {
 		$dnets = $dest;
 	    } elsif ( $dest =~ /^\[(.+)\]$/ ) {
 		$dnets = $1;
+	        $dnets =~ s/\]-\[/-/;
 	    } else {
 		$dnets = $dest;
 	    }
@@ -8333,7 +8488,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sortkeysiftest %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -8419,7 +8574,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sortkeysiftest %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8475,7 +8630,7 @@ sub add_interface_options( $ ) {
 # We may have to generate part of the input at run-time. The rules array in each chain
 # table entry may contain both rules or shell source, determined by the contents of the 'mode'
 # member. We alternate between writing the rules into the temporary file to be passed to
-# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
+# iptables-restore (CAT_MODE) and writing shell source into the generated script (CMD_MODE).
 #
 # The following two functions are responsible for the mode transitions.
 #
@@ -8603,32 +8758,29 @@ sub emitr1( $$ ) {
 sub save_docker_rules($) {
     my $tool = $_[0];
 
+    my $bridge = $config{DOCKER_BRIDGE};
+
     emit( qq(if [ -n "\$g_docker" ]; then),
 	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
-	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    rm -f \${VARDIR}/.filter_DOCKER-*),
 	  qq(    [ -n "\$g_dockeringress"  ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockeruser"     ] && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(    [ -n "\$g_dockeriso"      ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
 	  qq(),
-	  qq(    case "\$g_dockernetwork" in),
+	  qq(    if [ -n "\$g_dockerisostage" ]; then),
-	  qq(        One\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
-	  qq(            ;;),
-	  qq(        Two\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
 	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
 	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
-	  qq(            ;;),
+	  qq(    fi),
-	  qq(    esac),
 	  qq(),
 	);
 
-    if ( known_interface( 'docker0' ) ) {
+    if ( known_interface( $bridge ) ) {
 	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
     } else {
-	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
     }
 
     emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
@@ -8740,7 +8892,7 @@ sub ensure_ipsets( @ ) {
     my $set;
     my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@@ -8751,12 +8903,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
 	}
 
 	pop_indent;
@@ -8863,7 +9015,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 
-	    my @sets = keys %ipsets;
+	    my @sets = sortkeysiftest %ipsets;
 
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8933,10 +9085,14 @@ sub create_load_ipsets() {
 	    # Requires V5 or later
 	    #
 	    emit( '' ,
-		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '    if  [ -f ${VARDIR}/ipsets.save ]; then' ,
+		  '        while read verb set rest; do' ,
+		  '            if [ $verb = create ]; then' ,
 		  '                $IPSET flush $set' ,
 		  '                $IPSET destroy $set' ,
-		  "    done" ,
+		  '            fi' ,
+		  '        done < ${VARDIR}/ipsets.save' ,
+		  '    fi',
 		);
 	} else {
 	    #
@@ -8979,7 +9135,7 @@ sub create_load_ipsets() {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
@@ -9032,7 +9188,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sortkeysiftest %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -9047,7 +9203,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( @objects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -9055,7 +9211,7 @@ sub create_nfobjects() {
 }
 #
 #
-# Generate the netfilter input
+# Generate the input to ip[6]tables-restore or to 'ip[6]tables -R'
 #
 sub create_netfilter_load( $ ) {
     my $test = shift;
@@ -9142,10 +9298,10 @@ sub create_netfilter_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9257,11 +9413,11 @@ sub preview_netfilter_load() {
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode1;
-			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode1;
-			print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode1;
@@ -9358,10 +9514,10 @@ sub create_stop_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9420,7 +9576,7 @@ sub create_stop_load( $ ) {
 }
 
 sub initialize_switches() {
-    if ( keys %switches ) {
+    if ( sortkeysiftest %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
 	for my $switch ( keys %switches ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,9 +4,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -47,19 +47,17 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-our $export;
+our $export;          # True when compiling for export
 
-our $test;
+our $family;          # IP address family (4 or 6)
 
-our $family;
+our $have_arptables;  # True if we have arptables rules
-
-our $have_arptables;
 
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
+sub initialize_package_globals( $$$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2], $_[3]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -270,23 +268,26 @@ sub generate_script_2() {
 	    );
 	emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
 	emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
-	emit( 'if chain_exists DOCKER-ISOLATION; then',
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
-	      '    g_dockernetwork=One',
+	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
-	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
-	      '    g_dockernetwork=Two',
-	      'fi' );
     }
 
     pop_indent;
 
     emit "}\n"; # End of initialize()
 
