Revert "Allow leading 's' & 'd' to be omitted when specifying two rates"

This reverts commit 23bc6f1ab5.

Shorewall/Perl/Shorewall/Chains.pm

@@ -186,13 +186,12 @@ our %EXPORT_TAGS = (
 				       input_chain
 				       input_option_chain
 				       zone_input_chain
-				       use_input_chain
+				       use_interface_chain
 				       output_chain
 				       output_option_chain
 				       prerouting_chain
 				       postrouting_chain
 				       zone_output_chain
-				       use_output_chain
 				       masq_chain
 				       syn_flood_chain
 				       mac_chain
@@ -2325,7 +2324,7 @@ sub invalid_log($$) {
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_log($$) {
-    '&' . &rules_log(@_);
+    '=' . &rules_log(@_);
 }
 
 #
@@ -2431,10 +2430,11 @@ sub zone_input_chain($) {
 }
 
 #
-# Returns true if we're to use the interface's input chain
+# Returns true if we're to use the interface's input or chain, depending on the second argument
+# (use_input_chain or use_output_chain).
 #
-sub use_input_chain($$) {
-    my ( $interface, $chainref ) = @_;
+sub use_interface_chain($$) {
+    my ( $interface, $which ) = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
@@ -2462,17 +2462,11 @@ sub use_input_chain($$) {
     #                                            the zone has  multiple interfaces
     #                                            and this interface has option rules
     #
-    return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
+    return 1 if $interfaceref->{options}{$which} && keys %{ zone_interfaces( $zone ) } > 1;
     #
     # Interface associated with a single zone -- use the zone's input chain if it has one
     #
-    return 0 if $chainref;
-    #
-    # Use the <zone>->fw rules chain if it is referenced.
-    #
-    $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
-
-    ! ( $chainref->{referenced} || $chainref->{is_policy} )
+    return 0;
 }
 
 #
@@ -2509,41 +2503,6 @@ sub zone_output_chain($) {
     $_[0] . '_output';
 }
 
-#
-# Returns true if we're to use the interface's output chain
-#
-sub use_output_chain($$) {
-    my ( $interface, $chainref)  = @_;
-    my $interfaceref = find_interface($interface);
-    my $nets = $interfaceref->{nets};
-    #
-    # We must use the interfaces's chain if the interface is associated with multiple Zones
-    #
-    return 1 if ( keys %{interface_zones $interface} ) > 1;
-    #
-    # Use interface's chain if there are multiple nets on the interface
-    #
-    return 1 if $nets > 1;
-    #
-    # Use interface's chain if it is a bridge with ports
-    #
-    return 1 if $interfaceref->{ports};
-    #
-    # Don't need it if it isn't associated with any zone
-    #
-    return 0 unless $nets;
-    #
-    # Interface associated with a single zone -- use the zone's output chain if it has one
-    #
-    return 0 if $chainref;
-    #
-    # Use the fw-><zone> rules chain if it is referenced.
-    #
-    $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
-
-    ! ( $chainref->{referenced} || $chainref->{is_policy} )
-}
-
 #
 # Masquerade Chain for an interface
 #
@@ -5391,8 +5350,8 @@ sub do_ratelimit( $$ ) {
     my @rates = split_list3 $rates, 'rate';
 
     if ( @rates == 2 ) {
-	$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s:/;
-	$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d:/;
+	$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s(?:\/\d+)?:/;
+	$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d(?:\/\d+)?:/;
     } elsif ( @rates > 2 ) {
 	fatal error "Only two rates may be specified";
     }
@@ -8531,6 +8490,18 @@ sub enter_cmd_mode() {
     $mode = CMD_MODE;
 }
 
+#
+# These two assure that we're in a particular mode
+#
+
+sub ensure_cat_mode() {
+    enter_cat_mode unless $mode == CAT_MODE;
+}
+
+sub ensure_cmd_mode() {
+    enter_cmd_mode unless $mode == CMD_MODE;
+}
+
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
@@ -8546,7 +8517,7 @@ sub emitr( $$ ) {
 	    #
 	    # A rule
 	    #
-	    enter_cat_mode unless $mode == CAT_MODE;
+	    ensure_cat_mode;
 
 	    if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
 		emit_unindented '# ' . $origin;
@@ -8557,7 +8528,7 @@ sub emitr( $$ ) {
 	    #
 	    # A command
 	    #
-	    enter_cmd_mode unless $mode == CMD_MODE;
+	    ensure_cmd_mode;
 
 	    if ( exists $ruleref->{cmd} ) {
 		emit join( '', '    ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
@@ -8590,6 +8561,14 @@ sub enter_cmd_mode1() {
     $mode = CMD_MODE;
 }
 
+sub ensure_cat_mode1() {
+    enter_cat_mode1 unless $mode == CAT_MODE;
+}
+
+sub ensure_cmd_mode1() {
+    enter_cmd_mode1 unless $mode == CMD_MODE;
+}
+
 sub emitr1( $$ ) {
     my ( $chainref, $ruleref ) = @_;
 