+    #
+    # Conditionally emit the 'generate_all_acasts() function
+    #
+    my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
+
     emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
-	  '{' );
+	  '{'
+	);
 
     my $global_variables    = have_global_variables;
     my $optional_interfaces = find_interfaces_by_option( 'optional' );
@@ -317,7 +318,7 @@ sub generate_script_2() {
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 		verify_required_interfaces(0);
-		set_global_variables(0, 0);
+		set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
 		handle_optional_interfaces;
 	    }
 
@@ -331,7 +332,7 @@ sub generate_script_2() {
 	}
 
 	verify_required_interfaces(1);
-	set_global_variables(1,1);
+	set_global_variables(1, 1, $call_generate_all_acasts );
 	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
@@ -384,7 +385,7 @@ sub generate_script_3() {
     save_progress_message 'Initializing...';
 
     if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file( 'helpers' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
 	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
@@ -548,13 +549,13 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
         ;;
     reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
         ;;
     restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
         ;;
 esac
 EOF
@@ -591,7 +592,7 @@ sub compiler {
        ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
-    $test           = 0;
+    my $test        = 0;
     $have_arptables = 0;
 
     sub validate_boolean( $ ) {
@@ -644,18 +645,19 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
+    initialize_package_globals( $update, $test, $shorewallrc, $shorewallrc1 );
-
+    #
+    # Rather than continuing to extend the argument list of Config::initialize(),
+    # we use a set of small functions to export settings to the Config module.
+    #
     set_config_path( $config_path ) if $config_path;
-
     set_shorewall_dir( $directory ) if $directory ne '';
-
     $verbosity = 1 if $debug && $verbosity < 1;
-
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
+    set_command( 'compile', 'Compiling', 'Compiled' );
     #
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
@@ -673,12 +675,7 @@ sub compiler {
     #
     # Create a temp file to hold the script
     #
-    if ( $scriptfilename ) {
+    create_temp_script( $scriptfilename , $export ) if $scriptfilename;
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
     #
     #                                     Z O N E   D E F I N I T I O N
     #                              (Produces no output to the compiled script)
@@ -867,13 +864,13 @@ sub compiler {
 	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
+	    # Optimize the ruleet
+	    #
+	    optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+	    optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}
 
 	enable_script;
@@ -916,7 +913,7 @@ sub compiler {
 	#
 	# Close, rename and secure the script
 	#
-	finalize_script ( $export );
+	finalize_script ( $export, $test );
 	#
 	# And generate the auxilary config file
 	#
@@ -937,16 +934,16 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    }
 
 	    enable_script if $debug;
@@ -981,11 +978,7 @@ sub compiler {
 	#
 	report_used_capabilities;
 
-	if ( $family == F_IPV4 ) {
+	progress_message3 "$Product configuration verified";
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -149,14 +149,13 @@ sub validate_4address( $$ ) {
 
     unless ( valid_4address $addr ) {
 	fatal_error "Invalid IP Address ($addr)" unless $allow_name;
-	fatal_error "Unknown Host ($addr)" unless  @addrs = gethostbyname( $addr );
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
+	    family => Socket::AF_INET,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;
 
-	if ( defined wantarray ) {
+	@addrs = translate_addr_structs( @addr_structs );
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = ( inet_ntoa( $_ ) );
-	    }
-	}
     }
 
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@@ -164,14 +163,14 @@ sub validate_4address( $$ ) {
 
 sub resolve_4dnsname( $ ) {
     my $net = $_[0];
-    my @addrs;
 
-    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
+	family => Socket::AF_INET,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;
 
-    shift @addrs for (1..4);
+    my @addrs = translate_addr_structs( @addr_structs );
-    for ( @addrs ) {
-	$_ = ( inet_ntoa( $_ ) );
-    }
 
     @addrs;
 } 
@@ -508,15 +507,13 @@ sub validate_6address( $$ ) {
 
     unless ( valid_6address $addr ) {
 	fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
-	require Socket6;
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
-	fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6()));
+	    family => Socket::AF_INET6,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;
 
-	if ( defined wantarray ) {
+	@addrs = translate_addr_structs( @addr_structs );
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-	    }
-	}
     }
 
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@@ -524,15 +521,14 @@ sub validate_6address( $$ ) {
 
 sub resolve_6dnsname( $ ) {
     my $net = $_[0];
-    my @addrs;
     
-    require Socket6;
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
-    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+	family => Socket::AF_INET6,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;
 
-    shift @addrs for (1..4);
+    my @addrs = translate_addr_structs( @addr_structs );
-    for ( @addrs ) {
-	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-    }
 