@@ -8598,14 +8577,14 @@ sub emitr1( $$ ) {
 	    #
 	    # A rule
 	    #
-	    enter_cat_mode1 unless $mode == CAT_MODE;
+	    ensure_cat_mode1;
 
 	    print format_rule( $chainref, $ruleref ) . "\n";
 	} else {
 	    #
 	    # A command
 	    #
-	    enter_cmd_mode1 unless $mode == CMD_MODE;
+	    ensure_cmd_mode1;
 
 	    if ( exists $ruleref->{cmd} ) {
 		emitstd $ruleref->{cmd};
@@ -9159,29 +9138,26 @@ sub create_netfilter_load( $ ) {
 
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-USER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
+			ensure_cat_mode;
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
+		    ensure_cat_mode;
 		    emit_unindented ":$name - [0:0]";
 		}
 
@@ -9199,17 +9175,19 @@ sub create_netfilter_load( $ ) {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode;
+
 	for my $chainref ( @chains ) {
 	    emitr( $chainref, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
 	#
-	enter_cat_mode unless $mode == CAT_MODE;
+	ensure_cat_mode;
 	emit_unindented 'COMMIT';
     }
 
-    enter_cmd_mode;
+    ensure_cmd_mode;
 
     pop_indent, emit "fi\n";
     #
@@ -9274,33 +9252,31 @@ sub preview_netfilter_load() {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode1;
+			ensure_cmd_mode1;
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			ensure_cmd_mode1;
 			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
-			enter_cat_mode1;
 		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
-			enter_cat_mode1;
+			ensure_cmd_mode1;
+			print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			print "\n";
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			ensure_cmd_mode1;
 			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			print "\n";
-			enter_cat_mode1;
 		    } elsif ( $name eq 'DOCKER-USER' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+			ensure_cmd_mode1;
 			print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
 			print "\n";
-			enter_cat_mode1;
-		    } else {		    
-			enter_cmd_mode1 unless $mode == CMD_MODE;
+		    } else {
+			ensure_cmd_mode1;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {
+		    ensure_cat_mode1;
 		    print( ":$name - [0:0]\n" );
 		}
 
@@ -9310,13 +9286,15 @@ sub preview_netfilter_load() {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode1;
+
 	for my $chainref ( @chains ) {
 	    emitr1($chainref, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
 	#
-	enter_cat_mode1 unless $mode == CAT_MODE;
+	ensure_cat_mode1;
 	print "COMMIT\n";
     }
 
@@ -9376,29 +9354,26 @@ sub create_stop_load( $ ) {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-USER' ) {
-			enter_cmd_mode;
+			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
+			ensure_cat_mode;
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
+		    ensure_cat_mode;
 		    emit_unindented ":$name - [0:0]";
 		}
 
@@ -9408,6 +9383,8 @@ sub create_stop_load( $ ) {
 	#
 	# Then emit the rules
 	#
+	ensure_cat_mode;
+
 	for my $chainref ( @chains ) {
 	    emitr( $chainref, $_ ) for @{$chainref->{rules}};
 	}

Shorewall/Perl/Shorewall/Config.pm

@@ -5925,7 +5925,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' || $_ eq 'SW_CONFDIR' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}

Shorewall/Perl/Shorewall/Misc.pm

@@ -1724,9 +1724,9 @@ sub add_interface_jumps {
 	    add_ijump( $filter_table->{input_chain $bridge },
 		       j => $inputref ,
 		       imatch_source_dev( $interface, 1 )
-		    ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+		) unless $input_jump_added{$interface}   || ! use_interface_chain( $interface, 'use_input_chain' );
 
-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
 		add_ijump( $filter_table->{output_chain $bridge} ,
 			   j => $outputref ,
 			   imatch_dest_dev( $interface, 1 ) )
@@ -1735,10 +1735,10 @@ sub add_interface_jumps {
 	} else {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
-	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
+	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref )         && ! $forward_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
 
-	    if ( use_output_chain $interface, $outputref ) {
+	    if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
 		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
@@ -1927,7 +1927,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
     my @zone_interfaces   = keys %{zone_interfaces( $zone )};
 
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
@@ -2061,7 +2061,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
     my @source            = imatch_source_net $net;
     my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
 
-    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or

Shorewall/Perl/Shorewall/Providers.pm

@@ -1917,18 +1917,18 @@ sub setup_providers() {
 
 	push_indent;
 
+	emit "undo_routing";
+	emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}
 
-	emit "undo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
 
 	if ( $config{NULL_ROUTE_RFC1918} ) {
+	    emit '';
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache" unless $standard_routes;
 	}

Shorewall/Perl/Shorewall/Rules.pm

@@ -2781,7 +2781,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 
 	      HELPER => sub { 
-		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+		  fatal_error "HELPER requires that a helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 		  $action = ''; } ,
 

Shorewall/helpers

@@ -67,5 +67,4 @@ loadmodule ipt_LOG
 loadmodule nf_log_ipv4
 loadmodule xt_LOG
 loadmodule xt_NFLOG
-loadmodule ipt_ULOG
 loadmodule nfnetlink_log