     @addrs;
 }
@@ -661,6 +657,19 @@ sub validate_6host( $$ ) {
     }
 }
 
+sub translate_addr_structs {
+    my @addr_structs = @_;
+
+    my @addrs;
+    foreach my $addr_struct ( @addr_structs ) {
+	my ( $err, $ip_addr ) = Socket::getnameinfo( $addr_struct->{addr},
+	    Socket::NI_NUMERICHOST, Socket::NIx_NOSERV );
+        push @addrs, $ip_addr if $err == 0;
+    }
+
+    return @addrs;
+}
+
 my %ipv6_icmp_types = ( any                          => 'any',
 			'destination-unreachable'    => 1,
 			'no-route'                   => '1/0',

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Rules;
 use Shorewall::Proc;
+use sort 'stable';
 
 use strict;
 
@@ -66,6 +67,9 @@ sub initialize( $ ) {
     $family = shift;
 }
 
+#
+# Warn that the tos file is no longer supported
+#
 sub process_tos() {
 
    if ( my $fn = open_file 'tos' ) {
@@ -94,7 +98,7 @@ sub setup_ecn()
     if ( my $fn = open_file 'ecn' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
 
@@ -127,7 +131,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sortkeysiftest %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -145,6 +149,9 @@ sub setup_ecn()
     }
 }
 
+#
+# Add a logging rule followed by a jump
+#
 sub add_rule_pair( $$$$$ ) {
     my ($chainref , $predicate , $target , $level, $tag ) = @_;
 
@@ -329,7 +336,7 @@ sub convert_blacklist() {
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
-# Please see http://shorewall.net/blacklisting_support.htm for additional
+# Please see https://shorewall.org/blacklisting_support.htm for additional
 # information.
 #
 ###################################################################################################################################################################################################
@@ -402,6 +409,9 @@ EOF
     }
 }
 
+#
+# Convert a routestopped file into an equivalent stoppedrules file
+#
 sub convert_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -425,9 +435,9 @@ sub convert_routestopped() {
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+# https://shorewall.org/manpages/shorewall-stoppedrules.html
 #
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# See https://shorewall.org/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
@@ -662,31 +672,28 @@ sub process_stoppedrules() {
     $result;
 }
 
+#
+# Generate the rules required when DOCKER=Yes
+#
 sub create_docker_rules() {
+    my $bridge = $config{DOCKER_BRIDGE};
+
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ]  && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
-    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]     && echo "-A FORWARD -j DOCKER-USER" >&3' );
-    add_commands( $chainref ,
+    add_commands( $chainref, '[ -n "$g_dockeriso" ]      && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
-		  '',
+    add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
-		  'case "$g_dockernetwork" in',
-		  '    One)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
-		  '        ;;',
-		  '    Two)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
-		  '        ;;',
-		  'esac' );
 
-    if ( my $dockerref = known_interface('docker0') ) {
+    if ( my $dockerref = known_interface( $bridge ) ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
-	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'DOCKER', o => $bridge );
-	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
+	add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 
@@ -703,6 +710,9 @@ sub create_docker_rules() {
 
 sub setup_mss();
 
+#
+# Add rules generated by .conf options and interface options
+#
 sub add_common_rules ( $ ) {
     my ( $upgrade ) = @_;
     my $interface;
@@ -725,6 +735,7 @@ sub add_common_rules ( $ ) {
     my $dbl_tag;
     my $dbl_src_target;
     my $dbl_dst_target;
+    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -786,9 +797,10 @@ sub add_common_rules ( $ ) {
 
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -799,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -820,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -1283,6 +1295,13 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );
 
+#
+# Create rules generated by the 'maclist' option and by entries in the maclist file.
+#
+# The function is called twice. The first call passes '1' and causes the maclist file
+# to be processed. The second call passes '2' and generates the jumps for 'maclist'
+# interfaces.
+#
 sub setup_mac_lists( $ ) {
 
     my $phase = $_[0];
@@ -1306,7 +1325,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sortkeysiftest %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1392,7 +1411,7 @@ sub setup_mac_lists( $ ) {
 	#
 	# Generate jumps from the input and forward chains
 	#
-	for my $hostref ( @$maclist_hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$maclist_hosts : @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
@@ -1785,7 +1804,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sortkeysiftest %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -1925,7 +1944,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my $use_output        = 0;
     my @dest              = imatch_dest_net $net;
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
+    my @zone_interfaces   = sortkeysiftest %{zone_interfaces( $zone )};
 
     if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
@@ -2269,12 +2288,15 @@ sub generate_matrix() {
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
+
+	unless ( $zoneref->{type} == LOCAL ) {
 	    if ( @zones > 2 || $zoneref->{complex} ) {
 		handle_complex_zone( $zone, $zoneref );
 	    } else {
 		new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
 	    }
 	}
+    }
     #
     # Main source-zone matrix-generation loop
     #
@@ -2297,9 +2319,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sortkeysiftest %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sortkeysiftest %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2384,9 +2406,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sortkeysiftest %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sortkeysiftest %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2454,6 +2476,9 @@ sub generate_matrix() {
     }
 }
 
+#
+# Generate MSS rules
+#
 sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
@@ -2515,6 +2540,7 @@ sub compile_stop_firewall( $$$$ ) {
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
     my $forward = $filter_table->{FORWARD};
+    my $absentminded = $config{ ADMINISABSENTMINDED };
 
     emit <<'EOF';
 #
@@ -2522,7 +2548,7 @@ sub compile_stop_firewall( $$$$ ) {
 #
 stop_firewall() {
 EOF
-    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
+    $output->{policy} = 'ACCEPT' if $absentminded;
 
     if ( $family == F_IPV4 ) {
 	emit <<'EOF';
@@ -2559,13 +2585,13 @@ EOF
     emit <<'EOF';
             case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            mylogger daemon.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            mylogger daemon.err "ERROR:$g_product reload failed"
 	            ;;
                 enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
             esac
 
@@ -2681,7 +2707,7 @@ EOF
     #
     create_docker_rules if $config{DOCKER};
 
-    if ( $config{ADMINISABSENTMINDED} ) {
+    if ( $absentminded ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
     }
 
@@ -2690,7 +2716,7 @@ EOF
 	add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;
 
-	unless ( $config{ADMINISABSENTMINDED} ) {
+	unless ( $absentminded ) {
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
 	}
@@ -2704,12 +2730,25 @@ EOF
     
     process_stoppedrules;
 
+    if ( $family == F_IPV6 ) {
+	my $chain = new_action_chain( 'filter', 'AllowICMPs' );
+
+	for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
+	    add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
+	}
+
+	for $chain ( $input, $output, $forward ) {
+	    next if $chain eq $output && $absentminded;
+	    add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
+	}
+    }
+
     if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
-	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
     } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
-	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
     }
 
     my $interfaces = find_interfaces_by_option 'dhcp';
@@ -2719,7 +2758,7 @@ EOF
 
 	for my $interface ( @$interfaces ) {
 	    add_ijump $input,  j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
-	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED};
+	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
 	    #
 	    # This might be a bridge
 	    #
@@ -2775,7 +2814,7 @@ EOF
     emit '
 
     set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"
 
     case $COMMAND in
     stop|clear)

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 				$addr = $1;
+				$addr =~ s/\]-\[/-/;
 
 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -561,7 +561,7 @@ sub open_snat_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
@@ -570,7 +570,7 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	}
 
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 
 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}

Shorewall/Perl/Shorewall/Proc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -62,23 +62,61 @@ our @routemarked_interfaces;
 our %provider_interfaces;
 our @load_providers;
 
-our $balancing;
+our $balancing;               # True, if there are balanced providers
-our $fallback;
+our $fallback;                # True, if there are fallback providers
-our $balanced_providers;
+our $balanced_providers;      # Count of balanced providers
-our $fallback_providers;
+our $fallback_providers;      # Count of fallback providers
-our $metrics;
+our $metrics;                 # True, if using statistical balancing
-our $first_default_route;
+our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
-our $first_fallback_route;
+our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
-our $maxload;
+our $maxload;                 # Sum of 'load' values
-our $tproxies;
+our $tproxies;                # Count of tproxy providers
 