Shorewall/lib.cli-std

@@ -456,6 +456,16 @@ compiler() {
 
     ensure_root
     #
+    # Let params and the compiler know the base configuration directory
+    #
+    if [ -n "$g_shorewalldir" ]; then
+	SW_CONFDIR="$g_shorewalldir"
+    else
+	SW_CONFDIR="$g_confdir"
+    fi
+
+    export SW_CONFDIR
+    #
     # We've now set g_shorewalldir so recalculate CONFIG_PATH
     #
     [ -n "$g_haveconfig" ] || ensure_config_path

Shorewall/manpages/shorewall-addresses.xml

@@ -36,7 +36,7 @@
 
           <para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
           where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
-          of 1 to 4 hexidecimal digits (leading zeros may be omitted). a
+          of 1 to 4 hexadecimal digits (leading zeros may be omitted). a
           single series of 0 addresses may be omitted. For example
           2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
         </listitem>

Shorewall/manpages/shorewall-files.xml

@@ -199,7 +199,7 @@
       <listitem>
         <para><ulink url="shorewall-ecn.html">/etc/shorewall/ecn</ulink> -
         disable Explicit Congestion Notification (ECN - RFC 3168) to remote
-        hosts or networks. Superceded by ECN entries in
+        hosts or networks. Superseded by ECN entries in
         <filename>/etc/shorewall/mangle</filename> in Shorewall 5.0.6.</para>
       </listitem>
 
@@ -720,7 +720,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
   <refsect1>
     <title>Time Columns</title>
 
-    <para>Several of the files include a TIME colum that allows you to specify
+    <para>Several of the files include a TIME column that allows you to specify
     times when the rule is to be applied. Contents of this column is a list of
     <replaceable>timeelement</replaceable>s separated by apersands
     (&amp;).</para>

Shorewall/manpages/shorewall-rules.xml

@@ -1900,19 +1900,21 @@
           <simplelist>
             <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
             role="bold">s</emphasis>|<emphasis
-            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[[<replaceable>name</replaceable>][(<replaceable>ht-buckets</replaceable>,<replaceable>ht-max</replaceable>)]:]<emphasis>rate</emphasis><emphasis
+            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[<replaceable>name</replaceable>[(<replaceable>ht-buckets</replaceable>,<replaceable>ht-max</replaceable>)]:]<emphasis>rate</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
             role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
 
-            <member>[<replaceable>name</replaceable>1:]<emphasis>rate1</emphasis><emphasis
+            <member>[<emphasis
+            role="bold">s</emphasis>[/<replaceable>vlsm1</replaceable>]:][<replaceable>name</replaceable>1[(<replaceable>ht-buckets1</replaceable>,<replaceable>ht-max1</replaceable>)]:]<emphasis>rate1</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis
             role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2:]<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<emphasis
+            role="bold">d</emphasis>[/<replaceable>vlsm2</replaceable>:][<replaceable>name</replaceable>2[(<replaceable>ht-buckets2</replaceable>,<replaceable>ht-max2</replaceable>)]:]<emphasis>rate2</emphasis><emphasis
             role="bold">/</emphasis>{<emphasis
             role="bold">sec</emphasis>|<emphasis
             role="bold">min</emphasis>|<emphasis

Shorewall/manpages/shorewall.conf.xml

@@ -500,7 +500,7 @@
           each listed directory is to be searched. AUTOMAKE=1 only searches
           each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
           will search each directory and its immediate sub-directories;
-          AUTOMAKE=3 will search each diretory, each of its immediate
+          AUTOMAKE=3 will search each directory, each of its immediate
           sub-directories, and each of their immediate sub-directories,
           etc.</para>
         </listitem>

docs/Anti-Spoofing.xml

@@ -85,7 +85,7 @@
     server. It then sends a packet addressed to itself and from the server.
     Such packets are sent back out the same interface that received them
     (<firstterm>hairpin</firstterm>). In cases where the
-    <option>routerfilter</option> option can't be used, Shorewall 4.4.20 and
+    <option>routefilter</option> option can't be used, Shorewall 4.4.20 and
     later will set up hairpinning traps (see the SFILTER_DISPOSITION and
     SFILTER_LOG_LEVEL options in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>

docs/FAQ.xml

@@ -244,9 +244,25 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
         work</title>
 
         <para><emphasis role="bold">Answer:</emphasis> That is usually the
-        result of one of four things:</para>
+        result of one of five things:</para>
 
         <itemizedlist>
+          <listitem>
+            <para>You are trying to redirect a UDP port and there is already a
+            conntrack table entry for the flow, created via an ACCEPT
+            rule.</para>
+
+            <para>Example:</para>
+
+            <programlisting>        DNAT    loc:192.168.0.2 dmz:192.168.1.3 udp 53</programlisting>
+
+            <para>Assuming that you have installed the
+            <emphasis>conntrack</emphasis> package, you can delete all such
+            conntrack table entries using:</para>
+
+            <programlisting>        conntrack -D -s 192.168.0.2 -p udp --dport 53</programlisting>
+          </listitem>
+
           <listitem>
             <para>You are trying to test from inside your firewall (no, that
             won't work -- see <xref linkend="faq2"/>).</para>