-our %providers;
+our %providers;               # Provider table
+#
+# %provider_table { <provider> => { provider	      => <provider name>,
+#				    number	      => <provider number>,
+#				    id		      => <name> or <number> depending on USE_RT_NAMES,
+#				    rawmark	      => <specified mark value>,
+#				    mark	      => <mark, in hex>,
+#				    interface	      => <logical interface>,
+#				    physical	      => <physical interface>,
+#				    optional	      => {0|1},
+#				    wildcard	      => <from interface>,
+#				    gateway	      => <gateway>,
+#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
+#				    shared	      => <true, if multiple providers through this interface>,
+#				    copy	      => <contents of the COPY column>,
+#				    balance	      => <balance count>,
+#				    pref	      => <route rules preference (priority) value>,
+#				    mtu		      => <mtu>,
+#				    noautosrc	      => {0|1} based on [no]autosrc setting,
+#				    track	      => {0|1} based on 'track' setting,
+#				    loose	      => {0|1} based on 'loose' setting,
+#				    duplicate	      => <contents of the DUPLICATE column>,
+#				    address	      => If {shared} above, then the local IP address.
+#							 Otherwise, the value of the 'src' option,
+#				    mac		      => Mac address of gateway, if {shared} above,
+#				    tproxy	      => {0|1},
+#				    load	      => <load % for statistical balancing>,
+#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
+#							 a real provider,
+#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
+#				    hostroute	      => {0|1} based on [no]hostroute setting,
+#				    rules	      => ( <routing rules> ),
+#				    persistent_rules  => ( <persistent routing rules> ),
+#				    routes	      => ( <routes> ),
+#				    persistent_routes => ( <persistent routes> ),
+#				    persistent	      => {0|1} depending on 'persistent' setting,
+#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
+#				    origin	      => <filename and linenumber where provider/interface defined>
+#		   }
 
-our @providers;
+our @providers;    # Provider names. Only declared names are included in this array. 
 
-our $family;
+our $family;       # Address family
 
-our $lastmark;
+our $lastmark;     # Highest assigned mark
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -132,7 +170,6 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-
     if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
     }
@@ -557,7 +594,7 @@ sub process_a_provider( $ ) {
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
-		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+		require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -677,8 +714,7 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-
+	require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
-	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
@@ -1144,14 +1180,14 @@ CEOF
 	emit "fi\n";
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
+	    my $variable = get_interface_address( $interface );
 
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	    emit( "echo $variable > \${VARDIR}/${physical}.address" );
 	}
 
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
+	    my $variable = get_interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	    emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
     } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -1856,8 +1892,8 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
+    for my $provider ( @providers ) {
-	if ( $providerref->{optional} ) {
+	if ( ( my $providerref=$providers{$provider} )->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
 		      '    case $interface in' );
@@ -2018,8 +2054,7 @@ sub compile_updown() {
 	    );
     }
 
-    my @nonshared = ( grep $providers{$_}->{optional},
+    my @nonshared = ( grep $providers{$_}->{optional}, sortvaluesiftest %provider_interfaces );
-		      values %provider_interfaces );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2034,7 +2069,7 @@ sub compile_updown() {
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    else),
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2075,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	      '    else' ,
 	    );
 
 	push_indent;
@@ -2210,10 +2245,12 @@ sub handle_optional_interfaces() {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
+    for my $provider ( @providers ) {
+	if ( ( my $providerref = $providers{$provider} )->{optional} ) {
 	    push @interfaces, $providerref->{interface};
 	    $wildcards ||= $providerref->{wildcard};
 	}
+    }
 
     #
     # Now do the optional wild interfaces
@@ -2260,17 +2297,7 @@ sub handle_optional_interfaces() {
 
 		emit( "$physical)" ), push_indent if $wildcards;
 
-		if ( $provider eq $physical ) {
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
 		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
 
 		push_indent;
 
@@ -2287,22 +2314,22 @@ sub handle_optional_interfaces() {
 		emit( 'fi' );
 
 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
+		    my $variable = get_interface_address( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
+		    my $variable = get_interface_gateway( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -155,7 +155,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sortkeysiftest %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -164,7 +164,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sortkeysiftest %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -292,6 +292,8 @@ our $mangle;
 
 our $sticky;
 
+our $excludefw;
+
 our $divertref; # DIVERT chain
 
 our %validstates = ( NEW                => 0,
@@ -365,6 +367,10 @@ sub initialize( $ ) {
     #
     %actions           = ();
     #
+    # Count of 'all[+]=' encountered
+    #
+    $excludefw         = 0;
+    #
     # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
@@ -437,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
     my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
 
     $chainref->{is_policy}   = 1;
+    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
     $chainref->{policy}      = $policy;
     $chainref->{provisional} = $provisional;
     $chainref->{audit}       = $audit;
@@ -605,8 +612,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
+sub handle_nfqueue( $ ) {
-    my ($params, $allow_bypass ) = @_;
+    my ($params) = @_;
     my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
@@ -619,7 +626,6 @@ sub handle_nfqueue( $$ ) {
 
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -647,7 +653,6 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 
 	$bypass =' --queue-bypass';
     } else {
@@ -656,7 +661,7 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $queue2 ) {
 	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";
     } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
     }
@@ -672,14 +677,42 @@ sub process_a_policy1($$$$$$$) {
 
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
-    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+    my $clientwild = ( "\L$client" =~ /^all(\+)?(?:!(.+))?$/ );
+    my $clientexclude;
+    my %clientexcluded;
 
-    $intrazone  ||= $clientwild && $1;
+    if ( $clientwild ) {
+	$intrazone ||= $1;
+
+	if ( $clientexclude = $2 ) {
+	    for my $client ( split_list( $clientexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($client)" unless defined_zone( $client );
+		$clientexcluded{$client} = 1;
+	    }
+
+	    $client = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
-    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
+    my $serverwild = ( "\L$server" =~ /^all(\+)?(?:!(.+))?/ );
-    $intrazone   ||= ( $serverwild && $1 );
+    my $serverexclude;
+    my %serverexcluded;
+
+
+    if ( $serverwild ) {
+	$intrazone ||= $1;
+
+	if ( $serverexclude = $2 ) {
+	    for my $server ( split_list( $serverexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($server)" unless defined_zone( $server );
+		$serverexcluded{$server} = 1;
+	    }
+
+	    $server = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
@@ -687,7 +720,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -702,9 +741,7 @@ sub process_a_policy1($$$$$$$) {
     my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
+	$policy = handle_nfqueue( $queue );
-				  0 # Don't allow 'bypass'
-	    );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -762,20 +799,20 @@ sub process_a_policy1($$$$$$$) {
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
-	    for my $zone ( @zonelist ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, @zonelist ) ) {
-		for my $zone1 ( @zonelist ) {
+		for my $zone1 ( grep( ! $serverexcluded{zone}, @zonelist ) ) {
 		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
-	    for my $zone ( all_zones ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, all_zones ) ) {
 		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
-	for my $zone ( @zonelist ) {
+	for my $zone ( grep( ! $serverexcluded{$_}, @zonelist ) ) {
 	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
@@ -802,11 +839,15 @@ sub process_a_policy() {
 
     my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $clientlist = ( $clients =~ /,/ ) ) {
+    if ( $clients =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $clientlist = ( $clients =~ /,/ ) ) {
 	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $serverlist = ( $servers =~ /,/ ) ) {
+    if ( $servers =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $serverlist = ( $servers =~ /,/ ) ) {
 	$intrazone ||= ( $servers =~ s/\+$// );
     }	
 
@@ -816,12 +857,14 @@ sub process_a_policy() {
 
     if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
+	    fatal_error "'all' is not allowed in a source zone list" if $clientlist && $client =~ /^all\b/;
 	    for my $server ( split_list( $servers, 'zone' ) ) {
+		fatal_error "'all' is not allowed in a destination zone list" if $serverlist && $server =~ /^all\b/;
 		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
     } else {
-	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone );
     }
 }
 
@@ -958,6 +1001,24 @@ sub determine_action_protocol( $$ ) {
     $proto;
 }
 
+sub determine_action_dport( $$$ ) {
+    my ( $action, $proto, $dport ) = @_;
+
+    if ( my $actiondport = $actions{$action}{dport} ) {
+	if ( $dport eq '-' ) {
+	    $dport = $actiondport;
+	} else {
+	    fatal_error( "The $action action is only usable with destination port $actiondport" ) if $dport =~ /[,]/;
+	    if ( ( my $portnum = validate_port( $proto, $dport ) ) ne '-' ) {
+		fatal_error( "The $action action is only usable with destination port $actiondport"  ) unless $actiondport = $portnum;
+		$dport = $portnum;
+	    }
+	}
+    }
+
+    $dport;
+}
+
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
@@ -972,7 +1033,11 @@ sub add_policy_rules( $$$$$ ) {
 		# Policy action is a regular action -- jump to the action chain
 		#
 		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
+		    if ( my $dport = determine_action_dport( $action, $proto, '' ) ) {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto, dport => $dport );
+		    } else {
 			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    }
 		} else {
 		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		}
@@ -1105,7 +1170,7 @@ sub complete_policy_chains() {
 		}
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $chainref->{wild} ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1210,6 +1275,7 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
     my $chain               = $chainref->{name};
     my $save_comment        = push_comment;
+    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
     my %state;
 
     $state{$_} = 1 for split ',', $state;
@@ -1220,6 +1286,7 @@ sub finish_chain_section ($$$) {
 
     $chain1ref->{sections}{$_} = 1 for keys %state;
 
+    unless ( $wild ) {
 	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
 	    if ( $state{$_} ) {
 		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
@@ -1289,6 +1356,7 @@ sub finish_chain_section ($$$) {
 
 	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
 	}
+    }
 
     if ($sections{NEW} ) {
 	if ( $chain1ref->{is_policy} ) {
@@ -1455,13 +1523,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$$$ ) {
 
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto, $dport ) = @_;
 
     fatal_error "Reserved action name ($action)" if reserved_name( $action );
 
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto, dport => $dport };
 
     $targets{$action} = $type;
 }
@@ -1564,8 +1632,8 @@ sub merge_levels ($$) {
 
     return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
 
-    my @supparts = split /:/, $superior;
+    my @supparts = split_list2( $superior ,    'Action' );
-    my @subparts = split /:/, $subordinate;
+    my @subparts = split_list2( $subordinate , 'Action' );
 
     my $subparts = @subparts;
 
@@ -1732,7 +1800,7 @@ sub isolate_basic_target( $ ) {
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
-sub process_snat1( $$$$$$$$$$$$ );
+sub process_snat1( $$$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
 
 #
@@ -1926,13 +1994,17 @@ sub process_action(\$\$$) {
 		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+	    my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability);
+
+	    if ( $file_format == 1 ) {
+		( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
 		    split_line2( 'snat file',
 				 { action =>0,
 				   source => 1,
 				   dest => 2,
 				   proto => 3,
 				   port => 4,
+				   dport => 4,
 				   ipsec => 5,
 				   mark => 6,
 				   user => 7,
@@ -1943,6 +2015,28 @@ sub process_action(\$\$$) {
 				 {},
 				 11,
 				 1 );
+		$sport = '-';
+	    } else {
+		( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		    split_line2( 'snat file',
+				 { action =>0,
+				   source => 1,
+				   dest => 2,
+				   proto => 3,
+				   port => 4,
+				   dport => 4,
+				   sport => 5,
+				   ipsec => 6,
+				   mark => 7,
+				   user => 8,
+				   switch => 9,
+				   origdest => 10,
+				   probability => 11,
+				 },
+				 {},
+				 12,
+				 1 );
+	    }
 
 	    fatal_error 'ACTION must be specified' if $action eq '-';
 
@@ -1958,6 +2052,7 @@ sub process_action(\$\$$) {
 			       $dest,
 			       $proto,
 			       $port,
+			       $sport,
 			       $ipsec,
 			       $mark,
 			       $user,
@@ -2056,6 +2151,7 @@ sub process_actions() {
 
 	    my $state = '';
 	    my $proto = 0;
+	    my $dport = 0;
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2075,6 +2171,10 @@ sub process_actions() {
 		    } elsif ( /^proto=(.+)$/ ) {
 			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
+		    } elsif ( /^dport=(.+)$/ ) {
+			fatal_error "The 'dport' option requires the 'proto' option" unless $proto;
+			$dport = validate_port($proto, $1);
+			fatal_error "A destination port may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2096,10 +2196,12 @@ sub process_actions() {
 		    }
 
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2143,7 +2245,7 @@ sub process_actions() {
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto , $dport );
 	    }
 	}
     }
@@ -2609,7 +2711,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -2658,9 +2760,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
+	$action = handle_nfqueue( $param );
-				  1 # Allow 'bypass'
-	    );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2848,6 +2948,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+	    $log_action = "$basictarget($setname)";
 
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
@@ -3023,9 +3124,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     if ( $actiontype & ACTION ) {
 	#
-	# Verify action 'proto', if any
+	# Verify action 'proto', and 'dport' if any
 	#
-	$proto = determine_action_protocol( $basictarget, $proto );
+	if ( ( $proto = determine_action_protocol( $basictarget, $proto ) ) ne '-' ) {
+	    $ports = determine_action_dport( $basictarget, $proto, $ports );
+	}
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3659,6 +3762,7 @@ sub next_section() {
 #
 sub build_zone_list( $$$\$\$ ) {
     my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
+    my $original_input = $input;
     my $any = ( $input =~ s/^any/all/ );
     my $exclude;
     my $rest;
@@ -3687,9 +3791,25 @@ sub build_zone_list( $$$\$\$ ) {
 	    if ( $input eq 'all+' ) {
 		$$intrazoneref = 1;
 	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "$original_input is deprecated in favor of 'any+!\$FW'";
+		    } else {
+			warning_message "$original_input is deprecated in favor of 'all+!\$FW'";
+		    }
+		}
+
 		$$intrazoneref = 1;
 		$exclude{$fw} = 1;
 	    } elsif ( $input eq 'all-' ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "any- is deprecated in favor of 'any!\$FW'";
+		    } else {
+			warning_message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
+		    }
+		}
+
 		$exclude{$fw} = 1;
 	    } else {
 		fatal_error "Invalid $which ($input)";
@@ -3866,9 +3986,8 @@ sub process_rules() {
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
 
-	unless ( @zones <= 2 && ! $zoneref->{complex} ) {
+	unless ( $zoneref->{type} == LOCAL || ( @zones <= 2 && ! $zoneref->{complex} ) ) {
 	    #
 	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	    #
@@ -4760,9 +4879,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
+	    # Verify action 'proto' and 'dport' if any
 	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
+	    if ( ( $proto = determine_action_protocol( $cmd, $proto ) ) ne '-' ) {
+		$ports = determine_action_dport( $cmd, $proto, $ports );
+	    }
 	    #
 	    # Create the action:level:tag:param tuple.
 	    #
@@ -4889,7 +5010,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -5306,8 +5427,8 @@ sub process_mangle_rule( $ ) {
     }
 }
 
-sub process_snat_inline( $$$$$$$$$$$$$$ ) {
+sub process_snat_inline( $$$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my ( $level,
 	 $tag )    = split( ':', $loglevel, 2 );
@@ -5326,18 +5447,22 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 
     progress_message "..Expanding inline action $inlinefile...";
 
-    push_open $inlinefile, 2, 1, undef , 2;
+    push_open $inlinefile, 2, 1, undef , 1;
 
     my $save_comment = push_comment;
 
     while ( read_a_line( NORMAL_READ ) ) {
-	my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+	my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability);
+
+	if ( $file_format == 1 ) {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
 		split_line2( 'snat file',
 			     { action =>0,
 			       source => 1,
 			       dest => 2,
 			       proto => 3,
 			       port => 4,
+			       dport => 4,
 			       ipsec => 5,
 			       mark => 6,
 			       user => 7,
@@ -5348,6 +5473,28 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			     {},
 			     11,
 			     1 );
+	    $msports = '-';
+	} else {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       dport => 4,
+			       sport => 5,
+			       ipsec => 6,
+			       mark => 7,
+			       user => 8,
+			       switch => 9,
+			       origdest => 10,
+			       probability => 11,
+			     },
+			     {},
+			     12,
+			     1 );
+	}
 
 	fatal_error 'ACTION must be specified' if $maction eq '-';
 
@@ -5375,6 +5522,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			   $mdest,
 			   $proto,
 			   merge_macro_column( $mports,          $ports ),
+			   merge_macro_column( $msports,         $sports ),
 			   merge_macro_column( $mipsec,          $ipsec ),
 			   merge_macro_column( $mmark,           $mark ),
 			   merge_macro_column( $muser,           $user ),
@@ -5401,8 +5549,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 #
 # Process a record in the snat file
 #
-sub process_snat1( $$$$$$$$$$$$ ) {
+sub process_snat1( $$$$$$$$$$$$$ ) {
-    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $inchain;
     my $inaction;
@@ -5422,6 +5570,13 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     my ( $action, $loglevel ) = split_action( $origaction );
     my $logaction;
     my $param;
+    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/^s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
 
     if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5514,7 +5669,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto( $proto, $ports, $sports );
     #
     # Handle Mark
     #
@@ -5710,9 +5865,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 			    $addr = $1;
+			    $addr =~ s/\]-\[/-/;
 
 			    if ( $addr =~ /^(.+)-(.+)$/ ) {
-				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $addr, 0;
@@ -5761,6 +5916,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
+				 $sports,
 				 $ipsec,
 				 $mark,
 				 $user,
@@ -5771,9 +5927,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
+		# Verify action 'proto' and 'dport', if any
 		#
-		$proto = determine_action_protocol( $target, $proto );
+		if ( ( $proto = determine_action_protocol( $target, $proto ) ) ne '-' ) {
+		    $ports = determine_action_dport( $target, $proto, $ports );
+		}
 		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
@@ -5871,18 +6029,30 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 sub process_snat( )
 {
-    my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+    my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+
+    if ( $file_format == 1 ) {
+	($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'snat file',
-		     { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 			 {},    #Nopad
-		     undef, #Columns
+			 11,    #Columns
 			 1 );   #Allow inline matches
+	$sports = '-';
+    } else {
+	($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'snat file',
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 },
+			 {},    #Nopad
+			 12,    #Columns
+			 1 );   #Allow inline matches
+    }
 
     fatal_error 'ACTION must be specified' if $action eq '-';
     fatal_error 'DEST must be specified' if $dest eq '-';
 
     for my $proto ( split_list $protos, 'Protocol' ) {
-	process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
     }
 }
 
@@ -5897,7 +6067,7 @@ sub setup_snat()
 	#
 	# Masq file was empty or didn't exist
 	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
+	if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}